I have defined two classes implementing @LdapIdentityStoreDefinition, but only 
the groups from the validating store are used. What am I missing?

Based on the configuration below and the Jakarta Tutorial, I expect the groups 
"USER" and "ROLE_1" for my authenticated user.  Only group "USER" is listed.

***
* Jakarta Tutorial
***
https://jakartaee.github.io/jakartaee-documentation/jakartaee-tutorial/9.1/security/security-api/security-api.html#_overview_of_the_identity_store_interfaces

There is a built-in IdentityStoreHandler that implements a standard algorithm 
defined by Jakarta Security. The Jakarta Security specification provides a full 
description of the algorithm, but it can be roughly summarized as follows:
• Iterate over the available validating IdentityStores, in priority order, until the provided Credential is validated or there are no more IdentityStores.
• If the Credential was validated, iterate over the available group-providing IdentityStores, in priority order, aggregating the groups returned by each store.
• Return the validated caller and group information.

***
* LDAP Configuration
***
ou=groups,dc=example,dc=com contains
 cn=USERS
    uniqueMember= uid=myuser,ou=people,dc=example,dc=com

ou=roles,dc=example,dc=com contains
 cn=ROLE_1
    uniqueMember= uid=myuser,ou=people,dc=example,dc=com

***
* 1st LdapIdentityStoreDefinition
***
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.security.enterprise.identitystore.LdapIdentityStoreDefinition;

// Default useFor = {VALIDATE, PROVIDE_GROUPS}: this store validates the
// credential and supplies groups from ou=groups.
@LdapIdentityStoreDefinition(url = "ldap://localhost:10389", //
       bindDn = "uid=admin,ou=system", //
       bindDnPassword = "secret", //
       callerBaseDn = "ou=people, dc=example,dc=com", //
       callerNameAttribute = "uid", //
       groupSearchBase = "ou=groups,dc=example,dc=com", //
       groupMemberAttribute = "uniqueMember")
@ApplicationScoped
public class LdapIdentity {

}

***
* 2nd LdapIdentityStoreDefinition
***
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.security.enterprise.identitystore.IdentityStore.ValidationType;
import jakarta.security.enterprise.identitystore.LdapIdentityStoreDefinition;

// useFor = PROVIDE_GROUPS only: this store never validates; it is asked for
// groups from ou=roles after another store has validated the caller.
@LdapIdentityStoreDefinition(url = "ldap://localhost:10389", //
       bindDn = "uid=admin,ou=system", //
       bindDnPassword = "secret", //
       groupSearchBase = "ou=roles,dc=example,dc=com", //
       groupMemberAttribute = "uniqueMember",
       useFor = ValidationType.PROVIDE_GROUPS,
       priority = 100)
@ApplicationScoped
public class RolesIdentity {

}

Paul Spencer
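The handler algorithm quoted from the tutorial, written out as a custom IdentityStoreHandler that logs what each store contributes, so a missing group can be traced to the store that did not return it. This is an added example, not code from the original post or from Jakarta Security or its reference implementation. It assumes a CDI container in which the stores created from @LdapIdentityStoreDefinition are injectable as IdentityStore beans, and that, as the specification allows, an application-supplied IdentityStoreHandler bean replaces the built-in handler. The class name TracingIdentityStoreHandler and the name() helper are hypothetical.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Logger;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Instance;
import jakarta.inject.Inject;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.CredentialValidationResult.Status;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.IdentityStore.ValidationType;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;

/**
 * Hypothetical replacement for the built-in IdentityStoreHandler (example code,
 * not part of the original post). Same validate-then-aggregate algorithm as the
 * tutorial describes, with one log line per store so the contribution of each
 * store is visible.
 */
@ApplicationScoped
public class TracingIdentityStoreHandler implements IdentityStoreHandler {

    private static final Logger LOG = Logger.getLogger(TracingIdentityStoreHandler.class.getName());

    // All IdentityStore beans, including those generated from @LdapIdentityStoreDefinition.
    @Inject
    private Instance<IdentityStore> stores;

    @Override
    public CredentialValidationResult validate(Credential credential) {
        // A lower priority() value means higher priority, so sort ascending.
        List<IdentityStore> ordered = new ArrayList<>();
        stores.forEach(ordered::add);
        ordered.sort(Comparator.comparingInt(IdentityStore::priority));

        // Step 1: consult validating stores in order until one returns VALID.
        CredentialValidationResult validated = CredentialValidationResult.NOT_VALIDATED_RESULT;
        IdentityStore validatingStore = null;
        for (IdentityStore store : ordered) {
            if (!store.validationTypes().contains(ValidationType.VALIDATE)) {
                continue;
            }
            CredentialValidationResult r = store.validate(credential);
            LOG.info(() -> name(store) + " validate -> " + r.getStatus());
            if (r.getStatus() == Status.VALID) {
                validated = r;
                validatingStore = store;
                break;
            }
            if (r.getStatus() == Status.INVALID) {
                validated = r; // remember the rejection but let a later store try
            }
        }
        if (validated.getStatus() != Status.VALID) {
            return validated; // INVALID or NOT_VALIDATED; never return partial groups
        }

        // Step 2: aggregate groups from every PROVIDE_GROUPS store.
        // A group-only store is handed the validating store's result, so the
        // caller name, DN and unique id in that result are all it has to resolve
        // membership; logging them shows what the group lookup is keyed on.
        final CredentialValidationResult base = validated;
        LOG.info(() -> "validated caller=" + base.getCallerPrincipal().getName()
                + " dn=" + base.getCallerDn() + " uniqueId=" + base.getCallerUniqueId());

        Set<String> groups = new HashSet<>();
        for (IdentityStore store : ordered) {
            if (!store.validationTypes().contains(ValidationType.PROVIDE_GROUPS)) {
                continue;
            }
            Set<String> contributed = store == validatingStore
                    ? base.getCallerGroups()          // already computed during validation
                    : store.getCallerGroups(base);    // asked separately, keyed on the result above
            LOG.info(() -> name(store) + " groups -> " + contributed);
            groups.addAll(contributed);
        }

        // Step 3: return the validated caller with the union of all groups.
        return new CredentialValidationResult(base.getIdentityStoreId(), base.getCallerPrincipal(),
                base.getCallerDn(), base.getCallerUniqueId(), groups);
    }

    // Both LDAP stores share the same implementation class, so include the
    // validation types to tell the VALIDATE+PROVIDE_GROUPS store from the
    // PROVIDE_GROUPS-only one.
    private static String name(IdentityStore store) {
        return store.getClass().getSimpleName() + store.validationTypes()
                + "(priority=" + store.priority() + ")";
    }
}
```

With the two definitions from the post, one login should produce a "validate" line for the first store, a "validated caller" line showing the DN that was resolved, and a "groups" line for each of the two stores. If the line for the ou=roles store shows an empty set, the problem lies in how that store resolves the caller from the result it is given, not in the aggregation step.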
