JOSSO

LDAPIdentityStore doesn't support different cn/uid

Details

  • Type: Improvement
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: JOSSO 1.8, JOSSO 1.8.1
  • Fix Version/s: JOSSO 1.8.2
  • Component/s: None
  • Labels: None

Description

It is likely the case that the UID in LDAP is not the same as the CN in the certificate (esp. considering multi-CA authentication). Thus, there needs to be an additional mapping beyond principalUIDAttr and credentialQuery string that allows the translation, something along the lines of this:
1. CN in certificate looks up in LDAP for matching entries (with certificates; may have entries without certificates)
2. Comparison of certificate provided against those in LDAP for verification of same (i.e., instead of two certificates with the same CN crossing users)
3. Conversion of the *real* UID attribute into the username; dropping CN as the username
Currently, if you use the credentialQueryString of 'credentialQueryString="cn=username,userCertificate;binary=userCertificate"', but have 'principalUidAttributeID="uid"', resolution will fail (unless, in the outside case, UID == CN).
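The three-step resolution requested above (look up candidates by CN, compare the presented certificate against each registered one, then hand back the real uid), as an added Python example that is not JOSSO's code. The directory entries and certificate bytes are constructed stand-ins for what a search under usersCtxDN would return; the attribute names follow the configuration discussed in this issue.

```python
import hmac
from typing import Optional

# Constructed stand-ins for DER-encoded certificates (real entries hold full DER).
CERT_A = b"\x30\x82\x01\x0a" + b"A" * 20
CERT_B = b"\x30\x82\x01\x0a" + b"B" * 20
CERT_B2 = b"\x30\x82\x01\x0a" + b"b" * 20
CERT_J = b"\x30\x82\x01\x0a" + b"J" * 20

# Constructed sample of what a search under usersCtxDN returns: three distinct
# people share cn "John Smith", one of them has no certificate registered, and
# jsmith2 has two certificates (all of which the store must consider).
DIRECTORY = [
    {"cn": "John Smith", "uid": "jsmith1", "userCertificate;binary": [CERT_A]},
    {"cn": "John Smith", "uid": "jsmith2", "userCertificate;binary": [CERT_B, CERT_B2]},
    {"cn": "John Smith", "uid": "jsmith3", "userCertificate;binary": []},
    {"cn": "Jane Doe", "uid": "jdoe", "userCertificate;binary": [CERT_J]},
]


def lookup_candidates(directory, lookup_attr, value):
    """Step 1: every entry whose lookup attribute (e.g. cn) equals the value."""
    return [entry for entry in directory if entry.get(lookup_attr) == value]


def holds_certificate(entry, cert_attr, presented_der):
    """Step 2: exact DER comparison against each certificate registered on the entry."""
    return any(hmac.compare_digest(stored, presented_der)
               for stored in entry.get(cert_attr, []))


def resolve_uid(directory, presented_der, subject_cn, lookup_attr="cn",
                cert_attr="userCertificate;binary", uid_attr="uid") -> Optional[str]:
    """Step 3: return the real uid of the single candidate that holds the certificate.

    Returns None when no candidate holds it (CN mismatch, unregistered certificate,
    or an entry without certificates). Raises when the same certificate is
    registered to several entries, since the authentication would be ambiguous.
    """
    candidates = lookup_candidates(directory, lookup_attr, subject_cn)
    matches = [e[uid_attr] for e in candidates
               if holds_certificate(e, cert_attr, presented_der)]
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError("certificate registered to several entries: %s" % matches)
    return matches[0]
```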

Activity

Sebastian Gonzalez Oyuela added a comment -
More comments provided by the user:

Basically -- as I'll explain in more detail below -- we use the CN field to look up a list of *possible* matches, and drill down into the userCertificate to match against what's provided from there. In the end, though, if we find a valid user with a registered certificate, we don't use 'CN' as the user/unique id. We have a different attribute -- uid -- that's used for this purpose. The reason is that we cannot guarantee that 'CN' will be unique; in fact, since it stands for "Common Name," it's almost guaranteed to not be unique.
The culture is different, but the case we use in the U.S. is "John Smith" -- it's a fairly common name, and you may have more than one at a given organization. Since I'm also concerned (again, more below) with multiple organizations, it's even more likely to have duplicate names, but different people.
Goran Nastov added a comment -
Changed strong authentication and identity stores (LDAP, DB, Memory store) to support authentication using certificates whose CN (or OID value) differs from the user id (username). Also, if a user has more than one certificate, all of them will be returned from the identity stores.
One part of the code was taken from the user-provided patch.

Some new configuration properties have been added to support this:
- LDAP: principalLookupAttributeID and userCertificateAtrributeID (defaults to "userCertificate")
- DB: certificateCredentialsQueryString and uidQueryString
- Memory store: <principalLookupKey> in josso-credentials.xml
Deoggon Kim added a comment -
It doesn't seem to work with OpenLDAP (userCertificate;binary attribute). The following is my configuration for the LDAP store.

    <ldap-istore:ldap-bind-store
            id="josso-identity-store"
            initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
            providerUrl="ldaps://10.8.0.1:636"
            securityPrincipal=""
            securityCredential=""
            securityAuthentication="simple"
            ldapSearchScope="SUBTREE"
            usersCtxDN="ou=Users,dc=domain,dc=com"
            principalUidAttributeID="uid"
            uidAttributeID="uniquemember"
            rolesCtxDN="ou=Groups,dc=domain,dc=com"
            roleAttributeID="cn"
            updateableCredentialAttribute="userPassword"
            principalLookupAttributeID="cn"
            userCertificateAtrributeID="userCertificate;binary"
            credentialQueryString="uid=username,userCertificate;binary=userCertificate"
            userPropertiesQueryString="mail=mail,cn=cn"
            />

I guess the LDAP search filter '(&(cn=[certificate's cn])(?userCertificate;binary=[bytearray]))' doesn't work.