JBoss Enterprise Application Platform: JBEAP-8030

Elytron ldap-realm is not able to use LDAP attribute as principal


Details

    Description

      In Elytron's ldap-realm it is currently not possible to obtain the username from an LDAP attribute other than the rdn-identifier. This means that the username of an identity is always the value of the rdn-identifier attribute.

      This can cause issues when ldap-realm is used for authentication and another realm is used for authorization, since the authorization realm's data can depend on the name assigned during authentication.

      Example:
      It seems that ldap-realm cannot be configured for the following scenario: a user with credentials someUser/Password is authenticated and the name AuthenticatedUser is assigned to them (e.g. when calling ./jboss-cli.sh -c -u=someUser -p=Password ':whoami', AuthenticatedUser should be printed). The following ldif is used:

      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People
      
      dn: uid=someUser,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: person
      objectclass: inetOrgPerson
      uid: someUser
      cn: some User
      sn: AuthenticatedUser
      userPassword: Password
      

      The ldif above works correctly with the legacy security solution.

      This missing feature can make migration from the legacy security solution impossible -> we request blocker.
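To make the naming gap concrete, here is an added Python example (constructed for this issue, not Elytron or EAP code) that loads the LDIF above into a toy in-memory directory: resolve_principal names the principal after the rdn-identifier value by default, as the description says ldap-realm does, while passing name_attribute="sn" yields AuthenticatedUser, and roles_for stands in for a separate authorization realm keyed by that name. The LDAP stand-in, AUTHZ_ROLES and the function names are assumptions.

```python
# Constructed example for JBEAP-8030, not Elytron code: a toy in-memory
# directory loaded from the issue's LDIF, with two ways to name the principal.
LDIF = """\
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=someUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: someUser
cn: some User
sn: AuthenticatedUser
userPassword: Password
"""

# Constructed authorization data keyed by principal name (the separate
# authorization realm the issue mentions).
AUTHZ_ROLES = {"AuthenticatedUser": ["SuperUser"]}

def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}; attribute names lowercased."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def resolve_principal(entries, search_base, rdn_identifier, login, password,
                      name_attribute=None):
    """Authenticate `login`; return the principal name, or None on failure."""
    # name_attribute=None names the principal after the rdn-identifier value,
    # as the issue says ldap-realm always does; e.g. "sn" models the legacy setup.
    entry = entries.get(f"{rdn_identifier}={login},{search_base}")
    if entry is None or password not in entry.get("userpassword", []):
        return None  # toy cleartext compare; real directories verify hashes
    return entry[(name_attribute or rdn_identifier).lower()][0]

def roles_for(principal):
    """Authorization lookup keyed by the name authentication produced."""
    return AUTHZ_ROLES.get(principal, [])
```

With the default naming the authorization lookup finds no roles for someUser, which is the migration problem the description points at; naming by sn makes the lookup succeed.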


People

  Assignee: Unassigned
  Reporter: Ondrej Lukas (olukas) (Inactive)