Negotiate auth handler LDAP integration goes in infinite loop when AD groups have circular relationship on Linux #38769

@macsux

Description

When using the Negotiate authentication provider on Linux with LDAP integration for group resolution enabled, the application freezes if the principal belongs to groups that have a circular relationship.

Example: User belongs to AD Group A. Group A is a member of Group B. Group B is also a member of Group A.

These kinds of relationships are valid in AD, but the recursion logic built into the Negotiate provider's LDAP integration does not handle circular group relationships, causing infinite recursive resolution.

Relevant code.

To Reproduce

  1. Create two AD groups.
  2. Add each group as a member of the other (circular).
  3. Assign one of the groups to an AD user.
  4. Enable LDAP integration for the Negotiate authentication middleware.
  5. Run under Linux.
  6. Attempt to authenticate the user.

Further technical details

  • ASP.NET Core version: 5.0 (though 6.0 should also be affected, as the code is the same)
  • JetBrains Rider, Windows 10 with WSL2 Ubuntu
  • Output of dotnet --info:
.NET SDK (reflecting any global.json):
 Version:   6.0.100
 Commit:    9e8b04bbff

Runtime Environment:
 OS Name:     ubuntu
 OS Version:  20.04
 OS Platform: Linux
 RID:         ubuntu.20.04-x64
 Base Path:   /usr/share/dotnet/sdk/6.0.100/

Host (useful for support):
  Version: 6.0.0
  Commit:  4822e3c3aa

.NET SDKs installed:
  5.0.402 [/usr/share/dotnet/sdk]
  6.0.100 [/usr/share/dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 5.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 6.0.0-rc.2.21480.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 6.0.0 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 5.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 6.0.0 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

Proposed fix

I have an alternate Negotiate adapter as part of my own project that does LDAP resolution properly. The logic can be seen here.

I would be happy to build and submit a PR for this issue once this is confirmed and the proposed solution is accepted.
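The membership cycle described in the issue (Group A is a member of Group B, which is a member of Group A) only hangs a resolver that follows memberOf edges without remembering which groups it has already expanded. The following is an added example, not code from the issue, from the reporter's project, or from ASP.NET Core: a transitive group resolver that records every group it has visited, so a cycle edge is skipped rather than re-entered, and that walks the graph iteratively instead of recursing, so a long chain cannot exhaust the stack either. The in-memory directory and all distinguished names are constructed for the demonstration; a real adapter would supply the `memberOf` lookup from LDAP instead.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed stand-in for the directory: DN -> values of its memberOf attribute.
// GroupA and GroupB reference each other, reproducing the cycle from the issue.
static class FakeDirectory
{
    public static readonly Dictionary<string, string[]> MemberOf =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["CN=alice,OU=Users,DC=example,DC=test"]  = new[] { "CN=GroupA,OU=Groups,DC=example,DC=test" },
            ["CN=GroupA,OU=Groups,DC=example,DC=test"] = new[] { "CN=GroupB,OU=Groups,DC=example,DC=test" },
            ["CN=GroupB,OU=Groups,DC=example,DC=test"] = new[]
            {
                "CN=GroupA,OU=Groups,DC=example,DC=test", // back edge: the cycle
                "CN=GroupC,OU=Groups,DC=example,DC=test",
            },
            ["CN=GroupC,OU=Groups,DC=example,DC=test"] = Array.Empty<string>(),
        };

    // Lookup shaped like what an LDAP adapter would return for one entry's memberOf.
    public static IEnumerable<string> LookupMemberOf(string dn) =>
        MemberOf.TryGetValue(dn, out var groups) ? groups : Array.Empty<string>();
}

static class GroupResolver
{
    // Resolves every group the principal belongs to, directly or transitively.
    // The visited set is what makes this terminate on circular memberships:
    // HashSet.Add returns false for a group that has already been queued, so the
    // back edge GroupB -> GroupA is simply not followed a second time.
    // maxDepth is an extra guard so a pathologically deep chain fails loudly
    // instead of running for a very long time.
    public static ISet<string> Resolve(
        string principalDn,
        Func<string, IEnumerable<string>> memberOf,
        int maxDepth = 64)
    {
        var visited = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var pending = new Stack<(string Dn, int Depth)>();
        pending.Push((principalDn, 0));

        while (pending.Count > 0)
        {
            var (dn, depth) = pending.Pop();
            if (depth > maxDepth)
                throw new InvalidOperationException(
                    $"Group nesting deeper than {maxDepth} while resolving {principalDn}");

            foreach (var group in memberOf(dn))
            {
                // Only expand a group the first time it is seen.
                if (visited.Add(group))
                    pending.Push((group, depth + 1));
            }
        }
        return visited;
    }
}

class Program
{
    static void Main()
    {
        var groups = GroupResolver.Resolve(
            "CN=alice,OU=Users,DC=example,DC=test",
            FakeDirectory.LookupMemberOf);

        // Terminates and lists GroupA, GroupB and GroupC exactly once each.
        foreach (var g in groups.OrderBy(g => g, StringComparer.OrdinalIgnoreCase))
            Console.WriteLine(g);
    }
}
```

Each group is queried against the directory once, so besides fixing the hang this also bounds the number of LDAP round trips per authentication to the number of distinct groups, which matters on a login path that runs for every request.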

Labels: area-auth