Help Desk Ticket Reference: https://c.na7.visual.force.com/apex/Case_View?id=500A0000007BFNF&sfdc.override=1
project_key: JBEPP

PicketLink does not account for possible white spaces in the DN when it verifies identity. If the user has accidentally entered a white space, the following exception is thrown:

[org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository] (ajp-0.0.0.0-8009-20) Exception occurred: org.picketlink.idm.common.exception.IdentityException: Cannot recognize identity object type by its DN: cn=portaluser_administrator,cn=portaluser, ou=portalGroups, dc=hds,dc=com
    at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:836)
    at org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl.findIdentityObject(LDAPIdentityStoreImpl.java:1246)
    at org.picketlink.idm.impl.repository.FallbackIdentityStoreRepository.findIdentityObject(FallbackIdentityStoreRepository.java:760)
    at org.picketlink.idm.impl.api.session.managers.RelationshipManagerImpl.findAssociatedGroups(RelationshipManagerImpl.java:1085)

findIdentityObject() does the following comparison:

    if (entry != null && entry.getDn().equalsIgnoreCase(dn))

If there is an extra whitespace in the DN, the match fails and the exception is thrown. The comparison should be more user friendly and attempt to crop out the white spaces.
Release Notes Docs Status: Added: Documented as Known Issue Release Notes Text: Added: PicketLink does not account for spaces in domain names when it verifies identity. If the user enters spaces in the domain name, the following exception is thrown: "org.picketlink.idm.common.exception.IdentityException: Cannot recognize identity object type by its DN". There is no workaround for this issue, apart from ensuring no spaces are included in domain names.
Labels: Added: EPP_5_2_1_Candidate
Labels: Removed: EPP_5_2_1_Candidate
Fixed in Picketlink IDM trunk https://source.jboss.org/changelog/PicketLink?cs=1374 . I added new methods to class Tools.java, which supports comparison of Ldap DN, so DNs are considered equal even if these DN have some whitespaces in path. LDAPIdentityStoreRepository is refactored to use these util methods. TestCase is also added for it.
Only needed action is to release Picketlink IDM and update EPP pom.xml to use this new Picketlink IDM.
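The comparison problem described in the issue and the whitespace-tolerant DN equality the fix comment introduces, as an added Java illustration that is not PicketLink's own code: it contrasts the equalsIgnoreCase check quoted from findIdentityObject() with a structural comparison through javax.naming.ldap.LdapName, which parses each DN into RDNs so that whitespace around separators is insignificant while whitespace inside an attribute value still counts. The class and method names are hypothetical; the DN values are the one quoted in the description plus a constructed one.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/** Hypothetical helper, not PicketLink code: two ways of comparing LDAP DNs. */
public class DnCompare {

    // The check from the issue: a single space after a comma makes it fail.
    static boolean naiveEquals(String stored, String requested) {
        return stored != null && stored.equalsIgnoreCase(requested);
    }

    // Structure-aware check: LdapName parses both DNs into RDNs, so spaces
    // around the separators are ignored, attribute types compare
    // case-insensitively, and unparsable input simply never matches.
    static boolean dnEquals(String stored, String requested) {
        if (stored == null || requested == null) {
            return false;
        }
        try {
            return new LdapName(stored).equals(new LdapName(requested));
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Stored form versus the user-typed form quoted in the issue description.
        String stored = "cn=portaluser_administrator,cn=portaluser,ou=portalGroups,dc=hds,dc=com";
        String typed = "cn=portaluser_administrator,cn=portaluser, ou=portalGroups, dc=hds,dc=com";
        System.out.println("naive:      " + naiveEquals(stored, typed)); // false: the reported bug
        System.out.println("structural: " + dnEquals(stored, typed));    // true

        // Constructed case: a space inside a value is part of the value, so
        // stripping every space from the DN string would over-match here.
        System.out.println("value space: "
                + dnEquals("cn=John Smith,dc=example,dc=com", "cn=JohnSmith,dc=example,dc=com")); // false
    }
}
```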
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Release notes docs status: Not Yet Documented for EPP 5.2.1 Release notes text: CAUSE: PicketLink does not account for spaces in domain names when it verifies identity. If the user enters spaces in the domain name, the following exception is thrown: "org.picketlink.idm.common.exception.IdentityException: Cannot recognize identity object type by its DN". There is no workaround for this issue, apart from ensuring no spaces are included in domain names. FIX: It's fixed only in Picketlink IDM library. Now it supports comparison of Ldap DN, so DN are considered equal even if these DN have some whitespaces in path. LDAPIdentityStoreRepository is refactored according to it. TestCase is also added for it into Picketlink IDM library.
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,6 +1,4 @@ -Release notes docs status: Not Yet Documented for EPP 5.2.1 - -Release notes text: CAUSE: PicketLink does not account for spaces in domain +CAUSE: PicketLink does not account for spaces in domain names when it verifies identity. If the user enters spaces in the domain name, the following exception is thrown: "org.picketlink.idm.common.exception.IdentityException: Cannot recognize
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,12 +1 @@ -CAUSE: PicketLink does not account for spaces in domain +An issue in PicketLink identity verification resulted in domain names containing spaces causing the following exception to be raised: <literal>Cannot recognize identity object type by its DN</literal>. The fix implements changes to LDAPIdentityStoreRepository comparison logic, which compares the LDAP domain name with the domain name containing spaces. The logic ignores spaces in the domain name and searches for an overall character match. Domains that have a character match pass validation, which corrects the originally reported issue.-names when it verifies identity. If the user enters spaces in the domain name, -the following exception is thrown: -"org.picketlink.idm.common.exception.IdentityException: Cannot recognize -identity object type by its DN". There is no workaround for this issue, apart -from ensuring no spaces are included in domain names. - -FIX: It's fixed only in Picketlink IDM library. Now it supports comparison of Ldap DN, so DN are considered -equal even if these DN have some whitespaces in path. -LDAPIdentityStoreRepository is refactored according to it. - -TestCase is also added for it into Picketlink IDM library.
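Review bot: in the `+` line of this hunk, "domain name" should read "distinguished name (DN)": the quoted exception is "Cannot recognize identity object type by its DN" and the value shown in the issue description (cn=portaluser_administrator,cn=portaluser, ou=portalGroups, dc=hds,dc=com) is an LDAP DN, not a DNS domain name. The phrase "ignores spaces in the domain name and searches for an overall character match" is also vaguer than the fix comment it summarises; suggest "The fix changes the LDAPIdentityStoreRepository comparison so that LDAP DNs are treated as equal even when the user-entered DN contains whitespace", which keeps the wording tied to what the fix comment states.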