JBEAP-2157

AdvancedLdapLoginModule does not handle loops in referrals


Details

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Critical
    • Affects Version/s: 7.0.0.ER2 (Beta)
    • Component/s: Security

Steps to Reproduce

      1) Start two LDAP servers loaded with the attached server1.ldif and server2.ldif (the two directories contain a referral loop)
      2) Add the following security domain to the configuration:

      <security-domain name="ldapSecurityDomain">
          <authentication>
              <login-module code="AdvancedLdap" flag="required">
                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                  <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
                  <module-option name="referralUserAttributeIDToCheck" value="member"/>
                  <module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
                  <module-option name="roleAttributeID" value="cn"/>
                  <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
                  <module-option name="java.naming.security.authentication" value="simple"/>
                  <module-option name="bindDN" value="uid=admin,ou=system"/>
                  <module-option name="bindCredential" value="secret"/>
                  <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
                  <module-option name="java.naming.referral" value="throw"/>
                  <module-option name="throwValidateError" value="true"/>
                  <module-option name="baseFilter" value="(uid={0})"/>
              </login-module>
          </authentication>
      </security-domain>
      

      3) Deploy the attached application app.war
      4) Run repeatedly (the URL is quoted so that the shell does not treat the & as a background operator):

      curl -u jduke:Password1 'http://localhost:8080/app/protected/printRoles?role=TheDuke&role=Admin'

      -> java.lang.OutOfMemoryError on the EAP server


    Description

      According to the LDAP specification [1]: "Clients that follow referrals MUST ensure that they do not loop between servers. They MUST NOT repeatedly contact the same server for the same request with the same parameters."

      When an EAP server is configured to use AdvancedLdapLoginModule with referral following and the LDAP servers contain a referral loop, the module follows the referrals in an endless cycle. This can result in a java.lang.OutOfMemoryError on the EAP server.

      We hit this issue during certification of 3rd party LDAP servers. This issue is not a regression against EAP 6.x.

      [1] http://tools.ietf.org/html/rfc4511#section-4.1.10
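The following is an added illustration of the loop described above, not code from EAP or PicketBox. It stands in two constructed in-memory "servers" for the two LDAP servers of the reproduction (each holds an ou=Roles subtree whose referral entry points at the other server), replays the role search with the roleFilter from the security domain, and contrasts a follower that chases every referral blindly with one that records every (server, base DN) it has already asked for this user and refuses to repeat a request, which is what RFC 4511 section 4.1.10 demands. Entry contents, ports and the 50-hop fuse are assumptions of the example.

```python
"""Referral following with and without loop detection (constructed example)."""

# Constructed stand-in for the two LDAP servers of the reproduction: each server
# holds an ou=Roles subtree with one real role for jduke and one referral entry
# pointing at the OTHER server's ou=Roles, so the referrals form a cycle.
ROLES_DN = "ou=Roles,dc=jboss,dc=org"
JDUKE_DN = "uid=jduke,ou=People,dc=jboss,dc=org"
SERVERS = {
    "ldap://localhost:10389": {ROLES_DN: [
        {"dn": "cn=TheDuke," + ROLES_DN, "objectClass": ["groupOfNames"],
         "cn": ["TheDuke"], "member": [JDUKE_DN]},
        {"dn": "ou=remote," + ROLES_DN, "objectClass": ["referral"],
         "ref": ["ldap://localhost:10390/" + ROLES_DN]},
    ]},
    "ldap://localhost:10390": {ROLES_DN: [
        {"dn": "cn=Admin," + ROLES_DN, "objectClass": ["groupOfNames"],
         "cn": ["Admin"], "member": [JDUKE_DN]},
        {"dn": "ou=remote," + ROLES_DN, "objectClass": ["referral"],
         "ref": ["ldap://localhost:10389/" + ROLES_DN]},   # points back: the loop
    ]},
}


def search(server, base_dn, user_dn):
    """Stand-in for the role search with roleFilter (|(objectClass=referral)(member={1}))."""
    return [e for e in SERVERS[server].get(base_dn, [])
            if "referral" in e["objectClass"] or user_dn in e.get("member", [])]


def parse_ref(ref):
    """Split an LDAP URL from a 'ref' attribute into (server, base DN), normalised
    so that the same server written in different case still compares equal."""
    scheme, rest = ref.split("://", 1)
    host, _, base = rest.partition("/")
    return (f"{scheme.lower()}://{host.lower()}", base)


def roles_naive(server, base_dn, user_dn, max_hops=50):
    """Follows every referral it sees with no memory of where it has been.
    With a referral cycle the work list never drains and the role list grows
    on every hop (the memory growth behind the OutOfMemoryError); max_hops is
    only a fuse so that this example terminates."""
    roles, work, hops = [], [(server, base_dn)], 0
    while work:
        srv, base = work.pop()
        hops += 1
        if hops > max_hops:
            raise RuntimeError(f"still following referrals after {max_hops} hops, "
                               f"{len(roles)} role values collected so far")
        for entry in search(srv, base, user_dn):
            if "referral" in entry["objectClass"]:
                work.extend(parse_ref(r) for r in entry["ref"])
            else:
                roles.extend(entry["cn"])
    return roles


def roles_guarded(server, base_dn, user_dn):
    """Same search, but remembers every (server, base DN) already queried for
    this user and never repeats one, as RFC 4511 section 4.1.10 requires.
    The user DN is constant for one call, so it need not be part of the key."""
    roles, work, visited = set(), [(server, base_dn)], set()
    while work:
        target = work.pop()
        if target in visited:      # same server, same request: do not loop
            continue
        visited.add(target)
        srv, base = target
        for entry in search(srv, base, user_dn):
            if "referral" in entry["objectClass"]:
                work.extend(parse_ref(r) for r in entry["ref"])
            else:
                roles.update(entry["cn"])
    return sorted(roles)


if __name__ == "__main__":
    print(roles_guarded("ldap://localhost:10389", ROLES_DN, JDUKE_DN))
    try:
        roles_naive("ldap://localhost:10389", ROLES_DN, JDUKE_DN)
    except RuntimeError as err:
        print("naive follower:", err)
```

The guarded version returns both roles (TheDuke from the first server, Admin reached through the referral) and stops when the second referral leads back to a (server, base DN) it has already queried; the naive version never drains its work list and only stops because of the fuse. A real client would also cap the number of hops regardless of the visited set, since a chain of distinct servers can be made arbitrarily long by whoever controls the directory data.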

      Attachments

        1. app.war (4 kB)
        2. server1.ldif (0.7 kB)
        3. server2.ldif (0.4 kB)

      People

        Assignee: Peter Skopek (pskopek@redhat.com)
        Reporter: Ondrej Lukas (olukas)
        Votes: 0
        Watchers: 5