5 enable surrogate authentication in different ldap tree from principal #6846
Conversation
️✅ There are no secrets present in this pull request anymore.If these secrets were true positive and are still valid, we highly recommend you to revoke them. 🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request. |
|
Thank you @rbonatuvic. There are a few style violations. Can you please review those? |
update unit and puppeteer tests for surrogate ldap
e5c1afc to
985d578
Compare
|
Code style updates have been committed. |
|
One point to raise here is that in the event that the principal and surrogate exist in the same ldap search trees, this will incur a performance cost, right? |
|
In other words, assuming the performance cost is something of a concern, one possible idea would be to search the immediate connection factory first, and if that fails, then look at everything else (and exclude the one that was just searched). |
|
When I get 7.2 deployed (later this month), I will get back to performing load tests. |
|
Sounds good, thank you. Let's keep this WIP until then. |
…n-different-ldap-tree-from-principal
…n-different-ldap-tree-from-principal
Please make sure you include the following:
This change enables surrogate (impersonation) authentication where the principal and surrogate exist in different ldap search trees. It leverages the existing configuration array notation for surrogate.ldap search; that is, end user documentation and configuration remain as is.
This change was accomplished by separating the search for the principal and surrogate (i.e. two loops instead of one).
Functional test run: https://github.com/rbonatuvic/cas/actions/runs/14874450106
Unit test run: https://github.com/rbonatuvic/cas/actions/runs/14873390499