
TCK Challenge: ldap test has non-compliant mismatch between LDAPIdentityStoreDefinition and LDIF

Open · brideck opened this issue 3 years ago · 1 comment

Challenged Tests: ee.jakarta.tck.security.test.AppLDAPIT#testAuthenticated

TCK Version: Jakarta Security TCK 3.0.0

Tested Implementation: Open Liberty

Description: This test configures an LDAPIdentityStoreDefinition with only the elements url, callerBaseDn, and groupSearchBase. It configures LDAP with an LDIF that defines group membership with the member: keyword.

Looking at the API for both member: and memberOf:, the description for memberOf: states "This attribute is used only if: a) group search is not configured (i.e., no groupSearchBase and groupSearchFilter configured)..." (emphasis ours).

Accordingly, this means that there is a mismatch between the identity store and LDAP configurations. Group search is not configured (since only one of the two required elements -- groupSearchBase -- is specified), but the LDAP is set up with the member: keyword, which is (implicitly) only used if group search is configured. One might argue that the spec doesn't really mean to say that both groupSearchBase and groupSearchFilter need be provided and that only one of these two is required to configure group search, but a) the API should state or instead of and in that case and b) in a real world LDAP scenario, such a search would be expensive.

This test can easily be updated to comply with the specification by adding the groupSearchFilter element to the existing LdapIdentityStoreDefinition.

brideck · Nov 04 '22 16:11
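As an added illustration of the two configuration shapes the report contrasts (this is not code from the TCK, from Soteria or from Open Liberty), the challenged definition next to the one the report proposes. The URL, base DNs, and the filter text are assumed placeholder values, not the TCK's own; the annotation attributes are the ones the Jakarta Security `LdapIdentityStoreDefinition` API defines.

```java
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.security.enterprise.identitystore.LdapIdentityStoreDefinition;

/*
 * Shape of the challenged configuration: url, callerBaseDn and
 * groupSearchBase only. groupSearchFilter stays at its API default ("").
 * Per the memberOf javadoc quoted in the report, group search counts as
 * "not configured" unless both groupSearchBase AND groupSearchFilter are
 * set, so the store is expected to fall back to the caller's memberOf:
 * attribute, while the test LDIF records membership with member: on the
 * group entry instead. Values below are assumed placeholders.
 */
@LdapIdentityStoreDefinition(
    url = "ldap://localhost:10389",                 // assumed
    callerBaseDn = "ou=caller,dc=example,dc=test",  // assumed
    groupSearchBase = "ou=group,dc=example,dc=test" // assumed
)
@ApplicationScoped
public class ChallengedLdapStoreConfig {
    // Only one of the two classes in this file would be deployed; they are
    // kept side by side so the difference is visible in one place.
}

/*
 * Compliant variant as proposed in the report: groupSearchFilter is added,
 * so group search is configured by the API's own definition and a group
 * entry written as
 *
 *   dn: cn=Administrator,ou=group,dc=example,dc=test   (constructed)
 *   objectClass: groupOfNames
 *   cn: Administrator
 *   member: uid=reza,ou=caller,dc=example,dc=test
 *
 * is found by searching under groupSearchBase. {0} is substituted with the
 * authenticated caller's DN; groupMemberAttribute defaults to "member".
 */
@LdapIdentityStoreDefinition(
    url = "ldap://localhost:10389",                 // assumed
    callerBaseDn = "ou=caller,dc=example,dc=test",  // assumed
    groupSearchBase = "ou=group,dc=example,dc=test",// assumed
    groupSearchFilter = "(&(member={0})(objectClass=groupOfNames))"
)
@ApplicationScoped
class CompliantLdapStoreConfig {
}
```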

Soteria skirts this problem by providing a default value for groupSearchFilter, despite the stated default from the API being the empty string.

brideck · Nov 04 '22 22:11

Hi @arjantijms, Please let us know if this challenge has been accepted or if more information is needed.

Regards, Teddy

teddyjtorres · Nov 28 '22 18:11