Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-7848

Elytron ldap-realm does not support principal to group mapping (memberOf)

    XMLWordPrintable

Details

    Description

      Elytron ldap-realm is not able to work with LDAP which uses principal to group mapping. It seems that there is currently no way how to configure principal to group mapping in application server.

      Simplified example:

      dn: uid=TestUserOne,ou=users,dc=principal-to-group,dc=example,dc=org
      objectClass: groupMember
      memberOf: uid=GroupOne,ou=groups,dc=principal-to-group,dc=example,dc=org
      memberOf: uid=Slashy/Group,ou=groups,dc=principal-to-group,dc=example,dc=org
      
      dn: uid=GroupOne,ou=groups,dc=principal-to-group,dc=example,dc=org
      objectClass: groupMember
      objectClass: group
      memberOf: uid=GroupFive,ou=subgroups,ou=groups,dc=principal-to-group,dc=example,dc=org
      

      Example for reproducing: (by olukas)
      Role SomeRole is currently not able to be assigned to user someUser when following ldif is used. In this case principal to group mapping is provided by attribute description, but in can be provided by any attribute (e.g. memberOf). User thisUserIsNotUsed is used only for simpler reproduction of issue.

      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People
      
      dn: uid=someUser,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: person
      objectclass: inetOrgPerson
      uid: someUser
      cn: some User
      sn: User
      userPassword: Password
      description: cn=SomeRole,ou=Roles,dc=jboss,dc=org
      
      dn: uid=thisUserIsNotUsed,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: person
      objectclass: inetOrgPerson
      uid: thisUserIsNotUsed
      cn: this User Is Not Used
      sn: this User Is Not Used
      userPassword: Password
      
      dn: ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Roles
      
      dn: cn=SomeRole,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: SomeRole
      member: uid=thisUserIsNotUsed,ou=People,dc=jboss,dc=org
      

      Mentioned ldif works with legacy security solution.

      This missing feature can cause that migration from legacy security solution will not be possible -> we request blocker.

      Attachments

        Issue Links

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: