When using JAAS, is there any way to specify the attributes returned by the role (group) search query?
The group returned has about 100k entries in the uniqueMember attribute which is saturating the link between the app server and OpenLDAP. Since the query only needs the cn attribute, I’d like to tell the container to only request that when performing the search.
Currently, the query does not set any attributes to be returned, which returns all of them.
The DEV (Jetty) java.security.auth.login.config looks like this:
devldap {
org.eclipse.jetty.plus.jaas.spi.LdapLoginModule required
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
hostname="ldap-dev.example.com"
port="389"
bindDn="cn=Manager,dc=example,dc=com"
bindPassword="xxxx"
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="ou=users,dc=example,dc=com"
userRdnAttribute="uid"
userIdAttribute="uid"
userPasswordAttribute="userPassword"
userObjectClass="inetOrgPerson"
roleBaseDn="ou=groups,dc=example,dc=com"
roleNameAttribute="cn"
roleMemberAttribute="uniqueMember"
roleObjectClass="groupOfUniqueNames";
};
Something seriously wrong there. It shouldn’t be returning the group entry attributes at all, only the CN.
This looks like a major bug in org.eclipse.jetty.plus.jaas.spi.LdapLoginModule. It should set the returningAttributes property of the SearchControls to new String[]{_roleNameAttribute} in getUserRolesByDn(). You need to report it, and/or patch it yourself.

If you're using OpenLDAP you could consider using the memberOf overlay. This gives the user himself an attribute listing all the groups he is a member of. However it isn't retrospective, and as you already clearly have a large directory you would have a job on your hands to populate it from existing groups. The overlay will auto-maintain it once installed, but only for group updates that take place after it's installed.
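As an added example (not code from the question, the answer, or Jetty's LdapLoginModule), this is what the role search looks like in plain JNDI when the returning-attribute list is restricted the way the answer suggests. Connection values are taken from the question's login.config; the class name and reading the bind password from an environment variable are assumptions.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

/** Role lookup that asks the directory for the role name attribute only. */
public final class RoleSearch {
    // Connection values from the question's login.config; the password
    // comes from the environment here (assumption, not in the original).
    static final String PROVIDER_URL = "ldap://ldap-dev.example.com:389";
    static final String BIND_DN = "cn=Manager,dc=example,dc=com";
    static final String ROLE_BASE_DN = "ou=groups,dc=example,dc=com";
    static final String ROLE_OBJECT_CLASS = "groupOfUniqueNames";
    static final String ROLE_MEMBER_ATTRIBUTE = "uniqueMember";
    static final String ROLE_NAME_ATTRIBUTE = "cn";

    static DirContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD"));
        return new InitialDirContext(env);
    }

    /** Names of the groups whose member attribute contains userDn. */
    static List<String> rolesForUser(DirContext ctx, String userDn) throws NamingException {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // The fix suggested in the answer: with no returning-attribute list every
        // attribute of each matching group comes back, including the whole
        // uniqueMember list; with it, only cn crosses the wire.
        ctls.setReturningAttributes(new String[] { ROLE_NAME_ATTRIBUTE });
        // {0} is substituted by JNDI with proper filter escaping of userDn.
        String filter = "(&(objectClass=" + ROLE_OBJECT_CLASS + ")("
                + ROLE_MEMBER_ATTRIBUTE + "={0}))";
        List<String> roles = new ArrayList<>();
        NamingEnumeration<SearchResult> results =
                ctx.search(ROLE_BASE_DN, filter, new Object[] { userDn }, ctls);
        try {
            while (results.hasMore()) {
                Attribute name = results.next().getAttributes().get(ROLE_NAME_ATTRIBUTE);
                if (name != null) roles.add(name.get().toString());
            }
        } finally {
            results.close();
        }
        return roles;
    }
}
```

Calling rolesForUser(connect(), "uid=jdoe,ou=users,dc=example,dc=com") returns just the group names; the 100k-entry uniqueMember values never leave the server.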