Darran Lofthouse updated WFLY-7705:
-----------------------------------
Priority: Major (was: Blocker)
LdapRealm - referral mode: direct verification + THROW mode
------------------------------------------------------------
Key: WFLY-7705
URL: https://issues.jboss.org/browse/WFLY-7705
Project: WildFly
Issue Type: Feature Request
Components: Security
Reporter: Jan Kalina
Assignee: Jan Kalina
Fix For: 11.0.0.Alpha1
*1) Logging in as a referral user is still not possible.*
Currently a referral user can be found by the LDAP realm, but his password cannot be verified
=> logging in is still not possible.
There are two possible ways to authenticate a user in the LDAP realm:
* using direct verification - in this case, after obtaining the referral user, this referral
user is used in an LDAP bindRequest against the original LDAP server (not the referenced LDAP
server), which results in an invalid credentials bindResponse
* not using direct verification - in this case, after obtaining the referral user, this user
is used in a baseObject-scope LDAP searchRequest for the password attribute against the
original LDAP server (not the referenced LDAP server), which results in a noSuchObject
searchResDone.
Comment [1] says that you are able to log in as a user of the referred server. Can you please
share your configuration? Since there is no related documentation, maybe I am doing something
wrong in using / not using direct verification.
*2) Elytron does not handle THROW referral mode*
In the case when the dir-context uses THROW referral-mode,
com.sun.jndi.ldap.LdapReferralException is not caught in Elytron (which is the LDAP client)
and is thrown to the integration tier, which also does not handle it; e.g. in the case when
ldap-realm is used for authentication to an application, this results in status code 500
being returned to the application.
[1] https://issues.jboss.org/browse/WFLY-7322?focusedCommentId=13307815&p...
( Requested in
https://issues.jboss.org/browse/JBEAP-6450?focusedCommentId=13323387#comm... )
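The following is an added example, not Elytron or WildFly code and not taken from the issue, showing what the two points above amount to for a plain JNDI client: run the dir-context in THROW mode, catch LdapReferralException instead of letting it propagate, re-run the search on the referral context, remember which server actually holds the entry, and then do the direct-verification bind against that server rather than the original one. The server URLs, DNs, service credentials, allow-list of referral hosts and the `uid` attribute are assumptions; the class needs a reachable directory to run.

```java
import java.net.URI;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapReferralException;

/** Hypothetical referral-aware lookup + direct (bind) verification; not Elytron's LdapRealm. */
public class ReferralAwareVerifier {

    // Assumed values: the "original" server, the service account used for searching,
    // and the only hosts a referral may redirect us (and our service credentials) to.
    static final String PRIMARY_URL = "ldap://ldap1.example.com:389";
    static final String SEARCH_BASE = "dc=example,dc=com";
    static final String SERVICE_DN = "cn=elytron,ou=services,dc=example,dc=com";
    static final String SERVICE_PASSWORD = "changeit";
    static final Set<String> TRUSTED_REFERRAL_HOSTS = Set.of("ldap1.example.com", "ldap2.example.com");
    static final int MAX_REFERRAL_HOPS = 5; // stops referral loops / endless chains

    /** A located user: its DN and the scheme://host[:port] of the server that holds the entry. */
    static final class Located {
        final String dn, serverUrl;
        Located(String dn, String serverUrl) { this.dn = dn; this.serverUrl = serverUrl; }
    }

    static Hashtable<String, Object> env(String url, String dn, String password, String referralMode) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, referralMode); // "ignore", "follow" or "throw"
        return env;
    }

    /** Step 1: find the user with the service account, chasing referrals explicitly (THROW mode). */
    static Located locateUser(String username) throws NamingException {
        DirContext ctx = new InitialLdapContext(env(PRIMARY_URL, SERVICE_DN, SERVICE_PASSWORD, "throw"), null);
        try { return search(ctx, PRIMARY_URL, username, 0); } finally { ctx.close(); }
    }

    private static Located search(DirContext ctx, String serverUrl, String username, int hops) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // only the DN is needed
        try {
            // Filter arguments are escaped by JNDI, so a crafted username cannot inject filter syntax.
            NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE, "(uid={0})", new Object[] {username}, sc);
            try {
                return results.hasMore() ? new Located(results.next().getNameInNamespace(), serverUrl) : null;
            } finally { results.close(); }
        } catch (LdapReferralException e) {
            // In FOLLOW mode JNDI would chase this silently and we would never learn which server to
            // bind against; in THROW mode the client decides. Thrown either by search() or by hasMore().
            if (hops >= MAX_REFERRAL_HOPS) throw e;
            String referralUrl = String.valueOf(e.getReferralInfo());
            String target = trustedServer(referralUrl);
            if (target == null) { // never send service credentials to an unvetted host
                throw new NamingException("untrusted or malformed referral target: " + referralUrl);
            }
            // The referral context reuses the original environment (same service bind, still THROW)
            // and re-targets the search at the DN/scope carried in the referral URL.
            DirContext refCtx = (DirContext) e.getReferralContext();
            try { return search(refCtx, target, username, hops + 1); } finally { refCtx.close(); }
        }
    }

    /** Reduce a referral URL to scheme://host[:port]; null if the host is not on the allow-list. */
    static String trustedServer(String referralUrl) {
        URI u;
        try { u = URI.create(referralUrl); } catch (IllegalArgumentException malformed) { return null; }
        boolean ldapScheme = "ldap".equals(u.getScheme()) || "ldaps".equals(u.getScheme());
        if (!ldapScheme || u.getHost() == null || !TRUSTED_REFERRAL_HOSTS.contains(u.getHost().toLowerCase())) return null;
        return u.getScheme() + "://" + u.getHost() + (u.getPort() == -1 ? "" : ":" + u.getPort());
    }

    /** Step 2 (direct verification): bind as the user against the server that actually holds the entry. */
    static boolean verifyPassword(Located user, char[] password) throws NamingException {
        // An empty password is an unauthenticated bind, which some servers accept: reject it up front.
        if (password == null || password.length == 0) return false;
        try {
            new InitialLdapContext(env(user.serverUrl, user.dn, new String(password), "throw"), null).close();
            return true;
        } catch (AuthenticationException invalidCredentials) {
            return false; // bindResponse invalidCredentials (49)
        }
    }

    public static void main(String[] args) throws NamingException {
        Located user = locateUser(args[0]);
        if (user == null) { System.out.println("no such user"); return; }
        boolean ok = verifyPassword(user, args[1].toCharArray());
        System.out.println(user.dn + " @ " + user.serverUrl + " -> " + (ok ? "OK" : "REJECTED"));
    }
}
```

Two things worth noting about the design. Binding against `target` instead of `PRIMARY_URL` is exactly the step that turns the invalid credentials response described in point 1 into a real verification, and catching LdapReferralException inside the client is what keeps point 2's exception from surfacing as a 500. Because following a referral means sending the service account's credentials (and, at verification time, the user's password) to whatever host the referral names, the allow-list check is not optional, and in production the simple binds should go over ldaps or StartTLS rather than plain ldap.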