[jboss-jira] [JBoss JIRA] (WFLY-7437) Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm

Jan Kalina (JIRA) issues at jboss.org
Thu Nov 3 10:22:00 EDT 2016 

    [ https://issues.jboss.org/browse/WFLY-7437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13316916#comment-13316916 ] 

Jan Kalina commented on WFLY-7437:
----------------------------------

otp-credential-mapper={} is equivalent to undefined otp-credential-mapper, which is allowed - you can have an ldap-realm without OTP credentials.
The only forbidden thing is to have defined OTP credential mapping without attributes required for it.
This is not inconsistency.

> Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm
> ------------------------------------------------------------------------
>
>                 Key: WFLY-7437
>                 URL: https://issues.jboss.org/browse/WFLY-7437
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 11.0.0.Alpha1
>            Reporter: Ondrej Lukas
>            Assignee: Jan Kalina
>            Priority: Minor
>              Labels: user_experience
>
> Attribute {{identity-mapping.otp-credential-mapper}} from Elytron ldap-realm should include Object which should contain four required attributes - algorithm-from, hash-from, seed-from, sequence-from. All of these attributes are set as nillable=false.
> However CLI allows to run command where otp-credential-mapper attribute is added without any attributes which is inconsistent with their nillable=false. See following command:
> {code}
> /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={}})
> {code}
> Moreover, this command results to configuration xml without any otp-credential-mapper:
> {code}
> <ldap-realm name="ldap-realm" dir-context="ldap">
>     <identity-mapping rdn-identifier="uid"/>
> </ldap-realm>
> {code}
> In case when at least one of otp-credential-mapper required attribute is added, then CLI command correctly fails:
> {code}
> /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={algorithm-from=atr}})
> {
>     "outcome" => "failed",
>     "failure-description" => "WFLYCTL0155: hash-from may not be null",
>     "rolled-back" => true
> }
> {code}
> Suggestion:
> Do not allow to add {{identity-mapping.otp-credential-mapper}} without required attributes.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list