OpenDJ issue OPENDJ-521

Proxied authorization components should support multiple identity mappers

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.4.5
    • Fix Version/s: 7.0.0
    • Component/s: core server, security
    • Labels:
      None
    • Support Ticket IDs:

      Description

      In implementing a SASL/Kerberos solution I need to match incoming Kerberos principals against LDAP entries in the ou=People and ou=Hosts branches. OpenDJ only supports a single RegularExpression Identity Mapper, and this makes it impossible to do.

      To illustrate, I have two situations. The first is catered for by the standard mapping, which takes the incoming principal:

      firstname.lastname@EXAMPLE.COM

      and uses a ds-config-match-pattern of ^([^@])@.$ and a ds-config-match-attribute of uid to match this to:

      uid=firstname.lastname

      I believe this is restricted on matching within the container ou=People, dc=example, dc=com (but I'm no longer sure why I believe this).

      The second situation is an incoming principal:

      host/clientserver.example.com@EXAMPLE.COM

      Now, the hosts container is ou=Hosts, dc=example, dc=com, and my current choice for host name is:

      cn=clientserver

      There's no uid for the host, so I need to match against the cn attribute in this case, but the regular expression mapper doesn't support this.

      OpenLDAP will allow this, as it has support for multiple authz-regexp expressions, as illustrated by this blog post: http://www.rjsystems.nl/en/2100-kerberos-openldap-provider.php

      I'm currently investigating a workaround for this problem, so the use case may not be a good one to drive the change. As a result, I've set the current priority as Trivial.
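The following is an added illustration of the behaviour this request asks for, not OpenDJ code: an ordered chain of regex identity mappers where the first mapper whose pattern matches the whole incoming ID decides the search base and filter. The mapper fields are named after the ds-config-* properties mentioned above; the replace-pattern and base-DN fields, the first-match semantics and the sample realm are assumptions, and the mapped value is RFC 4515-escaped so a principal cannot alter the resulting LDAP filter.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdentityMapper:
    """One regular-expression identity mapper (field names follow ds-config-*)."""
    name: str
    match_pattern: str      # ds-config-match-pattern: must match the whole ID (assumed)
    replace_pattern: str    # assumed: group references that build the attribute value
    match_attribute: str    # ds-config-match-attribute
    match_base_dn: str      # assumed: search base for this mapper


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


# Constructed mapper chain for the two cases in the description (assumed realm).
MAPPERS: List[IdentityMapper] = [
    # User principals: firstname.lastname@EXAMPLE.COM -> uid under ou=People.
    # '/' is excluded so that service principals fall through to the next mapper.
    IdentityMapper("people", r"^([^@/]+)@EXAMPLE\.COM$", r"\1",
                   "uid", "ou=People,dc=example,dc=com"),
    # Host principals: host/clientserver.example.com@EXAMPLE.COM -> cn under ou=Hosts.
    IdentityMapper("hosts", r"^host/([^.@/]+)\.example\.com@EXAMPLE\.COM$", r"\1",
                   "cn", "ou=Hosts,dc=example,dc=com"),
]


def map_identity(principal: str,
                 mappers: List[IdentityMapper] = MAPPERS) -> Optional[Tuple[str, str]]:
    """Return (search base DN, filter) from the first matching mapper, else None.

    Mappers are tried in order; a principal that matches none is rejected
    rather than mapped to an arbitrary entry.
    """
    for mapper in mappers:
        regex = re.compile(mapper.match_pattern)
        if regex.fullmatch(principal):
            value = regex.sub(mapper.replace_pattern, principal)
            ldap_filter = "(%s=%s)" % (mapper.match_attribute, escape_filter_value(value))
            return mapper.match_base_dn, ldap_filter
    return None
```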

              People

              • Assignee: carole forel (cforel)
              • Reporter: Matthew Swift (matthew)
              • Votes: 0
              • Watchers: 1
