-
Bug
-
Resolution: Done
-
Critical
-
None
-
1.1.0.Beta13
-
None
Scenario: I am trying to assign role from LDAP to user. I would like to use input username (e.g. admin) in filter, not full user DN (e.g. uid=admin,ou=People,dc=jboss,dc=org). It seems Elytron ldap-realm does not provide any wildcard which can be used for input username.
In EAP 7.0 (with PicketBox), LdapExtLoginModule provides roleFilter option which filter can contain following wildcards:
- {0} - for input username
- {1} - for authenticated full user DN
It seems that Elytron supports only wildcard for authenticated full user DN (through {0} wildcard). Wildcard for input username should be added.
It would be useful, when order of wildcards will be the same as in EAP 7.0 - i.e. not just add the new {1} for input username, but use {0} for input username and {1} for authenticated full user DN. This order is also better due to wildcard {0} will mean the same in identity filter and in role/attribute filter.
Missing this feature in Elytron can lead to situation when migration from PicketBox to Elytron will not be possible since LDAP structure for role assignment used by legacy solution will not be able to work correctly with Elytron.
Example of usage:
I would like to use filter like (description=SOME_INPUT_USERNAME_WILDCARD) for assigning role JBossAdmin to user jduke in following ldif:
dn: ou=People,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: People dn: uid=jduke,ou=People,dc=jboss,dc=org objectclass: top objectclass: person objectclass: inetOrgPerson uid: jduke cn: Java Duke sn: Duke userPassword: Password dn: uid=notUsedUser,ou=People,dc=jboss,dc=org objectclass: top objectclass: person objectclass: inetOrgPerson uid: notUsedUser cn: not used user sn: notUsedUser userPassword: Password dn: ou=Roles,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Roles dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: JBossAdmin member: uid=notUsedUser,ou=People,dc=jboss,dc=org description: jduke
- clones
-
JBEAP-7505 Missing input username wildcard for role/attribute search in Elytron ldap-realm
- Closed
- is cloned by
-
WFLY-7849 Missing input username wildcard for role/attribute search in Elytron ldap-realm
- Closed
- relates to
-
ELY-856 Elytron ldap-realm does not support principal to group mapping (memberOf)
- Resolved