[jboss-jira] [JBoss JIRA] (SECURITY-758) AdvancedLdapLoginModule isn't mapping nested roles
RH Bugzilla Integration (JIRA)
jira-events at lists.jboss.org
Fri Nov 15 07:19:06 EST 2013
[ https://issues.jboss.org/browse/SECURITY-758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12923960#comment-12923960 ]
RH Bugzilla Integration commented on SECURITY-758:
--------------------------------------------------
Josef Cacek <jcacek at redhat.com> made a comment on [bug 1017974|https://bugzilla.redhat.com/show_bug.cgi?id=1017974]
Role recursion doesn't work when referrals are followed:
LM configuration:
<login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
  <module-option name="baseFilter" value="(uid={0})"/>
  <module-option name="java.naming.referral" value="follow"/>
  <module-option name="bindDN" value="uid=admin,ou=system"/>
  <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
  <module-option name="referralUserAttributeIDToCheck" value="member"/>
  <module-option name="roleNameAttributeID" value="cn"/>
  <module-option name="recurseRoles" value="true"/>
  <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
  <module-option name="java.naming.security.authentication" value="simple"/>
  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
  <module-option name="roleFilter" value="(|(objectClass=referral)(member={1}))"/>
  <module-option name="java.naming.provider.url" value="ldap://127.0.0.1:10389"/>
  <module-option name="bindCredential" value="secret"/>
  <module-option name="roleAttributeIsDN" value="true"/>
  <module-option name="roleAttributeID" value="description"/>
  <module-option name="throwValidateError" value="true"/>
</login-module>
# important entries in dc=jboss,dc=org:
dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: uidObject
objectclass: person
uid: jduke
cn: Java Duke
sn: Duke
userPassword: theduke

dn: ou=RefRoles,ou=Roles,dc=jboss,dc=org
objectClass: extensibleObject
objectClass: referral
objectClass: top
ou: RefRoles
ref: ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com

# important entries in dc=jboss,dc=com:
dn: ou=SharedRoles,dc=jboss,dc=com
objectclass: top
objectclass: organizationalUnit
ou: SharedRoles

dn: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
description: cn=Admin,ou=SharedRoles,dc=jboss,dc=com
member: uid=jduke,ou=People,dc=jboss,dc=org
########################
User jduke should get the Admin role assigned, but it doesn't work with AdvancedLdapLoginModule.
It works as expected when the LdapExtLoginModule is used.
> AdvancedLdapLoginModule isn't mapping nested roles
> ----------------------------------------------------------
>
> Key: SECURITY-758
> URL: https://issues.jboss.org/browse/SECURITY-758
> Project: PicketBox
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Negotiation
> Affects Versions: Negotiation_2_2_5
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: Negotiation_2_2_6
>
>
> The recursive role searching is currently broken, believed to be caused by the introduction of quotes for a previous role searching fix.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
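The role lookup the options in the report configure, as an added illustration that is not PicketBox or AdvancedLdapLoginModule code: a small Python model holding the report's entries in two in-memory directories (plus a constructed cn=Manager role nesting Admin, which is not on the page, so that recurseRoles has something to find) and walking them the way the options describe: the roleFilter is searched under rolesCtxDN with {1} replaced by the DN being resolved, the referral entry is chased into the second server as java.naming.referral=follow would, the role name is read from roleNameAttributeID of the entry named by roleAttributeID (a DN because roleAttributeIsDN is true), and that DN is resolved again when recurseRoles is on. The filter evaluator, the subtree search and the DN lookup are simplified models of JNDI/LDAP behaviour, not the real thing.

```python
"""Model of the configured role lookup (constructed illustration, not PicketBox code)."""

# Constructed copies of the report's entries, keyed by DN, attribute names lower-cased.
# cn=Manager is an extra constructed role that nests Admin; it is not on the page.
DIRECTORIES = {
    "ldap://127.0.0.1:10389": {  # dc=jboss,dc=org, the java.naming.provider.url server
        "uid=jduke,ou=People,dc=jboss,dc=org": {"uid": ["jduke"], "cn": ["Java Duke"]},
        "ou=RefRoles,ou=Roles,dc=jboss,dc=org": {
            "objectclass": ["extensibleObject", "referral", "top"],
            "ref": ["ldap://localhost:11389/ou=SharedRoles,dc=jboss,dc=com"],
        },
    },
    "ldap://localhost:11389": {  # dc=jboss,dc=com, the server the referral points at
        "ou=SharedRoles,dc=jboss,dc=com": {"objectclass": ["top", "organizationalUnit"]},
        "cn=Admin,ou=SharedRoles,dc=jboss,dc=com": {
            "objectclass": ["top", "groupOfNames"], "cn": ["Admin"],
            "description": ["cn=Admin,ou=SharedRoles,dc=jboss,dc=com"],
            "member": ["uid=jduke,ou=People,dc=jboss,dc=org"],
        },
        "cn=Manager,ou=SharedRoles,dc=jboss,dc=com": {  # constructed nested role
            "objectclass": ["top", "groupOfNames"], "cn": ["Manager"],
            "description": ["cn=Manager,ou=SharedRoles,dc=jboss,dc=com"],
            "member": ["cn=Admin,ou=SharedRoles,dc=jboss,dc=com"],
        },
    },
}

# The module options from the report that drive the role lookup.
CONFIG = {
    "url": "ldap://127.0.0.1:10389",
    "rolesCtxDN": "ou=Roles,dc=jboss,dc=org",
    "roleFilter": "(|(objectClass=referral)(member={1}))",
    "roleAttributeID": "description",
    "roleAttributeIsDN": True,
    "roleNameAttributeID": "cn",
    "recurseRoles": True,
}


def _split_top(s):
    """Split '(a=b)(c=d)' into its depth-0 components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry, filt):
    """Evaluate a subset of RFC 4515 filters: equality, '|' (OR) and '&' (AND)."""
    body = filt[1:-1]
    if body[0] in "|&":
        results = [matches(entry, sub) for sub in _split_top(body[1:])]
        return any(results) if body[0] == "|" else all(results)
    attr, _, value = body.partition("=")  # split at the first '=', values may contain '='
    return value in entry.get(attr.lower(), [])


def search(dirs, url, base_dn, filt):
    """Subtree search under base_dn on one server; a referral entry is chased into the
    other server with the same filter, as java.naming.referral=follow would do."""
    for dn, entry in dirs[url].items():
        if not (dn == base_dn or dn.endswith("," + base_dn)):
            continue
        if "referral" in entry.get("objectclass", []):
            for ref in entry["ref"]:
                server, _, ref_dn = ref.rpartition("/")
                yield from search(dirs, server, ref_dn, filt)
        elif matches(entry, filt):
            yield dn, entry


def lookup(dirs, dn):
    """Read one entry by DN; every known server is consulted (simplification)."""
    for entries in dirs.values():
        if dn in entries:
            return entries[dn]
    raise KeyError(dn)


def resolve_roles(user_dn, cfg=CONFIG, dirs=DIRECTORIES):
    """Return the role names the configured lookup assigns to user_dn, in discovery order."""
    roles, visited = [], set()

    def search_roles(dn):
        filt = cfg["roleFilter"].replace("{1}", dn)  # {1} is the DN being resolved
        for _role_entry_dn, entry in search(dirs, cfg["url"], cfg["rolesCtxDN"], filt):
            for value in entry.get(cfg["roleAttributeID"].lower(), []):
                if cfg["roleAttributeIsDN"]:  # value names the role entry; read its name
                    role_dn, name = value, lookup(dirs, value)[cfg["roleNameAttributeID"].lower()][0]
                else:
                    role_dn, name = None, value
                if name not in roles:
                    roles.append(name)
                if cfg["recurseRoles"] and role_dn and role_dn not in visited:
                    visited.add(role_dn)  # guard against role cycles (Admin's description names itself)
                    search_roles(role_dn)  # nested: roles that list this role as a member

    search_roles(user_dn)
    return roles


if __name__ == "__main__":
    print(resolve_roles("uid=jduke,ou=People,dc=jboss,dc=org"))  # ['Admin', 'Manager']
```

With the report's entries the model assigns jduke the Admin role through the referral, and the constructed Manager role through recursion; with recurseRoles set to false it stops at Admin. The same directory side can be checked by hand with OpenLDAP's ldapsearch run against the rolesCtxDN with referral chasing (`-C`) and the substituted roleFilter; if cn=Admin comes back there but the login module still assigns nothing, the directories are consistent and the defect lies in the module's role search, which is the conclusion the report reaches by comparing with LdapExtLoginModule.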