Kamesh Sampath created ISPN-7712:
------------------------------------
Summary: LDAP Authorization Common RoleName Mapper Case Insensitive CN extraction
Key: ISPN-7712
URL: https://issues.jboss.org/browse/ISPN-7712
Project: Infinispan
Issue Type: Bug
Components: Security
Reporter: Kamesh Sampath
Priority: Critical
Attachments: example.com.ldif, jdg-security-demo.tar.gz, ldap_cluster_notworking.xml, ldap_cluster_workaround.xml
When enabling security in Infinispan with an LDAP backend and using `common-name-role-mapper` for authorisation, the role extraction fails to extract the role name when the role name attribute, e.g. "cn", is used instead of "CN" in the distinguished name.
It was identified that `org.infinispan.security.impl.CommonRoleMapper` uses a case-sensitive search and extracts roles only when the DN is like "CN=Developers,ou=Groups,dc=example,dc=com".
The current workaround is to use an LDAP authorization like
{code:xml}
<group-search group-name="SIMPLE" iterative="true"
              group-dn-attribute="dn" group-name-attribute="cn">
    <group-to-principal search-by="DISTINGUISHED_NAME"
                        base-dn="ou=Groups,dc=example,dc=com">
        <membership-filter principal-attribute="uniqueMember"/>
    </group-to-principal>
</group-search>
{code}
and define the cache-container authorisation like
{code:xml}
<security>
    <authorization>
        <!-- This does not work as the role extraction uses case-sensitive
             extraction of cn -->
        <!-- <common-name-role-mapper/> -->
        <identity-role-mapper/>
        <role name="ClusterAdmins" permissions="ALL"/>
        <role name="Developers" permissions="WRITE"/>
        <role name="Business" permissions="READ"/>
        <role name="Managers" permissions="ALL_READ ALL_WRITE"/>
    </authorization>
</security>
{code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
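The behaviour reported above, shown side by side with a case-insensitive alternative, as an added standalone example that is not Infinispan's code and not part of the original issue. The naive method reproduces the described symptom (only a literal leading "CN=" is recognised); the second method parses the DN with the JDK's `javax.naming.ldap.LdapName`, where attribute types are matched case-insensitively as RFC 4514 requires. The class name `CnRoleExtraction`, both method names and the sample DNs are assumptions made for this example; wiring the parsed method into an Infinispan role mapper is left out.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example (not Infinispan code): role-name extraction from a principal's
 * distinguished name done two ways, so the failure described in this issue and
 * a case-insensitive alternative can be compared on the same inputs.
 */
public final class CnRoleExtraction {

    /** Naive extraction: the behaviour the report describes. Only a leading,
     *  literal "CN=" is recognised, so "cn=Developers,..." yields no role at all. */
    static Set<String> naiveCn(String dn) {
        if (dn.startsWith("CN=")) {
            int comma = dn.indexOf(',');
            String value = comma < 0 ? dn.substring(3) : dn.substring(3, comma);
            return Collections.singleton(value);
        }
        return Collections.emptySet();
    }

    /** Case-insensitive extraction: parse the DN per RFC 4514 with LdapName.
     *  Attribute types are case-insensitive, so "cn", "CN" and "Cn" all match;
     *  escaped characters in values are decoded by the parser; every cn RDN in
     *  the DN is returned, in the order it appears. */
    static Set<String> parsedCn(String dn) {
        Set<String> roles = new LinkedHashSet<>();
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("cn".equalsIgnoreCase(rdn.getType())) {
                    roles.add(String.valueOf(rdn.getValue()));
                }
            }
        } catch (InvalidNameException e) {
            // Not a DN at all (e.g. a bare group name): no role is inferred.
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample DNs; the second uses the lowercase "cn" from the report.
        String[] samples = {
            "CN=Developers,ou=Groups,dc=example,dc=com",
            "cn=Developers,ou=Groups,dc=example,dc=com",
            "Cn=Managers,CN=Business,ou=Groups,dc=example,dc=com",
            "cn=Smith\\, John,ou=People,dc=example,dc=com",
            "Developers"
        };
        for (String dn : samples) {
            System.out.printf("%-55s naive=%-14s parsed=%s%n",
                              dn, naiveCn(dn), parsedCn(dn));
        }
    }
}
```

The practical check before trusting any mapper is to look at the DNs the directory actually returns for the group-search entries (the `example.com.ldif` attachment is the place to start): a mapper that matches on a fixed-case prefix silently returns no roles, which fails closed for the cache but makes the authorization configuration look broken rather than reporting a mismatch.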