Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-7849

Missing input username wildcard for role/attribute search in Elytron ldap-realm

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • 11.0.0.Alpha1
    • None
    • Security
    • None

    Description

      Scenario: I am trying to assign role from LDAP to user. I would like to use input username (e.g. admin) in filter, not full user DN (e.g. uid=admin,ou=People,dc=jboss,dc=org). It seems Elytron ldap-realm does not provide any wildcard which can be used for input username.

      In EAP 7.0 (with PicketBox), LdapExtLoginModule provides roleFilter option which filter can contain following wildcards:

      • {0} - for input username
      • {1} - for authenticated full user DN

      It seems that Elytron supports only wildcard for authenticated full user DN (through {0} wildcard). Wildcard for input username should be added.

      It would be useful, when order of wildcards will be the same as in EAP 7.0 - i.e. not just add the new {1} for input username, but use {0} for input username and {1} for authenticated full user DN. This order is also better due to wildcard {0} will mean the same in identity filter and in role/attribute filter.

      Missing this feature in Elytron can lead to situation when migration from PicketBox to Elytron will not be possible since LDAP structure for role assignment used by legacy solution will not be able to work correctly with Elytron.

      Example of usage:
      I would like to use filter like (description=SOME_INPUT_USERNAME_WILDCARD) for assigning role JBossAdmin to user jduke in following ldif:

      dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password

dn: uid=notUsedUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: notUsedUser
cn: not used user
sn: notUsedUser
userPassword: Password

dn: ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Roles

dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: JBossAdmin
member: uid=notUsedUser,ou=People,dc=jboss,dc=org
description: jduke

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. ELY-794 Missing input username wildcard for role/attribute search in Elytron ldap-realm

          • Critical - To be worked on immediately following BLOCKER issues.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-7883 Upgrade to Elytron Subsystem 1.0.0.Alpha20

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: