]
Jan Kalina edited comment on WFLY-7437 at 11/15/16 9:39 AM:
------------------------------------------------------------
The second problem reported as problem of CLI: WFCORE-1992
was (Author: honza889):
The second problem reported as problem of CLI.
Inconsistencies in otp-credential-mapper attribute of Elytron
ldap-realm
------------------------------------------------------------------------
Key: WFLY-7437
URL:
https://issues.jboss.org/browse/WFLY-7437
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 11.0.0.Alpha1
Reporter: Ondrej Lukas
Assignee: Jan Kalina
Priority: Minor
Labels: user_experience
Attribute {{identity-mapping.otp-credential-mapper}} from Elytron ldap-realm should
include Object which should contain four required attributes - algorithm-from, hash-from,
seed-from, sequence-from. All of these attributes are set as nillable=false.
However CLI allows to run command where otp-credential-mapper attribute is added without
any attributes which is inconsistent with their nillable=false. See following command:
{code}
/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={}})
{code}
Moreover, this command results to configuration xml without any otp-credential-mapper:
{code}
<ldap-realm name="ldap-realm" dir-context="ldap">
<identity-mapping rdn-identifier="uid"/>
</ldap-realm>
{code}
In case when at least one of otp-credential-mapper required attribute is added, then CLI
command correctly fails:
{code}
/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={algorithm-from=atr}})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0155: hash-from may not be
null",
"rolled-back" => true
}
{code}
Suggestion:
Do not allow to add {{identity-mapping.otp-credential-mapper}} without required
attributes.