cxf-issues mailing list archives

From "Jan Bernhardt (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6043) Multi User BaseDN Support for LdapClaimsHandler
Date Fri, 10 Oct 2014 21:25:34 GMT

    [ https://issues.apache.org/jira/browse/CXF-6043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14167537#comment-14167537 ]

Jan Bernhardt commented on CXF-6043:
------------------------------------

Before 3.1.0 it should be possible to achieve the same outcome just by adding multiple LdapClaimsHandler
to the ClaimsManager, since the ClaimsManager iterates over all provided ClaimsHandler it
will eventually find the correct claims. Just make sure that your username is unique when
using multiple ClaimsHandler (because all matching claims from each Handler will be included
in the outcome).

> Multi User BaseDN Support for LdapClaimsHandler
> -----------------------------------------------
>
>                 Key: CXF-6043
>                 URL: https://issues.apache.org/jira/browse/CXF-6043
>             Project: CXF
>          Issue Type: Improvement
>          Components: STS
>    Affects Versions: 2.7.12, 3.0.1
>            Reporter: Jan Bernhardt
>            Assignee: Jan Bernhardt
>              Labels: Claims, STS
>             Fix For: 3.1.0
>
>
> The current implementation of the LdapClaimsHandler only allows defining a single DN
> for your user search base. In cases when users are spread in multiple OUs which do not share
> a common OU, it is not possible to collect claims for all the users.
> Sample:
> CN=Alice,OU=Internal-User,DC=MY,DC=DOMAIN,DC=COM
> CN=Bob,OU=External-User,DC=MY,DC=DOMAIN,DC=COM
> Setting the "userBaseDN" to "OU=Internal-User,DC=MY,DC=DOMAIN,DC=COM" would cause that
> claims for Bob could not be resolved.
> My proposal is to add another property "userBaseDNs" to the LdapClaimsHandler containing
> a List<String> of userBaseDN. If the user could not be found within the scope of userBaseDN
> then all userBaseDNs contained in the Collection will be searched until the user claims could
> be retrieved.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
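
The uniqueness condition from the comment above can be checked before several handlers are configured. The following is an added example, not part of the original message and not CXF code: it takes a list of user DNs (constructed here, in practice a directory export) and reports usernames that resolve under more than one base DN, which are the accounts whose claims would be merged. It assumes subtree search scope, "cn" as the username attribute and case-insensitive matching.

```python
from collections import defaultdict

# Base DNs from the issue's sample, one per configured LdapClaimsHandler.
BASE_DNS = [
    "OU=Internal-User,DC=MY,DC=DOMAIN,DC=COM",
    "OU=External-User,DC=MY,DC=DOMAIN,DC=COM",
]

# Constructed directory export: the first two DNs are the issue's sample,
# the last two are made up to exercise the check.
SAMPLE_DNS = [
    "CN=Alice,OU=Internal-User,DC=MY,DC=DOMAIN,DC=COM",
    "CN=Bob,OU=External-User,DC=MY,DC=DOMAIN,DC=COM",
    "cn=bob,ou=Contractors,ou=internal-user,dc=my,dc=domain,dc=com",
    "CN=Doe\\, Jane,OU=External-User,DC=MY,DC=DOMAIN,DC=COM",
]

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [r.strip().lower() for r in rdns]

def under_base(dn, base):
    """True if dn lies strictly below base (subtree search scope is assumed)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) > len(b) and d[-len(b):] == b

def ambiguous_usernames(dns, base_dns, name_attr="cn"):
    """Return {username: [base DNs]} for names found under more than one base DN."""
    hits = defaultdict(set)
    for dn in dns:
        attr, _, value = split_dn(dn)[0].partition("=")
        if attr == name_attr:
            hits[value].update(b for b in base_dns if under_base(dn, b))
    return {user: sorted(bases) for user, bases in hits.items() if len(bases) > 1}
```

For the constructed input, `ambiguous_usernames(SAMPLE_DNS, BASE_DNS)` reports only "bob", because a second entry with that name sits in a sub-OU of the internal base DN.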