TechQA.

Search users in a group - Jetty JAAS LDAP

60 views Asked by At

I am using Jetty's LDAP Login Module to connect to an internal LDAP server. The LDAPLoginModule configuration (ldap-loginModule.conf) is provided as below:

ldap {
   org.eclipse.jetty.jaas.spi.LdapLoginModule required
   debug="true"
   contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
   hostname="<ldap hostname>"
   port="389"

   bindDn="cn=admin,dc=myorg,dc=com"
   bindPassword="password"
   authenticationMethod="simple"
   forceBindingLogin="true"

   userBaseDn="ou=users,dc=myorg,dc=com"
   userRdnAttribute="cn"
   userIdAttribute="cn"
   userPasswordAttribute="userPassword"
   userObjectClass="inetOrgPerson";
};

The above code works fine when I integrate it with my application, using the JVM parameter: -Djava.security.auth.login.config=./ldap-loginModule.conf. As you can understand, the above LDAP configuration searches through all of the users in the userBaseDN(ou=users,dc=myorg,dc=com).

However, I am searching for users with a specific role (cn=my-group,ou=roles,dc=rsorg,dc=com) using the above configuration.? I am looking for a solution which would replicate the below ldap search in the above JETTY LDAP configuration:

ldapsearch -x -H ldap://<ldap hostname>:636 -b "dc=myorg,dc=com" -D "cn=admin,dc=myorg,dc=com" -w password "(&(objectClass=inetOrgPerson)(memberOf=cn=my-group,ou=roles,dc=rsorg,dc=com))"

Below is the configuration, I have tried and it didn't fetch me the correct result:

 ldap {
   org.eclipse.jetty.jaas.spi.LdapLoginModule required
   debug="true"
   contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
   hostname="<ldap hostname>"
   port="389"

   bindDn="cn=admin,dc=myorg,dc=com"
   bindPassword="password"
   authenticationMethod="simple"
   forceBindingLogin="true"

   userBaseDn="ou=users,dc=myorg,dc=com"
   userRdnAttribute="cn"
   userIdAttribute="cn"
   userPasswordAttribute="userPassword"
   userObjectClass="inetOrgPerson"

   ## Additional role check
   roleBaseDn="cn=my-group,ou=roles,dc=myorg,dc=com"
   roleNameAttribute="cn"
   roleMemberAttribute="memberOf"
   roleObjectClass="groupOfUniqueNames";
};

I am using OpenLDAP to configure the LDAP and the application is a JAVA application. Appreciate your help.

active-directory ldap jetty openldap jaas
Original Q&A
1

There are 1 answers

0
ixe013 On

Unfortunately for you, Jetty's module source code has an hardcoded ldap filter:

String filter = "(&(objectClass={0})({1}={2}))";

Where {1} will be replaced by the value userIdAttribute and {2} the username of the user trying to log in.

You can play some tricks by "injecting" (as in SQL injection) your search query in the userIdAttribute parameter. Usual caveats about parameter abuse apply here, obviously.

I cannot test it, but I would try to set userIdAttribute to this value:

userIdAttribute="memberOf=cn=my-group,ou=roles,dc=rsorg,dc=com)(cn"

So that at runtime the search becomes (with {2} still the username):

(&(objectClass={0})(memberOf=cn=my-group,ou=roles,dc=rsorg,dc=com)(cn={2}))

Same thing, in color: LDAP search filter injection

Explained here

Related Questions in ACTIVE-DIRECTORY

Related Questions in LDAP

Related Questions in JETTY

Related Questions in OPENLDAP

Related Questions in JAAS

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions