[jboss-jira] [JBoss JIRA] Created: (JBPORTAL-2282) LDAP Role Retrieval Fails When Role Stored in Operational Attribute (LDAPStaticRoleMembershipModuleImpl)

Greg Wittel (JIRA) jira-events at lists.jboss.org
Mon Jan 26 19:33:44 EST 2009


LDAP Role Retrieval Fails When Role Stored in Operational Attribute (LDAPStaticRoleMembershipModuleImpl)
--------------------------------------------------------------------------------------------------------

                 Key: JBPORTAL-2282
                 URL: https://jira.jboss.org/jira/browse/JBPORTAL-2282
             Project: JBoss Portal
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Portal Identity
    Affects Versions: 2.7.0 Final, 2.6.7 Final, 2.7.2 Final
         Environment: Linux Kernel 2.6.9
JDK 1.6u11
JBoss Portal 2.7.2
JBoss AS 4.2.3GA (bundled with Portal)
OpenSSO 8
SunDS 6.3 (with OpenSSO schema)
            Reporter: Greg Wittel


I was working on OpenSSO integration / getting LDAP Roles working (i.e. role stored in LDAP User Attribute) and found a bug that causes the role retrieval to not work with certain LDAP directory structures.

The module org.jboss.portal.identity.ldap.LDAPStaticRoleMembershipModuleImpl has a bug where it only retrieves regular attributes and not those defined as "Operational Attributes" by javax.naming.directory.DirContext. This means that in cases where the 'memberOfAttributeId' is stored in an operational attribute, the role will never be retrieved, and getRoles() incorrectly returns an empty role list. An example of an attribute that is treated as operational is nsRoleDN. nsRoleDN is used by OpenSSO as the default attribute under which user roles are stored.

The problem section:

See: Rev 9064  LDAPStaticRoleMembershipModuleImpl.java (http://fisheye.jboss.org/browse/Portal/modules/identity/trunk/identity/src/main/java/org/jboss/portal/identity/ldap/LDAPStaticRoleMembershipModuleImpl.java?r=9064)

101         Attributes attrs = ldapContext.getAttributes(ldapUser.getDn());
102 
103         //log.debug("User attributes: " + attrs);
104         if (attrs == null )
105         {
106            throw new IdentityException("Cannot find User with DN: " + ldapUser.getDn());
107         }
108 
109         Attribute memberOfAttribute = attrs.get(getMemberAttributeID());
110 
111         //if there are no members
112         if (memberOfAttribute == null)

On line 101, the getAttributes() function only returns regular attributes and not operational attributes. It will only return operational attributes when you request them by name. In the case where the role is stored in an operational attribute, line 109 will return null, resulting in an empty role hash being returned.

Since an empty Role hash is returned unless MemberAttributeID is set, it makes sense to request the role attribute directly, rather than indirectly. You can do this by changing the ldapContext.getAttributes line:

   String[] memberAttrs = { getMemberAttributeID() };
   Attributes attrs = ldapContext.getAttributes(ldapUser.getDn(), memberAttrs);
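The following is an added, stand-alone illustration of the fix described above; it is not JBoss Portal code and not part of the original report. The class name OperationalRoleLookup, the helper readMemberOf() and the connection properties read in main() are all assumptions. It shows the lookup done the way the report recommends: the membership attribute (for example nsRoleDN) is named explicitly in the getAttributes() call, so the server returns it even though it is operational, and the "entry not found" case is kept distinct from the "entry has no roles" case so that an empty role list is never the silent result of a wrong attribute request.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Hypothetical helper (not the JBoss Portal implementation) that reads the
 * role-membership attribute of a user entry. The attribute is requested by
 * name, which is the only way JNDI/LDAP servers return operational
 * attributes such as nsRoleDN; a bare getAttributes(dn) omits them.
 */
public final class OperationalRoleLookup {

    private OperationalRoleLookup() {
    }

    /**
     * Returns the values of memberAttrId (e.g. "nsRoleDN") on the entry userDn.
     * Throws if the entry cannot be read; returns an empty list only when the
     * entry exists and genuinely carries no role value.
     */
    public static List<String> readMemberOf(DirContext ctx, String userDn, String memberAttrId)
            throws NamingException {
        // Explicit attribute list: this is the change the report proposes.
        // Without it, an operational attribute would be missing from the
        // result and the user would silently end up with no roles.
        String[] wanted = { memberAttrId };
        Attributes attrs = ctx.getAttributes(userDn, wanted);
        if (attrs == null) {
            throw new NamingException("Cannot find user with DN: " + userDn);
        }

        Attribute memberOf = attrs.get(memberAttrId);
        if (memberOf == null) {
            // Entry found, but it has no membership value: legitimately no roles.
            return Collections.emptyList();
        }

        List<String> roleDns = new ArrayList<String>();
        NamingEnumeration<?> values = memberOf.getAll();
        try {
            while (values.hasMore()) {
                Object value = values.next();
                if (value != null) {
                    roleDns.add(value.toString());
                }
            }
        } finally {
            values.close();
        }
        return roleDns;
    }

    /**
     * Manual check against a real directory. Connection details are placeholders
     * supplied via system properties (assumed names, e.g.
     * -Dldap.url=ldap://directory.example:389 -Dldap.bindDn=... -Dldap.bindPw=...
     * -Dldap.userDn=... -Dldap.memberAttr=nsRoleDN).
     */
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, System.getProperty("ldap.url", "ldap://localhost:389"));
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, System.getProperty("ldap.bindDn", "<BIND-DN-PLACEHOLDER>"));
        env.put(Context.SECURITY_CREDENTIALS, System.getProperty("ldap.bindPw", "<BIND-PASSWORD-PLACEHOLDER>"));

        DirContext ctx = new InitialDirContext(env);
        try {
            String userDn = System.getProperty("ldap.userDn", "<USER-DN-PLACEHOLDER>");
            String memberAttr = System.getProperty("ldap.memberAttr", "nsRoleDN");
            for (String roleDn : readMemberOf(ctx, userDn, memberAttr)) {
                System.out.println("role: " + roleDn);
            }
        } finally {
            ctx.close();
        }
    }
}
```

Requesting only the attribute that is actually needed also keeps the read minimal: the module does not need the whole entry to resolve membership, and an explicit attribute list behaves the same whether the directory stores the value as a user attribute or an operational one.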


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira