1 Reply Latest reply on Jan 3, 2017 4:00 AM by Martin Choma

    Security-Realm Authorization over LDAP doesn't permit multiple Attribute names as filter.

    Daniel Draper Newbie

      When hooking up our Wildfly Application to our SSO (CAS) for authentication and delegating Authorization to a Security Realm and then using LDAP we ran into the following problem:

       

      Use Case

       

      We want to use authorization inside a Security-Realm through LDAP.

       

      In our LDAP setup we have a Group-To-Principal matching of the form "member=uid=x" OR "submember=uid=x" depending on if the user was added manually or through an autodomain.

      Unfortunately as far as we could tell using two attributes in the Polish Notation (as is required by LDAP) seems to be impossible for the wildfly configuration. We tried the following in the standalone-accounting.xml (in different iterations and ways to place the parenthesis) which all lead to an 'unbalanced Parenthesis' or similar error when starting up wildfly.

      <management>
              <security-realms>
                  <security-realm name="bla">
                      <authorization>
                          <ldap connection="ldap">
                              <username-to-dn>
                                  <username-is-dn/>
                              </username-to-dn>
      <group-search group-name="SIMPLE" iterative="false" group-dn-attribute="cn" group-name-attribute="cn">
                                  <group-to-principal search-by="SIMPLE" base-dn="ou=roles,***" recursive="false">
                                      <membership-filter principal-attribute="|(submember=uid={0})(member=uid={0})"/>
                                  </group-to-principal>
                              </group-search>
                          </ldap>
                      </authorization>
                  </security-realm>
                </security-realms>
              </management>
      

       

       

      We then found the filterString is parsed the following way: (See LdapGroupSearcherFactory#L115)

       

      this.filterString = String.format("(%s={0})", principalAttribute);
      

       

      which seems to make multiple attribute names as a filter impossible, which makes our use case as above impossible.

       

      Any ideas of how I can get it to work? Or is it a bug/feature request I should open?