[security-dev] Adding a new child group to a parent group that has no children before

Diego Lin diegol at synnex.com
Tue Sep 15 04:13:51 EDT 2015


Hi all,

I don't think it's a bug. It's the LDAP mechanism. You may create a member when you initialize your LDAP data, like this circled in red:
[inline image: Outlook.jpg (attachment scrubbed by the list archive)]


Thanks,
Diego
Software Engineer | IT Architecture | diegol at synnex.com | 782370
________________________________
From: security-dev-bounces at lists.jboss.org [mailto:security-dev-bounces at lists.jboss.org] On Behalf Of Ehsan Zaery Moghaddam
Sent: Tuesday, September 15, 2015 3:55 PM
To: security-dev at lists.jboss.org
Subject: [security-dev] Adding a new child group to a parent group that has no children before

Hi guys

I'm trying to use the picketlink on top of LDAP server using the following configuration:

import javax.enterprise.event.Observes;

import org.picketlink.event.IdentityConfigurationEvent;
import org.picketlink.idm.config.IdentityConfigurationBuilder;
import org.picketlink.idm.model.basic.Group;
import org.picketlink.idm.model.basic.GroupMembership;
import org.picketlink.idm.model.basic.User;

// The enclosing CDI bean was not shown in the post; its name is assumed here.
public class IdentityConfigObserver {

    public void observeIdentityConfigurationEvent(@Observes IdentityConfigurationEvent event) {
        IdentityConfigurationBuilder builder = event.getConfig();

        builder.named("default")
            .stores()
                .ldap()
                    .baseDN("dc=moghaddam,dc=com")
                    .bindDN("cn=Directory Manager")
                    .bindCredential("111")
                    .url("ldap://localhost:389")
                    .supportCredentials(true)
                    // User entries live under ou=Users and are inetOrgPerson objects
                    .mapping(User.class)
                        .baseDN("ou=Users,dc=moghaddam,dc=com")
                        .objectClasses("inetOrgPerson")
                        .attribute("firstName", "givenName")
                        .attribute("lastName", "sn")
                        .attribute("email", "mail")
                        .attribute("loginName", "cn", true)
                        .attribute("employeeNumber", "employeeNumber")
                    // Group entries live under ou=Groups; parent/child links use the "member" attribute
                    .mapping(Group.class)
                        .hierarchySearchDepth(4)
                        .baseDN("ou=Groups,dc=moghaddam,dc=com")
                        .objectClasses("gamGroup")
                        .attribute("name", "name", true)
                        .parentMembershipAttributeName("member")
                    .mapping(GroupMembership.class)
                        .forMapping(Group.class)
                        .attribute("member", "member")
            .build();
    }
}

What I want to do is to create a new Group as a child of a parent Group object:

Group parentGroup = BasicModel.getGroup(identityManager, "/Group 1");
Group group = new Group("Child Group", parentGroup);

identityManager.add(group);

If "/Group 1" has at least one "member" in LDAP, everything works fine. But if it has no members at all, when PicketLink's LDAPIdentityStore.addToParentAsMember (https://github.com/picketlink/picketlink/blob/master/modules/idm/impl/src/main/java/org/picketlink/idm/ldap/internal/LDAPIdentityStore.java#L1008) tries to load it from the LDAP server, there would be no Attribute object named "member" in its attribute list. So when it tries to call the add method of the retrieved attribute, a NullPointerException would be thrown.

I'm not sure whether this is intentional (that is, a group should always have at least one member) or just a bug, so I decided to ask here first and haven't created an issue in JIRA yet. If it's a bug, there should be a check against null before adding the new child: if the member attribute is null, we have to first add a "member" attribute to the parent object and then add the new child to it.

Regards
Ehsan
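The null-check that Ehsan's message asks for, written out as a self-contained JNDI example. This is added illustration, not PicketLink's own code and not the fix the project applied: the class and method names (SafeParentMembership, buildMembershipChange) and the sample entries are assumed for this example. It shows the two cases a parent group can be in when a child is attached: no "member" attribute at all (the case that produced the NullPointerException) and an existing "member" attribute that may or may not already list the child.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

/**
 * Illustrative stand-in for the "add child to parent as member" step.
 * Not PicketLink code; names in this class are assumed for the example.
 */
public class SafeParentMembership {

    /**
     * Builds the LDAP modification that records childDn as a member of the
     * parent entry whose attributes are parentAttrs. Works whether or not the
     * parent already carries the membership attribute. Returns null when the
     * child is already listed, so no modification is needed.
     */
    public static ModificationItem buildMembershipChange(Attributes parentAttrs,
                                                         String membershipAttr,
                                                         String childDn) throws NamingException {
        Attribute existing = parentAttrs.get(membershipAttr);

        // Case 1: the parent has no members yet, so the attribute is absent.
        // Calling existing.add(childDn) here is exactly the NullPointerException
        // described in the thread; instead, create the attribute with the child
        // as its first value.
        if (existing == null) {
            Attribute created = new BasicAttribute(membershipAttr, childDn);
            return new ModificationItem(DirContext.ADD_ATTRIBUTE, created);
        }

        // Case 2: the attribute exists. Skip duplicates, which directories
        // typically reject with attributeOrValueExists, and otherwise add the
        // new value alongside the existing ones.
        if (existing.contains(childDn)) {
            return null;
        }
        Attribute added = new BasicAttribute(membershipAttr, childDn);
        return new ModificationItem(DirContext.ADD_ATTRIBUTE, added);
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample: a parent group entry with no "member" attribute,
        // mirroring "/Group 1" before it has any children.
        Attributes emptyParent = new BasicAttributes(true);
        emptyParent.put("objectClass", "gamGroup");
        emptyParent.put("name", "Group 1");

        // Constructed child DN; the real DN depends on the store's naming attribute.
        String childDn = "name=Child Group,ou=Groups,dc=moghaddam,dc=com";

        ModificationItem change = buildMembershipChange(emptyParent, "member", childDn);
        System.out.println("Empty parent -> " + change);

        // Constructed sample: a parent that already lists the child.
        Attributes populatedParent = new BasicAttributes(true);
        populatedParent.put("member", childDn);
        System.out.println("Already a member -> " + buildMembershipChange(populatedParent, "member", childDn));

        // Against a live directory the returned item would be applied with
        // ctx.modifyAttributes(parentDn, new ModificationItem[] { change });
    }
}
```

Using ADD_ATTRIBUTE with a fresh BasicAttribute rather than mutating the fetched Attribute in place is what makes the two cases collapse into one path on the server side: the directory creates the attribute if it is missing and appends the value if it is present, so the client never has to hold a possibly-null reference.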

