
Bug 1132742

Summary: (6.4.0) For better compatibility PL IDP should combine multiple AttributeStatements into a single AttributeStatement
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Hisanobu Okuda <hokuda>
Component: PicketLink    Assignee: Peter Skopek <pskopek>
Status: CLOSED EOL QA Contact: Ondrej Kotek <okotek>
Severity: unspecified Docs Contact:
Priority: urgent    
Version: 6.3.0    CC: anmiller, bbaranow, bdawidow, dandread, kkhan, okotek, rsvoboda
Target Milestone: ER2   
Target Release: EAP 6.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1176542    Environment:
Last Closed: 2019-08-19 12:49:14 UTC Type: Feature Request
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1166062, 1176542, 1181655    

Description Hisanobu Okuda 2014-08-22 01:08:05 UTC
Description of problem:

We are trying to integrate a PL IDP with a vendor SP that we don't have any control over. Their SP is rejecting our response assertion because it includes 2 AttributeStatement blocks and they are expecting 1.

While the spec at http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf on line 2077 seems to indicate that multiple AttributeStatements are a technically correct approach, I'm not sure it is a "normal" approach. I know simplesamlphp IDP doesn't do multiple AttributeStatements out of the box. If you happen to know that other IDPs take the multiple AttributeStatements approach feel free to close this ticket. If you aren't sure, please decide if you think PL should be changed to issue a single AttributeStatement instead of multiple so it can be technically correct and potentially more "normal" so that we would have better compatibility with 3rd party SPs.

We have now had 2 vendors complain about this. The 2nd one was savvy enough to patch the pysaml2 library they were using https://github.com/BetterWorks/pysaml2/commit/64a2078aa19535cc8825282a4e16353c4448303b?w=1. This however does make me think more and more that what we are doing isn't "normal" and needs to be changed. I'll try and figure out what SP the other vendor uses OpenSAML https://wiki.shibboleth.net/confluence/display/OpenSAML/Home which I imagine is being used by quite a few people.

Example assertion:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="https://rewardzone.redhat.com/saml/acs"
ID="ID_0afaf150-4283-41a1-860b-b59b1143d41a"
InResponseTo="_eb9c6ba835d80e20f1f36c1ac0956fe24c474090a0"
IssueInstant="2014-08-11T13:30:51.468Z"
Version="2.0"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.redhat.com/idp/</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<dsig:Reference URI="#ID_0afaf150-4283-41a1-860b-b59b1143d41a">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>r4i33KDAC59Nm3gQ4Zw2ym9h1S0=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>H3wMzpBqcjmniKGPaijo+XnyI6GYoE6TN2u8LFRFsJamzIVPCGsiL5+rqQVcirKqIO0jEQQF5ICcTX/dmvVg1P2CA5ZXSGX2mC8zk1Kn9tbQfsjZZ1+3ywNim4w33tbOI6TTPqDOKDx7R0JqJWjTEXH7oPoR835xEkcak++LqdPJZC5fQk7nu6/B1+buqME4/q2rL/kMRXEtPUAX5dWfkFr0bvtrQ945ospb+JhWTG1Rid2Y2YimNLaWBaz/IKVDpSX8onRqhLEhfEZs5FubqA+GkkLqdjC0bnVYnmGX7Vn86mLwU/TiCIeodBLCj8p4vU8/opaUJARL44LHTeo8Xg==</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate>...</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>7FZf/87EphxgcXuaVobrCMxb1TmrilHHOk9x46Gpe3GW0AG1v/hapabBu6oY8N/PoUQXjN09ncEymn6bYqYPJR31OpFxlOpOomD/5ex3LwVX9aiqsGUJofYETMWB0dJnDaiSGBWW6LeXW60o0y+eyXlNJrZvn4rI2YyRFncQ4GU/Jkwf7Z5aWYdBm/CpW1jJ3+4D36hUC9xSO2dmo+iYuIKJs/JW6Sk43H0l05HmiJU+d0J3JWeyD7JMM0wnvfKtNTXiO87jsfLf0T34yMY4Zv3mLuOQhl7q8W7/i+h40lBPtVpuoTyITSOHJTQEeRlXSoZvCSeKmYHMqnoLbLlhzQ==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ID_0ec528d8-a732-4b14-9ac6-7149fbe0acca"
IssueInstant="2014-08-11T13:30:51.467Z"
Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.redhat.com/idp/</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<dsig:Reference URI="#ID_0ec528d8-a732-4b14-9ac6-7149fbe0acca">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>g4R5y0+EgSCOsR/fgNzJeIOxPJI=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>ncCz34kkDcl+h+K6DHP/Cg1u03fLdCbm+6VBjQEv/mbRQvpIsf9M+3GajKcuKm0H+jP0c3Oo7IkSQw4SjWxfezd3KmSLVWvFVg5MPlJ2a4udEAyLAxlRoqbVZ9PBOtZ1m9d0vfMdj6S1w+ckyWeoCc5t7S17WrPrbFpZRybixeNuXZOvFCnkOfrpjvcdwPZmVuwB9858vRHZch3kDt2qJ+UjTPekmexXnx87JzrXHJv7Wz7oUya8F7uN5tRTgvUV+4e5dijsWZMTgXVnwtlQstMZ8KCaxRdyz/71SzkKcaWKAZfbnXRkGg0KR6h2IikNeNPiguzQmYzKDA1S9dHeTQ==</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate>...</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>7FZf/87EphxgcXuaVobrCMxb1TmrilHHOk9x46Gpe3GW0AG1v/hapabBu6oY8N/PoUQXjN09ncEymn6bYqYPJR31OpFxlOpOomD/5ex3LwVX9aiqsGUJofYETMWB0dJnDaiSGBWW6LeXW60o0y+eyXlNJrZvn4rI2YyRFncQ4GU/Jkwf7Z5aWYdBm/CpW1jJ3+4D36hUC9xSO2dmo+iYuIKJs/JW6Sk43H0l05HmiJU+d0J3JWeyD7JMM0wnvfKtNTXiO87jsfLf0T34yMY4Zv3mLuOQhl7q8W7/i+h40lBPtVpuoTyITSOHJTQEeRlXSoZvCSeKmYHMqnoLbLlhzQ==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>dminnich</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_eb9c6ba835d80e20f1f36c1ac0956fe24c474090a0"
NotOnOrAfter="2014-08-11T13:31:00.667Z"
Recipient="https://rewardzone.redhat.com/saml/acs"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-08-11T13:30:49.467Z"
NotOnOrAfter="2014-08-11T13:31:00.667Z"
>
<saml:AudienceRestriction>
<saml:Audience>https://rewardzone.redhat.com/saml/spMetadata</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-08-11T13:30:51.468Z"
SessionIndex="ID_0ec528d8-a732-4b14-9ac6-7149fbe0acca"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Role">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Contingent Worker</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Users</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>authenticated</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>devlab-tower-iam-access</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement>
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
FriendlyName="uid"
Name="urn:oid:0.9.2342.19200300.100.1.1"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
x500:Encoding="LDAP"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>dminnich</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
FriendlyName="sn"
Name="urn:oid:2.5.4.4"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
x500:Encoding="LDAP"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Minnich</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="rhatPersonType"
Name="rhatPersonType"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Contingent Worker</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
FriendlyName="cn"
Name="urn:oid:2.5.4.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
x500:Encoding="LDAP"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Dustin Minnich</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
FriendlyName="email"
Name="urn:oid:1.2.840.113549.1.9.1"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
x500:Encoding="LDAP"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>dminnich</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
FriendlyName="givenName"
Name="urn:oid:2.5.4.42"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
x500:Encoding="LDAP"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Dustin</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

------
standalone-ha bits:
<security-domain name="RedHatSAMLIDP" cache-type="default">
<authentication>
<login-module code="SPNEGO" flag="optional">
<module-option name="password-stacking" value="useFirstPass" />
<module-option name="serverSecurityDomain" value="host" />
<module-option name="removeRealmFromPrincipal" value="true" />
<module-option name="debug" value="true" />
</login-module>

<login-module code="com.redhat.it.jboss.loginModules.JbossRadiusLoginModule" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="hostName" value="linotp01.authmgr.prod.int.rdu2.redhat.com"/>
<module-option name="secondaryHostName" value="linotp01.authmgr.prod.int.ams2.redhat.com"/>
<module-option name="sharedSecret" value="NO"/>
<module-option name="authRoleName" value="authenticated"/>
<module-option name="authPort" value="1812"/>
<module-option name="acctPort" value="1813"/>
<module-option name="numRetries" value="3"/>
</login-module>
<!-- fake role login module - makes sure all authenticated users have a default role, otherwise jboss gets unhappy -->
<login-module code="com.redhat.it.jboss.loginModules.StaticRoleLoginModule" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="authRoleName" value="authenticated"/>
</login-module>
<login-module code="com.redhat.it.jboss.loginModules.StaticRoleLoginModule" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="authRoleName" value="Users"/>
</login-module>
</authentication>

<audit>
<provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
</audit>
<mapping>
<mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
<module-option name="java.naming.provider.url" value="ldaps://ldap01.intranet.dev.int.phx1.redhat.com"/>
<module-option name="bindDN" value="uid=picketlink,ou=serviceaccounts,dc=redhat,dc=com"/>
<module-option name="bindCredential" value="NO"/>
<module-option name="baseCtxDN" value="ou=users,dc=redhat,dc=com"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="attributeList" value="mail,cn,givenName,sn,rhatPersonType,uid"/>
<module-option name="searchTimeLimit" value="10000"/>
</mapping-module>
<mapping-module code="org.jboss.security.mapping.providers.role.LdapRolesMappingProvider" type="role">
<module-option name="java.naming.provider.url" value="ldaps://ldap01.intranet.dev.int.phx1.redhat.com"/>
<module-option name="bindDN" value="uid=picketlink,ou=serviceaccounts,dc=redhat,dc=com"/>
<module-option name="bindCredential" value="NO"/>
<module-option name="rolesCtxDN" value="ou=users,dc=redhat,dc=com"/>
<module-option name="roleFilter" value="(uid={0})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleNameAttributeID" value="cn"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="searchTimeLimit" value="10000"/>
</mapping-module>
</mapping>

</security-domain>



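An added example, not PicketLink's or Red Hat's own code, of the change this report asks for: collapsing every saml:AttributeStatement of an assertion into a single one at the IdP, plus the count and attribute-collection checks an SP-side compatibility test would run before and after the merge. The sample assertion is constructed for this example (signature omitted, placeholder issuer, invented subject values; only the attribute names are taken from the report), and the function names are assumptions.

```python
"""Merge multiple saml:AttributeStatement elements into one (added example)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed sample: two AttributeStatements, the shape the report describes.
# Signature, Subject and Conditions are omitted; values are invented.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="ID_example" Version="2.0"
    IssueInstant="2014-08-11T13:30:51.467Z">
  <saml:Issuer>https://idp.example.test/idp/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role"><saml:AttributeValue>Users</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>authenticated</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def find_assertion(root: ET.Element) -> ET.Element:
    """Accept either a bare saml:Assertion or a samlp:Response wrapping one."""
    if root.tag == f"{{{SAML_NS}}}Assertion":
        return root
    assertion = root.find(f"{{{SAML_NS}}}Assertion")
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    return assertion


def attribute_statements(assertion: ET.Element) -> list:
    """Direct-child AttributeStatement elements; an SP expecting one can check len() == 1."""
    return assertion.findall(f"{{{SAML_NS}}}AttributeStatement")


def collect_attributes(assertion: ET.Element) -> dict:
    """Map attribute Name -> list of string values across all statements, in document order."""
    out = {}
    for stmt in attribute_statements(assertion):
        for attr in stmt.findall(f"{{{SAML_NS}}}Attribute"):
            values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
            out.setdefault(attr.get("Name"), []).extend(values)
    return out


def merge_attribute_statements(assertion: ET.Element) -> ET.Element:
    """Move every Attribute of the 2nd..nth statement into the first and drop the empties.

    Run this on the IdP before signing: the enveloped signature's digest covers
    the Assertion content, so rewriting an already signed assertion breaks it.
    """
    statements = attribute_statements(assertion)
    if len(statements) <= 1:
        return assertion
    target = statements[0]
    for extra in statements[1:]:
        for attr in list(extra):  # copy the child list before moving elements
            target.append(attr)
        assertion.remove(extra)
    return assertion


def merge_xml(xml_text: str) -> str:
    """Parse, merge and re-serialise; works for a Response or a bare Assertion."""
    root = ET.fromstring(xml_text)
    merge_attribute_statements(find_assertion(root))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(merge_xml(SAMPLE_ASSERTION))
```

The merge keeps every attribute and its order, so the attribute map an SP derives is identical before and after; only the statement count changes. An SP that reshapes a received assertion on its own side, as the pysaml2 patch linked above does, still has to verify the signature over the original bytes first and only then consume the merged attributes.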
Comment 1 JBoss JIRA Server 2014-10-07 12:52:43 UTC
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-543 to Resolved

Comment 2 Dimitris Andreadis 2014-11-20 16:31:12 UTC
RFE, certainly not blocker.

Comment 3 Kabir Khan 2015-01-07 15:17:15 UTC
Should be fixed by PL upgrade 2.5.3.SP14 BZ1166062

Comment 4 Ondrej Kotek 2015-01-15 12:42:03 UTC
Commits are not included in PL upgrade 2.5.3.SP14 (ER1), but in 2.5.3.SP15. Verification failed.