Ondrej Lukas updated ELY-794:
-----------------------------
Affects Version/s: 1.1.0.Beta13
Missing input username wildcard for role/attribute search in Elytron ldap-realm
-------------------------------------------------------------------------------
Key: ELY-794
URL: https://issues.jboss.org/browse/ELY-794
Project: WildFly Elytron
Issue Type: Bug
Affects Versions: 1.1.0.Beta13
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Critical
Scenario: I am trying to assign a role from LDAP to a user. I would like to use the input username (e.g. admin) in the filter, not the full user DN (e.g. uid=admin,ou=People,dc=jboss,dc=org). It seems the Elytron ldap-realm does not provide any wildcard which can be used for the input username.

In EAP 7.0 (with PicketBox), LdapExtLoginModule provides the roleFilter option, whose filter can contain the following wildcards:
* {{\{0\}}} - for input username
* {{\{1\}}} - for authenticated full user DN

It seems that Elytron supports only the wildcard for the authenticated full user DN (through the {{\{0\}}} wildcard). A wildcard for the input username should be added.

It would be useful if the order of the wildcards were the same as in EAP 7.0 - i.e. not just add a new {{\{1\}}} for the input username, but use {{\{0\}}} for the input username and {{\{1\}}} for the authenticated full user DN. This order is also better because the wildcard {{\{0\}}} will then mean the same in the identity filter and in the role/attribute filter.

Missing this feature in Elytron can lead to a situation where migration from PicketBox to Elytron will not be possible, since the LDAP structure for role assignment used by the legacy solution will not work correctly with Elytron.

Example of usage:
I would like to use a filter like {{(description=SOME_INPUT_USERNAME_WILDCARD)}} for assigning the role JBossAdmin to user jduke in the following ldif:
{code}
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password

dn: uid=notUsedUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: notUsedUser
cn: not used user
sn: notUsedUser
userPassword: Password

dn: ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Roles

dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: JBossAdmin
member: uid=notUsedUser,ou=People,dc=jboss,dc=org
description: jduke
{code}
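The following is an added, self-contained illustration of the placeholder convention the report asks for ({0} = input username, {1} = authenticated full DN), evaluated against a constructed copy of the LDIF above. It is not Elytron or PicketBox code; the names parse_ldif, expand_filter, roles_for and the single-level filter evaluator are assumptions made for the example. Its practical point for a defender is that whichever placeholder is chosen, the substituted value must be escaped per RFC 4515 before it is spliced into the filter, otherwise a username containing "(", ")" or "*" can change the filter's structure rather than just its assertion value.

```python
import re

# Constructed sample directory content, mirroring the ldif in the issue report.
SAMPLE_LDIF = """\
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password

dn: uid=notUsedUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: notUsedUser
cn: not used user
sn: notUsedUser
userPassword: Password

dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: JBossAdmin
member: uid=notUsedUser,ou=People,dc=jboss,dc=org
description: jduke
"""


def parse_ldif(text):
    """Minimal LDIF reader (no base64 values, no line folding): one dict per
    blank-line separated entry, attribute names lower-cased, values as lists."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: backslash, '*', '(', ')', NUL and
    every non-ASCII byte become '\\xx' so the value cannot alter filter syntax."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()" or b == 0 or b > 0x7F:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def unescape_filter_value(value):
    """Reverse of escape_filter_value, used when comparing parsed assertions."""
    raw = re.sub(rb"\\([0-9a-fA-F]{2})",
                 lambda m: bytes([int(m.group(1), 16)]), value.encode("utf-8"))
    return raw.decode("utf-8")


def expand_filter(template, input_username, user_dn):
    """Apply the placeholder order requested in the issue: {0} is the input
    username, {1} the authenticated full DN. Both are escaped before insertion."""
    return (template.replace("{0}", escape_filter_value(input_username))
                    .replace("{1}", escape_filter_value(user_dn)))


def parse_filter(s):
    """Parse a subset of RFC 4515: equality assertions combined with &, | and !.
    Returns ("=", attr, value) or (op, [children])."""
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if s[pos] in "&|!":
            op = s[pos]
            pos += 1
            children = []
            while s[pos] == "(":
                children.append(node())
            if s[pos] != ")":
                raise ValueError("expected ')' at %d" % pos)
            pos += 1
            return (op, children)
        # Escaped values never contain a literal ')', so the next one closes us.
        end = s.index(")", pos)
        attr, _, val = s[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), unescape_filter_value(val))

    tree = node()
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (exact, case-sensitive compare;
    a real directory applies the attribute's matching rule instead)."""
    op = tree[0]
    if op == "=":
        return tree[2] in entry.get(tree[1], [])
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    return not matches(tree[1][0], entry)


def roles_for(entries, role_filter, input_username, user_dn, role_attr="cn"):
    """Return role names from groupOfNames entries matching the expanded filter."""
    tree = parse_filter(expand_filter(role_filter, input_username, user_dn))
    roles = []
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "groupofnames" in classes and matches(tree, e):
            roles.extend(e.get(role_attr, []))
    return roles


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    dn = "uid=jduke,ou=People,dc=jboss,dc=org"
    print(roles_for(directory, "(description={0})", "jduke", dn))  # ['JBossAdmin']
    print(roles_for(directory, "(member={1})", "jduke", dn))       # []
```

With the username placeholder, `(description={0})` assigns JBossAdmin to jduke exactly as the report wants, while a DN-based `(member={1})` filter cannot, because the group's member attribute names notUsedUser. Because expand_filter escapes its inputs, a login name such as `jduke)(cn=*` is compared as a literal description value and matches nothing instead of rewriting the filter.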