-
Bug
-
Resolution: Done
-
Critical
-
1.1.0.Beta21
-
None
In case when role recursion is configured for ldap-realm and given LDAP includes some role which has member some user and also another role, then some roles are intermittently not assigned. See Steps to Reproduce for more details about configuration.
Most important part of ldif for reproduction is following:
dn: cn=R1,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: R1 member: uid=jduke,ou=People,dc=jboss,dc=org description: the R1 group dn: cn=R2,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: R2 member: uid=jduke,ou=People,dc=jboss,dc=org member: cn=R1,ou=Roles,dc=jboss,dc=org description: the R2 group dn: cn=R3,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: R3 member: cn=R2,ou=Roles,dc=jboss,dc=org description: the R3 group
User jduke is direct member of roles R1 and R2. However role R2 is also member of role R1. In case when ldap-realm.identity-mapping.attribute-mapping.role-recursion is configured to 2, then sometimes only roles R1, R2 and R3 are assigned (and role R4 is missing).
The same behavior occurs when role mapping is configured in application server in opposite way (principal to group mapping which uses memberOf attribute).
- clones
-
-
- Closed
-
