[ https://issues.apache.org/jira/browse/CXF-6043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14167537#comment-14167537 ]

Jan Bernhardt commented on CXF-6043:
------------------------------------

Before 3.1.0, it should be possible to achieve the same outcome just by adding 
multiple LdapClaimsHandler to the ClaimsManager; since the ClaimsManager 
iterates over all provided ClaimsHandler, it will eventually find the correct 
claims. Just make sure that your username is unique when using multiple 
ClaimsHandler (because all matching claims from each Handler will be included 
in the outcome).

> Multi User BaseDN Support for LdapClaimsHandler
> -----------------------------------------------
>
>                 Key: CXF-6043
>                 URL: https://issues.apache.org/jira/browse/CXF-6043
>             Project: CXF
>          Issue Type: Improvement
>          Components: STS
>    Affects Versions: 2.7.12, 3.0.1
>            Reporter: Jan Bernhardt
>            Assignee: Jan Bernhardt
>              Labels: Claims, STS
>             Fix For: 3.1.0
>
>
> The current implementation of the LdapClaimsHandler only allows you to define a 
> single DN for your user search base. In cases where users are spread across 
> multiple OUs which do not share a common OU, it is not possible to collect 
> claims for all the users.
> Sample:
> CN=Alice,OU=Internal-User,DC=MY,DC=DOMAIN,DC=COM
> CN=Bob,OU=External-User,DC=MY,DC=DOMAIN,DC=COM
> Setting the "userBaseDN" to "OU=Internal-User,DC=MY,DC=DOMAIN,DC=COM" would 
> mean that claims for Bob could not be resolved.
> My proposal is to add another property "userBaseDNs" to the LdapClaimsHandler 
> containing a List<String> of userBaseDN. If the user could not be found 
> within the scope of userBaseDN, then all userBaseDNs contained in the 
> Collection will be searched until the user claims could be retrieved.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)