jetspeed-dev@portals.apache.org

[jira] Updated: (JS2-836) Lookup of LDAP users per role using a role membership attribute on a user is broken
Dennis Dam (JIRA)
Tue Feb 19 18:02:43 2008

    [ https://issues.apache.org/jira/browse/JS2-836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Dam updated JS2-836:
---------------------------

    Attachment: JS2-836.patch

This patch extends the lookup query to look for a role DN as well as a role UID.

> Lookup of LDAP users per role using a role membership attribute on a user is broken
> -----------------------------------------------------------------------------------
>
>                 Key: JS2-836
>                 URL: https://issues.apache.org/jira/browse/JS2-836
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.1.3
>            Reporter: Dennis Dam
>            Priority: Minor
>             Fix For: 2.1.3
>
>         Attachments: JS2-836.patch
>
>
> See the discussion on the Jetspeed user list starting on December 3rd, 2007:
> "Users and Roles definition with LDAP".
> The problem is that there is a conflict between how roles are assigned to
> users and how the users belonging to a specific role are found.
> When user-role membership attributes are used (i.e. you define in an
> attribute on the user which roles the user has; by default this is the
> 'j2-role' attribute), a role is assigned to a user using the role's DN, for
> example 'uid=someRole,ou=Roles,o=sevenSeas'. However, to look up the users for
> a role (using the user-role membership attribute),
> LdapMembershipDaoImpl.searchUsersFromRoleByUser(roleUid) is used, which
> constructs an LDAP query that searches for the role UID value in each user's
> role attribute. Hence, no users are found, because the role attributes on the
> users contain role DNs instead of UIDs.
> The reverse lookup, namely looking up which roles a user has, works, because
> the method assumes there can be *either* a role UID *or* a role DN in the
> role attribute of a user (see method
> LdapMembershipDaoImpl.searchRoleMemberShipByUser()).
> So basically, LdapMembershipDaoImpl.searchUsersFromRoleByUser(roleUid)
> should look for role DNs as well as UIDs.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
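To make the mismatch in the report concrete, here is an added Python illustration (not Jetspeed code, which is Java): it builds the UID-only filter the report describes and the UID-or-DN filter it asks for, escapes both values per RFC 4515 so a role name cannot alter the filter's structure, and runs each against a few constructed user entries. The attribute name 'j2-role' and the sample role DN come from the report; the user entries and the tiny equality/OR filter evaluator are assumptions standing in for a real directory server.

```python
import re

ROLE_ATTR = "j2-role"  # Jetspeed's default user-role membership attribute

# RFC 4515 escaping: a role name from configuration or a request must not be
# able to change the structure of the filter it is spliced into.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def broken_filter(role_uid):
    """Query shape described in the report: matches the role UID only."""
    return f"({ROLE_ATTR}={escape_filter_value(role_uid)})"

def fixed_filter(role_uid, role_dn):
    """Query shape the report asks for: role UID *or* role DN."""
    return (f"(|({ROLE_ATTR}={escape_filter_value(role_uid)})"
            f"({ROLE_ATTR}={escape_filter_value(role_dn)}))")

def _parse(flt, i):
    """Parse the '(attr=value)' or '(|...)' item at flt[i]; return (node, next)."""
    if flt[i + 1] == "|":
        items, i = [], i + 2
        while flt[i] == "(":
            node, i = _parse(flt, i)
            items.append(node)
        return ("or", items), i + 1
    j = flt.index(")", i)               # first unescaped ')' closes the item
    attr, value = flt[i + 1:j].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("eq", attr, value), j + 1

def matches(node, attrs):
    if node[0] == "or":                 # any branch of the OR may match
        return any(matches(n, attrs) for n in node[1])
    return node[2].lower() in (v.lower() for v in attrs.get(node[1], []))  # caseIgnoreMatch

def search_users(directory, flt):
    node, _ = _parse(flt, 0)            # DNs of entries the filter matches
    return sorted(dn for dn, attrs in directory if matches(node, attrs))

# Constructed sample entries: alice carries the role DN (as Jetspeed writes it),
# bob carries the bare UID, carol belongs to a different role.
ROLE_DN = "uid=someRole,ou=Roles,o=sevenSeas"
DIRECTORY = [
    ("uid=alice,ou=People,o=sevenSeas", {ROLE_ATTR: [ROLE_DN]}),
    ("uid=bob,ou=People,o=sevenSeas", {ROLE_ATTR: ["someRole"]}),
    ("uid=carol,ou=People,o=sevenSeas", {ROLE_ATTR: ["uid=otherRole,ou=Roles,o=sevenSeas"]}),
]
if __name__ == "__main__":
    print("UID-only lookup:", search_users(DIRECTORY, broken_filter("someRole")))
    print("UID-or-DN lookup:", search_users(DIRECTORY, fixed_filter("someRole", ROLE_DN)))
```

The UID-only filter misses alice, whose attribute holds the DN Jetspeed wrote; the OR filter finds both alice and bob while still excluding carol.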
