[jboss-jira] [JBoss JIRA] (SECURITY-819) LdapExt login module fetches to many attributes in RoleSearch
RH Bugzilla Integration (JIRA)
issues at jboss.org
Mon Jun 16 13:42:29 EDT 2014
[ https://issues.jboss.org/browse/SECURITY-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12976707#comment-12976707 ]
RH Bugzilla Integration commented on SECURITY-819:
--------------------------------------------------
Vaclav Tunka <vtunka at redhat.com> changed the Status of [bug 1086795|https://bugzilla.redhat.com/show_bug.cgi?id=1086795] from MODIFIED to ON_QA
> LdapExt login module fetches to many attributes in RoleSearch
> -------------------------------------------------------------
>
> Key: SECURITY-819
> URL: https://issues.jboss.org/browse/SECURITY-819
> Project: PicketBox
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: JBossSX
> Affects Versions: PicketBox_4_0_21.Beta3
> Reporter: Tom Fonteyne
> Assignee: Tom Fonteyne
>
> An LDAP server with (lets say) 1000 users in a group.
> When authentication, a query is done to retrieve the groups for the user.
> Most LDAP servers will limit the attributes send back based on authorization of the user, but can be configured to return *all* information.
> The cause is:
> / Query for roles matching the role filter
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(searchScope);
> constraints.setTimeLimit(searchTimeLimit);
> rolesSearch(ctx, constraints, username, userDN, recursion, 0);
> this used to also have:
> constraints.setReturningAttributes(new String[0]);
> at some time this was taken out.
> It needs to go back in
--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
More information about the jboss-jira
mailing list