OpenAM / OPENAM-18035

Policy retrieval of response attributes can fail when using LdapDecisionNode against different directory to identity store


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.3
    • Fix Version/s: 7.0.0, 6.5.4, 7.1.0
    • Component/s: trees
    • Sprint: AM Sustaining Sprint 87
    • 5
    • Yes
    • No
    • Yes and I used the same an in the description

      Description

      Description:

      Retrieval of response attributes for a policy will fail if a tree is used for authentication, the tree uses an LDAP Decision Node to authenticate against a different directory from the AM identity store (e.g. AD), and the uid/dn values of the identity differ between the two directories.

      In the above scenario, the policy evaluation response indicates no actions or response attributes for the requested resource.


      Reproduction steps:

      1. Set up a Windows Server and Active Directory server. See https://bugster.forgerock.org/jira/browse/OPENAM-9674?focusedCommentId=141742&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-141742 for further details. Create a test user, e.g. dn: CN=testaduser1,CN=Users,DC=wintest,DC=com, sAMAccountName: testaduser1, mail: testaduser1@testinternal.com, cn: testaduser1
      2. Deploy AM 6.5.3, embedded config and user store.
      3. In top level realm, Authentication settings, add user search alias attributes of mail and cn (so the result is uid, mail, cn).
      4. Create a tree, LdapTree, consisting of a PageNode that has a username and password collector, then LdapDecisionNode, and a successful result going to SetSessionProperties, uid set to be mail, with any failure going to Failure. Configure the LdapDecisionNode to point at AD, with Attribute used to retrieve user profile: mail and Attributes used to search for a user to be authenticated: mail samAccountName.
      5. Create a new module, LdapModule that also points to AD, and which uses the same values as the Ldap Decision Node above.
      6. Create a chain, LdapChain that has the above module set as required.
      7. Leave the embedded identity store user search attribute and Authentication naming attribute at the default value of uid for both.
      8. Create a policy, in the Default Policy Set: TestPolicy01, http://web.amtest2.com:80/test1/., actions GET and POST and add response attributes of uid and mail.
      9. Create an identity in the embedded identity store which matches the email address of the above, but not uid, and has a cn value matching the samAccountName (and/or first part of the dn; I've not determined which, if either, is significant, i.e. so that the search alias can locate the profile when using the chain), e.g.: dn: uid=testfortheaduser,ou=people,dc=openam,dc=forgerock,dc=org, cn: testaduser1, mail: testaduser1@testinternal.com, uid: testfortheaduser
      10. In Identities, navigate to the Groups tab, then All authenticated users, then add the Entitlement REST Access privilege.
      11. Authenticate using the chain, e.g. curl -X POST -k -H 'Content-type: application/json' --header "Accept-API-Version:protocol=1.0,resource=2.1" -H 'X-OpenAM-username: testaduser1@testinternal.com' -H 'X-OpenAM-Password: changeit' 'https://openam.amtest2.com:8443/access/json/authenticate?authIndexType=service&authIndexValue=LdapChain'.
      12. With the token returned, perform a policy evaluation using the default policy set, e.g.: curl -k --request POST --header "Content-Type: application/json" --header 'Accept-API-Version: protocol=1.0,resource=2.0' --header "iPlanetDirectoryPro: <user sso token>" --data '{"resources":["http://web.amtest2.com:80/test1/index.html"],"subject": {"ssoToken": "<user sso token>"}}' 'https://openam.amtest2.com:8443/access/json/policies?_action=evaluate'. Observe that the response is successful, e.g.: [{"resource":"http://web.amtest2.com:80/test1/index.html","actions":{"POST":true,"GET":true},"attributes":{"uid":["testfortheaduser"],"mail":["testaduser1@testinternal.com"]},"advices":{},"ttl":9223372036854775807}]

      13. Now perform an authentication using the tree, e.g. curl -X POST -k -H 'Content-type: application/json' --header "Accept-API-Version:protocol=1.0,resource=2.1" -H 'X-OpenAM-username: testaduser1@testinternal.com' -H 'X-OpenAM-Password: changeit' 'https://openam.amtest2.com:8443/access/json/authenticate?authIndexType=service&authIndexValue=LdapTree'
      14. With the token returned, repeat the policy evaluation request from step 12.

      Expected behaviour:

      A successful policy result should be returned, consistent with when authenticating via the chain.

      Current behaviour:

      The policy result returned is e.g.:

      [{"resource":"http://web.amtest2.com:80/test1/index.html","actions":{},"attributes":{},"advices":{},"ttl":9223372036854775807}]
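As an added regression check that is not part of the issue or of AM's code, the following Python compares the two policy evaluation responses quoted in this report (the chain result from step 12 and the tree result above) and flags any decision that comes back with no actions or without the policy's configured response attributes (uid and mail). The sample responses are copied from the issue and embedded inline; build_evaluate_request mirrors the curl call in step 12, and the base URL passed to it is assumed to be the test deployment used there.

```python
"""Check for OPENAM-18035: does a policy decision obtained with a tree session
match the one obtained with a chain session for the same resource?"""
import json

# Constructed sample data: the two evaluation responses quoted in the issue.
CHAIN_RESPONSE = json.loads(
    '[{"resource":"http://web.amtest2.com:80/test1/index.html",'
    '"actions":{"POST":true,"GET":true},'
    '"attributes":{"uid":["testfortheaduser"],"mail":["testaduser1@testinternal.com"]},'
    '"advices":{},"ttl":9223372036854775807}]'
)
TREE_RESPONSE = json.loads(
    '[{"resource":"http://web.amtest2.com:80/test1/index.html",'
    '"actions":{},"attributes":{},"advices":{},"ttl":9223372036854775807}]'
)

# The response attributes configured on TestPolicy01 in step 8.
EXPECTED_RESPONSE_ATTRIBUTES = ("uid", "mail")


def build_evaluate_request(base_url, sso_token, resources):
    """Return (url, headers, body) equivalent to the curl call in step 12.
    base_url is assumed to be the deployment URL, e.g. https://openam.amtest2.com:8443/access."""
    url = f"{base_url}/json/policies?_action=evaluate"
    headers = {
        "Content-Type": "application/json",
        "Accept-API-Version": "protocol=1.0,resource=2.0",
        "iPlanetDirectoryPro": sso_token,
    }
    body = {"resources": list(resources), "subject": {"ssoToken": sso_token}}
    return url, headers, body


def missing_decisions(response, expected_attrs=EXPECTED_RESPONSE_ATTRIBUTES):
    """Return one entry per resource whose decision has no actions or lacks an
    expected response attribute. An empty list means every decision was complete."""
    problems = []
    for decision in response:
        actions = decision.get("actions", {})
        attrs = decision.get("attributes", {})
        missing = [a for a in expected_attrs if not attrs.get(a)]
        if not actions or missing:
            problems.append({
                "resource": decision.get("resource"),
                "actions": actions,
                "missing_attributes": missing,
            })
    return problems


def compare_routes(chain_response, tree_response):
    """Return, per resource, the actions and attributes that differ between the
    chain-session decision and the tree-session decision (empty dict if equal)."""
    def by_resource(resp):
        return {d["resource"]: d for d in resp}

    chain, tree = by_resource(chain_response), by_resource(tree_response)
    diffs = {}
    for resource in sorted(set(chain) | set(tree)):
        c, t = chain.get(resource, {}), tree.get(resource, {})
        if c.get("actions") != t.get("actions") or c.get("attributes") != t.get("attributes"):
            diffs[resource] = {
                "chain_actions": c.get("actions"), "tree_actions": t.get("actions"),
                "chain_attributes": c.get("attributes"), "tree_attributes": t.get("attributes"),
            }
    return diffs


if __name__ == "__main__":
    print(json.dumps(compare_routes(CHAIN_RESPONSE, TREE_RESPONSE), indent=2))
```

Against a live deployment the two responses would come from the evaluate endpoint after authenticating with authIndexValue=LdapChain and authIndexValue=LdapTree respectively; an empty result from compare_routes means the fix is in place for that resource.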

      Code analysis:

      The retrieval of the response attributes is failing. 

      After authenticating via the chain, in OpenSSOSubjectAttributeCollector.getUserAttributes, uuid from subject is:

      id=testfortheaduser,ou=user,dc=openam,dc=forgerock,dc=org

      This then results in IdServicesImpl.getAttributes performing a lookup for testfortheaduser, which it finds using the uid value (the user search attribute from the datastore).

      With tree, in OpenSSOSubjectAttributeCollector.getUserAttributes, the uuid is

      id=testaduser1,ou=user,dc=openam,dc=forgerock,dc=org

      and results in a uid search for testaduser1, which it doesn't find.

      For both routes, mappedAttributeNames in IdServicesImpl.getAttributes is 'uid', so the search for the tree's username (testaduser1) fails.

      At a high level, it appears that because the chain/module route retrieves the user profile, it ends up with a username value that represents the uid of the user as stored in the identity store, whereas the tree route carries the username as authenticated against AD.

      Workarounds:

      • Ensure that the uids and/or dns of the entries in both directories match.
      • Set the Identity Search attribute to an attribute that does have the value matching that of the dn/samAccountName in AD, e.g. cn attribute could be used for that.
      • Do not use response attributes on the policy.
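To make the code analysis and the second workaround concrete, here is an added Python model of the lookup. It is not AM's code: the identity store entry from step 9 is embedded as constructed data, the two universal ids quoted in the code analysis are reduced to their id= value, and that value is searched under the configured user search attribute, first uid (the default) and then cn (the workaround). IDENTITY_STORE, find_identity and response_attributes are names invented for this illustration; in AM the lookup happens in IdServicesImpl.getAttributes.

```python
"""Model of why the tree route yields no response attributes (OPENAM-18035)."""

# Constructed copy of the identity created in the embedded identity store (step 9).
IDENTITY_STORE = [
    {
        "dn": "uid=testfortheaduser,ou=people,dc=openam,dc=forgerock,dc=org",
        "uid": "testfortheaduser",
        "cn": "testaduser1",
        "mail": "testaduser1@testinternal.com",
    },
]

# Universal ids observed in OpenSSOSubjectAttributeCollector.getUserAttributes.
CHAIN_UUID = "id=testfortheaduser,ou=user,dc=openam,dc=forgerock,dc=org"
TREE_UUID = "id=testaduser1,ou=user,dc=openam,dc=forgerock,dc=org"


def username_from_uuid(uuid):
    """Return the value of the leading 'id=' RDN of an AM universal id."""
    first_rdn = uuid.split(",", 1)[0]
    key, sep, value = first_rdn.partition("=")
    if sep != "=" or key.strip().lower() != "id" or not value:
        raise ValueError(f"not an AM universal id: {uuid!r}")
    return value


def find_identity(username, search_attr, store=IDENTITY_STORE):
    """Simulate the identity store search: compare username with search_attr
    case-insensitively (uid and cn use the caseIgnore matching rule in LDAP).
    Returns the single matching entry, or None if there is no unique match."""
    matches = [e for e in store if e.get(search_attr, "").lower() == username.lower()]
    return matches[0] if len(matches) == 1 else None


def response_attributes(uuid, wanted, search_attr="uid"):
    """Return the policy response attributes for the subject, or {} when the
    identity cannot be resolved, which is what the evaluation in the issue returns."""
    entry = find_identity(username_from_uuid(uuid), search_attr)
    if entry is None:
        return {}
    return {attr: [entry[attr]] for attr in wanted if attr in entry}


if __name__ == "__main__":
    wanted = ["uid", "mail"]
    print("chain, search attr uid:", response_attributes(CHAIN_UUID, wanted))
    print("tree,  search attr uid:", response_attributes(TREE_UUID, wanted))
    print("tree,  search attr cn: ", response_attributes(TREE_UUID, wanted, "cn"))
```

The third call shows the second workaround: with the identity search attribute set to cn, the tree's username (testaduser1) resolves to the same entry as the chain's, so the response attributes are returned. The first workaround corresponds to making the uid value in the identity store equal to the AD username, which makes the default uid search succeed without changing the attribute.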

        People

        Lawrence Yarham