Uploaded image for project: 'JBoss Data Grid'
  1. JBoss Data Grid
  2. JDG-951

LDAP Authorization Common RoleName Mapper Case Insensitive CN extraction

    XMLWordPrintable

    Details

    • Target Release:
    • Fix Build:
      DR2
    • Steps to Reproduce:
      Hide

      1. Import the ldif `example.com.ldif` into your LDAP server, be sure the update the passwords of the users as the exported passwords will work
      2. Define a LDAP security realm in cluster.xml
      3. Define authorisation using group-to-principal method
      4. Add authorisation to cache-container and cache with mapper as "common-role-name-mapper"

      for steps 2-5 you can use the `ldap_cluster_notworking.xml` from the attachments

      Run the JDGSecurityTest.java, you will get security exception of user not having the permissions, even though user is authorised to perform the required operations.

      Show
      1. Import the ldif `example.com.ldif` into your LDAP server, be sure the update the passwords of the users as the exported passwords will work 2. Define a LDAP security realm in cluster.xml 3. Define authorisation using group-to-principal method 4. Add authorisation to cache-container and cache with mapper as "common-role-name-mapper" for steps 2-5 you can use the `ldap_cluster_notworking.xml` from the attachments Run the JDGSecurityTest.java, you will get security exception of user not having the permissions, even though user is authorised to perform the required operations.
    • Workaround Description:
      Hide

      Now update the cluster.xml with cache-container mapper to `identity-role-mapper` ( you can use `ldap_cluster_workaround.xml`) for this update

      Re-run 'JDGSecurityTest.java' the test again and you will see the tests passing.

      Show
      Now update the cluster.xml with cache-container mapper to `identity-role-mapper` ( you can use `ldap_cluster_workaround.xml`) for this update Re-run 'JDGSecurityTest.java' the test again and you will see the tests passing.
    • Git Pull Request:

      Description

      When enabling security with Inifinispan with LDAP backend and when using `common-role-name-mapper` for authorisation, the extraction fails to extract the role name when the role name attribute e.g. "cn" is used instead of "CN" in the distinguished name.

      Its identified that the `org.infinispan.security.impl.CommonRoleMapper` use a case sensitive search and extracts roles only when the DN is like "CN=Developers,ou=Groups,dc=example,dc=com"

      The current workaround is to use the use a ldap authorization like 

      <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
      		 
       <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="ou=Groups,dc=example,dc=com">
      		 
                                      <membership-filter principal-attribute="uniqueMember"/>
      		 
       </group-to-principal>
      		 
       </group-search>

      and define the cache-container authorisation like 

       <security>
      		 
            <authorization>
      		 
                             <!-- This does not work as the role extraction uses case sensitive extraction of cn -->
      		 
                              <!-- common-name-role-mapper/ -->
      		 
                              <identity-role-mapper/>
      		 
                              <role name="ClusterAdmins" permissions="ALL"/>
      		 
                              <role name="Developers" permissions="WRITE"/>
      		 
                              <role name="Business" permissions="READ"/>
      		 
                              <role name="Managers" permissions="ALL_READ ALL_WRITE"/>
      		 
             </authorization>
      		 
      </security>

        Gliffy Diagrams

          Attachments

            Issue Links

            cloned from

            Bug - A problem which impairs or prevents the functions of the product. ISPN-7712 LDAP Authorization Common RoleName Mapper Case Insensitive CN extraction

            • Critical - An upcoming version that is affected by this issue cannot be released until it's addressed. A critical bug is one that crashes the application, causes loss of data or severe memory leak.
            • Resolved
            cloned to

            Bug - A problem which impairs or prevents the functions of the product. JDG-1084 LDAP Authorization Common RoleName Mapper Case Insensitive CN extraction

            • Critical - An upcoming version that is affected by this issue cannot be released until it's addressed. A critical bug is one that crashes the application, causes loss of data or severe memory leak.
            • Verified

            Bug - A problem which impairs or prevents the functions of the product. JDG-1126 LDAP Authorization Common RoleName Mapper Case Insensitive CN extraction

            • Critical - An upcoming version that is affected by this issue cannot be released until it's addressed. A critical bug is one that crashes the application, causes loss of data or severe memory leak.
            • Verified

              Activity

                People

                • Assignee:
                  NadirX Tristan Tarrant
                  Reporter:
                  kamesh_sampath Kamesh Sampath
                  Involved:
                  Tristan Tarrant
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: