[infinispan-issues] [JBoss JIRA] (ISPN-7712) LDAP Authorization Common RoleName Mapper Case Insensitive CN extraction
Kamesh Sampath (JIRA)
issues at jboss.org
Sat Apr 8 03:07:00 EDT 2017
Kamesh Sampath created ISPN-7712:
------------------------------------
Summary: LDAP Authorization Common RoleName Mapper Case Insensitive CN extraction
Key: ISPN-7712
URL: https://issues.jboss.org/browse/ISPN-7712
Project: Infinispan
Issue Type: Bug
Components: Security
Reporter: Kamesh Sampath
Priority: Critical
Attachments: example.com.ldif, jdg-security-demo.tar.gz, ldap_cluster_notworking.xml, ldap_cluster_workaround.xml
When enabling security with Inifinispan with LDAP backend and when using `common-role-name-mapper` for authorisation, the extraction fails to extract the role name when the role name attribute e.g. "cn" is used instead of "CN" in the distinguished name.
Its identified that the `org.infinispan.security.impl.CommonRoleMapper` use a case sensitive search and extracts roles only when the DN is like "CN=Developers,ou=Groups,dc=example,dc=com"
The current workaround is to use the use a ldap authorization like
{code:xml}
<group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
<group-to-principal search-by="DISTINGUISHED_NAME" base-dn="ou=Groups,dc=example,dc=com">
<membership-filter principal-attribute="uniqueMember"/>
</group-to-principal>
</group-search>
{code}
and define the cache-container authorisation like
{code:xml}
<security>
<authorization>
<!-- This does not work as the role extraction uses case sensitive extraction of cn -->
<!-- common-name-role-mapper/ -->
<identity-role-mapper/>
<role name="ClusterAdmins" permissions="ALL"/>
<role name="Developers" permissions="WRITE"/>
<role name="Business" permissions="READ"/>
<role name="Managers" permissions="ALL_READ ALL_WRITE"/>
</authorization>
</security>
{code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the infinispan-issues
mailing list