Infinispan / ISPN-7712

LDAP Authorization Common RoleName Mapper Case Insensitive CN extraction

    Details

    • Steps to Reproduce:

      1. Import the ldif `example.com.ldif` into your LDAP server; be sure to update the passwords of the users as the exported passwords will work
      2. Define an LDAP security realm in cluster.xml
      3. Define authorisation using the group-to-principal method
      4. Add authorisation to the cache-container and cache with the mapper set to "common-role-name-mapper"

      For steps 2-5 you can use the `ldap_cluster_notworking.xml` from the attachments.

      Run `JDGSecurityTest.java`; you will get a security exception saying the user does not have the permissions, even though the user is authorised to perform the required operations.
    • Workaround Description:

      Now update the cluster.xml with the cache-container mapper set to `identity-role-mapper` (you can use `ldap_cluster_workaround.xml` for this update).

      Re-run `JDGSecurityTest.java` and you will see the tests passing.

      Description

      When enabling security in Infinispan with an LDAP backend and using `common-role-name-mapper` for authorisation, the extraction fails to extract the role name when the role name attribute is written as "cn" instead of "CN" in the distinguished name.

      It has been identified that `org.infinispan.security.impl.CommonRoleMapper` uses a case-sensitive search and extracts roles only when the DN is like "CN=Developers,ou=Groups,dc=example,dc=com".
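      To make the reported behaviour concrete, the following standalone Java class (an added example, not Infinispan's code; the class and method names are hypothetical) extracts a role name from a group DN in two ways: a case-sensitive prefix match on "CN=", which reproduces the failure described above for a DN starting with "cn=", and a variant that compares the attribute type of the first RDN case-insensitively, as attribute types in distinguished names are case-insensitive.

```java
import java.util.Locale;
import java.util.Optional;

// Added example, not Infinispan's own code. Shows why a role mapper that
// matches the literal prefix "CN=" misses groups whose DN is written with
// "cn=", and how a case-insensitive comparison of the attribute type fixes it.
public final class RoleNameFromDn {

    // Behaviour as described in the report: only a DN starting with "CN=" yields a role.
    static Optional<String> roleNameCaseSensitive(String dn) {
        if (dn == null || !dn.startsWith("CN=")) {
            return Optional.empty();
        }
        return Optional.of(firstRdnValue(dn.substring(3)));
    }

    // Corrected behaviour: the attribute type of the first RDN is compared
    // case-insensitively, so "cn=", "Cn=" and "CN=" all yield the role name.
    static Optional<String> roleNameCaseInsensitive(String dn) {
        if (dn == null) {
            return Optional.empty();
        }
        int eq = dn.indexOf('=');
        if (eq < 0) {
            return Optional.empty();
        }
        String type = dn.substring(0, eq).trim().toLowerCase(Locale.ROOT);
        if (!type.equals("cn")) {
            return Optional.empty();
        }
        return Optional.of(firstRdnValue(dn.substring(eq + 1)));
    }

    // Return the value of the first RDN: everything up to the first unescaped
    // comma, honouring "\," escapes so a group such as "cn=Ops\, EMEA,ou=Groups"
    // is not truncated at the embedded comma.
    private static String firstRdnValue(String rest) {
        StringBuilder value = new StringBuilder();
        for (int i = 0; i < rest.length(); i++) {
            char c = rest.charAt(i);
            if (c == '\\' && i + 1 < rest.length()) {
                value.append(rest.charAt(++i)); // keep the escaped character literally
            } else if (c == ',') {
                break;                          // end of the first RDN
            } else {
                value.append(c);
            }
        }
        return value.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample DNs, including the two spellings from the report.
        String[] dns = {
            "CN=Developers,ou=Groups,dc=example,dc=com",
            "cn=Developers,ou=Groups,dc=example,dc=com",
            "cn=Ops\\, EMEA,ou=Groups,dc=example,dc=com",
            "ou=Groups,dc=example,dc=com"
        };
        for (String dn : dns) {
            System.out.printf("%-45s sensitive=%-12s insensitive=%s%n", dn,
                    roleNameCaseSensitive(dn).orElse("<none>"),
                    roleNameCaseInsensitive(dn).orElse("<none>"));
        }
    }
}
```

      Compiled and run with `javac RoleNameFromDn.java && java RoleNameFromDn`, the case-sensitive method returns no role for the second DN while the case-insensitive one returns "Developers" for both spellings; with no role mapped, the `<role name="Developers" .../>` grant in the authorization block never applies and the user is denied, which is the symptom the test shows.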

      The current workaround is to use an LDAP authorization like

      <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
          <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="ou=Groups,dc=example,dc=com">
              <membership-filter principal-attribute="uniqueMember"/>
          </group-to-principal>
      </group-search>


      and define the cache-container authorisation like

      <security>
          <authorization>
              <!-- This does not work as the role extraction uses case sensitive extraction of cn -->
              <!-- common-name-role-mapper/ -->
              <identity-role-mapper/>
              <role name="ClusterAdmins" permissions="ALL"/>
              <role name="Developers" permissions="WRITE"/>
              <role name="Business" permissions="READ"/>
              <role name="Managers" permissions="ALL_READ ALL_WRITE"/>
          </authorization>
      </security>


    People

    • Assignee: Tristan Tarrant (NadirX)
    • Reporter: Kamesh Sampath (kamesh_sampath)
    • Involved: Tristan Tarrant