[jboss-jira] [JBoss JIRA] (WFLY-7437) Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm

Ondrej Lukas (JIRA) issues at jboss.org
Tue Nov 1 07:59:00 EDT 2016


Ondrej Lukas created WFLY-7437:
----------------------------------

             Summary: Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm
                 Key: WFLY-7437
                 URL: https://issues.jboss.org/browse/WFLY-7437
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: Ondrej Lukas
            Assignee: Darran Lofthouse
            Priority: Minor


Attribute {{identity-mapping.otp-credential-mapper}} from Elytron ldap-realm should include an object which should contain four required attributes: algorithm-from, hash-from, seed-from, sequence-from. All of these attributes are set as nillable=false.

However, the CLI allows running a command where the otp-credential-mapper attribute is added without any attributes, which is inconsistent with their nillable=false. See the following command:
{code}
/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={}})
{code}

Moreover, this command results in a configuration XML without any otp-credential-mapper:
{code}
<ldap-realm name="ldap-realm" dir-context="ldap">
    <identity-mapping rdn-identifier="uid"/>
</ldap-realm>
{code}

In case at least one of the otp-credential-mapper required attributes is added, the CLI command correctly fails:
{code}
/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={algorithm-from=atr}})
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0155: hash-from may not be null",
    "rolled-back" => true
}
{code}

Suggestion:
Do not allow adding {{identity-mapping.otp-credential-mapper}} without the required attributes.
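The following is an added illustration of the validation the suggestion asks for; it is not WildFly or Elytron code. It models the nillable=false contract for the four child attributes named above, treats an absent otp-credential-mapper as acceptable and an empty {} as a failure, formats failures in the WFLYCTL0155 style shown in the report, and checks whether a persisted ldap-realm XML fragment actually carries the mapper (the element name otp-credential-mapper under identity-mapping is an assumption about the persisted form). The behaviour of reporting every missing attribute at once, rather than only the first, is a design choice of this example.

```python
"""Model-level validation for identity-mapping.otp-credential-mapper.

Added illustration, not WildFly/Elytron code. It mirrors the nillable=false
contract described in WFLY-7437 and shows why the empty object {} must be
rejected rather than silently dropped from the persisted configuration.
"""
import xml.etree.ElementTree as ET
from typing import Any, Dict, List, Optional

# The four required (nillable=false) child attributes named in the issue.
OTP_REQUIRED = ("algorithm-from", "hash-from", "seed-from", "sequence-from")


def validate_otp_mapper(mapper: Optional[Dict[str, Any]]) -> List[str]:
    """Return failure descriptions for an otp-credential-mapper object.

    None means the attribute was not supplied at all, which is allowed
    because the mapper itself is optional.  An empty dict means it was
    supplied as {} and must fail, since every child is nillable=false.
    """
    if mapper is None:
        return []
    errors: List[str] = []
    for name in OTP_REQUIRED:
        value = mapper.get(name)
        # Message text follows the failure shown in the report (WFLYCTL0155);
        # treating an empty/blank string like null is an assumption here.
        if value is None or (isinstance(value, str) and not value.strip()):
            errors.append(f"WFLYCTL0155: {name} may not be null")
    return errors


def validate_identity_mapping(identity_mapping: Dict[str, Any]) -> Dict[str, Any]:
    """Validate an identity-mapping object and build a CLI-style outcome."""
    errors: List[str] = []
    if not identity_mapping.get("rdn-identifier"):
        errors.append("WFLYCTL0155: rdn-identifier may not be null")
    errors.extend(validate_otp_mapper(identity_mapping.get("otp-credential-mapper")))
    if errors:
        return {
            "outcome": "failed",
            "failure-description": "; ".join(errors),
            "rolled-back": True,
        }
    return {"outcome": "success"}


def otp_mapper_persisted(ldap_realm_xml: str) -> bool:
    """Report whether a persisted <ldap-realm> fragment carries the mapper.

    Assumes the mapper is persisted as an <otp-credential-mapper> element
    under <identity-mapping>; a deployment that expected OTP credentials but
    gets False here has hit exactly the silent drop described in the issue.
    """
    root = ET.fromstring(ldap_realm_xml)
    return root.find("./identity-mapping/otp-credential-mapper") is not None


# Constructed inputs matching the three cases in the report.
CASE_NO_MAPPER = {"rdn-identifier": "uid"}
CASE_EMPTY_MAPPER = {"rdn-identifier": "uid", "otp-credential-mapper": {}}
CASE_PARTIAL_MAPPER = {
    "rdn-identifier": "uid",
    "otp-credential-mapper": {"algorithm-from": "atr"},
}
# The XML the report shows being persisted after the {} command.
PERSISTED_XML = (
    '<ldap-realm name="ldap-realm" dir-context="ldap">'
    '    <identity-mapping rdn-identifier="uid"/>'
    "</ldap-realm>"
)

if __name__ == "__main__":
    for label, mapping in (
        ("no mapper", CASE_NO_MAPPER),
        ("empty mapper", CASE_EMPTY_MAPPER),
        ("partial mapper", CASE_PARTIAL_MAPPER),
    ):
        print(label, "->", validate_identity_mapping(mapping))
    print("mapper persisted:", otp_mapper_persisted(PERSISTED_XML))
```

Run as a script it prints the outcome for each of the three commands from the report; the empty-mapper case fails with all four attributes listed instead of succeeding, and the persisted-XML check returns False for the fragment shown above, which is the condition an operator would want to alert on after applying such a command.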



--
This message was sent by Atlassian JIRA
(v7.2.2#72004)