JBoss Enterprise Application Platform
JBEAP-15894

(7.1.z) Referrals roles assignment for referral user does not work for AdvancedLdapLoginModule with Active Directory

    Details

      Description

      Consider two MS Active Directory domains with a crossRef configured to each other. EAP uses AdvancedLdapLoginModule for MS AD with referrals, and rolesCtxDN is set to the referral DN where the user accounts are stored; EAP is also configured to search roles based on the user entries (mapping users to roles).

      If referral users (from EAP's point of view: the hostname is configured for the original LDAP and the user is obtained as a referral user from the second domain) authenticate, then they do not get the roles assigned from the AD attribute named in the 'roleAttributeID' option.

      Example:
      I have two MS AD domains - DC=jboss,DC=test (Domain A) and DC=jboss,DC=test2 (Domain B) with crossRef.
      Part of ldif for Domain A:

      ...
      dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
      objectClass: groupOfNames
      objectClass: top
      cn: TheDuke
      businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
      member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test
      ...
      

      Part of ldif for Domain B:

      ...
      dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
      objectclass: top
      objectclass: person
      objectClass: inetOrgPerson
      cn: jduke
      sn: Duke
      description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
      description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
      userPassword: Password1
      
      dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
      objectClass: groupOfNames
      objectClass: top
      cn: Admin
      businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
      member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test2
      ...
      

      EAP AdvancedLdapLoginModule is configured:

                      <security-domain name="AdvancedLdapReferrals">
                          <authentication>
                              <login-module code="AdvancedLdap" flag="required">
                                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                                  <module-option name="java.naming.provider.url" value="HOSTNAME_OF_DOMAIN_A"/>
                                  <module-option name="bindDN" value="BIND_DN"/>
                                  <module-option name="bindCredential" value="PASSWORD"/>
                                  <module-option name="referralUserAttributeIDToCheck" value="businessCategory"/>
                                  <module-option name="roleAttributeIsDN" value="true"/>
                                  <module-option name="roleFilter" value="(CN={0})"/>
                                  <module-option name="roleAttributeID" value="description"/>
                                  <module-option name="rolesCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/>
                                  <module-option name="java.naming.security.authentication" value="simple"/>
                                  <module-option name="baseCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/>
                                  <module-option name="java.naming.referral" value="follow"/>
                                  <module-option name="throwValidateError" value="true"/>
                                  <module-option name="baseFilter" value="(CN={0})"/>
                                  <module-option name="roleNameAttributeID" value="CN"/>
                              </login-module>
                          </authentication>
                      </security-domain>
      

      Then, when jduke tries to authenticate to the application, the roles TheDuke and Admin should be assigned to him.
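      The following is an added, offline model of the role search the issue expects (it is not EAP's or the login module's own code). It parses the two LDIF fragments above into one directory view, because with java.naming.referral=follow the module chases the crossRef into Domain A when a role DN points there, and then applies the module options from the security-domain: baseCtxDN/baseFilter to locate the user, rolesCtxDN/roleFilter to find the entry carrying roleAttributeID, roleAttributeIsDN plus roleNameAttributeID to turn each DN into a role name, and referralUserAttributeIDToCheck to accept a role only when the role object points back at the user. Assumptions: the back-reference check is applied to every role DN (in the module it matters for role objects reached through a referral), and DN comparison is a simplified case-insensitive string match.

```python
"""Expected roles for jduke under the AdvancedLdapLoginModule options in JBEAP-15894.

Added offline model, not EAP code. Both LDIF fragments are copied from the issue.
"""
from collections import defaultdict

# Role object TheDuke lives in Domain A (DC=jboss,DC=test).
LDIF_DOMAIN_A = """\
dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
objectClass: groupOfNames
objectClass: top
cn: TheDuke
businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test
"""

# User jduke and role object Admin live in Domain B (DC=jboss,DC=test2).
LDIF_DOMAIN_B = """\
dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
objectclass: top
objectclass: person
objectClass: inetOrgPerson
cn: jduke
sn: Duke
description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test
description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
userPassword: Password1

dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2
objectClass: groupOfNames
objectClass: top
cn: Admin
businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2
member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test2
"""

# Module options taken from the security-domain in the issue.
OPTIONS = {
    "baseCtxDN": "OU=People,O=eapqe,DC=jboss,DC=test2",
    "baseFilter": "(CN={0})",
    "rolesCtxDN": "OU=People,O=eapqe,DC=jboss,DC=test2",
    "roleFilter": "(CN={0})",
    "roleAttributeID": "description",
    "roleAttributeIsDN": True,
    "roleNameAttributeID": "CN",
    "referralUserAttributeIDToCheck": "businessCategory",
}


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attribute_lowercase: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def rdn_value(dn, attr):
    """Value of the first RDN of type `attr` in `dn` (case-insensitive type)."""
    for rdn in dn.split(","):
        rdn_type, _, value = rdn.partition("=")
        if rdn_type.strip().lower() == attr.lower():
            return value.strip()
    return None


def dn_equal(a, b):
    """Simplified DN comparison (assumption: same attribute order, no escaping)."""
    return a.replace(", ", ",").lower() == b.replace(", ", ",").lower()


def search_by_cn(directory, ctx_dn, cn):
    """Model of a '(CN={0})' subtree search under ctx_dn."""
    return [dn for dn in directory
            if dn.lower().endswith(ctx_dn.lower()) and rdn_value(dn, "CN") == cn]


def expected_roles(username, directory, opts):
    """Roles the module should assign: user lookup, role-holder search,
    DN-valued roleAttributeID resolved across domains, back-reference check."""
    user_dn = search_by_cn(directory, opts["baseCtxDN"], username)[0]
    roles = []
    for holder_dn in search_by_cn(directory, opts["rolesCtxDN"], username):
        for role_dn in directory[holder_dn].get(opts["roleAttributeID"].lower(), []):
            role_entry = directory.get(role_dn)  # may resolve via referral to Domain A
            if role_entry is None:
                continue  # dangling role DN: grant nothing
            check_attr = opts["referralUserAttributeIDToCheck"].lower()
            if not any(dn_equal(v, user_dn) for v in role_entry.get(check_attr, [])):
                continue  # role object does not point back at this user
            roles.append(rdn_value(role_dn, opts["roleNameAttributeID"]))
    return roles


DIRECTORY = {**parse_ldif(LDIF_DOMAIN_A), **parse_ldif(LDIF_DOMAIN_B)}

if __name__ == "__main__":
    print(expected_roles("jduke", DIRECTORY, OPTIONS))  # ['TheDuke', 'Admin']
```

      The model yields both TheDuke (reached through the referral into Domain A) and Admin (local to Domain B), which is the outcome the issue says is missing for referral users; dropping the businessCategory back-reference from a role object makes that role disappear, which is the referralUserAttributeIDToCheck behaviour the option exists for.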

                People

                  Assignee: Jiri Ondrusek (jondruse)
                  Reporter: Tomas Hofman (thofman)
                  Tester: Ondrej Lukas