Jan Kalina edited comment on ELY-857 at 1/10/17 1:45 PM:
---------------------------------------------------------
Notes: the result of WhoAmIOperation is obtained as:
{code:java}securityIdentity.getPrincipal().getName(){code}
The principal is really the output of the realm (see the ServerAuthenticationContext class):
{code:java}principal = getSecurityRealm().getRealmIdentity(evidence).getRealmIdentityPrincipal(){code}
But in LdapRealm (and in FileSystem and Jdbc too) it is currently hardcoded as the username, i.e. the input of the realm.
*Possible solution:*
a) add a mapping from an identity attribute to the identity principal into LdapRealm (add "username-attribute" into ldap-realm and map this identity attribute to a NamePrincipal when defined)
b) use an identity attribute instead of a special method for the principal, to add this possibility to all realms at once?
[~dlofthouse] do you think this should be solved for LDAP only, or on a higher level?
was (Author: honza889): [same notes and possible solutions as in the edited text above, followed by:]
Not sure, but maybe the problem can occur in FileSystemRealm too: if there is a user "firstUser", the user can also log in successfully as "FIRSTUSER" on Windows, so he can obtain two different principals. The realm should normalize it, or better, use the user input only for the search and obtain the principal from the database :(
Elytron ldap-realm is not able to use LDAP attribute as principal
-----------------------------------------------------------------
Key: ELY-857
URL: https://issues.jboss.org/browse/ELY-857
Project: WildFly Elytron
Issue Type: Bug
Components: Realms
Affects Versions: 1.1.0.Beta16
Reporter: Ondrej Lukas
Assignee: Jan Kalina
Priority: Blocker
In Elytron ldap-realm it is currently not possible to obtain the username from an LDAP attribute which is different from the rdn-identifier. This means that the username of an identity is always the same as the value of the rdn-identifier attribute.
This can cause issues when ldap-realm is used for authentication and another realm is used for authorization, since the data for the authorization realm can depend on the name assigned during authentication.
Example:
It seems that ldap-realm cannot be configured for the following scenario: a user with credentials {{someUser}}/{{Password}} is authenticated and the name {{AuthenticatedUser}} is assigned to them (e.g. when calling {{./jboss-cli.sh -c -u=someUser -p=Password ':whoami'}}, {{AuthenticatedUser}} should be printed). The following ldif is used:
{code}
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People
dn: uid=someUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: someUser
cn: some User
sn: AuthenticatedUser
userPassword: Password
{code}
The mentioned ldif works correctly with the legacy security solution.
This missing feature can mean that migration from the legacy security solution will not be possible -> we request Blocker.
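The following is an added illustration, not WildFly Elytron code and not part of the issue or its comments. It models, in plain Python, the behaviour discussed in both the report above (principal always equal to the rdn-identifier value, so the authorization realm never sees {{AuthenticatedUser}}) and in the comment on FileSystemRealm (a case-insensitive lookup handing out two different principals for one stored identity). The class `ToyRealm`, its constructor parameters, the `ROLES` table and the role name `Administrator` are assumptions made for the example; the directory entry is constructed to mirror the ldif in the report.

```python
import hmac

# Constructed sample entry, mirroring the ldif attached to the issue.
DIRECTORY = [
    {
        "dn": "uid=someUser,ou=People,dc=jboss,dc=org",
        "uid": "someUser",
        "cn": "some User",
        "sn": "AuthenticatedUser",
        "userPassword": "Password",
    },
]

# Constructed authorization data keyed by principal name; stands in for the
# "another realm used for authorization" mentioned in the report.
ROLES = {"AuthenticatedUser": {"Administrator"}}


class ToyRealm:
    """Toy stand-in for an LDAP-style realm (hypothetical, not Elytron's API).

    rdn_identifier:      attribute the supplied username is matched against.
    principal_attribute: attribute whose value becomes the principal name;
                         None reproduces the reported behaviour, where the
                         principal is simply the caller's input.
    case_insensitive:    match names ignoring case, as a case-insensitive
                         file system would (the FileSystemRealm concern).
    """

    def __init__(self, entries, rdn_identifier="uid",
                 principal_attribute=None, case_insensitive=False):
        self.entries = entries
        self.rdn_identifier = rdn_identifier
        self.principal_attribute = principal_attribute
        self.case_insensitive = case_insensitive

    def _matches(self, stored, supplied):
        if self.case_insensitive:
            return stored.lower() == supplied.lower()
        return stored == supplied

    def find_entry(self, username):
        """Use the caller's input only to locate the stored identity."""
        for entry in self.entries:
            if self._matches(entry[self.rdn_identifier], username):
                return entry
        return None

    def authenticate(self, username, password):
        """Return the principal name on success, None on failure."""
        entry = self.find_entry(username)
        if entry is None:
            return None
        # Constant-time comparison; the constructed entry stores a plain
        # password only because the ldif in the report does.
        if not hmac.compare_digest(entry["userPassword"].encode(),
                                   password.encode()):
            return None
        if self.principal_attribute is None:
            # Reported behaviour: principal is whatever the caller typed.
            return username
        # Desired behaviour: principal is taken from the directory entry.
        return entry[self.principal_attribute]


def roles_for(principal):
    """Authorization lookup keyed on the principal name."""
    return ROLES.get(principal, set())


def whoami_and_roles(realm, username, password):
    """Mimic ':whoami' followed by an authorization-realm lookup."""
    principal = realm.authenticate(username, password)
    return principal, roles_for(principal) if principal else set()


if __name__ == "__main__":
    reported = ToyRealm(DIRECTORY)                              # ELY-857 as filed
    mapped = ToyRealm(DIRECTORY, principal_attribute="sn")      # option (a)
    ci_input = ToyRealm(DIRECTORY, case_insensitive=True)       # Windows concern
    ci_mapped = ToyRealm(DIRECTORY, principal_attribute="uid",
                         case_insensitive=True)
    print("reported :", whoami_and_roles(reported, "someUser", "Password"))
    print("mapped   :", whoami_and_roles(mapped, "someUser", "Password"))
    print("ci input :", whoami_and_roles(ci_input, "SOMEUSER", "Password"))
    print("ci mapped:", whoami_and_roles(ci_mapped, "SOMEUSER", "Password"))
```

With `principal_attribute=None` the first realm authenticates `someUser` but yields the principal `someUser`, so the role table keyed on `AuthenticatedUser` returns nothing; mapping `sn` to the principal fixes that. The case-insensitive variants show the second point from the comment: when the input itself is the principal, `someUser` and `SOMEUSER` become two principals for one stored identity, whereas taking the principal from the stored entry collapses them back to `someUser`.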