0 Replies Latest reply on Aug 9, 2018 7:33 AM by Philippe Marschall

    LDAPS referrals not working in Elytron

    Philippe Marschall Expert

      We are having trouble getting LDAPS referrals working with an Elytron LDAP realm. The issue is the following stack trace.

      javax.security.sasl.SaslException: ELY05012: Authentication mechanism server-side authentication failed [Caused by org.wildfly.security.auth.server.RealmUnavailableException: ELY01153: Direct LDAP verification failed with DN [redacted] and absolute DN [null]]
              at org.wildfly.security.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:121)
              at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
              at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
              at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:59)
              at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
              at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
              at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
              at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:926)
              at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
              at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
              at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
              at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1349)
              at java.lang.Thread.run(Thread.java:748)
      Caused by: org.wildfly.security.auth.server.RealmUnavailableException: ELY01153: Direct LDAP verification failed with DN [redacted] and absolute DN [null]
              at org.wildfly.security.auth.realm.ldap.DirectEvidenceVerifier$1.verifyEvidence(DirectEvidenceVerifier.java:104)
              at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.verifyEvidence(LdapSecurityRealm.java:609)
              at org.wildfly.security.auth.realm.AggregateSecurityRealm$Identity.verifyEvidence(AggregateSecurityRealm.java:155)
              at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
              at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
              at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
              at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
              at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
              at org.wildfly.security.sasl.util.SSLQueryCallbackHandler.handle(SSLQueryCallbackHandler.java:60)
              at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.lambda$createSaslServer$0(TrustManagerSaslServerFactory.java:96)
              at org.wildfly.security.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:117)
              ... 12 more
      Caused by: javax.naming.CommunicationException: ldap.acme.com:636 [Root exception is java.lang.ClassNotFoundException: org.wildfly.security.auth.realm.ldap.ThreadLocalSSLSocketFactory from [Module "org.wildfly.extension.io" version 5.0.0.Final from local module loader @7586beff (finder: local module finder @3b69e7d1 (roots: redacted))]]
              at com.sun.jndi.ldap.Connection.<init>(Connection.java:226)
              at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
              at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
              at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
              at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2699)
              at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2673)
              at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2669)
              at org.wildfly.security.auth.realm.ldap.DelegatingLdapContext.reconnect(DelegatingLdapContext.java:181)
              at org.wildfly.security.auth.realm.ldap.DirectEvidenceVerifier$1.verifyEvidence(DirectEvidenceVerifier.java:97)
              ... 22 more
      Caused by: java.lang.ClassNotFoundException: org.wildfly.security.auth.realm.ldap.ThreadLocalSSLSocketFactory from [Module "org.wildfly.extension.io" version 5.0.0.Final from local module loader @7586beff (finder: local module finder @3b69e7d1 (roots: redacted))]
              at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255)
              at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
              at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
              at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
              at java.lang.Class.forName0(Native Method)
              at java.lang.Class.forName(Class.java:348)
              at com.sun.jndi.ldap.VersionHelper12.loadClass(VersionHelper12.java:72)
              at com.sun.jndi.ldap.Connection.createSocket(Connection.java:281)
              at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
              ... 30 more

      As you can see, the Sun/Oracle LDAP classes try to load the class "org.wildfly.security.auth.realm.ldap.ThreadLocalSSLSocketFactory" using the TCCL, which is the "org.wildfly.extension.io" module loader. This will not work as ThreadLocalSSLSocketFactory is in the module "org.wildfly.security.elytron-private".

      We have a custom patch against DelegatingLdapContext where we call

      Thread.currentThread().setContextClassLoader(ThreadLocalSSLSocketFactory.class.getClassLoader());

      before calling

      ThreadLocalSSLSocketFactory.set

      This gets LDAPS referrals working but is a bit hack-ish.
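The TCCL swap described in the post, as an added example that is neither the poster's patch nor Elytron's code: a hypothetical `DemoSocketFactory` stands in for `ThreadLocalSSLSocketFactory`, a parentless class loader stands in for the `org.wildfly.extension.io` module loader, and the lookup is done the way `com.sun.jndi.ldap.Connection.createSocket` does it (by name, through the context class loader, for the class named by the standard `java.naming.ldap.factory.socket` property). The helper restores the previous context class loader in a `finally` so the swap cannot leak to later work on the same thread.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.concurrent.Callable;

public final class TcclDemo {

    // Runs task with the given context class loader and always restores the previous one,
    // so a swapped TCCL does not leak into whatever the thread does next.
    static <T> T withContextClassLoader(ClassLoader loader, Callable<T> task) throws Exception {
        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        current.setContextClassLoader(loader);
        try {
            return task.call();
        } finally {
            current.setContextClassLoader(previous);
        }
    }

    // Mirrors how com.sun.jndi.ldap.Connection.createSocket resolves the class named by the
    // java.naming.ldap.factory.socket property: by name, through the thread's context class loader.
    static Class<?> loadFactoryLikeJndi(String factoryClassName) throws ClassNotFoundException {
        return Class.forName(factoryClassName, true, Thread.currentThread().getContextClassLoader());
    }

    // Hypothetical stand-in for ThreadLocalSSLSocketFactory, which lives in the elytron-private module.
    static final class DemoSocketFactory {
    }

    public static void main(String[] args) throws Exception {
        String factory = DemoSocketFactory.class.getName();
        // Constructed: a loader with no parent that cannot see the application classes stands in
        // for the org.wildfly.extension.io module loader that JNDI ends up using as the TCCL.
        ClassLoader isolated = new URLClassLoader(new URL[0], null);

        try {
            withContextClassLoader(isolated, () -> loadFactoryLikeJndi(factory));
            System.out.println("unexpected: factory resolved through the isolated loader");
        } catch (ClassNotFoundException e) {
            System.out.println("JNDI-style lookup fails: " + e.getMessage());
        }

        // The workaround from the post, scoped: point the TCCL at the loader that defines the
        // factory only for the duration of the call (in the real patch, the reconnect call).
        Class<?> resolved = withContextClassLoader(DemoSocketFactory.class.getClassLoader(),
                () -> loadFactoryLikeJndi(factory));
        System.out.println("resolved with the factory's own loader: " + resolved.getName());
        System.out.println("TCCL restored: " + (Thread.currentThread().getContextClassLoader() != isolated));
    }
}
```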