Bug 1069127
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | RBAC + LDAP needs to be able to work combined with `<local/>` | | |
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Tom Fonteyne <tfonteyn> |
| Component: | Security | Assignee: | Darran Lofthouse <darran.lofthouse> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Josef Cacek <jcacek> |
| Severity: | high | Docs Contact: | Russell Dickenson <rdickens> |
| Priority: | high | | |
| Version: | 6.2.1 | CC: | brian.stansberry, darran.lofthouse, kkhan, olukas, sgilda, smumford |
| Target Milestone: | ER2 | | |
| Target Release: | EAP 6.3.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-28 15:37:08 UTC | Type: | Enhancement |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Doc Text:

In previous versions of JBoss EAP, LDAP group loading could fail if an authenticated user could not be mapped to an LDAP account. This issue could arise because authentication through a security realm happens in two steps: first a mechanism is negotiated between the client and the server, then the group information for the authenticated user is loaded. Because the local authentication mechanism represents the user with an artificial username (`$local`), the second step could fail when the LDAP server could not map that username to a user.

In this release of the product, a new attribute, `skip-group-loading`, has been added to the `<local />` element that is used for local authentication. When this attribute is set to `true`, group loading is skipped after local authentication has occurred, thus avoiding the error. If a different mechanism is used, group loading proceeds as normal.
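The Doc Text above describes the two-step realm flow (mechanism negotiation, then group loading) and the attribute that skips the second step for the local mechanism only. The following is an added configuration example, not configuration taken from this bug report or from the product's own documentation, laid out in the EAP 6.3 `standalone.xml` shape. The outbound connection name `ldap-connection`, the base DN `dc=example,dc=com` and the LDAP attribute names are assumptions chosen for illustration; the `$local` to `SuperUser` role mapping is the one quoted in the comments below.

```xml
<!-- Added example; not from the bug report or product docs. Realm and LDAP
     names (ldap-connection, dc=example,dc=com, uid, memberOf) are assumed. -->
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <authentication>
                <!-- Pre-fix shape: after the local mechanism authenticates the
                     CLI as "$local", the realm still tries to load groups for
                     that artificial username from LDAP and fails when no entry
                     matches it:
                <local default-user="$local"/>
                -->
                <!-- Fixed shape (EAP 6.3.0): skip LDAP group loading only when
                     the local mechanism was the one used. -->
                <local default-user="$local" skip-group-loading="true"/>

                <!-- Remote users still authenticate against LDAP, and for them
                     group loading below runs as before. -->
                <ldap connection="ldap-connection"
                      base-dn="ou=People,dc=example,dc=com">
                    <username-filter attribute="uid"/>
                </ldap>
            </authentication>
            <authorization>
                <!-- Group loading step; unaffected for LDAP-authenticated users. -->
                <ldap connection="ldap-connection">
                    <username-to-dn>
                        <username-filter base-dn="ou=People,dc=example,dc=com"
                                         attribute="uid"/>
                    </username-to-dn>
                    <group-search group-name="SIMPLE" iterative="false"
                                  group-dn-attribute="dn"
                                  group-name-attribute="cn">
                        <principal-to-group group-attribute="memberOf"/>
                    </group-search>
                </ldap>
            </authorization>
        </security-realm>
    </security-realms>

    <outbound-connections>
        <!-- Assumed connection details; replace with the real directory. -->
        <ldap name="ldap-connection"
              url="ldap://ldap.example.com:389"
              search-dn="cn=manager,dc=example,dc=com"
              search-credential="EXAMPLE_PLACEHOLDER"/>
    </outbound-connections>

    <management-interfaces>
        <http-interface security-realm="ManagementRealm">
            <socket-binding http="management-http"/>
        </http-interface>
    </management-interfaces>

    <access-control provider="rbac">
        <role-mapping>
            <!-- The local user gets its role from this explicit user include,
                 not from LDAP groups, which is why skipping group loading for
                 it loses nothing. -->
            <role name="SuperUser">
                <include>
                    <user name="$local"/>
                </include>
            </role>
        </role-mapping>
    </access-control>
</management>
```

The attribute is scoped to the `<local />` mechanism, so setting it does not turn off group-based authorization for anyone who authenticated against the directory; it only stops the realm from asking LDAP about a username (`$local`) that the directory was never going to contain.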
Description
Tom Fonteyne
2014-02-24 09:38:51 UTC
Is the $local user mapped to any role, e.g. what we have in our standard configs?

```xml
<role name="SuperUser">
    <include>
        <user name="$local"/>
    </include>
</role>
```

I don't believe this is RBAC, just an issue loading groups where the local mechanism is also in play, so investigating further on that basis.

Verified on EAP 6.3.0.ER2. Using parameter `skip-group-loading` resolved this issue.

Changed `<literal></literal>` tags in Doc Text to ticks (`) to fix Bug 1096865