[jboss-jira] [JBoss JIRA] (ELY-1668) LDAP searchScope=OBJECT_SCOPE Elytron alternative

Darran Lofthouse (JIRA) issues at jboss.org
Wed Sep 26 14:46:00 EDT 2018


    [ https://issues.jboss.org/browse/ELY-1668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13639038#comment-13639038 ] 

Darran Lofthouse commented on ELY-1668:
---------------------------------------

Looking into this one I am also questioning the usefulness of this.

An OBJECT_SEARCH scope really means we are searching a single entry only to see if it is a match. Whilst the legacy security permutations may have made this a possibility, if we approach testing from the perspective of testing all the permutations, I don't see it as a useful feature on its own.

When it comes to configuring these searches the important scopes would be ONELEVEL_SCOPE and SUBTREE_SCOPE to control if children should be returned in the search or not.

I don't mind leaving this issue open for a while to see if we can obtain some further feedback, but at this point I don't believe we should look into this further.

> LDAP searchScope=OBJECT_SCOPE Elytron alternative
> -------------------------------------------------
>
>                 Key: ELY-1668
>                 URL: https://issues.jboss.org/browse/ELY-1668
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Realms
>    Affects Versions: 1.6.1.Final
>            Reporter: Martin Choma
>            Priority: Critical
>             Fix For: 1.7.0.CR3
>
>
> While comparing PicketBox and Elytron we came to one scenario which I am not sure is covered by Elytron.
> "As a user I am able to authenticate and authorize into a web application secured by LDAP (where the same is used for storing identities and roles) and roles are stored in a tree structure and should be only the referenced object." The author is Ondra Lukas, who is not with us anymore, so I tried to think about what this could be about. Based on context I came to the conclusion this is about the OBJECT_SCOPE value of the property searchScope.
> Could you revise whether the same is possible with Elytron? But anyway I am not sure how that feature can be useful. But maybe there is some corner case where it can be useful that I am not aware of.
> {code}
> dn: ou=People,${dnSuffix}
> objectclass: top
> objectclass: organizationalUnit
> ou: People
>
> dn: uid=jduke,ou=People,${dnSuffix}
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> uid: jduke
> cn: Java Duke
> sn: Duke
> userPassword: Password1
>
> dn: ou=RolesLevel1,${dnSuffix}
> objectclass: top
> objectclass: organizationalUnit
> ou: RolesLevel1
>
> dn: cn=RoleUnderLevel1,ou=RolesLevel1,${dnSuffix}
> objectclass: top
> objectclass: groupOfNames
> cn: RoleUnderLevel1
> member: uid=jduke,ou=People,${dnSuffix}
> description: the RoleUnderLevel1 group
> {code}
> [1] https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/login_module_reference/



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
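The difference between the three search scopes discussed in this thread, illustrated with an added example that is not part of the JIRA issue and not Elytron or PicketBox code. It models an in-memory directory built from the LDIF in the issue description (with the `${dnSuffix}` placeholder filled in as `dc=example,dc=com`, a constructed value) and runs the same role search with each scope. The scope constants mirror the JNDI `SearchControls` names; the LDIF parser, the DN handling and the `search`/`roles_for` functions are simplified assumptions for the demonstration, not a real LDAP server.

```python
"""Added example: OBJECT_SCOPE vs ONELEVEL_SCOPE vs SUBTREE_SCOPE over the
issue's LDIF. Not code from ELY-1668, Elytron or PicketBox."""

# Constructed sample: the LDIF from the issue with ${dnSuffix} filled in
# (assumed suffix dc=example,dc=com) and blank lines between entries.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password1

dn: ou=RolesLevel1,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: RolesLevel1

dn: cn=RoleUnderLevel1,ou=RolesLevel1,dc=example,dc=com
objectclass: top
objectclass: groupOfNames
cn: RoleUnderLevel1
member: uid=jduke,ou=People,dc=example,dc=com
description: the RoleUnderLevel1 group
"""

# Same numeric values as javax.naming.directory.SearchControls.
OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE = 0, 1, 2


def parse_ldif(text):
    """Minimal LDIF parser (no continuation lines, no base64): returns
    {dn: {attribute: [values]}} with attribute names lower-cased."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries


def _rdns(dn):
    return [c.strip() for c in dn.lower().split(",")]


def in_scope(base, dn, scope):
    """True when dn lies within `scope` of `base`:
    OBJECT_SCOPE   -> only the base entry itself
    ONELEVEL_SCOPE -> only the direct children of base
    SUBTREE_SCOPE  -> base and every descendant"""
    b, d = _rdns(base), _rdns(dn)
    depth = len(d) - len(b)
    if depth < 0 or d[depth:] != b:
        return False                # dn is not under base at all
    if scope == OBJECT_SCOPE:
        return depth == 0
    if scope == ONELEVEL_SCOPE:
        return depth == 1
    return True                     # SUBTREE_SCOPE


def search(entries, base, scope, filter_attr=None, filter_value=None):
    """Return the DNs within scope that satisfy a simple equality filter,
    e.g. (member=<user dn>) as used for a role search."""
    hits = []
    for dn, attrs in entries.items():
        if not in_scope(base, dn, scope):
            continue
        if filter_attr is not None and \
                filter_value not in attrs.get(filter_attr.lower(), []):
            continue
        hits.append(dn)
    return hits


def roles_for(entries, user_dn, base, scope):
    """Role lookup: groups under `base` (within `scope`) listing user_dn as
    a member. With OBJECT_SCOPE the base must itself be the group entry,
    which is why the scope adds nothing to a configurable role search."""
    return search(entries, base, scope, "member", user_dn)


if __name__ == "__main__":
    dirtree = parse_ldif(SAMPLE_LDIF)
    jduke = "uid=jduke,ou=People,dc=example,dc=com"
    for name, scope in (("OBJECT", OBJECT_SCOPE), ("ONELEVEL", ONELEVEL_SCOPE),
                        ("SUBTREE", SUBTREE_SCOPE)):
        print(name, roles_for(dirtree, jduke, "dc=example,dc=com", scope))
```

Running the script shows that a role search rooted at the suffix finds `RoleUnderLevel1` only with `SUBTREE_SCOPE`; rooted at `ou=RolesLevel1` it is found with `ONELEVEL_SCOPE` or `SUBTREE_SCOPE`, and with `OBJECT_SCOPE` it is found only when the search base is the group's own DN, so the base DN would have to be configured per role.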