Dev - Nexus Repo / NEXUS-6888

ldap group membership cached for approximately 100 seconds

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.9.1
    • Fix Version/s: None
    • Component/s: LDAP
    • Labels: None

      Description

      Setup

      • Start Clean Nexus OSS 2.9.1-01
      • Configure ldap pointing to Apache DS ( see attached example config )
      • Add Nexus LDAP realm after Xml realms
      • Map External LDAP group ( dn: cn=developer,ou=groups,o=sonatype) with test0000 user as a member of that group in ldap.
        • Add Nexus Administrators group to role mapping and save. ( see example config )

      Test

      Perform an ldapsearch for that user's group membership to confirm that record is found.

      > ldapsearch -D 'uid=admin,ou=system' -w secret -x -h localhost -p 10389 -b "ou=groups,o=sonatype"  "(&(objectClass=groupOfUniqueNames)(&(cn=*)(uniqueMember=uid=test0000,ou=people,o=sonatype)))" dn
      # extended LDIF
      #
      # LDAPv3
      # base <ou=groups,o=sonatype> with scope subtree
      # filter: (&(objectClass=groupOfUniqueNames)(&(cn=*)(uniqueMember=uid=test0000,ou=people,o=sonatype)))
      # requesting: dn 
      #
      
      # developer, groups, sonatype
      dn: cn=developer,ou=groups,o=sonatype
      
      # search result
      search: 2
      result: 0 Success
      
      # numResponses: 2
      # numEntries: 1
      

      Request a file as that user and confirm access succeeds in Nexus:

      > curl -u test0000:admin123 http://localhost:8081/nexus/content/repositories/central/abbot/abbot/0.12.3/abbot-0.12.3.pom -4 -I
      HTTP/1.1 200 OK
      Date: Wed, 24 Sep 2014 23:18:23 GMT
      Server: Nexus/2.9.1-02
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Set-Cookie: rememberMe=deleteMe; Path=/nexus; Max-Age=0; Expires=Tue, 23-Sep-2014 23:18:23 GMT
      Accept-Ranges: bytes
      ETag: "{SHA1{0b487115164f6fd8662855e3e8d60c2c9e3892f5}}"
      Content-Type: application/xml
      Last-Modified: Tue, 08 Nov 2005 22:07:44 GMT
      Content-Length: 166
      

      Now in ApacheDS edit the LDAP group entry. Find the member attribute entry in this group that contains the user dn value. Edit the value, changing it to a non-existent user dn, for example uid=test0000x,ou=people,o=sonatype.

      Confirm in the modifications logs that your edits are saved by Apache DS:

      #!RESULT OK
      #!CONNECTION ldap://localhost:10389
      #!DATE 2014-09-24T23:14:04.435
      dn: cn=developer,ou=groups,o=sonatype
      changetype: modify
      delete: uniqueMember
      uniqueMember: uid=test0000,ou=people,o=sonatype
      -
      add: uniqueMember
      uniqueMember: uid=test0000x,ou=people,o=sonatype
      -
      

      Now verify with ldapsearch also that your changes are persisted in Apache DS:

      > ldapsearch -D 'uid=admin,ou=system' -w secret -x -h localhost -p 10389 -b "ou=groups,o=sonatype"  "(&(objectClass=groupOfUniqueNames)(&(cn=*)(uniqueMember=uid=test0000,ou=people,o=sonatype)))" dn
      # extended LDIF
      #
      # LDAPv3
      # base <ou=groups,o=sonatype> with scope subtree
      # filter: (&(objectClass=groupOfUniqueNames)(&(cn=*)(uniqueMember=uid=test0000,ou=people,o=sonatype)))
      # requesting: dn 
      #
      
      # search result
      search: 2
      result: 0 Success
      
      # numResponses: 1
      

      Now, within 100 seconds of this change, request the file again using curl. PROBLEM: the request still returns 200 OK instead of 403.

      > curl -u test0000:admin123 http://localhost:8081/nexus/content/repositories/central/abbot/abbot/0.12.3/abbot-0.12.3.pom -4 -I
      HTTP/1.1 200 OK
      Date: Wed, 24 Sep 2014 23:26:27 GMT
      Server: Nexus/2.9.1-02
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Set-Cookie: rememberMe=deleteMe; Path=/nexus; Max-Age=0; Expires=Tue, 23-Sep-2014 23:26:27 GMT
      Accept-Ranges: bytes
      ETag: "{SHA1{0b487115164f6fd8662855e3e8d60c2c9e3892f5}}"
      Content-Type: application/xml
      Last-Modified: Tue, 08 Nov 2005 22:07:44 GMT
      Content-Length: 166
      

      Now wait around 100 seconds; eventually the request returns 403 as expected:

      > curl -u test0000:admin123 http://localhost:8081/nexus/content/repositories/central/abbot/abbot/0.12.3/abbot-0.12.3.pom -4 -I
      HTTP/1.1 403 Forbidden
      Date: Wed, 24 Sep 2014 23:28:11 GMT
      Set-Cookie: rememberMe=deleteMe; Path=/nexus; Max-Age=0; Expires=Tue, 23-Sep-2014 23:28:12 GMT
      Server: Nexus/2.9.1-02
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Pragma: no-cache
      Cache-Control: post-check=0, pre-check=0
      Expires: 0
      Content-Type: text/html
      Transfer-Encoding: chunked
      

      Expected: since Nexus OSS is not supposed to cache authorization, changes in LDAP should be reflected without delay.
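      To make the reported behaviour measurable, here is an added illustration of one plausible mechanism behind it. It is not Nexus code; it assumes a per-user time-to-live cache of directory group lookups in front of the authorization check, with the TTL of 100 seconds, the Directory and CachingAuthorizer classes, the FakeClock and the user and group DNs all constructed for this example (the DNs are the ones from the report). It replays the report's sequence (authorize, modify the group in the directory, authorize again) and returns how long the cached answer stays "allowed" after the directory no longer lists the user, and shows that explicit invalidation on change closes that window.

```python
"""
Model of a TTL-cached group-membership lookup in front of a directory.

Added illustration, not Nexus or any library's code: the directory is a dict,
the cache is a per-user TTL map, and the clock is injected so the stale
authorization window can be measured without actually waiting 100 seconds.
"""
import time

CACHE_TTL_SECONDS = 100.0  # assumed TTL, chosen to match the ~100 s observed in the report


class Directory:
    """Stand-in for the LDAP server: group DN -> set of member DNs (constructed data)."""

    def __init__(self, groups):
        self.groups = {dn: set(members) for dn, members in groups.items()}

    def groups_of(self, user_dn):
        """Equivalent of the report's ldapsearch: which groups list this member right now?"""
        return {dn for dn, members in self.groups.items() if user_dn in members}

    def replace_member(self, group_dn, old_dn, new_dn):
        """Equivalent of the LDIF modify: delete one uniqueMember value, add another."""
        self.groups[group_dn].discard(old_dn)
        self.groups[group_dn].add(new_dn)


class CachingAuthorizer:
    """Authorizer that remembers each user's groups for `ttl` seconds (assumed design)."""

    def __init__(self, directory, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self.directory = directory
        self.ttl = ttl
        self.clock = clock
        self._cache = {}  # user_dn -> (expires_at, frozenset of group DNs)
        self.lookups = 0  # how often the directory was actually consulted

    def groups_of(self, user_dn):
        now = self.clock()
        entry = self._cache.get(user_dn)
        if entry is not None and now < entry[0]:
            return entry[1]  # served from cache: may be stale until expires_at
        groups = frozenset(self.directory.groups_of(user_dn))
        self.lookups += 1
        self._cache[user_dn] = (now + self.ttl, groups)
        return groups

    def is_authorized(self, user_dn, required_group_dn):
        return required_group_dn in self.groups_of(user_dn)

    def invalidate(self, user_dn=None):
        """Drop one user's cached groups (or all of them) after a directory change."""
        if user_dn is None:
            self._cache.clear()
        else:
            self._cache.pop(user_dn, None)


class FakeClock:
    """Injected clock so the example runs instantly and deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


USER = "uid=test0000,ou=people,o=sonatype"
GROUP = "cn=developer,ou=groups,o=sonatype"
REPLACEMENT = "uid=test0000x,ou=people,o=sonatype"  # the non-existent DN used in the report


def stale_window_seconds(ttl=CACHE_TTL_SECONDS, step=1.0):
    """Replay the report's sequence; return how many seconds after the LDAP change
    the cached authorizer kept answering 'allowed' (the window of stale authorization)."""
    clock = FakeClock()
    directory = Directory({GROUP: [USER]})
    authz = CachingAuthorizer(directory, ttl=ttl, clock=clock)

    assert authz.is_authorized(USER, GROUP)  # first request: allowed, and now cached
    directory.replace_member(GROUP, USER, REPLACEMENT)
    assert not directory.groups_of(USER)  # the directory itself no longer lists the user

    elapsed = 0.0
    while authz.is_authorized(USER, GROUP):  # still 'allowed' purely from the cache
        clock.advance(step)
        elapsed += step
    return elapsed


def stale_window_with_invalidation(ttl=CACHE_TTL_SECONDS):
    """Same sequence, but the authorizer is told about the change: window shrinks to 0."""
    clock = FakeClock()
    directory = Directory({GROUP: [USER]})
    authz = CachingAuthorizer(directory, ttl=ttl, clock=clock)
    assert authz.is_authorized(USER, GROUP)
    directory.replace_member(GROUP, USER, REPLACEMENT)
    authz.invalidate(USER)
    return 0.0 if not authz.is_authorized(USER, GROUP) else float("inf")


if __name__ == "__main__":
    print(f"stale authorization window: {stale_window_seconds():.0f} s")
    print(f"with explicit invalidation: {stale_window_with_invalidation():.0f} s")
```

      The model makes the risk concrete: with a TTL cache, a membership removed in the directory keeps authorizing requests for up to the full TTL, which is exactly the 200-then-403 sequence in the report. The two ways to shrink that window are a shorter (or zero) TTL, as the "Expected" line above asks for, or invalidating the cached entry when the directory changes; the second function shows the latter.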

        Attachments

        1. 2014-09-24_2034_apacheds.png (381 kB, Peter Lynch)
        2. ldap.xml (1 kB, Peter Lynch)
        3. logback-overrides.xml (0.3 kB, Peter Lynch)
        4. security.xml (2 kB, Peter Lynch)
        5. security-configuration.xml (0.4 kB, Peter Lynch)

            People

            Assignee: Unassigned
            Reporter: plynch Peter Lynch
            Last Updated By: Peter Lynch
            Votes: 1
            Watchers: 2
