-
Bug
-
Resolution: Done
-
Minor
-
7.0.0.ER4
Consider two MS Active Directory domains with configured crossRef to each other. EAP using LdapExtLoginModule for MS AD with referrals and rolesCtxDN is set to the referral DN where user account are stored; also EAP is configured for searching roles based on users entries (mapping users to roles).
If referral users (from EAP point of view - hostname is configured for original LDAP and user is obtained as referral user - from second of domains) authenticate then they have not assigned roles from AD attribute from 'roleAttributeID' option.
Example:
I have two MS AD domains - DC=jboss,DC=test (Domain A) and DC=jboss,DC=test2 (Domain B) with crossRef.
Part of ldif for Domain A:
... dn: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test objectClass: groupOfNames objectClass: top cn: TheDuke businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2 member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test ...
Part of ldif for Domain B:
... dn: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2 objectclass: top objectclass: person objectClass: inetOrgPerson cn: jduke sn: Duke description: CN=TheDuke,OU=Roles,O=eapqe,DC=jboss,DC=test description: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2 userPassword: Password1 dn: CN=Admin,OU=Roles,O=eapqe,DC=jboss,DC=test2 objectClass: groupOfNames objectClass: top cn: Admin businessCategory: CN=jduke,OU=People,O=eapqe,DC=jboss,DC=test2 member: CN=jdukeNotUsed,OU=People,O=eapqe,DC=jboss,DC=test2 ...
EAP LdapExtLoginModule is configured:
<security-domain name="LdapExtReferrals"> <authentication> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required"> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/> <module-option name="java.naming.provider.url" value="HOSTNAME_OF_DOMAIN_A"/> <module-option name="bindDN" value="BIND_DN"/> <module-option name="bindCredential" value="PASSWORD"/> <module-option name="referralUserAttributeIDToCheck" value="businessCategory"/> <module-option name="roleAttributeIsDN" value="true"/> <module-option name="roleFilter" value="(CN={0})"/> <module-option name="roleAttributeID" value="description"/> <module-option name="baseCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B --> <module-option name="rolesCtxDN" value="OU=People,O=eapqe,DC=jboss,DC=test2"/> <!-- Domain B --> <module-option name="java.naming.security.authentication" value="simple"/> <module-option name="java.naming.referral" value="follow"/> <module-option name="distinguishedNameAttribute" value="whatever"/> <!-- workaround for https://issues.jboss.org/browse/JBEAP-3026 --> <module-option name="throwValidateError" value="true"/> <module-option name="baseFilter" value="(CN={0})"/> <module-option name="roleNameAttributeID" value="CN"/> </login-module> </authentication> </security-domain>
Then when jduke try to authenticate to application roles TheDuke and Admin should be assigned to him.
- is cloned by
-
-
- Closed
-
-
-
- Coding In Progress
-
- is incorporated by
-
JBEAP-23626 (7.4.z) Upgrade PicketBox from 5.0.3.Final-redhat-00008 to 5.0.3.Final-redhat-00009
-
- Closed
-
