-
Bug
-
Resolution: Done
-
Critical
-
JDG 7.0.0 GA, JDG 7.1.0 GA
When enabling security with Inifinispan with LDAP backend and when using `common-role-name-mapper` for authorisation, the extraction fails to extract the role name when the role name attribute e.g. "cn" is used instead of "CN" in the distinguished name.
Its identified that the `org.infinispan.security.impl.CommonRoleMapper` use a case sensitive search and extracts roles only when the DN is like "CN=Developers,ou=Groups,dc=example,dc=com"
The current workaround is to use the use a ldap authorization like
<group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn"> <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="ou=Groups,dc=example,dc=com"> <membership-filter principal-attribute="uniqueMember"/> </group-to-principal> </group-search>
and define the cache-container authorisation like
<security> <authorization> <!-- This does not work as the role extraction uses case sensitive extraction of cn --> <!-- common-name-role-mapper/ --> <identity-role-mapper/> <role name="ClusterAdmins" permissions="ALL"/> <role name="Developers" permissions="WRITE"/> <role name="Business" permissions="READ"/> <role name="Managers" permissions="ALL_READ ALL_WRITE"/> </authorization> </security>