[security-dev] Adding a new child group to a parent group that has no children before

Ehsan Zaery Moghaddam zaerymoghaddam at gmail.com
Tue Sep 15 03:53:52 EDT 2015


Hi guys

I'm trying to use the picketlink on top of LDAP server using the following
configuration:

public void observeIdentityConfigurationEvent(@Observes IdentityConfigurationEvent event) {
    IdentityConfigurationBuilder builder = event.getConfig();

    builder.named("default")
        .stores()
            .ldap()
                .baseDN("dc=moghaddam,dc=com")
                .bindDN("cn=Directory Manager")
                .bindCredential("111")
                .url("ldap://localhost:389")
                .supportCredentials(true)
                .mapping(User.class)
                    .baseDN("ou=Users,dc=moghaddam,dc=com")
                    .objectClasses("inetOrgPerson")
                    .attribute("firstName", "givenName")
                    .attribute("lastName", "sn")
                    .attribute("email", "mail")
                    .attribute("loginName", "cn", true)
                    .attribute("employeeNumber", "employeeNumber")
                .mapping(Group.class)
                    .hierarchySearchDepth(4)
                    .baseDN("ou=Groups,dc=moghaddam,dc=com")
                    .objectClasses("gamGroup")
                    .attribute("name", "name", true)
                    .parentMembershipAttributeName("member")
                .mapping(GroupMembership.class)
                    .forMapping(Group.class)
                    .attribute("member", "member")
        .build();
}

What I want to do is to create a new Group as a child of a parent Group
object:

Group parentGroup = BasicModel.getGroup(identityManager, "/Group 1");
Group group = new Group("Child Group", parentGroup);
identityManager.add(group);

If the "/Group 1" has at least one "member" in LDAP, everything works fine. But if it has no members at all, when PicketLink's LDAPIdentityStore.addToParentAsMember
(https://github.com/picketlink/picketlink/blob/master/modules/idm/impl/src/main/java/org/picketlink/idm/ldap/internal/LDAPIdentityStore.java#L1008)
tries to load it from the LDAP server, there would be no Attribute object named "member" in its attributes list. So when it tries to call the add method of the retrieved attribute, a NullPointerException would be thrown.

I'm not sure whether this is intentional (meaning a group should always have at least one member) or just a bug, so I decided to ask here first and haven't created an issue in JIRA yet. If it's a bug, there should be a check against null before adding the new child, and if the member attribute is null, we have to first add the "member" attribute to the parent object and then try to add the new child to it.

Regards
Ehsan
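As an added illustration (not PicketLink's code and not from the thread), here is what the null-tolerant version of the step described above looks like when written directly against JNDI. The method name addToParentAsMember is borrowed from the mail; its signature, the helper class and the connect() wiring are assumptions, and the connection values are the ones from the configuration quoted above.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical helper mirroring the defensive behaviour proposed in the mail. */
public final class ParentMembership {

    private static final String MEMBER = "member";

    /**
     * Adds childDn as a value of parentDn's "member" attribute.
     * Returns true if the directory was modified, false if childDn was already a member.
     * A parent that has no "member" attribute at all is handled instead of dereferenced.
     */
    public static boolean addToParentAsMember(DirContext ctx, String parentDn, String childDn)
            throws NamingException {
        // Request only "member"; a group with no members returns no such Attribute at all.
        Attributes parentAttrs = ctx.getAttributes(parentDn, new String[] { MEMBER });
        Attribute member = parentAttrs.get(MEMBER);          // legitimately null for an empty group

        // The null check is the point: calling member.add(...) here is the NPE from the mail.
        if (member != null && member.contains(childDn)) {
            return false;                                    // already a member; stay idempotent
        }

        // ADD_ATTRIBUTE creates the attribute when it is missing and appends the value otherwise,
        // so one modification covers both the empty and the populated parent.
        Attributes mods = new BasicAttributes(true);         // ignoreCase: LDAP attribute names are case-insensitive
        mods.put(new BasicAttribute(MEMBER, childDn));
        ctx.modifyAttributes(parentDn, DirContext.ADD_ATTRIBUTE, mods);
        return true;
    }

    /** Simple-bind connection using the URL and bind DN from the configuration above (assumed wiring). */
    public static DirContext connect(String bindPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=Directory Manager");
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);  // read from configuration, not hard-coded
        return new InitialDirContext(env);
    }
}
```

The modification only succeeds if the group's object class (gamGroup in the configuration above) allows the "member" attribute in the server's schema; otherwise the server rejects the add with an object class violation rather than a client-side exception.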