[jboss-jira] [JBoss JIRA] (ELY-771) Elytron ldap-realm does not support recursive role search

Jan Kalina (JIRA) issues at jboss.org
Sat Nov 19 07:14:00 EST 2016


Jan Kalina created ELY-771:
------------------------------

             Summary: Elytron ldap-realm does not support recursive role search
                 Key: ELY-771
                 URL: https://issues.jboss.org/browse/ELY-771
             Project: WildFly Elytron
          Issue Type: Bug
          Components: Realms
    Affects Versions: 1.1.0.Beta13
            Reporter: Jan Kalina
            Assignee: Jan Kalina
            Priority: Blocker


Scenario:
LDAP can include some roles which are members of other roles. I am trying to also assign these "nested roles" to the user during the authentication/authorization process.

In EAP 7.0 (with PicketBox) I am able to set a configuration which allows these roles to be assigned to the user. LdapExtLoginModule with the module option {{roleRecursion}} serves this purpose. It uses an int value which determines how many levels should be searched and assigned to the user. I am not able to achieve this scenario with Elytron and its ldap-realm.

Missing this feature in Elytron can lead to a situation where migration from PicketBox to Elytron is not possible, since the LDAP structure for role assignment used by the legacy solution will not work correctly with Elytron.

See example of LDIF for LDAP server:
{code}
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password1

dn: ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Roles

dn: cn=R1,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R1
member: uid=jduke,ou=People,dc=jboss,dc=org
description: the R1 group

dn: cn=R2,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R2
member: cn=R1,ou=Roles,dc=jboss,dc=org
description: the R2 group

dn: cn=R3,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R3
member: cn=R2,ou=Roles,dc=jboss,dc=org
description: the R3 group
{code}

In Elytron I am able to assign only the {{R1}} role to user jduke. The legacy solution is able to use, for example, {{roleRecursion=1}}, which results in assigning roles {{R1}} and {{R2}} to user jduke.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
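As an added illustration (not Elytron or PicketBox code), the following Python mimics the depth-limited nested-role walk that the {{roleRecursion}} option performs, using the role entries from the LDIF above as an in-memory directory; the parser and function names are my own.

```python
# Added illustration for ELY-771, not Elytron or PicketBox code: a depth-limited
# nested-role walk over the groupOfNames entries from the report's LDIF.
from collections import defaultdict

ROLES_LDIF = """\
dn: cn=R1,ou=Roles,dc=jboss,dc=org
objectclass: groupOfNames
cn: R1
member: uid=jduke,ou=People,dc=jboss,dc=org

dn: cn=R2,ou=Roles,dc=jboss,dc=org
objectclass: groupOfNames
cn: R2
member: cn=R1,ou=Roles,dc=jboss,dc=org

dn: cn=R3,ou=Roles,dc=jboss,dc=org
objectclass: groupOfNames
cn: R3
member: cn=R2,ou=Roles,dc=jboss,dc=org
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}, attribute names lower-cased."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def resolve_roles(entries, user_dn, role_recursion):
    """Role cns for user_dn: direct groups plus role_recursion levels of group-in-group."""
    groups_of = defaultdict(set)      # member DN -> groups whose member attribute lists it
    for dn, attrs in entries.items():
        if any(v.lower() == "groupofnames" for v in attrs.get("objectclass", [])):
            for member in attrs.get("member", []):
                groups_of[member].add(dn)
    frontier = set(groups_of.get(user_dn, ()))   # depth 0: directly assigned roles
    roles = set(frontier)
    for _ in range(role_recursion):
        # Groups one level up; subtracting already-known roles also breaks membership cycles.
        frontier = {g for m in frontier for g in groups_of.get(m, ())} - roles
        roles |= frontier
    return {entries[dn]["cn"][0] for dn in roles}
```

With the report's data, a recursion depth of 0 yields only R1 (the current Elytron behaviour), depth 1 yields R1 and R2, and depth 2 or more yields all three.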

