KARAF-606: JAAS: Allow LDAPLoginModule to supply role "DN" from LDAP group search

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.2.1, 2.2.5, 3.0.0
    • Component/s: karaf-core
    • Labels: None
    • Environment: Windows/any

      Description

      The LDAPLoginModule has the ability to supply a configuration variable (role.name.attribute) to use when creating a role. This value can be changed from "cn" to any of a number of LDAP attributes. However, it cannot access the actual distinguished name of the queried groups while processing a login, as "dn", "distinguishedName", "entryDN", etc., are not universally supported across LDAP implementations as an attribute.

      Proposal to special case "dn" and use javax.naming.directory.SearchResult.getNameInNamespace(), which returns the dn of the found groups when converting to a role.

      This is a very small change; will provide a patch.

      Attachment: KARAF-606.patch (0.7 kB, Kurt Westerfeld)

        Activity

        Jean-Baptiste Onofré added a comment -

        Fixed on karaf-2.2.x: revision 1210938.

        Jean-Baptiste Onofré added a comment -

        Fixed on trunk: revision 1210932.

        Jean-Baptiste Onofré added a comment -

        Thanks for the update Guillaume, I fix it.

        Guillaume Nodet added a comment -

        The roleNameAttribute is now mandatory but should stay optional.

        Jean-Baptiste Onofré added a comment -

        Fix on trunk: revision 1099702.
        Fix on karaf-2.2.x: revision 1099704.

        Kurt Westerfeld added a comment -

        Patch to handle non-default attributes by using SearchControls.setReturningAttributes() and supplying "roleNameAttribute" explicitly.

        This allows any non-default (i.e. computed, synthetic) LDAP attribute to be retrieved.

        Previous version depended on the attribute being sent back as a result of the query. This change makes the attribute requirement explicit.

        To retrieve the distinguished name, the configuration must specify "entryDN" or "distinguishedName", depending on the directory implementation.

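The two mechanisms discussed in this issue (the reporter's description and the comment above), shown together as an added example that is not Karaf's own LDAPLoginModule code: the configured role name attribute is requested explicitly through SearchControls.setReturningAttributes(), and when it is set to "dn" the role name is taken from SearchResult.getNameInNamespace() instead of an attribute. The class name, parameter names and the use of a `{0}` JNDI filter placeholder for the user DN are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Hypothetical helper (not Karaf's LDAPLoginModule) illustrating the group-to-role mapping.
public final class LdapRoleLookup {

    private LdapRoleLookup() {}

    /**
     * Searches roleBaseDn for groups that contain userDn and returns one role name per group.
     * roleNameAttribute mirrors Karaf's role.name.attribute: null/empty defaults to "cn";
     * the special value "dn" yields the group's full distinguished name.
     * roleFilter must use JNDI's {0} placeholder, e.g. "(member={0})", so the user DN is
     * escaped as a filter argument rather than concatenated into the filter string.
     */
    public static List<String> lookupRoles(DirContext ctx, String roleBaseDn, String roleFilter,
                                           String userDn, String roleNameAttribute) throws NamingException {
        String attr = (roleNameAttribute == null || roleNameAttribute.isEmpty()) ? "cn" : roleNameAttribute;
        boolean wantDn = "dn".equalsIgnoreCase(attr);

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Name the attribute explicitly: computed/synthetic attributes are not returned by default.
        // An empty array asks the server for no attributes at all, which is all the DN case needs.
        controls.setReturningAttributes(wantDn ? new String[0] : new String[] { attr });

        List<String> roles = new ArrayList<>();
        NamingEnumeration<SearchResult> results =
                ctx.search(roleBaseDn, roleFilter, new Object[] { userDn }, controls);
        try {
            while (results.hasMore()) {
                SearchResult group = results.next();
                if (wantDn) {
                    roles.add(group.getNameInNamespace()); // full DN, independent of server vendor
                    continue;
                }
                Attribute a = group.getAttributes().get(attr);
                if (a == null) {
                    continue; // group lacks the attribute: skip it rather than fail the whole login
                }
                NamingEnumeration<?> values = a.getAll();
                while (values.hasMore()) {
                    roles.add(String.valueOf(values.next()));
                }
            }
        } finally {
            results.close();
        }
        return roles;
    }
}
```

Using the DN rather than "cn" as the role name lets an ACL refer to one specific group even when groups in different OUs share the same cn, which is the ambiguity the reporter's fine-grained authorization use case needs to avoid.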
        Kurt Westerfeld added a comment -

        Just a note on why we need this improvement.

        In our application, we actually have areas of code which refer to external LDAP groups for fine-grained authorization support. For our application to use JAAS properly, we want to have access to the user's group memberships and tie the actual group's DN to ACLs. We would like to use the LDAPLoginModule to support this use-case.


          People

          • Assignee: Jean-Baptiste Onofré
          • Reporter: Kurt Westerfeld