[jboss-jira] [JBoss JIRA] (ELY-903) Missing some role assignment for Elytron ldap-realm when role and user are members of the same role

Jan Kalina (JIRA) issues at jboss.org
Tue Feb 7 10:25:00 EST 2017 

    [ https://issues.jboss.org/browse/ELY-903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13359855#comment-13359855 ] 

Jan Kalina commented on ELY-903:
--------------------------------

Probably problem: realm find R1, find it role R2 and its role R3 - add all of them to the set of already added groups. When later found R2, it does not find its roles, as it was already added...

> Missing some role assignment for Elytron ldap-realm when role and user are members of the same role
> ---------------------------------------------------------------------------------------------------
>
>                 Key: ELY-903
>                 URL: https://issues.jboss.org/browse/ELY-903
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Realms
>    Affects Versions: 1.1.0.Beta21
>            Reporter: Ondrej Lukas
>            Assignee: Jan Kalina
>            Priority: Critical
>         Attachments: print-roles.war
>
>
> In case when role recursion is configured for ldap-realm and given LDAP includes some role which has member some user and also another role, then some roles are intermittently not assigned. See Steps to Reproduce for more details about configuration.
> Most important part of ldif for reproduction is following:
> {code}
> dn: cn=R1,ou=Roles,dc=jboss,dc=org
> objectclass: top
> objectclass: groupOfNames
> cn: R1
> member: uid=jduke,ou=People,dc=jboss,dc=org
> description: the R1 group
> dn: cn=R2,ou=Roles,dc=jboss,dc=org
> objectclass: top
> objectclass: groupOfNames
> cn: R2
> member: uid=jduke,ou=People,dc=jboss,dc=org
> member: cn=R1,ou=Roles,dc=jboss,dc=org
> description: the R2 group
> dn: cn=R3,ou=Roles,dc=jboss,dc=org
> objectclass: top
> objectclass: groupOfNames
> cn: R3
> member: cn=R2,ou=Roles,dc=jboss,dc=org
> description: the R3 group
> {code}
> User jduke is direct member of roles R1 and R2. However role R2 is also member of role R1. In case when {{ldap-realm.identity-mapping.attribute-mapping.role-recursion}} is configured to {{2}}, then sometimes only roles R1, R2 and R3 are assigned (and role R4 is missing).
> The same behavior occurs when role mapping is configured in application server in opposite way (principal to group mapping which uses memberOf attribute).



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list