Posted to issues@cxf.apache.org by "Jan Bernhardt (JIRA)" <ji...@apache.org> on 2014/10/10 23:25:34 UTC

[jira] [Commented] (CXF-6043) Multi User BaseDN Support for LdapClaimsHandler

    [ https://issues.apache.org/jira/browse/CXF-6043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14167537#comment-14167537 ] 

Jan Bernhardt commented on CXF-6043:
------------------------------------

Before 3.1.0 it should be possible to achieve the same outcome just by adding multiple LdapClaimsHandlers to the ClaimsManager. Since the ClaimsManager iterates over all provided ClaimsHandlers, it will eventually find the correct claims. Just make sure that your username is unique when using multiple ClaimsHandlers (because all matching claims from each Handler will be included in the outcome).

> Multi User BaseDN Support for LdapClaimsHandler
> -----------------------------------------------
>
>                 Key: CXF-6043
>                 URL: https://issues.apache.org/jira/browse/CXF-6043
>             Project: CXF
>          Issue Type: Improvement
>          Components: STS
>    Affects Versions: 2.7.12, 3.0.1
>            Reporter: Jan Bernhardt
>            Assignee: Jan Bernhardt
>              Labels: Claims, STS
>             Fix For: 3.1.0
>
>
> The current implementation of the LdapClaimsHandler only allows defining a single DN for your user search base. In cases where users are spread across multiple OUs which do not share a common OU, it is not possible to collect claims for all the users.
> Sample:
> CN=Alice,OU=Internal-User,DC=MY,DC=DOMAIN,DC=COM
> CN=Bob,OU=External-User,DC=MY,DC=DOMAIN,DC=COM
> Setting the "userBaseDN" to "OU=Internal-User,DC=MY,DC=DOMAIN,DC=COM" would mean that claims for Bob could not be resolved.
> My proposal is to add another property "userBaseDNs" to the LdapClaimsHandler containing a List<String> of userBaseDNs. If the user cannot be found within the scope of userBaseDN, then all userBaseDNs contained in the collection will be searched until the user's claims can be retrieved.
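The following Spring configuration is an added illustration of the pre-3.1.0 workaround described in the comment above (two LdapClaimsHandler beans, one per user OU, registered in the same ClaimsManager). It is not taken from the issue or from the CXF code base. The class names and property names (ClaimsManager.claimHandlers, LdapClaimsHandler.ldapTemplate, claimsLdapAttributeMapping, userBaseDN, userNameAttribute) are the public CXF STS ones; the LDAP URL, the bind account, the property placeholders and the OU names Internal-User and External-User are constructed for the example, the latter two taken from the sample DNs in the issue.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: two LdapClaimsHandlers covering two disjoint user OUs.
     Not part of the CXF project or of the JIRA issue. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util
         http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Connection shared by both handlers. The bind credentials are
         assumed to come from an external properties file (constructed
         placeholder names); use a read-only service account. -->
    <bean id="contextSource"
          class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="url" value="ldaps://ldap.my.domain.com:636"/>
        <property name="userDn" value="${ldap.bind.dn}"/>
        <property name="password" value="${ldap.bind.password}"/>
    </bean>

    <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
        <constructor-arg ref="contextSource"/>
    </bean>

    <!-- Claim URI -> LDAP attribute mapping, shared by both handlers. -->
    <util:map id="claimsToLdapAttributeMapping">
        <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
               value="givenName"/>
        <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
               value="sn"/>
        <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
               value="mail"/>
    </util:map>

    <!-- Handler for CN=Alice,OU=Internal-User,... -->
    <bean id="internalUserClaimsHandler"
          class="org.apache.cxf.sts.claims.LdapClaimsHandler">
        <property name="ldapTemplate" ref="ldapTemplate"/>
        <property name="claimsLdapAttributeMapping" ref="claimsToLdapAttributeMapping"/>
        <property name="userNameAttribute" value="cn"/>
        <property name="userBaseDN" value="OU=Internal-User,DC=MY,DC=DOMAIN,DC=COM"/>
    </bean>

    <!-- Handler for CN=Bob,OU=External-User,... -->
    <bean id="externalUserClaimsHandler"
          class="org.apache.cxf.sts.claims.LdapClaimsHandler">
        <property name="ldapTemplate" ref="ldapTemplate"/>
        <property name="claimsLdapAttributeMapping" ref="claimsToLdapAttributeMapping"/>
        <property name="userNameAttribute" value="cn"/>
        <property name="userBaseDN" value="OU=External-User,DC=MY,DC=DOMAIN,DC=COM"/>
    </bean>

    <!-- The ClaimsManager asks every registered handler in turn; the
         claims each one finds are merged into the issued token. -->
    <bean id="claimsManager" class="org.apache.cxf.sts.claims.ClaimsManager">
        <property name="claimHandlers">
            <util:list>
                <ref bean="internalUserClaimsHandler"/>
                <ref bean="externalUserClaimsHandler"/>
            </util:list>
        </property>
    </bean>
</beans>
```

The caveat from the comment applies directly to this configuration: the ClaimsManager merges whatever each handler returns, so if a CN such as "Alice" exists under both OUs, the token will carry the attributes of both entries. Check the uniqueness of the value matched by userNameAttribute across all configured base DNs before relying on this setup. Once CXF 3.1.0 is available, the same two search bases can be handed to a single LdapClaimsHandler through the userBaseDNs list proposed in the issue, which searches the additional bases only when the user is not found under userBaseDN.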



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)