[jboss-jira] [JBoss JIRA] Assigned: (JBPORTAL-2282) LDAP Role Retrieval Fails When Role Stored in Operational Attribute (LDAPStaticRoleMembershipModuleImpl)
Boleslaw Dawidowicz (JIRA)
jira-events at lists.jboss.org
Tue Jan 27 05:26:44 EST 2009
[ https://jira.jboss.org/jira/browse/JBPORTAL-2282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Boleslaw Dawidowicz reassigned JBPORTAL-2282:
---------------------------------------------
Assignee: Boleslaw Dawidowicz
> LDAP Role Retrieval Fails When Role Stored in Operational Attribute (LDAPStaticRoleMembershipModuleImpl)
> --------------------------------------------------------------------------------------------------------
>
> Key: JBPORTAL-2282
> URL: https://jira.jboss.org/jira/browse/JBPORTAL-2282
> Project: JBoss Portal
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Portal Identity
> Affects Versions: 2.6.7 Final, 2.7.0 Final, 2.7.2 Final
> Environment: Linux Kernel 2.6.9
> JDK 1.6u11
> JBoss Portal 2.7.2
> JBoss AS 4.2.3GA (bundled with Portal)
> OpenSSO 8
> SunDS 6.3 (with OpenSSO schema)
> Reporter: Greg Wittel
> Assignee: Boleslaw Dawidowicz
>
> I was working on OpenSSO integration / getting LDAP Roles working (i.e. role stored in LDAP User Attribute) and found a bug that causes the role retrieval to not work with certain LDAP directory structures.
> The module org.jboss.portal.identity.ldap.LDAPStaticRoleMembershipModuleImpl has a bug where it only retrieves regular attributes and not those defined as "Operational Attributes" by javax.naming.directory.DirContext. This means that in cases where the 'memberOfAttributeId' is stored in an operational attribute, the role will never be retrieved, and getRoles() incorrectly returns an empty role list. An example of an attribute that is treated as operational is: nsRoleDN. nsRoleDN is used by OpenSSO as the default attribute under which user roles are stored.
> The problem section:
> See: Rev 9064 LDAPStaticRoleMembershipModuleImpl.java (http://fisheye.jboss.org/browse/Portal/modules/identity/trunk/identity/src/main/java/org/jboss/portal/identity/ldap/LDAPStaticRoleMembershipModuleImpl.java?r=9064)
> 101 Attributes attrs = ldapContext.getAttributes(ldapUser.getDn());
> 102
> 103 //log.debug("User attributes: " + attrs);
> 104 if (attrs == null )
> 105 {
> 106 throw new IdentityException("Cannot find User with DN: " + ldapUser.getDn());
> 107 }
> 108
> 109 Attribute memberOfAttribute = attrs.get(getMemberAttributeID());
> 110
> 111 //if there are no members
> 112 if (memberOfAttribute == null)
> On line 101, the getAttributes() function only returns regular attributes and not operational attributes. It will only return operational attributes when you request them by name. In the case where the role is stored in an operational attribute, line 109 will return null, resulting in an empty role hash being returned.
> Since an empty Role hash is returned unless MemberAttributeID is set, it makes sense to request the role attribute directly, rather than indirectly. You can do this via changing the ldapContext.getAttributes line:
> String[] memberAttrs = { getMemberAttributeID() };
> Attributes attrs = ldapContext.getAttributes(ldapUser.getDn(), memberAttrs);
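A Java illustration of the fix described in the report, added here and not part of the report or the JBoss Portal code base: the membership attribute is requested by name so the directory also returns it when it is operational. The DirContext stand-in (FakeDirectory), the DN and the role values are constructed for the example so it runs without a server.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class OperationalRoleLookup {
    // Ask for the membership attribute by name: a directory returns an operational attribute
    // such as nsRoleDN only on explicit request, so a plain getAttributes(dn) never sees it.
    static Set<String> roleDns(DirContext ctx, String userDn, String memberAttrId) throws NamingException {
        Attributes attrs = ctx.getAttributes(userDn, new String[] { memberAttrId });
        Set<String> roles = new LinkedHashSet<>();
        if (attrs == null) {
            throw new NamingException("Cannot find user with DN: " + userDn);
        }
        Attribute member = attrs.get(memberAttrId);
        if (member == null) {
            return roles; // the user genuinely holds no roles
        }
        NamingEnumeration<?> values = member.getAll();
        while (values.hasMore()) {
            roles.add(String.valueOf(values.next()));
        }
        return roles;
    }

    // Constructed stand-in for a directory (hypothetical, no server needed): nsRoleDN is
    // modelled as an operational attribute and is only returned when named in the request.
    static class FakeDirectory extends InitialDirContext {
        FakeDirectory() throws NamingException { super(); }
        @Override public Attributes getAttributes(String name) {
            return new BasicAttributes("uid", "jdoe"); // user attributes only
        }
        @Override public Attributes getAttributes(String name, String[] ids) {
            Attributes a = getAttributes(name);
            if (ids == null) return a; // null means "all user attributes", still no operational ones
            for (String id : ids) {
                if ("nsRoleDN".equalsIgnoreCase(id)) a.put("nsRoleDN", "cn=admins,ou=roles,dc=example,dc=com");
            }
            return a;
        }
    }

    public static void main(String[] args) throws NamingException {
        String dn = "uid=jdoe,ou=people,dc=example,dc=com"; // constructed sample DN
        DirContext ctx = new FakeDirectory();
        System.out.println("plain lookup: " + ctx.getAttributes(dn).get("nsRoleDN"));
        System.out.println("named lookup: " + roleDns(ctx, dn, "nsRoleDN"));
    }
}
```

The plain lookup yields no nsRoleDN attribute while the named lookup returns the role, which is the difference between the original line 101 and the proposed two-argument call.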
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira