Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-78117

SAML Import from LDAP fails if import filter contains multiple macros

    Details

      Description

      Reproduction steps - ORIGINAL (See simplified steps below.)

      1. Set up an IdP (6.2 EE is ok), following this specific section
      2. Set up an SP following the above. Do not turn on "import from ldap" yet.
        • Checkpoint: Test an SP initiated login with the "test@liferay.com" user to verify that SAML works
      3. Connect LDAP to IdP
      4. Enable LDAP on IdP and log in with a couple of users / have them imported
      5. Disable LDAP on IdP (may not be required, but I did it, so specifying)
      6. Add the LDAP server to SP, but do not enable it!
      7. Set the Auth Search Filter to (|(mail=@email_address@)(cn=@screen_name@))
        1. note: depending on the used ldap server, the attribute names may differ.
      8. Set "Enable LDAP Import" for SAML on SP
      9. Try to log in via an SP initiated SSO with one of the users that are on the IdP side but not on the SP yet

      Expected result: Successful authentication with no error message.
      Actual result: The following exception is thrown:

      2018-02-07 14:41:44.325 ERROR [http-nio-7070-exec-2][BaseSamlStrutsAction:54] com.liferay.portal.kernel.exception.SystemException: Problem accessing LDAP server Invalid filter (|(mail=test-30@liferay.com)(cn=))
      com.liferay.portal.kernel.exception.SystemException: Problem accessing LDAP server Invalid filter (|(mail=test-30@liferay.com)(cn=))
      	at com.liferay.portal.security.ldap.internal.exportimport.LDAPUserImporterImpl.importUser(LDAPUserImporterImpl.java:244)
      	at com.liferay.portal.security.ldap.internal.exportimport.LDAPUserImporterImpl.importUser(LDAPUserImporterImpl.java:280)
      	at com.liferay.saml.opensaml.integration.internal.resolver.DefaultUserResolver.importLdapUser(DefaultUserResolver.java:330)
      	at com.liferay.saml.opensaml.integration.internal.resolver.DefaultUserResolver.resolveUser(DefaultUserResolver.java:96)
      	at com.liferay.saml.opensaml.integration.internal.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:629)
      	at com.liferay.saml.opensaml.integration.internal.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:169)
      	at com.liferay.saml.web.internal.portlet.action.AssertionConsumerServiceAction.doExecute(AssertionConsumerServiceAction.java:59)
      	at com.liferay.saml.web.internal.portlet.action.BaseSamlStrutsAction.execute(BaseSamlStrutsAction.java:51)
      	at com.liferay.portal.kernel.struts.BaseStrutsAction.execute(BaseStrutsAction.java:39)
      	at com.liferay.portal.struts.ActionAdapter.execute(ActionAdapter.java:50)
      	at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
      	at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
      	at com.liferay.portal.struts.PortalRequestProcessor.process(PortalRequestProcessor.java:170)
      	at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
      	at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
      	at com.liferay.portal.servlet.MainServlet.callParentService(MainServlet.java:608)
      	at com.liferay.portal.servlet.MainServlet.service(MainServlet.java:585)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:119)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
      	at com.liferay.frontend.compatibility.ie.servlet.filter.IEMimeTypeCompatibilityFilter.processFilter(IEMimeTypeCompatibilityFilter.java:48)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
      	at com.liferay.portal.servlet.filters.uploadservletrequest.UploadServletRequestFilter.processFilter(UploadServletRequestFilter.java:93)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
      	at com.liferay.portal.servlet.filters.strip.StripFilter.processFilter(StripFilter.java:343)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
      	at com.liferay.portal.servlet.filters.gzip.GZipFilter.processFilter(GZipFilter.java:125)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
      	at com.liferay.portal.servlet.filters.secure.SecureFilter.processFilter(SecureFilter.java:337)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
      	at com.liferay.portal.servlet.filters.jsoncontenttype.JSONContentTypeFilter.processFilter(JSONContentTypeFilter.java:42)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
      	at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:88)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
      	at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:263)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
      	at com.liferay.portal.monitoring.internal.servlet.filter.MonitoringFilter.processFilter(MonitoringFilter.java:181)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      	at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
      	at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
      	at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
      	at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394)
      	at com.liferay.portal.servlet.filters.urlrewrite.UrlRewriteFilter.processFilter(UrlRewriteFilter.java:65)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:100)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:748)

      Reproduction steps - SIMPLIFIED

      1. Connect Liferay to LDAP
      2. Mark LDAP authentication as Required
      3. Set the Auth Search Filter to (|(mail=@email_address@)(cn=))
        1. note: depending on the used ldap server, the attribute names may differ.
      4. Try to log in

      Expected result: Successful authentication with no error message.
      Actual result: Exception is similar to previously mentioned, complaining Invalid filter (|(mail=test-30@liferay.com)(cn=))

      Additional information: Search Filters are specified by RFC-4515, which contains such an example in Section 4 (the last one):

      This section gives a few examples of search filters written using
      this notation.
      
              (cn=Babs Jensen)
              (!(cn=Tim Howes))
              (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
              (o=univ*of*mich*)
              (seeAlso=)
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                sharry.shi Sharry Shi
                Reporter:
                istvan.sajtos Istvan Sajtos
                Participants of an Issue:
                Recent user:
                Csaba Turcsan
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  1 year, 20 weeks, 2 days ago

                  Packages

                  Version Package
                  7.0.0 DXP FP53
                  7.0.0 DXP SP9
                  7.0.X
                  7.1.0 Beta 3
                  7.1.X
                  Master