0 Replies Latest reply on Nov 2, 2017 11:05 AM by hoyenko

    AdvancedLdapLoginModule not getting all the roles

    hoyenko Newbie

      I have Kerberos set up with wildfly plus I get groups from LDAP and I have a problem with it not getting all the roles.

      Kerberos works as expected and here is the config I have for LDAP:

                              <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="requisite">

                                  <module-option name="java.naming.provider.url" value="ldap://myhost.com:3268/"/>

                                  <module-option name="bindDN" value="login"/>

                                  <module-option name="bindCredential" value="pwd"/>

                                  <module-option name="baseCtxDN" value="DC=AD,DC=TTT,DC=com"/>

                                  <module-option name="baseFilter" value="(userPrincipalName={0})"/>

                                  <module-option name="rolesCtxDN" value="DC=AD,DC=TTT,DC=com"/>

                                  <module-option name="roleFilter" value="(member={1})"/>

                                  <module-option name="roleAttributeID" value="memberOf"/>

                                  <module-option name="roleAttributeIsDN" value="true"/>

                                  <module-option name="roleNameAttributeID" value="cn"/>

                                  <module-option name="recurseRoles" value="true"/>

                                  <module-option name="password-stacking" value="useFirstPass"/>

                                  <module-option name="allowEmptyPassword" value="false"/>

                                  <module-option name="searchScope" value="SUBTREE_SCOPE"/>

                              </login-module>

      I have setup a group called app_ttt_api. I added some members to this group.

      So my setup works when the member I added is a group itself and you are a member of that group. If you add a user directly, it doesn't work. Also if you add a group that contains a group that contains a user it also doesn't work.

      So, group->group->user works but

      group->user

      and

      group->group->group->user

      doesn't and it goes on like that, so

      group->group->group->group->user will work too

       

      I looked at the source code of AdvancedLdapLoginModule

       

      here: GC: AdvancedLdapLoginModule - org.jboss.security.negotiation.AdvancedLdapLoginModule (.java) - GrepCode Class Source

       

      From the code it looks like following:

      1. get all the roles from initial role context filtering by user

          526            results = searchContext.search(rolesCtxDN, roleFilter, filterArgs, roleSearchControls);

          rolesCtxDN=DC=AD,DC=TTT,DC=com roleFilter=(member={1}) filterArgs[0]=myuser@AD.TTT.COM filterArgs[1]=CN=myuser,CN=Managed Service Accounts,DC=AD,DC=MLP,DC=com

      2. Iterate through roles calling

          532               obtainRole(searchContext, resultDN);

      3. In obtainRole it calls

          572      Attributes result = searchContext.getAttributes(dn, attrNames);

          575         Attribute roles = result.get(roleAttributeID);

          where attrNames is roleAttributeID - "memberOf" in my case.

      4. Go through all the roles obtained from line 575 and call

          585               loadRoleByRoleNameAttributeID(searchContext, roleDN);

          586               recurseRolesSearch(searchContext, baseRoleDN);

      where 585 adds a role and 586 recursively searches for underlying roles.

       

      The problem in my case in 3 - why would we try to get roles our initial role is memberOf and not add it right away, we already know that the user is a member of this role. I think that's the reason why I only get authorized when I have group->group->user and not in other cases.

      Am I understanding what's going on right? Should I pass something else in the config? I tried different variations of the config, when I do

                                  <module-option name="roleAttributeID" value="cn"/>

                                  <module-option name="roleAttributeIsDN" value="false"/>

      it will load all first level roles, but wouldn't recurse to lower level groups.

       

      In other configurations I tried there were no roles loaded.