[JBoss JIRA] (ELY-756) Elytron ldap-realm does not support recursive role search

Thursday, 17 November 2016

    [
https://issues.jboss.org/browse/ELY-756?page=com.atlassian.jira.plugin.sy...
] 

Jan Kalina commented on ELY-756:
--------------------------------

Should be sufficient to just add attribute "recursive-depth" to the filtered
attribute. It would look like:
{code:xml}
<attribute recursive-depth="1" as-rdn="cn"
filter="(&amp;(objectClass=groupOfNames)(member={0}))"
filter-base-dn="ou=Roles,dc=jboss,dc=org" to="roles"/>
{code}
* Default value of "recursive-depth" woud be 0 = no recursion, only direct
groups
* Value 1 for R1,R2 as above.
Recursive group will be searched using the same filter-base-dn+filter, only into wildcard
will be passed DN of the group instead of user
* Or do you think standalone filter+base-dn for search of group of group can be useful?
(different "member" attribute for users and for another groups?)

...
 Elytron ldap-realm does not support recursive role search
 ---------------------------------------------------------

                 Key: ELY-756
                 URL: https://issues.jboss.org/browse/ELY-756
             Project: WildFly Elytron
          Issue Type: Bug
          Components: Realms
    Affects Versions: 1.1.0.Beta13
            Reporter: Ondrej Lukas
            Assignee: Jan Kalina
            Priority: Blocker

 Scenario:
 LDAP can include some roles which are members of other roles. I try to assigned also
these "nested roles" to user during authentication/authorization process. 
 In EAP 7.0 (with PicketBox) I am able to set configuration, which allows to assign these
roles to user. LdapExtLoginModule with module option {{roleRecursion}} serves for this. It
uses int value which determines how many levels should be searched and assigned to user. I
am not able to achieve this scenario with Elytron and its ldap-realm.
 Missing this feature in Elytron can lead to situation when migration from PicketBox to
Elytron will not be possible since LDAP structure for role assignment used by legacy
solution will not be able to work correctly with Elytron.  
 See example of LDIF for LDAP server:
 {code}
 dn: ou=People,dc=jboss,dc=org
 objectclass: top
 objectclass: organizationalUnit
 ou: People
 dn: uid=jduke,ou=People,dc=jboss,dc=org
 objectclass: top
 objectclass: person
 objectclass: inetOrgPerson
 uid: jduke
 cn: Java Duke
 sn: Duke
 userPassword: Password1
 dn: ou=Roles,dc=jboss,dc=org
 objectclass: top
 objectclass: organizationalUnit
 ou: Roles
 dn: cn=R1,ou=Roles,dc=jboss,dc=org
 objectclass: top
 objectclass: groupOfNames
 cn: R1
 member: uid=jduke,ou=People,dc=jboss,dc=org
 description: the R1 group
 dn: cn=R2,ou=Roles,dc=jboss,dc=org
 objectclass: top
 objectclass: groupOfNames
 cn: R2
 member: cn=R1,ou=Roles,dc=jboss,dc=org
 description: the R2 group
 dn: cn=R3,ou=Roles,dc=jboss,dc=org
 objectclass: top
 objectclass: groupOfNames
 cn: R3
 member: cn=R2,ou=Roles,dc=jboss,dc=org
 description: the R3 group
 {code}
 In Elytron I am able to assigned only {{R1}} role to user jduke. Legacy solution is able
to use for example {{roleRecursion=1}} which results to assign roles {{R1}} and {{R2}} to
user jduke. 

--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006