[jboss-jira] [JBoss JIRA] (ELY-804) LdapRealm - referral mode: direct verification + THROW mode

Jan Kalina (JIRA) issues at jboss.org
Thu Jan 19 18:41:00 EST 2017


    [ https://issues.jboss.org/browse/ELY-804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13351388#comment-13351388 ] 

Jan Kalina commented on ELY-804:
--------------------------------

We would need to transmit DirContext from getIdentity()/getAttributes() to verifyEvidence().
As we cannot store DirContext in LdapIdentity (we have to close it), we need to search for the identity in every such method (verifyEvidence/getCredential/getCredential/getCredentialAcquireSupport), which will be pretty ineffective.

(Or I can optimize it a bit - I can store a boolean indicating whether the identity was found in a referred context and continue as in the current version if it was from the default DirContext - but it will help for non-referred cases only.)

[~dlofthouse] Do you agree with the solution above, or do you see a better solution?

> LdapRealm - referral mode: direct verification + THROW mode
> ------------------------------------------------------------
>
>                 Key: ELY-804
>                 URL: https://issues.jboss.org/browse/ELY-804
>             Project: WildFly Elytron
>          Issue Type: Feature Request
>          Components: Realms
>            Reporter: Jan Kalina
>            Assignee: Jan Kalina
>            Priority: Blocker
>             Fix For: 1.1.0.Beta17
>
>
> *1) Logging in as a referral user is still not possible.*
> Currently the referral user can be found by the ldap realm, but his password cannot be verified => logging in is still not possible.
> There are two possible ways to authenticate a user in the ldap realm:
>     using direct verification - in this case, after obtaining the referral user, this referral user is used in an LDAP bindRequest against the original LDAP server (not the referenced LDAP server), which results in an invalid credentials bindResponse
>     not using direct verification - in this case, after obtaining the referral user, this user is used as part of a baseObject scope LDAP searchRequest for the password attribute against the original LDAP server (not the referenced LDAP server), which results in a noSuchObject searchResDone.
> Comment [1] says that you are able to log in as a user of the referred server. Can you please share your configuration? Since there is no related documentation, maybe I am doing something wrong in using or not using direct verification.
> *2) Elytron does not handle THROW referral mode*
> When the dir-context uses THROW referral-mode, com.sun.jndi.ldap.LdapReferralException is not caught in Elytron (which is the LDAP client) and is thrown to the integration tier, which also does not handle it; e.g. when the ldap-realm is used for authentication to an application, this results in status code 500 being returned to the application.
> [1] https://issues.jboss.org/browse/WFLY-7322?focusedCommentId=13307815&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13307815
> ( Requested in https://issues.jboss.org/browse/JBEAP-6450?focusedCommentId=13323387#comment-13323387 )



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
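One way to handle the THROW referral mode and the direct-verification case described in the issue, as an added Java example that is not Elytron's code: the search follows each LdapReferralException to the server it names, and the subsequent simple bind is sent to that server rather than to the original one. The class and method names, the hop limit and the URI-based parsing of the referral URL are assumptions.

```java
import java.net.URI;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.LdapReferralException;

public class ReferralAwareVerifier {   // hypothetical class and method names
    // Find the user's DN under baseDn using a context configured with java.naming.referral=throw,
    // following each LdapReferralException to the server it names. Returns {dn, urlOfThatServer},
    // or null if the user does not exist.
    static String[] locate(Hashtable<String, Object> env, String baseDn, String filter) throws NamingException {
        String serverUrl = (String) env.get(Context.PROVIDER_URL);
        DirContext ctx = new InitialDirContext(env);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        try {
            for (int hops = 0; hops < 5; hops++) {  // assumed bound on the referral chain
                try {
                    NamingEnumeration<SearchResult> rs = ctx.search(baseDn, filter, sc);
                    return rs.hasMore() ? new String[] { rs.next().getNameInNamespace(), serverUrl } : null;
                } catch (LdapReferralException e) {
                    // The entry lives on another server (ldap://host:port/...): re-run the same search
                    // there and remember that server. Binding or searching on the original server would
                    // only yield invalidCredentials / noSuchObject, as the issue describes.
                    URI ref = URI.create(e.getReferralInfo().toString());   // assumes a plain LDAP URL
                    serverUrl = ref.getScheme() + "://" + ref.getAuthority();
                    DirContext next = (DirContext) e.getReferralContext();
                    ctx.close();
                    ctx = next;
                }
            }
            throw new NamingException("referral chain too long");
        } finally {
            ctx.close();
        }
    }

    // Direct verification: a simple bind as the located DN against the server that holds it.
    static boolean verify(String serverUrl, String dn, String password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, serverUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();      // bind accepted
            return true;
        } catch (AuthenticationException e) {        // invalidCredentials
            return false;
        }
    }
}
```

Call `locate` with an environment whose `java.naming.referral` is `throw`, then pass the returned DN and server URL to `verify`; a null from `locate` means the user was not found on any server in the chain.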

