WildFly / WFLY-7705

LdapRealm - referral mode: direct verification + THROW mode


Details

    • Feature Request
    • Resolution: Done
    • Major
    • 11.0.0.Alpha1
    • None
    • Security
    • None

    Description

      1) Logging in as a referral user is still not possible.
      Currently a referral user can be found by the LDAP realm, but his password cannot be verified, so logging in is still not possible.
      There are two possible ways to authenticate a user in the LDAP realm:

      using direct verification - in this case, after obtaining the referral user, this referral user is used in an LDAP bindRequest against the original LDAP server (not the referenced LDAP server), which results in an invalidCredentials bindResponse
      not using direct verification - in this case, after obtaining the referral user, this user is used as the baseObject of a baseObject-scope LDAP searchRequest for the password attribute against the original LDAP server (not the referenced LDAP server), which results in a noSuchObject searchResDone.

      Comment [1] says that you are able to log in as a user of the referred server. Can you please share your configuration? Since there is no related documentation, maybe I am doing something wrong in using/not using direct verification.

      2) Elytron does not handle THROW referral mode
      When the dir-context uses the THROW referral-mode, com.sun.jndi.ldap.LdapReferralException is not caught in Elytron (which is the LDAP client) and is thrown to the integration tier, which also does not handle it; e.g. when the ldap-realm is used for authentication to an application, this results in status code 500 being returned to the application.

      [1] https://issues.jboss.org/browse/WFLY-7322?focusedCommentId=13307815&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13307815

      ( Requested in https://issues.jboss.org/browse/JBEAP-6450?focusedCommentId=13323387#comment-13323387 )
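      As an added illustration (not code from this issue, from Elytron or from WildFly) of what an LDAP client running with the equivalent of dir-context referral-mode=THROW has to do: catch the JNDI ReferralException that point 2 describes as unhandled and retry the same search on the referral context, following the standard JNDI referral-handling pattern. The server URL, bind DN, password and uid below are constructed placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class ReferralThrowDemo {
    // Constructed placeholders (assumptions): point these at a real directory.
    static final String PROVIDER_URL = "ldap://ldap.example.test:389/ou=people,dc=example,dc=test";
    static final String BIND_DN = "cn=realm-service,dc=example,dc=test";
    static final String BIND_PASSWORD = "<placeholder>";
    static final String USER_UID = "alice";
    static final int MAX_HOPS = 3; // cap so a referral loop cannot run forever

    public static void main(String[] args) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
        env.put(Context.REFERRAL, "throw"); // same semantics as dir-context referral-mode=THROW
        DirContext ctx = new InitialDirContext(env);
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        String filter = "(uid=" + USER_UID + ")"; // constant, so no filter escaping is needed here
        for (int hops = 0; ; hops++) {
            try {
                NamingEnumeration<SearchResult> answer = ctx.search("", filter, ctls);
                while (answer.hasMore()) {
                    // The DN reported here belongs to the server that actually holds the entry;
                    // a bind that verifies the user's password must go there, not to the original server.
                    System.out.println("found " + answer.next().getNameInNamespace());
                }
                break; // search completed without a further referral
            } catch (ReferralException e) {
                // Without this catch the exception would propagate to the caller, which is the
                // failure described in point 2 of the issue.
                if (hops >= MAX_HOPS) throw new NamingException("too many referral hops");
                System.out.println("referral -> " + e.getReferralInfo());
                ctx = (DirContext) e.getReferralContext(); // retry the same search on the referred server
            }
        }
        ctx.close();
    }
}
```

      The referral context reuses the original environment, so the same bind DN and password are presented to the referred server; that server must accept them or the retried search fails there instead of on the original server.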

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)