[jboss-jira] [JBoss JIRA] (WFLY-7437) Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm

Darran Lofthouse (JIRA) issues at jboss.org
Mon Nov 28 10:12:03 EST 2016 

     [ https://issues.jboss.org/browse/WFLY-7437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated WFLY-7437:
-----------------------------------
    Affects Version/s:     (was: 11.0.0.Alpha1)


> Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm
> ------------------------------------------------------------------------
>
>                 Key: WFLY-7437
>                 URL: https://issues.jboss.org/browse/WFLY-7437
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>            Reporter: Ondrej Lukas
>            Assignee: Jan Kalina
>            Priority: Minor
>              Labels: user_experience
>             Fix For: 11.0.0.Alpha1
>
>
> Attribute {{identity-mapping.otp-credential-mapper}} from Elytron ldap-realm should include Object which should contain four required attributes - algorithm-from, hash-from, seed-from, sequence-from. All of these attributes are set as nillable=false.
> However CLI allows to run command where otp-credential-mapper attribute is added without any attributes which is inconsistent with their nillable=false. See following command:
> {code}
> /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={}})
> {code}
> Moreover, this command results to configuration xml without any otp-credential-mapper:
> {code}
> <ldap-realm name="ldap-realm" dir-context="ldap">
>     <identity-mapping rdn-identifier="uid"/>
> </ldap-realm>
> {code}
> In case when at least one of otp-credential-mapper required attribute is added, then CLI command correctly fails:
> {code}
> /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={algorithm-from=atr}})
> {
>     "outcome" => "failed",
>     "failure-description" => "WFLYCTL0155: hash-from may not be null",
>     "rolled-back" => true
> }
> {code}
> Suggestion:
> Do not allow to add {{identity-mapping.otp-credential-mapper}} without required attributes.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list