  1. Red Hat Process Automation Manager
  2. RHPAM-4148

LDAP authentication fails because direct-verification=true is not set in LDAP realm

Details

    • Bug
    • Resolution: Done
    • Major
    • 7.13.0.GA
    • 7.12.0.GA
    • Cloud
    • version 7.12.0 image deployed by operator on OCP4

    • 2022 Week 11-13 (from Mar 14)

    Description

      When LDAP is integrated by the operator on OCP4, direct-verification=true is not set in the generated ldap-realm.

              <ldap-realm name="KIELdapRealm" dir-context="KIELdapDC">
                <identity-mapping rdn-identifier="uid" search-base-dn="dc=example,dc=com" use-recursive-search="true">
                  <attribute-mapping>
                    <attribute from="cn" to="Roles" filter="(uniqueMember={1})" filter-base-dn="dc=example,dc=com" role-recursion="1"/>
                  </attribute-mapping>
                  <user-password-mapper from="userPassword" writable="true"/>
                </identity-mapping>
              </ldap-realm>
      

      According to the document A.1. Elytron subsystem components reference

      direct-verification
      
      If true this realm supports verification of credentials by directly connecting to LDAP as the account being authenticated; otherwise, the password is retrieved from the LDAP server and verified in JBoss EAP. If enabled, the JBoss EAP server must be able to obtain the plain user password from the client, which requires either the PLAIN SASL or BASIC HTTP mechanism be used for authentication. Defaults to false.
      

      This is a required configuration when integrating with Active Directory and Red Hat Directory Server (and other typical LDAP servers), which do not allow retrieving the user password,
      but the operator does not have a parameter to set this.

      Please set this by default or provide the option to set this in CRD.
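
A check for the condition reported above, as an added example that is not part of the original issue or the operator's code: it parses Elytron XML and reports, for each ldap-realm, whether direct-verification is enabled and which attribute the server would otherwise read the password from. The sample input is constructed from the realm in the description; the realm name KIELdapRealmFixed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the realm from the report, plus a corrected copy
# (hypothetical name KIELdapRealmFixed) with direct-verification="true".
SAMPLE = """<security-realms>
  <ldap-realm name="KIELdapRealm" dir-context="KIELdapDC">
    <identity-mapping rdn-identifier="uid" search-base-dn="dc=example,dc=com" use-recursive-search="true">
      <user-password-mapper from="userPassword" writable="true"/>
    </identity-mapping>
  </ldap-realm>
  <ldap-realm name="KIELdapRealmFixed" dir-context="KIELdapDC" direct-verification="true">
    <identity-mapping rdn-identifier="uid" search-base-dn="dc=example,dc=com" use-recursive-search="true"/>
  </ldap-realm>
</security-realms>"""


def local(tag):
    """Strip an XML namespace so the check also works on a namespaced server config."""
    return tag.rsplit("}", 1)[-1]


def audit_ldap_realms(xml_text):
    """Return one finding per ldap-realm describing how passwords are verified."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "ldap-realm":
            continue
        # The attribute defaults to false, per the reference quoted in the description.
        direct = elem.get("direct-verification", "false").strip().lower() == "true"
        mapper = next((e for e in elem.iter() if local(e.tag) == "user-password-mapper"), None)
        findings.append({
            "realm": elem.get("name"),
            "direct_verification": direct,
            # Without direct verification the server has to read this attribute from LDAP.
            "reads_password_from": None if mapper is None else mapper.get("from"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_ldap_realms(SAMPLE):
        status = "OK (binds as the user)" if f["direct_verification"] else \
            f"FAIL (needs to read '{f['reads_password_from']}' from LDAP)"
        print(f"{f['realm']}: {status}")
```
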

          People

            rhn-support-fspolti Filippe Spolti
            rhn-support-hmiura Hiroko Miura
            Jakub Schwan Jakub Schwan