Boleslaw Dawidowicz commented on JBPORTAL-2282:
-----------------------------------------------
Thanks, this also should help for performance a bit.
LDAP Role Retrieval Fails When Role Stored in Operational Attribute
(LDAPStaticRoleMembershipModuleImpl)
--------------------------------------------------------------------------------------------------------
Key: JBPORTAL-2282
URL: https://jira.jboss.org/jira/browse/JBPORTAL-2282
Project: JBoss Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Portal Identity
Affects Versions: 2.6.7 Final, 2.7.0 Final, 2.7.2 Final
Environment: Linux Kernel 2.6.9
JDK 1.6u11
JBoss Portal 2.7.2
JBoss AS 4.2.3GA (bundled with Portal)
OpenSSO 8
SunDS 6.3 (with OpenSSO schema)
Reporter: Greg Wittel
Assignee: Boleslaw Dawidowicz
I was working on OpenSSO integration / getting LDAP Roles working (i.e. role stored in
LDAP User Attribute) and found a bug that causes the role retrieval to not work with
certain LDAP directory structures.
The module org.jboss.portal.identity.ldap.LDAPStaticRoleMembershipModuleImpl has a bug
where it only retrieves regular attributes and not those defined as "Operational
Attributes" by javax.naming.directory.DirContext. This means that in cases where
the 'memberOfAttributeId' is stored in an operational attribute, the role will
never be retrieved, and getRoles() incorrectly returns an empty role list. An example of
an attribute that is treated as operational is: nsRoleDN. nsRoleDN is used by OpenSSO as
the default attribute under which user roles are stored.
The problem section:
See: Rev 9064 LDAPStaticRoleMembershipModuleImpl.java
(http://fisheye.jboss.org/browse/Portal/modules/identity/trunk/identity/sr...)
101    Attributes attrs = ldapContext.getAttributes(ldapUser.getDn());
102
103    //log.debug("User attributes: " + attrs);
104    if (attrs == null)
105    {
106       throw new IdentityException("Cannot find User with DN: " + ldapUser.getDn());
107    }
108
109    Attribute memberOfAttribute = attrs.get(getMemberAttributeID());
110
111    //if there are no members
112    if (memberOfAttribute == null)
On line 101, the getAttributes() function only returns regular attributes and not
operational attributes. It will only return operational attributes when you request them
by name. In the case where the role is stored in an operational attribute, line 109 will
return null, resulting in an empty role hash being returned.
Since an empty Role hash is returned unless MemberAttributeID is set, it makes sense to
request the role attribute directly, rather than indirectly. You can do this via changing
the ldapContext.getAttributes line:
String[] memberAttrs = { getMemberAttributeID() };
Attributes attrs = ldapContext.getAttributes(ldapUser.getDn(), memberAttrs);
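The same by-name lookup written out as a stand-alone JNDI helper, added here as an illustration rather than taken from the JBoss Portal source: it requests the configured membership attribute explicitly (so operational attributes such as nsRoleDN come back), treats a missing entry and a missing attribute as two different outcomes, and walks every value of a multi-valued attribute. The class name, method name and the LdapMemberOfReader/readMemberOf identifiers are assumptions for this example.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;

/**
 * Example helper (not part of JBoss Portal): read a user's role membership
 * values, requesting the attribute by name so that operational attributes
 * (e.g. nsRoleDN in SunDS/OpenSSO) are returned by the directory.
 */
public final class LdapMemberOfReader {

    private LdapMemberOfReader() {}

    public static Set<String> readMemberOf(DirContext ctx, String userDn, String memberAttrId)
            throws NamingException {
        if (memberAttrId == null || memberAttrId.trim().isEmpty()) {
            // Without a configured attribute id there is nothing to request by name.
            throw new IllegalArgumentException("memberAttributeID must be configured");
        }
        // Requesting the attribute explicitly is what makes the server include it
        // even when it is operational; getAttributes(dn) alone would omit it.
        String[] wanted = { memberAttrId };
        Attributes attrs = ctx.getAttributes(userDn, wanted);
        if (attrs == null) {
            // Entry itself could not be read: distinct from "entry has no roles".
            throw new NamingException("Cannot find user with DN: " + userDn);
        }
        Set<String> roleDns = new LinkedHashSet<String>();
        Attribute memberOf = attrs.get(memberAttrId);
        if (memberOf == null) {
            return roleDns; // entry exists but carries no membership values
        }
        NamingEnumeration<?> values = memberOf.getAll();
        try {
            while (values.hasMore()) {
                Object v = values.next();
                if (v != null) {
                    roleDns.add(v.toString());
                }
            }
        } finally {
            values.close();
        }
        return roleDns;
    }
}
```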