Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-7631

Elytron ldap-realm does not support recursive role search



    • Feature Request
    • Resolution: Done
    • Blocker
    • 11.0.0.Final
    • None
    • Security
    • None


      LDAP can include some roles which are members of other roles. I try to assigned also these "nested roles" to user during authentication/authorization process.

      In EAP 7.0 (with PicketBox) I am able to set configuration, which allows to assign these roles to user. LdapExtLoginModule with module option roleRecursion serves for this. It uses int value which determines how many levels should be searched and assigned to user. I am not able to achieve this scenario with Elytron and its ldap-realm.

      Missing this feature in Elytron can lead to situation when migration from PicketBox to Elytron will not be possible since LDAP structure for role assignment used by legacy solution will not be able to work correctly with Elytron.

      See example of LDIF for LDAP server:

      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People
      dn: uid=jduke,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: person
      objectclass: inetOrgPerson
      uid: jduke
      cn: Java Duke
      sn: Duke
      userPassword: Password1
      dn: ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Roles
      dn: cn=R1,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: R1
      member: uid=jduke,ou=People,dc=jboss,dc=org
      description: the R1 group
      dn: cn=R2,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: R2
      member: cn=R1,ou=Roles,dc=jboss,dc=org
      description: the R2 group
      dn: cn=R3,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: R3
      member: cn=R2,ou=Roles,dc=jboss,dc=org
      description: the R3 group

      In Elytron I am able to assigned only R1 role to user jduke. Legacy solution is able to use for example roleRecursion=1 which results to assign roles R1 and R2 to user jduke.


        Issue Links



              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              0 Vote for this issue
              2 Start watching this issue