Bug 1084597
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [GSS] (6.2.x) Backport PLINK-405 | | |
| Product | [JBoss] JBoss Enterprise Application Platform 6 | Reporter | Derek Horton <dehort> |
| Component | PicketLink | Assignee | Peter Skopek <pskopek> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Josef Cacek <jcacek> |
| Severity | unspecified | Docs Contact | Nichola Moore <nmoore> |
| Priority | unspecified | | |
| Version | 6.2.1 | CC | bbaranow, smumford |
| Target Milestone | CR2 | | |
| Target Release | EAP 6.2.3 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Enhancement |
| Story Points | --- | | |
| Clone Of | 1084595 | Environment | |
| Last Closed | 2014-06-09 12:48:43 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1084601 | | |
| Bug Blocks | 1067532, 1084584 | | |

Doc Text:
A new feature has been incorporated into the PicketLink component of this version of JBoss EAP 6. In this release the principal that gets sent to the AttributeManager has been made configurable.
When using PicketLink with JBoss Negotiation, the principal that is sent to the AttributeManager is a hashed string and not the username. This can result in failed lookups if the mapping provider uses the principal to look up any attributes.
The ability to configure the principal addresses this issue.
Description
Derek Horton
2014-04-04 19:22:29 UTC
Reproducer notes for hashed user principal PL issue:

idp.war/WEB-INF/picketlink.xml (set the AttributeManager):

```xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
                 AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"
                 StrictPostBinding="true">
    <!-- remaining IDP configuration unchanged -->
  </PicketLinkIDP>
</PicketLink>
```

idp.war/WEB-INF/jboss-web.xml:

```xml
<valve>
  <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
  <param>
    <param-name>passUserPrincipalToAttributeManager</param-name>
    <param-value>true</param-value>
  </param>
</valve>
```

standalone.xml:

```xml
<mapping>
  <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
    <module-option name="java.naming.provider.url" value="ldaps://imatestldapserver.redhat.com"/>
    <module-option name="bindDN" value="uid=imauser,dc=test,dc=redhat,dc=com"/>
    <module-option name="bindCredential" value="imapassword"/>
    <module-option name="baseCtxDN" value="ou=users,dc=test,dc=redhat,dc=com"/>
    <module-option name="baseFilter" value="(uid={0})"/>
    <module-option name="attributeList" value="mail,cn,sn,UserType"/>
    <module-option name="searchTimeLimit" value="10000"/>
  </mapping-module>
</mapping>
```

Assigning to pskopek since he pleaded to PL issues for EAP6.

Committed to the prod-eap6.2.3 branch.

Verified in 623CR2.