Many Active Directory deployments use sAMAccountName as the attribute that holds the loginName of users. PicketLink allows any LDAP attribute to be mapped as the idProperty in the LDAPMappingConfiguration for the User type, so it is possible to map sAMAccountName for User with something like:
.mapping(User.class)
.attribute("loginName", "sAMAccountName", true)
The problem is that this setup does not work correctly against AD, because in AD deployments sAMAccountName is not part of the DN; the RDN of a user entry is usually built from the CN attribute instead. A typical user DN in AD therefore looks like:
dn: CN=John Doe,OU=Users,DC=foo,DC=net
In other words, PicketLink works correctly for LDAP deployments where the attribute mapped to loginName is the RDN attribute of the entry. For example, if loginName is mapped to the attribute "uid" and the DN of the object looks like:
uid=john,ou=users,dc=foo,dc=net
But the case where the loginName attribute is not part of the DN is not handled well, because PicketLink assumes that it always will be. For example, the method LDAPIdentityStore.getBindingDN contains this code:
return mappingConfig.getMappedProperties().get(idProperty.getName()) + EQUAL + idProperty.getValue(attributedType) + baseDN;
So with "sAMAccountName" mapped as the idProperty, it returns a DN like:
sAMAccountName=john,OU=Users,DC=foo,DC=net
which is not correct, as the real DNs use CN rather than sAMAccountName in their RDN, so no entry with that DN exists.
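As an added illustration (this is not PicketLink code and does not use its API), the following Python model contrasts the two DN strategies over a constructed in-memory directory: naive concatenation of "mapped attribute=loginName,baseDN" as in getBindingDN above, which is only right when the mapped attribute happens to be the entry's RDN attribute, and a search on the mapped attribute that returns the entry's real DN, which is what the AD case needs. The DIRECTORY contents, the function names and the search-based helper are assumptions made for the example.

```python
# Added illustration, not PicketLink code: contrasts the concatenation that
# LDAPIdentityStore.getBindingDN performs with a search-based resolution that
# also works when the loginName attribute is not the RDN of the entry.

# Constructed, in-memory stand-in for a directory: DN -> attributes.
# The first two entries model an AD tree (RDN built from CN, login stored in
# sAMAccountName); the third models a classic LDAP tree (RDN built from uid).
DIRECTORY = {
    "CN=John Doe,OU=Users,DC=foo,DC=net": {
        "objectClass": ["user"],
        "cn": ["John Doe"],
        "sAMAccountName": ["john"],
    },
    "CN=Jane Roe,OU=Users,DC=foo,DC=net": {
        "objectClass": ["user"],
        "cn": ["Jane Roe"],
        "sAMAccountName": ["jane"],
    },
    "uid=john,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["john"],
    },
}


def _norm(dn: str) -> str:
    """Case-fold a DN and drop whitespace after commas so that
    'CN=John Doe, OU=Users' and 'cn=john doe,ou=users' compare equal.
    Good enough for this example; real DN normalisation follows RFC 4514."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def naive_binding_dn(mapped_attr: str, login_name: str, base_dn: str) -> str:
    """Mirror of the concatenation in LDAPIdentityStore.getBindingDN:
    '<mapped attribute>=<loginName>,<baseDN>'. Only yields an existing DN
    when the mapped attribute is the entry's RDN attribute."""
    return f"{mapped_attr}={login_name},{base_dn}"


def entry_exists(directory: dict, dn: str) -> bool:
    """True if the directory holds an entry with exactly this DN."""
    target = _norm(dn)
    return any(_norm(existing) == target for existing in directory)


def resolve_binding_dn(directory: dict, mapped_attr: str, login_name: str, base_dn: str):
    """Search-based resolution: find the single entry under base_dn whose
    mapped attribute equals login_name and return that entry's real DN.
    Returns None when there is no match or more than one (ambiguous login),
    so the caller never binds or looks up the wrong entry."""
    base = _norm(base_dn)
    wanted = login_name.lower()  # AD compares sAMAccountName case-insensitively
    matches = []
    for dn, attrs in directory.items():
        if not _norm(dn).endswith("," + base):
            continue  # outside the configured search base
        # LDAP attribute names are case-insensitive; look the mapped one up that way.
        by_name = {name.lower(): values for name, values in attrs.items()}
        values = [v.lower() for v in by_name.get(mapped_attr.lower(), [])]
        if wanted in values:
            matches.append(dn)
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    ad_base = "OU=Users,DC=foo,DC=net"
    # Classic LDAP: uid is the RDN attribute, so concatenation yields a real DN.
    classic = naive_binding_dn("uid", "john", "ou=people,dc=example,dc=org")
    print(classic, entry_exists(DIRECTORY, classic))
    # AD: concatenation yields a DN that does not exist in the directory ...
    guessed = naive_binding_dn("sAMAccountName", "john", ad_base)
    print(guessed, entry_exists(DIRECTORY, guessed))
    # ... whereas searching on sAMAccountName finds the CN-based DN.
    print(resolve_binding_dn(DIRECTORY, "sAMAccountName", "john", ad_base))
```

The search-based helper is the shape of fix the report calls for: when the idProperty is not the RDN attribute, the store has to look the entry up by that attribute under the mapping's base DN and use the DN the directory returns, rather than synthesising one.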