[jboss-jira] [JBoss JIRA] (ELY-857) Elytron ldap-realm is able to obtain username only from rdn-identifier attribute

Ondrej Lukas (JIRA) issues at jboss.org
Mon Jan 2 07:00:00 EST 2017


Ondrej Lukas created ELY-857:
--------------------------------

             Summary: Elytron ldap-realm is able to obtain username only from rdn-identifier attribute
                 Key: ELY-857
                 URL: https://issues.jboss.org/browse/ELY-857
             Project: WildFly Elytron
          Issue Type: Bug
            Reporter: Ondrej Lukas
            Assignee: Darran Lofthouse
            Priority: Blocker


In Elytron ldap-realm it is currently not possible to obtain the username from an LDAP attribute other than the rdn-identifier attribute. This means the username of an identity is always the same as the value of the rdn-identifier attribute.

This can cause issues when ldap-realm is used for authentication and another realm is used for authorization, since the data of the authorization realm can depend on the name assigned during authentication.

Example:
It seems that ldap-realm cannot be configured for the following scenario: a user with credentials {{someUser}}/{{Password}} is authenticated and the name {{AuthenticatedUser}} is assigned to them (e.g. when calling {{./jboss-cli.sh -c -u=someUser -p=Password ':whoami'}}, {{AuthenticatedUser}} should be printed). The following ldif is used:
{code}
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=someUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: someUser
cn: some User
sn: AuthenticatedUser
userPassword: Password
{code}

The ldif above works correctly with the legacy security solution.

This missing feature can make migration from the legacy security solution impossible -> we request blocker.
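To make the reported gap concrete, here is an added, self-contained illustration (not Elytron code, not part of the JIRA issue): a minimal LDIF parser over the ldif from the report, plus a toy realm lookup that resolves the principal name either from the rdn-identifier attribute (current behaviour) or from a separately configured attribute such as {{sn}} (the requested behaviour). The function names, the {{name_attribute}} parameter and the plain-text password comparison are assumptions of this example only.

```python
"""Constructed example: why the principal name should come from a
configurable attribute instead of always from the rdn-identifier attribute.
Not Elytron code; the LDIF below is the sample from the report."""
import hmac

LDIF = """\
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=someUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: someUser
cn: some User
sn: AuthenticatedUser
userPassword: Password
"""


def parse_ldif(text):
    """Parse LDIF into entries of the form {"dn": str, "attrs": {name: [values]}}.
    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive. Base64 (::) values and folded continuation lines are
    not handled; the sample uses neither."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():          # blank line terminates an entry
            if current:
                entries.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def find_entry(entries, rdn_identifier, login_name):
    """Locate the entry whose rdn-identifier attribute equals the login name,
    which is how the realm looks up an identity."""
    for entry in entries:
        if login_name in entry["attrs"].get(rdn_identifier.lower(), []):
            return entry
    return None


def principal_name(entry, rdn_identifier, name_attribute=None):
    """Current behaviour: the name is the rdn-identifier value.
    Requested behaviour: the name comes from name_attribute when configured."""
    attr = (name_attribute or rdn_identifier).lower()
    values = entry["attrs"].get(attr)
    if not values:
        raise LookupError(f"entry {entry['dn']} has no attribute {attr}")
    return values[0]


def authenticate(entries, rdn_identifier, login, password, name_attribute=None):
    """Return the assigned principal name on success, None on failure.
    Plain-text userPassword comparison exists only for this sample; a real
    directory stores hashed passwords and the server verifies them."""
    entry = find_entry(entries, rdn_identifier, login)
    if entry is None:
        return None
    stored = entry["attrs"].get("userpassword", [])
    if not any(hmac.compare_digest(password, v) for v in stored):
        return None
    return principal_name(entry, rdn_identifier, name_attribute)


if __name__ == "__main__":
    people = parse_ldif(LDIF)
    # rdn-identifier only: the name is forced to "someUser"
    print(authenticate(people, "uid", "someUser", "Password"))
    # with a separate name attribute: "AuthenticatedUser", as the report expects
    print(authenticate(people, "uid", "someUser", "Password", name_attribute="sn"))
```

Run stand-alone, the first call prints the name the current realm assigns (the uid), the second the name the reporter expects once a separate name attribute can be configured.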



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)