[jboss-jira] [JBoss JIRA] (ELY-857) Elytron ldap-realm is not able to use LDAP attribute as principal

David Lloyd (JIRA) issues at jboss.org
Wed Jan 11 08:05:01 EST 2017


    [ https://issues.jboss.org/browse/ELY-857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13346155#comment-13346155 ] 

David Lloyd commented on ELY-857:
---------------------------------

Today the principal is derived from the input for good reason: so that a SecurityIdentity's principal can always be used to recreate that identity.  If we derive the authenticated principal from the output we can end up in situations where the principal from an SI results in a different identity when used to authenticate, whose principal in turn can result in another different identity, etc.

So we'd need to solve this basic problem first.

> Elytron ldap-realm is not able to use LDAP attribute as principal
> -----------------------------------------------------------------
>
>                 Key: ELY-857
>                 URL: https://issues.jboss.org/browse/ELY-857
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Realms
>    Affects Versions: 1.1.0.Beta16
>            Reporter: Ondrej Lukas
>            Assignee: Jan Kalina
>            Priority: Blocker
>
> In Elytron ldap-realm it is currently not possible to obtain the username from an LDAP attribute which is different from the rdn-identifier. It means that the username of the identity is always the same as the value of the rdn-identifier attribute.
> It can cause issues when ldap-realm is used for authentication and another realm is used for authorization, since data for realm authorization can depend on the name assigned during authentication.
> Example:
> It seems that ldap-realm cannot be configured for the following scenario: a user with credentials {{someUser}}/{{Password}} is authenticated and the name {{AuthenticatedUser}} is assigned to them (e.g. when calling {{./jboss-cli.sh -c -u=someUser -p=Password ':whoami'}}, {{AuthenticatedUser}} should be printed). The following ldif is used:
> {code}
> dn: ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: People
>
> dn: uid=someUser,ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> uid: someUser
> cn: some User
> sn: AuthenticatedUser
> userPassword: Password
> {code}
> The mentioned ldif works correctly with the legacy security solution.
> This missing feature can mean that migration from the legacy security solution will not be possible -> we request blocker.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
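A small check of the round-trip concern raised in the comment above, added here as an illustration and not code from Elytron or from this thread. It models a directory on the report's LDIF (plus one constructed extra entry, uid=AuthenticatedUser, so the chain of identities is visible), resolves names via the rdn-identifier the way the realm does, and then feeds the returned principal back into authentication to see whether it reaches a fixed point: deriving the principal from the input is stable, deriving it from the `sn` attribute is not.

```python
# Constructed directory modelled on the report's LDIF, plus one extra entry
# (uid=AuthenticatedUser) invented here to show a drifting chain.
# This is a simplified model of an ldap-realm lookup, not Elytron code.
RDN_IDENTIFIER = "uid"
DN_SOME_USER = "uid=someUser,ou=People,dc=jboss,dc=org"
DN_AUTH_USER = "uid=AuthenticatedUser,ou=People,dc=jboss,dc=org"  # constructed
DIRECTORY = {
    DN_SOME_USER: {"uid": "someUser", "cn": "some User", "sn": "AuthenticatedUser"},
    DN_AUTH_USER: {"uid": "AuthenticatedUser", "cn": "other", "sn": "otherUser"},
}


def lookup(name):
    """Resolve a name as the realm does: match it against the rdn-identifier
    attribute of each entry. Returns (dn, attrs) or None."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get(RDN_IDENTIFIER) == name:
            return dn, attrs
    return None


def authenticate(name, principal_attribute=None):
    """Return (principal, dn) for a resolvable name, else None.
    principal_attribute=None: the principal is the input name (today's rule).
    Otherwise the principal is read from that attribute of the entry found
    (the behaviour the report asks for)."""
    hit = lookup(name)
    if hit is None:
        return None
    dn, attrs = hit
    principal = name if principal_attribute is None else attrs[principal_attribute]
    return principal, dn


def round_trip(name, principal_attribute=None, max_hops=5):
    """Feed the returned principal back into authenticate() until it reproduces
    itself (a fixed point) or stops resolving. Returns (stable, hops), where
    hops lists each (principal, dn) reached, so a drifting chain is visible."""
    hops = []
    current = name
    for _ in range(max_hops):
        result = authenticate(current, principal_attribute)
        if result is None:
            return False, hops  # the principal cannot recreate any identity
        principal, dn = result
        hops.append((principal, dn))
        if principal == current:
            return True, hops  # the principal reproduces the same identity
        current = principal
    return False, hops  # still drifting after max_hops
```

With the report's entry alone, a principal taken from `sn` simply fails to resolve on the second hop; the constructed second entry shows the longer chain the comment warns about.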

