WildFly Elytron / ELY-672

Getting identity by DN in Elytron ldap-realm should be case insensitive


Details

    • Bug
    • Resolution: Done
    • Major
    • 1.1.0.Beta12
    • None
    • Realms
    • None

      1) start server with standalone-elytron.xml
      2) use following CLI commands for setting LDAP authentication for application

      /subsystem=elytron/dir-context=local-ldap:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential="secret")
      /subsystem=elytron/ldap-realm=ldap-auth:add(dir-context=local-ldap,identity-mapping={rdn-identifier=uid,search-base-dn="ou=People,dc=jboss,dc=org",user-password-mapper={from="userPassword",writable=true,verifiable=true},attribute-mapping=[{from=cn,to=myRole,filter="(member={0})",filter-base-dn="ou=Roles,dc=jboss,dc=org"}]})
      /subsystem=elytron/simple-role-decoder=myRole-to-role:add(attribute=myRole)
      /subsystem=elytron/security-domain=LdapAuth:add(default-realm=ldap-auth,permission-mapper=login-permission-mapper,role-mapper=combined-role-mapper,realms=[{realm=ldap-auth,role-decoder=myRole-to-role}])
      /subsystem=elytron/http-authentication-factory=ldap-http-authentication:add(http-server-mechanism-factory=global,security-domain=LdapAuth,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Realm"}]}])
      /subsystem=undertow/application-security-domain=ldap:add(http-authentication-factory=ldap-http-authentication)
      

      3) start the LDAP server (it must be the same server that was added to the dir-context) with the following LDIF:

      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People
      
      dn: uid=jduke,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: person
      objectclass: inetOrgPerson
      uid: jduke
      cn: Java Duke
      sn: Duke
      userPassword: Password
      
      dn: ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Roles
      
      dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: JBossAdmin
      member: uid=jduke,ou=People,dc=jboss,dc=org
      description: the JBossAdmin group
      

      4) deploy testing application (see Jira attachments)
      5) try to login to http://127.0.0.1:8080/print-roles/protected/printRoles?role=JBossAdmin as uid=jduke,ou=People,dc=jboss,dc=org -> succeed
      6) try to login to http://127.0.0.1:8080/print-roles/protected/printRoles?role=JBossAdmin as UID=jduke,ou=People,dc=jboss,dc=org -> fail


    Description

      The Elytron ldap-realm allows a DN to be used as the username (e.g. the full uid=jduke,ou=People,dc=jboss,dc=org can be used instead of jduke). However, the implementation requires that the DN used must start with the rdn-identifier in the same letter case as is used in the server configuration. Otherwise authentication fails. This means that when the server configuration uses rdn-identifier=uid, only uid=jduke,... can be used successfully; UID=jduke,... will fail.

      The LDAP specification does not talk about the case sensitivity of attributes, but most LDAP servers treat attribute names as case insensitive.
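      The following is an added example, not Elytron's own code, that models the DN-to-identity step the issue describes: the first RDN of the supplied principal is parsed and its attribute type is compared against the configured rdn-identifier. The `case_insensitive=False` path reproduces the behaviour reported above (UID=jduke,... is rejected), and the default path shows the expected fix, which compares attribute types case-insensitively as RFC 4512 defines them. The additional check that the remaining RDNs equal the configured search-base-dn is an assumption added here as a defensive measure, not something the issue states about Elytron; the configuration constants mirror the CLI commands in the steps to reproduce.

```python
# Constructed configuration values mirroring the ldap-realm CLI command in the issue.
RDN_IDENTIFIER = "uid"
SEARCH_BASE_DN = "ou=People,dc=jboss,dc=org"


def split_rdns(dn):
    """Split a DN string into its RDN strings at unescaped commas (RFC 4514).

    A backslash escapes the following character, so 'cn=Duke\\, Java' stays one RDN.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def parse_rdn(rdn):
    """Return (attribute_type, value) for a single-valued RDN, or None if malformed."""
    if "=" not in rdn:
        return None
    attr, _, value = rdn.partition("=")
    return attr.strip(), value.strip()


def normalize_rdn(rdn):
    """Normalize one RDN for comparison: attribute types are case-insensitive (RFC 4512);
    lower-casing the value as well assumes caseIgnoreMatch, which is an assumption here."""
    parsed = parse_rdn(rdn)
    if parsed is None:
        return None
    attr, value = parsed
    return attr.lower(), value.lower()


def username_from_dn(principal, rdn_identifier=RDN_IDENTIFIER,
                     search_base_dn=SEARCH_BASE_DN, case_insensitive=True):
    """Model of the realm's DN handling.

    Returns the RDN value (the identity name to search for) when 'principal' is a DN whose
    first RDN uses the configured identifier and whose parent is the search base; else None.
    case_insensitive=False reproduces the reported bug.
    """
    rdns = split_rdns(principal)
    if len(rdns) < 2:
        return None  # a bare RDN is not treated as a DN
    parsed = parse_rdn(rdns[0])
    if parsed is None:
        return None
    attr, value = parsed
    if case_insensitive:
        matches = attr.lower() == rdn_identifier.lower()
    else:
        matches = attr == rdn_identifier  # buggy behaviour: "UID" != "uid"
    if not matches:
        return None
    # Assumed extra check: the DN must sit directly under the configured search base,
    # otherwise uid=jduke,ou=Other,... would silently map to the same identity.
    parent = [normalize_rdn(r) for r in rdns[1:]]
    base = [normalize_rdn(r) for r in split_rdns(search_base_dn)]
    if None in parent or parent != base:
        return None
    return value


def resolve_identity(principal, **kwargs):
    """Return the identity name used for the LDAP lookup: a plain username is passed
    through unchanged, a DN is reduced to its RDN value via username_from_dn."""
    if "=" not in principal:
        return principal  # plain username such as "jduke"
    return username_from_dn(principal, **kwargs)


if __name__ == "__main__":
    for p in ("jduke", "uid=jduke,ou=People,dc=jboss,dc=org", "UID=jduke,ou=People,dc=jboss,dc=org"):
        print(p, "->", resolve_identity(p, case_insensitive=False), "(case-sensitive)",
              "/", resolve_identity(p), "(case-insensitive)")
```

      Running the script prints that the lower-case DN resolves to jduke under both comparisons, while the upper-case UID=jduke,... resolves only under the case-insensitive comparison, which is exactly the difference between steps 5 and 6 above.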

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              olukas Ondrej Lukas (Inactive)