AdvancedLdapLoginModule not getting all the roles
hoyenko Nov 2, 2017 11:05 AM
I have Kerberos set up with WildFly plus I get groups from LDAP, and I have a problem with it not getting all the roles.
Kerberos works as expected and here is the config I have for LDAP:
<login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="requisite">
    <module-option name="java.naming.provider.url" value="ldap://myhost.com:3268/"/>
    <module-option name="bindDN" value="login"/>
    <module-option name="bindCredential" value="pwd"/>
    <module-option name="baseCtxDN" value="DC=AD,DC=TTT,DC=com"/>
    <module-option name="baseFilter" value="(userPrincipalName={0})"/>
    <module-option name="rolesCtxDN" value="DC=AD,DC=TTT,DC=com"/>
    <module-option name="roleFilter" value="(member={1})"/>
    <module-option name="roleAttributeID" value="memberOf"/>
    <module-option name="roleAttributeIsDN" value="true"/>
    <module-option name="roleNameAttributeID" value="cn"/>
    <module-option name="recurseRoles" value="true"/>
    <module-option name="password-stacking" value="useFirstPass"/>
    <module-option name="allowEmptyPassword" value="false"/>
    <module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
I have set up a group called app_ttt_api. I added some members to this group.
So my setup works when the member I added is a group itself and you are a member of that group. If you add a user directly, it doesn't work. Also if you add a group that contains a group that contains a user it also doesn't work.
So, group->group->user works, but group->user and group->group->group->user don't, and it goes on like that, so group->group->group->group->user will work too.
I looked at the source code of AdvancedLdapLoginModule
From the code it looks like the following:
1. get all the roles from initial role context filtering by user
526 results = searchContext.search(rolesCtxDN, roleFilter, filterArgs, roleSearchControls);
rolesCtxDN=DC=AD,DC=TTT,DC=com roleFilter=(member={1}) filterArgs[0]=myuser@AD.TTT.COM filterArgs[1]=CN=myuser,CN=Managed Service Accounts,DC=AD,DC=MLP,DC=com
2. Iterate through roles calling
532 obtainRole(searchContext, resultDN);
3. In obtainRole it calls
572 Attributes result = searchContext.getAttributes(dn, attrNames);
575 Attribute roles = result.get(roleAttributeID);
where attrNames is roleAttributeID - "memberOf" in my case.
4. Go through all the roles obtained from line 575 and call
585 loadRoleByRoleNameAttributeID(searchContext, roleDN);
586 recurseRolesSearch(searchContext, baseRoleDN);
where 585 adds a role and 586 recursively searches for underlying roles.
The problem in my case is in 3: why would we try to get the roles our initial role is memberOf and not add it right away? We already know that the user is a member of this role. I think that's the reason why I only get authorized when I have group->group->user and not in other cases.
Am I understanding what's going on right? Should I pass something else in the config? I tried different variations of the config; when I do
<module-option name="roleAttributeID" value="cn"/>
<module-option name="roleAttributeIsDN" value="false"/>
it will load all first-level roles, but won't recurse to lower-level groups.
In other configurations I tried there were no roles loaded.