WildFly Elytron / ELY-804

LdapRealm - referral mode: direct verification + THROW mode

Type: Feature Request
Resolution: Done
Priority: Blocker
Fix Version: 1.1.0.Beta23
Component: Realms

1) Logging in as a referral user is still not possible.
Currently a referral user can be found by the LDAP realm, but their password cannot be verified => login is still not possible.
There are two possible ways to authenticate a user in the LDAP realm:

- using direct verification: in this case, after obtaining the referral user, this referral user is used in an LDAP bindRequest against the original LDAP server (not the referenced LDAP server), which results in an invalidCredentials bindResponse
- not using direct verification: in this case, after obtaining the referral user, this user is used as the baseObject of a base-scope LDAP searchRequest for the password attribute against the original LDAP server (not the referenced LDAP server), which results in a noSuchObject searchResDone.

Comment [1] says that you are able to log in as a user of the referred server. Can you please share your configuration? Since there is no related documentation, maybe I am doing something wrong in using/not using direct verification.

2) Elytron does not handle the THROW referral mode.
When the dir-context uses the THROW referral-mode, com.sun.jndi.ldap.LdapReferralException is not caught in Elytron (which is the LDAP client) and is thrown to the integration tier, which also does not handle it; e.g. when ldap-realm is used for authentication to an application, this results in status code 500 being returned to the application.

      [1] https://issues.jboss.org/browse/WFLY-7322?focusedCommentId=13307815&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13307815

(Requested in https://issues.jboss.org/browse/JBEAP-6450?focusedCommentId=13323387#comment-13323387)
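The following is an added example, not Elytron's code, showing in plain JNDI what the two points above amount to for a client: the dir-context is configured with Context.REFERRAL set to "throw" (the THROW mode), the resulting LdapReferralException is caught and followed explicitly instead of escaping to the caller, and direct verification then binds as the user against the server that actually holds the entry rather than the original server. The referral is only followed when it points at an allowlisted host, because getReferralContext() rebinds with the configured search account on whatever server the referral names. All URLs, DNs, the service account and the allowlist are constructed placeholders.

```java
import java.net.URI;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapReferralException;

public class ReferralAwareLogin {

    // Constructed values for illustration; replace with your own directory.
    static final String ORIGIN_URL = "ldap://ldap-primary.example.test:389";
    static final String SEARCH_DN = "cn=search-service,dc=example,dc=test";
    static final String SEARCH_PASSWORD = "change-me";
    static final String BASE_DN = "dc=example,dc=test";
    // Referrals are followed only to these hosts, so the search account is never bound to an arbitrary server.
    static final Set<String> TRUSTED_REFERRAL_SERVERS = Set.of("ldap://ldap-secondary.example.test:389");
    static final int MAX_REFERRAL_HOPS = 3;

    /** Where a user entry was actually found; the user bind must go to this server, not the origin. */
    static final class Located {
        final String serverUrl;
        final String userDn;
        Located(String serverUrl, String userDn) { this.serverUrl = serverUrl; this.userDn = userDn; }
    }

    static Hashtable<String, String> env(String url, String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        env.put(Context.REFERRAL, "throw"); // THROW mode: the provider raises LdapReferralException instead of following
        return env;
    }

    /** Reduce a referral URL such as ldap://host:389/cn=...,dc=... to its scheme://host:port part. */
    static String serverOf(String referralUrl) {
        URI u = URI.create(referralUrl);
        return u.getScheme() + "://" + u.getAuthority();
    }

    /** Locate the user's entry, following THROW-mode referrals explicitly and only to trusted servers. */
    static Located locateUser(String username) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[0]); // only the DN is needed
        Object[] filterArgs = { username };            // JNDI escapes {0}; never concatenate input into a filter

        String serverUrl = ORIGIN_URL;
        DirContext ctx = new InitialDirContext(env(ORIGIN_URL, SEARCH_DN, SEARCH_PASSWORD));
        try {
            for (int hop = 0; hop <= MAX_REFERRAL_HOPS; hop++) {
                try {
                    NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, "(uid={0})", filterArgs, controls);
                    try {
                        // In THROW mode the referral may surface from hasMore() rather than from search() itself.
                        if (!results.hasMore()) return null;
                        return new Located(serverUrl, results.next().getNameInNamespace());
                    } finally {
                        results.close();
                    }
                } catch (LdapReferralException e) {
                    String referralServer = serverOf(String.valueOf(e.getReferralInfo()));
                    if (!TRUSTED_REFERRAL_SERVERS.contains(referralServer)) {
                        throw new NamingException("Refusing to follow untrusted referral to " + referralServer);
                    }
                    // getReferralContext() opens a context on the referred server using the same environment.
                    DirContext next = (DirContext) e.getReferralContext();
                    ctx.close();
                    ctx = next;
                    serverUrl = referralServer;
                }
            }
            throw new NamingException("Too many referral hops while locating " + username);
        } finally {
            ctx.close();
        }
    }

    /** Direct verification: bind as the user against the server holding the entry, not the origin server. */
    static boolean verifyPassword(Located user, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            return false; // an empty password would be an anonymous/unauthenticated bind, which LDAP accepts
        }
        try {
            new InitialDirContext(env(user.serverUrl, user.userDn, password)).close();
            return true;
        } catch (AuthenticationException e) {
            return false; // invalidCredentials bindResponse
        }
    }

    public static void main(String[] args) throws NamingException {
        Located user = locateUser(args[0]);
        boolean ok = user != null && verifyPassword(user, args[1]);
        System.out.println(ok ? "authenticated " + user.userDn + " via " + user.serverUrl : "authentication failed");
    }
}
```

Run with a username and password as the two arguments. The second point of the issue corresponds to the catch block: without it, LdapReferralException propagates out of locateUser() and, in a realm, up to the integration tier. The first point corresponds to verifyPassword() taking the server from Located rather than always using ORIGIN_URL: binding the referred user's DN against the origin server is what produces the invalidCredentials response described above.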

jkalina@redhat.com Jan Kalina (Inactive)