Darran Lofthouse resolved WFCORE-2146.
--------------------------------------
Assignee: Darran Lofthouse
Resolution: Won't Do
Marked as 'Won't Do' as security realms are deprecated so we will not be
adding any future enhancements.
Security-Realm Authorization over LDAP doesn't permit multiple
Attribute names as filter.
-------------------------------------------------------------------------------------------
Key: WFCORE-2146
URL: https://issues.jboss.org/browse/WFCORE-2146
Project: WildFly Core
Issue Type: Feature Request
Components: Security
Environment: CentOS release 6.8 (Final)
JBoss Admin Command-line Interface
JBOSS_HOME: /opt/wildfly/10.1.0
JBoss AS release: 2.2.0.Final "Kenny"
JBoss AS product: WildFly Full 10.1.0.Final
JAVA_HOME: null
java.version: 1.8.0_40
java.vm.vendor: Oracle Corporation
java.vm.version: 25.40-b25
os.name: Linux
os.version: 4.6.3-1.el6.elrepo.x86_64
Reporter: Daniel Draper
Assignee: Darran Lofthouse
Priority: Major
When hooking up our Wildfly Application to our SSO (CAS) for authentication and
delegating Authorization to a Security Realm and then using LDAP we ran into the following
problem:
*Use Case*
We want to use authorization inside a Security-Realm through LDAP.
In our LDAP setup we have a Group-To-Principal matching of the form
"_member=uid=x" OR "submember=uid=x_", depending on whether the user was
added manually or through an autodomain.
Unfortunately, as far as we could tell, using two attributes in the Polish Notation (as is
required by [LDAP|https://ldapwiki.com/wiki/LDAP%20filters%20Syntax%20and%20Choices])
seems to be impossible for the wildfly configuration. We tried the following in the
standalone-accounting.xml (in different iterations and ways to place the parentheses),
which all led to an 'unbalanced Parenthesis' or similar error when starting up
wildfly.
{code:xml}
<management>
    <security-realms>
        <security-realm name="bla">
            <authorization>
                <ldap connection="ldap">
                    <username-to-dn>
                        <username-is-dn/>
                    </username-to-dn>
                    <group-search group-name="SIMPLE" iterative="false"
                                  group-dn-attribute="cn" group-name-attribute="cn">
                        <group-to-principal search-by="SIMPLE"
                                            base-dn="ou=roles,***" recursive="false">
                            <membership-filter
                                principal-attribute="|(submember=uid={0})(member=uid={0})"/>
                        </group-to-principal>
                    </group-search>
                </ldap>
            </authorization>
        </security-realm>
    </security-realms>
</management>
{code}
We then found the filterString is parsed the following way (see
[LdapGroupSearcherFactory#L115|https://github.com/wildfly/wildfly-core/blo...]):
{code:java}
this.filterString = String.format("(%s={0})", principalAttribute);
{code}
which seems to make multiple attribute names as a filter impossible, and so makes our use
case above impossible.
Asked in the [Forums|https://developer.jboss.org/thread/273435], but since I didn't get
any answers for 3 weeks I am opening it here.
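The following is an added example, not code from the issue or from WildFly Core. It models the one-line wrapping quoted above ("(%s={0})" around the configured principal-attribute value) and checks the assembled string against the RFC 4515 filter grammar with a small recursive-descent parser. The parser is a minimal model written for this example, not the parser WildFly or its LDAP library uses, and the issue itself does not say at which stage the reporter's error is raised. The principal value "uid=alice" and the "*" probe are constructed. The example also goes one step beyond the issue: substitute_principal() applies RFC 4515 escaping to the spliced-in principal, which is what keeps a principal containing "*", "(" or ")" from changing the filter's structure or turning the equality test into a match-everything presence test.

```python
"""Added example: how a "(<attribute>={0})" membership filter is assembled,
and whether the result is a syntactically valid RFC 4515 LDAP filter.
Not WildFly code; the grammar below is a deliberately minimal model."""

PLACEHOLDER = "{0}"


def build_membership_filter(principal_attribute: str) -> str:
    """Same wrapping as the quoted Java one-liner: "(" + value + "={0})"."""
    return "(%s=%s)" % (principal_attribute, PLACEHOLDER)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter: '\\', '*', '(',
    ')' and NUL become backslash + two hex digits, so they stay literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def substitute_principal(template: str, principal: str, escape: bool = True) -> str:
    """Replace the {0} placeholder with the principal (escaped by default;
    escape=False is only here to show what an unescaped value does)."""
    value = escape_filter_value(principal) if escape else principal
    return template.replace(PLACEHOLDER, value)


class _Parser:
    """Minimal RFC 4515 grammar:
         filter     = "(" filtercomp ")"
         filtercomp = "&" filterlist / "|" filterlist / "!" filter / item
         item       = attr ( "=" / "~=" / ">=" / "<=" ) value
    Substring and presence forms are folded into 'value'."""

    def __init__(self, text: str):
        self.s, self.i = text, 0

    def parse(self) -> bool:
        try:
            self._filter()
        except ValueError:
            return False
        return self.i == len(self.s)  # reject trailing text such as ")" or "=x)"

    def _expect(self, ch: str) -> None:
        if self.i >= len(self.s) or self.s[self.i] != ch:
            raise ValueError("expected %r at offset %d" % (ch, self.i))
        self.i += 1

    def _filter(self) -> None:
        self._expect("(")
        if self.i < len(self.s) and self.s[self.i] in "&|":
            self.i += 1
            if self.s[self.i:self.i + 1] != "(":
                raise ValueError("filterlist needs at least one filter")
            while self.i < len(self.s) and self.s[self.i] == "(":
                self._filter()
        elif self.i < len(self.s) and self.s[self.i] == "!":
            self.i += 1
            self._filter()
        else:
            self._item()
        self._expect(")")

    def _item(self) -> None:
        start = self.i
        while self.i < len(self.s) and self.s[self.i] not in "=()":
            self.i += 1
        if not self.s[start:self.i].rstrip("~<>"):
            raise ValueError("missing attribute description")
        self._expect("=")
        while self.i < len(self.s) and self.s[self.i] != ")":  # value may contain '='
            if self.s[self.i] == "(":
                raise ValueError("unescaped '(' inside a value")
            self.i += 1


def is_valid_filter(filter_string: str) -> bool:
    return _Parser(filter_string).parse()


if __name__ == "__main__":
    # Constructed inputs: the issue's single-attribute case, its OR value, and a "*" probe.
    for attribute in ("member", "|(submember=uid={0})(member=uid={0})"):
        built = substitute_principal(build_membership_filter(attribute), "uid=alice")
        print("%-55s valid=%s" % (built, is_valid_filter(built)))
    hand_written = "(|(submember=uid=alice)(member=uid=alice))"
    print("%-55s valid=%s" % (hand_written, is_valid_filter(hand_written)))
    for escape in (True, False):
        print("escape=%-5s %s" % (escape, substitute_principal("(member={0})", "*", escape)))
```

Running it shows that "(member=uid=alice)" and the hand-written OR filter are both valid, while the wrapped OR value becomes "(|(submember=uid=alice)(member=uid=alice)=uid=alice)", which fails because "=uid=alice" follows the filter list where only ")" may appear. The last two lines show "(member=\2a)" versus "(member=*)": the escaped form still tests for a literal value, the unescaped one is a presence test that matches every group with a member attribute.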