Bug 1069127 - RBAC + LDAP needs to be able to work combined with <local/>
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security (Show other bugs)
Version: 6.2.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ER2
Target Release: EAP 6.3.0
Assigned To: Darran Lofthouse
Josef Cacek
Russell Dickenson
Reported: 2014-02-24 04:38 EST by Tom Fonteyne
Modified: 2014-06-28 11:37 EDT (History)
See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP, LDAP group loading could fail if an authenticated user could not be mapped to an LDAP account. This issue could arise because the authentication process using security realms first negotiates a mechanism between the client and the server, then loads the group information for the user. Because the local authentication system represents the user with an artificial username, the second part of this process could fail if the LDAP server could not map the username to a user. In this release of the product, a new attribute, `skip-group-loading`, has been added to the `<local />` element that is used for local authentication. When this attribute is set to `true`, group loading is skipped after local authentication has occurred, thus avoiding the error. If a different mechanism is used, however, group loading proceeds as normal.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-28 11:37:08 EDT
Type: Enhancement
External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker WFLY-3048 Major Closed "Local" authentication fails when LDAP is used for ManagementRealm 2017-12-12 20:21 EST
Description Tom Fonteyne 2014-02-24 04:38:51 EST
When RBAC is not enabled, a security realm in the management section allows the "<local />" login mechanism to work fine in conjunction with an LDAP user store.

When RBAC is enabled, the "<local />" login mechanism can still be configured but will not work.

The request is to allow this to work even when RBAC is enabled.

Why does the customer need this?

Automated local scripts should use the "local" mechanism, while actual management users need to use LDAP authentication/authorization.
Comment 1 Brian Stansberry 2014-03-05 11:22:34 EST
Is the $local user mapped to any role, e.g. what we have in our standard configs?


                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                    </include>
                </role>
Comment 3 Darran Lofthouse 2014-03-05 11:34:48 EST
I don't believe this is RBAC, just an issue loading groups where the local mechanism is also in play so investigating further on that basis.
Comment 11 Ondrej Lukas 2014-04-30 04:45:46 EDT
Verified on EAP 6.3.0.ER2. Using parameter skip-group-loading resolved this issue.
Comment 12 sgilda 2014-05-12 16:12:52 EDT
Changed <literal></literal> tags in Doc Text to ticks (`) to fix Bug 1096865
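The configuration the Doc Text and Comment 11 describe, as an added example that is not taken from the bug report or the EAP documentation: a ManagementRealm that authenticates management users against LDAP, still accepts the local mechanism for scripts on the same host, and sets skip-group-loading so the artificial $local user is never looked up in LDAP. The outbound connection URL, the DNs, the credential and the group name are constructed placeholders; the role mapping repeats the one quoted in Comment 1.

```xml
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <authentication>
                <!-- Local mechanism for scripts on the same host. skip-group-loading="true"
                     (new in EAP 6.3.0) stops the realm from looking "$local" up in LDAP after
                     local authentication; without it group loading fails because no LDAP
                     account matches that artificial name. -->
                <local default-user="$local" skip-group-loading="true"/>
                <!-- Real management users are verified against LDAP (placeholder base-dn). -->
                <ldap connection="ldap-connection" base-dn="ou=People,dc=example,dc=com">
                    <username-filter attribute="uid"/>
                </ldap>
            </authentication>
            <authorization>
                <!-- Group loading still runs for users authenticated via the LDAP mechanism. -->
                <ldap connection="ldap-connection">
                    <group-search group-name="SIMPLE" iterative="false"
                                  group-dn-attribute="dn" group-name-attribute="cn">
                        <group-to-principal base-dn="ou=Groups,dc=example,dc=com"
                                            search-by="DISTINGUISHED_NAME">
                            <membership-filter principal-attribute="uniqueMember"/>
                        </group-to-principal>
                    </group-search>
                </ldap>
            </authorization>
        </security-realm>
    </security-realms>
    <outbound-connections>
        <!-- Placeholder directory connection; use a read-only bind account for the search. -->
        <ldap name="ldap-connection" url="ldap://ldap.example.com:389"
              search-dn="cn=jboss-bind,ou=Service,dc=example,dc=com"
              search-credential="CHANGE_ME"/>
    </outbound-connections>
    <!-- management-interfaces omitted for brevity -->
    <access-control provider="rbac">
        <role-mapping>
            <!-- RBAC mapping from Comment 1: $local keeps SuperUser for scripts;
                 LDAP users receive roles through the groups loaded above. -->
            <role name="SuperUser">
                <include>
                    <user name="$local"/>
                    <group name="jboss-admins"/>
                </include>
            </role>
        </role-mapping>
    </access-control>
</management>
```

Before EAP 6.3.0.ER2 the same realm fails at the group-loading step for $local once RBAC is enabled, which is the behaviour reported in the description.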