[jboss-jira] [JBoss JIRA] (ELY-857) Elytron ldap-realm is not able to use LDAP attribute as principal

Jan Kalina (JIRA) issues at jboss.org
Wed Jan 11 09:47:00 EST 2017 

    [ https://issues.jboss.org/browse/ELY-857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13346558#comment-13346558 ] 

Jan Kalina commented on ELY-857:
--------------------------------

Well, if the identity principal is derived from user input by design, as its purpose is to allow re-obtain identity from realm later, described issue is *not a bug*.

Maybe the issue is, realm should provide two different principals - principal for re-obtaining and principal - user identifier for applications... Am I correct, [~dmlloyd] ?

> Elytron ldap-realm is not able to use LDAP attribute as principal
> -----------------------------------------------------------------
>
>                 Key: ELY-857
>                 URL: https://issues.jboss.org/browse/ELY-857
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Realms
>    Affects Versions: 1.1.0.Beta16
>            Reporter: Ondrej Lukas
>            Assignee: Jan Kalina
>            Priority: Blocker
>
> In Elytron ldap-realm is currently not possible to obtain username from LDAP attribute which is different than rdn-identifier. It means that username of identity is always the same as value of rdn-identifier attribute.
> It can cause issues when ldap-realm is used for authentication and another realm is used for authorization since data for realm authorization can depend on assigned name during authentication.
> Example:
> It seems that ldap-realm cannot be configured for following scenario: User with credentials {{someUser}}/{{Password}} is authenticated and name {{AuthenticatedUser}} is assigned to them (e.g. when calling {{./jboss-cli.sh -c -u=someUser -p=Password ':whoami'}}, then {{AuthenticatedUser}} should be printed). Following ldif is used:
> {code}
> dn: ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: People
> dn: uid=someUser,ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> uid: someUser
> cn: some User
> sn: AuthenticatedUser
> userPassword: Password
> {code}
> Mentioned ldif works correctly with legacy security solution.
> This missing feature can cause that migration from legacy security solution will not be possible -> we request blocker.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list