[infinispan-issues] [JBoss JIRA] (ISPN-7712) LDAP Authorization Common RoleName Mapper Case Insensitive CN extraction

Ryan Emerson (JIRA) issues at jboss.org
Fri Apr 21 06:00:04 EDT 2017


     [ https://issues.jboss.org/browse/ISPN-7712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan Emerson updated ISPN-7712:
-------------------------------
    Fix Version/s: 9.0.1.Final


>  LDAP Authorization Common RoleName Mapper Case Insensitive CN extraction
> -------------------------------------------------------------------------
>
>                 Key: ISPN-7712
>                 URL: https://issues.jboss.org/browse/ISPN-7712
>             Project: Infinispan
>          Issue Type: Bug
>          Components: Security
>            Reporter: Kamesh Sampath
>            Assignee: Tristan Tarrant
>            Priority: Critical
>              Labels: ldap, ldap-realm, role-mapping
>             Fix For: 9.1.0.Final, 9.0.1.Final
>
>         Attachments: example.com.ldif, jdg-security-demo.tar.gz, ldap_cluster_notworking.xml, ldap_cluster_workaround.xml
>
>
> When enabling security with Infinispan with an LDAP backend and when using `common-role-name-mapper` for authorisation, the extraction fails to extract the role name when the role name attribute, e.g. "cn", is used instead of "CN" in the distinguished name.
> It's identified that the `org.infinispan.security.impl.CommonRoleMapper` uses a case-sensitive search and extracts roles only when the DN is like "CN=Developers,ou=Groups,dc=example,dc=com".
> The current workaround is to use an LDAP authorization like
> {code:xml}
> <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
>   <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="ou=Groups,dc=example,dc=com">
>     <membership-filter principal-attribute="uniqueMember"/>
>   </group-to-principal>
> </group-search>
> {code}
> and define the cache-container authorisation like 
> {code:xml}
> <security>
>   <authorization>
>     <!-- This does not work as the role extraction uses case-sensitive extraction of cn -->
>     <!-- <common-name-role-mapper/> -->
>     <identity-role-mapper/>
>     <role name="ClusterAdmins" permissions="ALL"/>
>     <role name="Developers" permissions="WRITE"/>
>     <role name="Business" permissions="READ"/>
>     <role name="Managers" permissions="ALL_READ ALL_WRITE"/>
>   </authorization>
> </security>
> {code}



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
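The failure mode described in the issue, as an added illustration that is not Infinispan's own CommonRoleMapper code: a role-name extractor that compares the RDN attribute type case-sensitively finds no role for "cn=Developers,...", while one that treats attribute types as case-insensitive (as RFC 4514 specifies) finds the role for both spellings. The class and method names are hypothetical; the sample DNs are constructed from the ones quoted above.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.ArrayList;
import java.util.List;

// Hypothetical demo class; not part of Infinispan.
public class RoleNameExtractionDemo {

    // Buggy variant: the attribute type is matched case-sensitively, so only a DN
    // written with upper-case "CN=" yields a role name.
    static List<String> extractRolesCaseSensitive(String dn) throws InvalidNameException {
        List<String> roles = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equals(rdn.getType())) {
                roles.add(String.valueOf(rdn.getValue()));
            }
        }
        return roles;
    }

    // Fixed variant: LDAP attribute types are case-insensitive, so "cn", "CN" and "Cn"
    // all denote the same attribute and must all be accepted.
    static List<String> extractRolesCaseInsensitive(String dn) throws InvalidNameException {
        List<String> roles = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("cn".equalsIgnoreCase(rdn.getType())) {
                roles.add(String.valueOf(rdn.getValue()));
            }
        }
        return roles;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs: the same group once with "CN", once with "cn".
        String[] dns = {
            "CN=Developers,ou=Groups,dc=example,dc=com",
            "cn=Developers,ou=Groups,dc=example,dc=com"
        };
        for (String dn : dns) {
            System.out.println(dn);
            System.out.println("  case-sensitive   -> " + extractRolesCaseSensitive(dn));
            System.out.println("  case-insensitive -> " + extractRolesCaseInsensitive(dn));
        }
    }
}
```

With the case-sensitive variant the second DN maps to no role at all, which is why authorization silently denies the user rather than failing loudly; the case-insensitive comparison is the behaviour a role mapper on top of LDAP needs.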
