Bug 1132742 - (6.4.0) For better compatibility PL IDP should combine multiple AttributeStatement's into a single AttributeStatement
Summary: (6.4.0) For better compatibility PL IDP should combine multiple AttributeStat...
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: PicketLink
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: unspecified
Target Milestone: ER2
Target Release: EAP 6.4.0
Assignee: Peter Skopek
QA Contact: Ondrej Kotek
URL:
Whiteboard:
Depends On:
Blocks: 1166062 1176542 1181655
 
Reported: 2014-08-22 01:08 UTC by Hisanobu Okuda
Modified: 2019-08-19 12:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1176542
Environment:
Last Closed: 2019-08-19 12:49:14 UTC
Type: Feature Request
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker PLINK-543 0 Minor Resolved For better compatibility PL IDP should combine multiple AttributeStatement's into a single AttributeStatement 2018-02-07 06:39:25 UTC

Description Hisanobu Okuda 2014-08-22 01:08:05 UTC
Description of problem:

We are trying to integrate a PL IDP with a vendor SP that we don't have any control over. Their SP is rejecting our response assertion because it includes 2 AttributeStatement blocks and they are expecting 1.

While the spec at http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf on line 2077 seems to indicate that multiple AttributeStatements are a technically correct approach, I'm not sure it is a "normal" approach. I know simplesamlphp IDP doesn't do multiple AttributeStatements out of the box. If you happen to know that other IDPs take the multiple AttributeStatements approach feel free to close this ticket. If you aren't sure, please decide if you think PL should be changed to issue a single AttributeStatement instead of multiple so it can be technically correct and potentially more "normal" so that we would have better compatibility with 3rd party SPs.

We have now had 2 vendors complain about this. The 2nd one was savvy enough to patch the pysaml2 library they were using https://github.com/BetterWorks/pysaml2/commit/64a2078aa19535cc8825282a4e16353c4448303b?w=1. This however does make me think more and more that what we are doing isn't "normal" and needs to be changed. I'll try and figure out what SP the other vendor uses OpenSAML https://wiki.shibboleth.net/confluence/display/OpenSAML/Home which I imagine is being used by quite a few people.

Example assertion:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="https://rewardzone.redhat.com/saml/acs"
ID="ID_0afaf150-4283-41a1-860b-b59b1143d41a"
InResponseTo="_eb9c6ba835d80e20f1f36c1ac0956fe24c474090a0"
IssueInstant="2014-08-11T13:30:51.468Z"
Version="2.0"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.redhat.com/idp/</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<dsig:Reference URI="#ID_0afaf150-4283-41a1-860b-b59b1143d41a">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>r4i33KDAC59Nm3gQ4Zw2ym9h1S0=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>H3wMzpBqcjmniKGPaijo+XnyI6GYoE6TN2u8LFRFsJamzIVPCGsiL5+rqQVcirKqIO0jEQQF5ICcTX/dmvVg1P2CA5ZXSGX2mC8zk1Kn9tbQfsjZZ1+3ywNim4w33tbOI6TTPqDOKDx7R0JqJWjTEXH7oPoR835xEkcak++LqdPJZC5fQk7nu6/B1+buqME4/q2rL/kMRXEtPUAX5dWfkFr0bvtrQ945ospb+JhWTG1Rid2Y2YimNLaWBaz/IKVDpSX8onRqhLEhfEZs5FubqA+GkkLqdjC0bnVYnmGX7Vn86mLwU/TiCIeodBLCj8p4vU8/opaUJARL44LHTeo8Xg==</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate><!-- certificate value omitted --></dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>7FZf/87EphxgcXuaVobrCMxb1TmrilHHOk9x46Gpe3GW0AG1v/hapabBu6oY8N/PoUQXjN09ncEymn6bYqYPJR31OpFxlOpOomD/5ex3LwVX9aiqsGUJofYETMWB0dJnDaiSGBWW6LeXW60o0y+eyXlNJrZvn4rI2YyRFncQ4GU/Jkwf7Z5aWYdBm/CpW1jJ3+4D36hUC9xSO2dmo+iYuIKJs/JW6Sk43H0l05HmiJU+d0J3JWeyD7JMM0wnvfKtNTXiO87jsfLf0T34yMY4Zv3mLuOQhl7q8W7/i+h40lBPtVpuoTyITSOHJTQEeRlXSoZvCSeKmYHMqnoLbLlhzQ==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ID_0ec528d8-a732-4b14-9ac6-7149fbe0acca"
IssueInstant="2014-08-11T13:30:51.467Z"
Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.redhat.com/idp/</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<dsig:Reference URI="#ID_0ec528d8-a732-4b14-9ac6-7149fbe0acca">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>g4R5y0+EgSCOsR/fgNzJeIOxPJI=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>ncCz34kkDcl+h+K6DHP/Cg1u03fLdCbm+6VBjQEv/mbRQvpIsf9M+3GajKcuKm0H+jP0c3Oo7IkSQw4SjWxfezd3KmSLVWvFVg5MPlJ2a4udEAyLAxlRoqbVZ9PBOtZ1m9d0vfMdj6S1w+ckyWeoCc5t7S17WrPrbFpZRybixeNuXZOvFCnkOfrpjvcdwPZmVuwB9858vRHZch3kDt2qJ+UjTPekmexXnx87JzrXHJv7Wz7oUya8F7uN5tRTgvUV+4e5dijsWZMTgXVnwtlQstMZ8KCaxRdyz/71SzkKcaWKAZfbnXRkGg0KR6h2IikNeNPiguzQmYzKDA1S9dHeTQ==</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate><!-- certificate value omitted --></dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>7FZf/87EphxgcXuaVobrCMxb1TmrilHHOk9x46Gpe3GW0AG1v/hapabBu6oY8N/PoUQXjN09ncEymn6bYqYPJR31OpFxlOpOomD/5ex3LwVX9aiqsGUJofYETMWB0dJnDaiSGBWW6LeXW60o0y+eyXlNJrZvn4rI2YyRFncQ4GU/Jkwf7Z5aWYdBm/CpW1jJ3+4D36hUC9xSO2dmo+iYuIKJs/JW6Sk43H0l05HmiJU+d0J3JWeyD7JMM0wnvfKtNTXiO87jsfLf0T34yMY4Zv3mLuOQhl7q8W7/i+h40lBPtVpuoTyITSOHJTQEeRlXSoZvCSeKmYHMqnoLbLlhzQ==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>dminnich</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_eb9c6ba835d80e20f1f36c1ac0956fe24c474090a0"
NotOnOrAfter="2014-08-11T13:31:00.667Z"
Recipient="https://rewardzone.redhat.com/saml/acs"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-08-11T13:30:49.467Z"
NotOnOrAfter="2014-08-11T13:31:00.667Z"
>
<saml:AudienceRestriction>
<saml:Audience>https://rewardzone.redhat.com/saml/spMetadata</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-08-11T13:30:51.468Z"
SessionIndex="ID_0ec528d8-a732-4b14-9ac6-7149fbe0acca"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Role">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Contingent Worker</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Users</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>authenticated</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>devlab-tower-iam-access</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement>
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
FriendlyName="uid"
Name="urn:oid:0.9.2342.19200300.100.1.1"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
x500:Encoding="LDAP"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>dminnich</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
FriendlyName="sn"
Name="urn:oid:2.5.4.4"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
x500:Encoding="LDAP"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Minnich</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="rhatPersonType"
Name="rhatPersonType"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Contingent Worker</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
FriendlyName="cn"
Name="urn:oid:2.5.4.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
x500:Encoding="LDAP"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Dustin Minnich</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
FriendlyName="email"
Name="urn:oid:1.2.840.113549.1.9.1"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
x500:Encoding="LDAP"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>dminnich</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
FriendlyName="givenName"
Name="urn:oid:2.5.4.42"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
x500:Encoding="LDAP"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Dustin</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

------
standalone-ha bits:
<security-domain name="RedHatSAMLIDP" cache-type="default">
<authentication>
<login-module code="SPNEGO" flag="optional">
<module-option name="password-stacking" value="useFirstPass" />
<module-option name="serverSecurityDomain" value="host" />
<module-option name="removeRealmFromPrincipal" value="true" />
<module-option name="debug" value="true" />
</login-module>

<login-module code="com.redhat.it.jboss.loginModules.JbossRadiusLoginModule" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="hostName" value="linotp01.authmgr.prod.int.rdu2.redhat.com"/>
<module-option name="secondaryHostName" value="linotp01.authmgr.prod.int.ams2.redhat.com"/>
<module-option name="sharedSecret" value="NO"/>
<module-option name="authRoleName" value="authenticated"/>
<module-option name="authPort" value="1812"/>
<module-option name="acctPort" value="1813"/>
<module-option name="numRetries" value="3"/>
</login-module>
<!-- fake role login module - makes sure all authenticated users have a default role, otherwise jboss gets unhappy -->
<login-module code="com.redhat.it.jboss.loginModules.StaticRoleLoginModule" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="authRoleName" value="authenticated"/>
</login-module>
<login-module code="com.redhat.it.jboss.loginModules.StaticRoleLoginModule" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="authRoleName" value="Users"/>
</login-module>
</authentication>

<audit>
<provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
</audit>
<mapping>
<mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
<module-option name="java.naming.provider.url" value="ldaps://ldap01.intranet.dev.int.phx1.redhat.com"/>
<module-option name="bindDN" value="uid=picketlink,ou=serviceaccounts,dc=redhat,dc=com"/>
<module-option name="bindCredential" value="NO"/>
<module-option name="baseCtxDN" value="ou=users,dc=redhat,dc=com"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="attributeList" value="mail,cn,givenName,sn,rhatPersonType,uid"/>
<module-option name="searchTimeLimit" value="10000"/>
</mapping-module>
<mapping-module code="org.jboss.security.mapping.providers.role.LdapRolesMappingProvider" type="role">
<module-option name="java.naming.provider.url" value="ldaps://ldap01.intranet.dev.int.phx1.redhat.com"/>
<module-option name="bindDN" value="uid=picketlink,ou=serviceaccounts,dc=redhat,dc=com"/>
<module-option name="bindCredential" value="NO"/>
<module-option name="rolesCtxDN" value="ou=users,dc=redhat,dc=com"/>
<module-option name="roleFilter" value="(uid={0})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleNameAttributeID" value="cn"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="searchTimeLimit" value="10000"/>
</mapping-module>
</mapping>

</security-domain>



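The change the reporter asks for, and the tolerance an SP needs until an IdP makes it, as an added Python example that is not PicketLink's or pysaml2's code: merge_attribute_statements folds every AttributeStatement of an assertion into the first one (an IdP must do this before signing, since rewriting a signed assertion invalidates its signature), and collect_attributes is the SP-side reading that gathers attributes across all statements instead of rejecting the assertion. The sample response is constructed and unsigned; the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Constructed sample shaped like the report's assertion (signature left out):
# roles in one AttributeStatement, an LDAP attribute in a second one.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" Version="2.0">
  <saml:Assertion Version="2.0" ID="ID_constructed-1">
    <saml:AttributeStatement>
      <saml:Attribute Name="Role"><saml:AttributeValue>Users</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Role"><saml:AttributeValue>authenticated</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
        <saml:AttributeValue>dminnich</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def count_attribute_statements(response_xml: str) -> int:
    root = ET.fromstring(response_xml)
    return len(root.findall(f".//{{{SAML}}}AttributeStatement"))

def merge_attribute_statements(response_xml: str) -> str:
    """IdP side: fold all AttributeStatements of each Assertion into the first one.
    Run this before signing; editing a signed assertion breaks its signature."""
    root = ET.fromstring(response_xml)
    for assertion in root.iter(f"{{{SAML}}}Assertion"):
        statements = assertion.findall(f"{{{SAML}}}AttributeStatement")
        for extra in statements[1:]:
            for child in list(extra):  # Attribute or EncryptedAttribute children
                extra.remove(child)
                statements[0].append(child)
            assertion.remove(extra)
    return ET.tostring(root, encoding="unicode")

def collect_attributes(response_xml: str) -> dict:
    """SP side: Name -> values gathered across every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attribute in root.iterfind(f".//{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        values = [v.text or "" for v in attribute.findall(f"{{{SAML}}}AttributeValue")]
        attrs.setdefault(attribute.get("Name"), []).extend(values)
    return attrs
```

Merging on the IdP and tolerant collection on the SP yield the same attribute set, which is the property worth asserting in an integration test against a third-party SP.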
Comment 1 JBoss JIRA Server 2014-10-07 12:52:43 UTC
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-543 to Resolved

Comment 2 Dimitris Andreadis 2014-11-20 16:31:12 UTC
RFE, certainly not blocker.

Comment 3 Kabir Khan 2015-01-07 15:17:15 UTC
Should be fixed by PL upgrade 2.5.3.SP14 BZ1166062

Comment 4 Ondrej Kotek 2015-01-15 12:42:03 UTC
Commits are not included in PL upgrade 2.5.3.SP14 (ER1), but in 2.5.3.SP15. Verification failed.

