[jboss-jira] [JBoss JIRA] (WFCORE-2146) Security-Realm Authorization over LDAP doesn't permit multiple Attribute names as filter.
Darran Lofthouse (JIRA)
issues at jboss.org
Fri Jul 7 09:58:01 EDT 2017
[ https://issues.jboss.org/browse/WFCORE-2146?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse reassigned WFCORE-2146:
----------------------------------------
Assignee: (was: Darran Lofthouse)
> Security-Realm Authorization over LDAP doesn't permit multiple Attribute names as filter.
> -------------------------------------------------------------------------------------------
>
> Key: WFCORE-2146
> URL: https://issues.jboss.org/browse/WFCORE-2146
> Project: WildFly Core
> Issue Type: Feature Request
> Components: Security
> Environment: CentOS release 6.8 (Final)
> JBoss Admin Command-line Interface
> JBOSS_HOME: /opt/wildfly/10.1.0
> JBoss AS release: 2.2.0.Final "Kenny"
> JBoss AS product: WildFly Full 10.1.0.Final
> JAVA_HOME: null
> java.version: 1.8.0_40
> java.vm.vendor: Oracle Corporation
> java.vm.version: 25.40-b25
> os.name: Linux
> os.version: 4.6.3-1.el6.elrepo.x86_64
> Reporter: Daniel Draper
>
> When hooking up our WildFly application to our SSO (CAS) for authentication, delegating authorization to a Security Realm and then using LDAP, we ran into the following problem:
> *Use Case*
> We want to use authorization inside a Security-Realm through LDAP.
> In our LDAP setup we have a Group-To-Principal matching of the form "member=uid=x" OR "submember=uid=x", depending on whether the user was added manually or through an autodomain.
> Unfortunately, as far as we could tell, using two attributes in the Polish Notation (as is required by [LDAP|https://ldapwiki.com/wiki/LDAP%20filters%20Syntax%20and%20Choices]) seems to be impossible in the WildFly configuration. We tried the following in the standalone-accounting.xml (in different iterations and ways of placing the parentheses), all of which led to an 'unbalanced parenthesis' or similar error when starting up WildFly.
> {code:xml}
> <management>
>   <security-realms>
>     <security-realm name="bla">
>       <authorization>
>         <ldap connection="ldap">
>           <username-to-dn>
>             <username-is-dn/>
>           </username-to-dn>
>           <group-search group-name="SIMPLE" iterative="false" group-dn-attribute="cn" group-name-attribute="cn">
>             <group-to-principal search-by="SIMPLE" base-dn="ou=roles,***" recursive="false">
>               <membership-filter principal-attribute="|(submember=uid={0})(member=uid={0})"/>
>             </group-to-principal>
>           </group-search>
>         </ldap>
>       </authorization>
>     </security-realm>
>   </security-realms>
> </management>
> {code}
> We then found that the filterString is parsed the following way (see [LdapGroupSearcherFactory#L115|https://github.com/wildfly/wildfly-core/blob/master/domain-management/src/main/java/org/jboss/as/domain/management/security/LdapGroupSearcherFactory.java#L115]):
> {code:java}
> this.filterString = String.format("(%s={0})", principalAttribute);
> {code}
> which seems to make using multiple attribute names in a filter impossible, and therefore makes our use case above impossible.
> I asked in the [Forums|https://developer.jboss.org/thread/273435], but since I didn't get any answers for 3 weeks I'm opening it here.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
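As an added example (not WildFly's code and not from the reporter), the following Python mirrors the String.format("(%s={0})", principalAttribute) template quoted in the issue, checks its output against the RFC 4515 filter grammar, and builds the OR filter the reporter's use case actually needs. is_valid_filter, or_membership_filter, escape_filter_value and bind_principal are helpers written for this example only; the escaping step assumes the {0} placeholder is filled with an untrusted principal name and shows why it must be escaped before the filter reaches the directory.

```python
# Added example (not WildFly code): reproduce the membership-filter template from
# LdapGroupSearcherFactory and validate its output against RFC 4515 structure.
import re

def wildfly_membership_filter(principal_attribute):
    # Same effect as String.format("(%s={0})", principalAttribute): the
    # attribute name is wrapped in one equality item; {0} is filled in later.
    return "(%s={0})" % principal_attribute

def or_membership_filter(items):
    # An RFC 4515 OR over several equality items, e.g. "member=uid={0}".
    return "(|%s)" % "".join("(%s)" % item for item in items)

def escape_filter_value(value):
    # RFC 4515 escaping of the substituted principal, so metacharacters in a
    # username cannot change the filter's structure (LDAP filter injection).
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(c, c) for c in value)

def bind_principal(filter_template, principal, escape=True):
    # Replaces the {0} placeholder like MessageFormat would, optionally escaping.
    return filter_template.replace("{0}", escape_filter_value(principal) if escape else principal)

_ITEM = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*=[^()]*$")  # attr=assertion value

def is_valid_filter(f):
    # Minimal RFC 4515 structure check: "(attr=value)", or "(|...)" / "(&...)"
    # over one or more nested filters with nothing stray between them.
    if not (f.startswith("(") and f.endswith(")")):
        return False
    body = f[1:-1]
    if body[:1] not in ("|", "&"):
        return bool(_ITEM.match(body))
    parts, depth, start = [], 0, 1
    for i, c in enumerate(body[1:], start=1):
        if c == "(":
            start = i if depth == 0 else start
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
        elif depth == 0:
            return False  # stray text between operands, e.g. the trailing "={0}"
        if depth < 0:
            return False
    return depth == 0 and bool(parts) and all(is_valid_filter(p) for p in parts)

if __name__ == "__main__":
    f = wildfly_membership_filter("|(submember=uid={0})(member=uid={0})")
    print(f, is_valid_filter(f))  # the reporter's setting yields an invalid filter
```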