In my example, I've used the user 'maarten' to authenticate when logging into Weblogic Server. The user 'maarten' is a member of the groups Administrators and DummyGroup. The debug information was acquired by setting the DebugSecurityAtn flag as described here. Weblogic Server 12.1.3.0.0 was used, with ApacheDS 2.0.0 as the LDAP server. For the configuration of ApacheDS/Weblogic Server, I've used the following: http://javaoraclesoa.blogspot.nl/2014/08/ldap-and-weblogic-using-apacheds-as.html.
GUID Attribute set to entryUUID
In the example below, the GUID attribute is set to 'entryUUID'. As you can see, the GUID is correctly determined and there were no errors during authentication.
<LDAP Atn Login username: maarten>
<authenticate user:maarten>
<getConnection return conn:LDAPConnection {ldaps://localhost:10389 ldapVersion:3 bindDN:"uid=admin,ou=system"}>
<getDNForUser search("ou=users,ou=system", "(&(uid=maarten)(objectclass=person))", base DN & below)>
<Retrieved guid:ca05de8f-89d8-47d7-b83a-d0bc5e63f7f8>
<DN for user maarten: uid=maarten,ou=users,ou=system>
<returnConnection conn:LDAPConnection {ldaps://localhost:10389 ldapVersion:3 bindDN:"uid=admin,ou=system"}>
<authenticate user:maarten with DN:uid=maarten,ou=users,ou=system>
<getConnection return conn:LDAPConnection {ldaps://localhost:10389 ldapVersion:3 bindDN:"uid=maarten,ou=users,ou=system"}>
<authentication succeeded>
<returnConnection conn:LDAPConnection {ldaps://localhost:10389 ldapVersion:3 bindDN:"uid=maarten,ou=users,ou=system"}>
<LDAP Atn Authenticated User maarten>
I can also browse the groups my user is in without errors.
The following doesn't work well when the GUID Attribute in the LDAPAuthentication provider of Weblogic Server is left empty.
Logging in
After the first login, the error below occurs. A second login then allows you to access the Weblogic console:
<authenticate user:maarten>
<getConnection return conn:LDAPConnection {ldaps://localhost:10389 ldapVersion:3 bindDN:"uid=admin,ou=system"}>
<getDNForUser search("ou=users,ou=system", "(&(uid=maarten)(objectclass=person))", base DN & below)>
<returnConnection conn:LDAPConnection {ldaps://localhost:10389 ldapVersion:3 bindDN:"uid=admin,ou=system"}>
<java.lang.NullPointerException at weblogic.security.providers.authentication.LDAPAtnDelegate.getDNForUser(LDAPAtnDelegate.java:3861)
When the cache is disabled, this behavior and the corresponding error do not occur. You can guess where the NullPointerException is coming from: the cache code path in getDNForUser, which needs a GUID that was never retrieved.
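To recognise this misconfiguration from a DebugSecurityAtn trace, here is an added Python check of my own (not part of the original post, nor Weblogic's own code). It groups the trace lines above into authentication attempts and reports any attempt with no 'Retrieved guid' line or with the NullPointerException inside getDNForUser; the embedded sample is the post's own trace, reduced to the lines the parser looks at.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the DebugSecurityAtn excerpts quoted in this post, first the healthy
# login (GUID Attribute = entryUUID), then the one with the GUID Attribute left empty.
SAMPLE_LOG = """
<authenticate user:maarten>
<getDNForUser search("ou=users,ou=system", "(&(uid=maarten)(objectclass=person))", base DN & below)>
<Retrieved guid:ca05de8f-89d8-47d7-b83a-d0bc5e63f7f8>
<DN for user maarten: uid=maarten,ou=users,ou=system>
<authenticate user:maarten with DN:uid=maarten,ou=users,ou=system>
<authenticate user:maarten>
<getDNForUser search("ou=users,ou=system", "(&(uid=maarten)(objectclass=person))", base DN & below)>
<java.lang.NullPointerException at weblogic.security.providers.authentication.LDAPAtnDelegate.getDNForUser(LDAPAtnDelegate.java:3861)
"""

@dataclass
class Attempt:
    user: str
    guid: Optional[str] = None    # value of the '<Retrieved guid:...>' line, if one was logged
    npe_in_getdn: bool = False    # NullPointerException raised inside getDNForUser

    def findings(self) -> List[str]:
        # Relate what the trace shows to the authenticator's GUID Attribute setting.
        out = []
        if self.guid is None:
            out.append("no 'Retrieved guid' line: GUID Attribute is probably left empty")
        if self.npe_in_getdn:
            out.append("NullPointerException in getDNForUser: empty GUID Attribute with LDAP cache enabled")
        return out

def parse_attempts(log: str) -> List[Attempt]:
    # One Attempt per '<authenticate user:X>' line; the '... with DN:' follow-up is not a new attempt.
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for line in log.splitlines():
        line = line.strip()
        start = re.match(r"<authenticate user:(\S+)>$", line)
        if start:
            cur = Attempt(user=start.group(1))
            attempts.append(cur)
        elif cur is None:
            continue
        elif line.startswith("<Retrieved guid:"):
            cur.guid = line[len("<Retrieved guid:"):-1]
        elif line.startswith("<java.lang.NullPointerException at ") and ".getDNForUser(" in line:
            cur.npe_in_getdn = True
    return attempts
```

Running `parse_attempts` over a full DebugSecurityAtn log file gives one empty findings list per healthy login and the two messages above for the failing one.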
Browsing user groups
When requesting user group memberships in the Weblogic Console (the Groups tab after clicking on a user under the security realm), it fails with a NullPointerException.
An unexpected exception has occurred processing your request
Message: java.lang.NullPointerException
Stack Trace:
at weblogic.security.providers.authentication.LDAPAtnDelegate.getDNForUser(LDAPAtnDelegate.java:3861)
at weblogic.security.providers.authentication.LDAPAtnDelegate.getDNForUser(LDAPAtnDelegate.java:5168)
at weblogic.security.providers.authentication.LDAPAtnDelegate.listMemberGroups(LDAPAtnDelegate.java:2278)
at weblogic.security.providers.authentication.LDAPAuthenticatorImpl.listMemberGroups(LDAPAuthenticatorImpl.java:171)
at
GUID Attribute defined incorrectly
When I define the GUID attribute incorrectly, I do not get any errors during authentication or when browsing the groups my user is in. Based on the errors that occur when the cache is enabled and the GUID Attribute is not specified, I can imagine that the GUID plays a role in the LDAP cache functionality of Weblogic Server. Should this be the case, some unwanted behavior could occur, such as inefficient caching or, worse, wrong LDAP cache results and the security issues that follow from them.