[jboss-jira] [JBoss JIRA] (ELY-857) Elytron ldap-realm is not able to use LDAP attribute as principal
David Lloyd (JIRA)
issues at jboss.org
Wed Jan 11 08:08:00 EST 2017
[ https://issues.jboss.org/browse/ELY-857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13346158#comment-13346158 ]
David Lloyd commented on ELY-857:
---------------------------------
Note that the principal derived from the realm is not used in the final SecurityIdentity at all today. It is only used to be able to locate the identity within the realm itself, which may have a later function relating to self-service.
> Elytron ldap-realm is not able to use LDAP attribute as principal
> -----------------------------------------------------------------
>
> Key: ELY-857
> URL: https://issues.jboss.org/browse/ELY-857
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Realms
> Affects Versions: 1.1.0.Beta16
> Reporter: Ondrej Lukas
> Assignee: Jan Kalina
> Priority: Blocker
>
> In Elytron ldap-realm it is currently not possible to obtain the username from an LDAP attribute which is different from rdn-identifier. It means that the username of the identity is always the same as the value of the rdn-identifier attribute.
> It can cause issues when ldap-realm is used for authentication and another realm is used for authorization, since data for realm authorization can depend on the name assigned during authentication.
> Example:
> It seems that ldap-realm cannot be configured for the following scenario: User with credentials {{someUser}}/{{Password}} is authenticated and name {{AuthenticatedUser}} is assigned to them (e.g. when calling {{./jboss-cli.sh -c -u=someUser -p=Password ':whoami'}}, then {{AuthenticatedUser}} should be printed). The following ldif is used:
> {code}
> dn: ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: People
>
> dn: uid=someUser,ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> uid: someUser
> cn: some User
> sn: AuthenticatedUser
> userPassword: Password
> {code}
> The mentioned ldif works correctly with the legacy security solution.
> This missing feature can cause migration from the legacy security solution to be impossible -> we request blocker.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
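As an added illustration (not code from the Elytron project or from the report), a small Python model of the mapping the report asks for: the identity is located by the rdn-identifier ({{uid}}) and its password checked, but the assigned name is taken from a configurable attribute ({{sn}}) rather than from {{uid}}. The LDIF is the one from the report; the {{principal_attribute}} parameter is a hypothetical knob for this model, not an Elytron configuration attribute.

```python
# LDIF from the bug report, embedded inline so the example runs offline.
LDIF = """\
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=someUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: someUser
cn: some User
sn: AuthenticatedUser
userPassword: Password
"""

def parse_ldif(text):
    """One dict per LDIF entry: lower-cased attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def resolve_identity(entries, search_base_dn, rdn_identifier, name):
    """Locate the entry under search_base_dn whose rdn-identifier attribute equals name."""
    for entry in entries:
        dn = entry.get("dn", [""])[0].lower()
        if dn.endswith("," + search_base_dn.lower()) and entry.get(rdn_identifier.lower()) == [name]:
            return entry
    return None

def authenticate(entries, username, password, principal_attribute=None):
    """Model of ldap-realm: locate the identity by uid, check userPassword, return the assigned name.
    principal_attribute is a hypothetical knob: None reproduces today's behaviour (name == uid),
    "sn" yields the name the report expects."""
    entry = resolve_identity(entries, "ou=People,dc=jboss,dc=org", "uid", username)
    # Plain comparison stands in for the LDAP bind a real realm performs.
    if entry is None or entry.get("userpassword") != [password]:
        return None
    values = entry.get((principal_attribute or "uid").lower())
    return values[0] if values else None
```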