s1728: add the entryDN as a principal when augmenting a users Subject.

projects/cadcAccessControl-Server/build.xml

@@ -148,7 +148,7 @@
         <pathelement path="${jars}:${testingJars}"/>
       </classpath>
       <sysproperty key="ca.nrc.cadc.util.PropertiesReader.dir" value="test"/>
-      <test name="ca.nrc.cadc.ac.server.web.users.UserActionFactoryTest" />
+      <test name="ca.nrc.cadc.ac.server.ldap.LdapUserDAOTest" />
       <formatter type="plain" usefile="false" />
     </junit>
   </target>

projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/UserPersistence.java

@@ -133,7 +133,22 @@ public interface UserPersistence<T extends Principal>
     User<T> getPendingUser(T userID)
             throws UserNotFoundException, TransientException,
                    AccessControlException;
-    
+
+    /**
+     * Get the user specified by userID with all of the users identities.
+     *
+     * @param userID The userID.
+     *
+     * @return User instance.
+     *
+     * @throws UserNotFoundException when the user is not found.
+     * @throws TransientException If an temporary, unexpected problem occurred.
+     * @throws AccessControlException If the operation is not permitted.
+     */
+    User<T> getAugmentedUser(T userID)
+        throws UserNotFoundException, TransientException,
+               AccessControlException;
+
     /**
      * Attempt to login the specified user.
      *
@@ -148,7 +163,7 @@ public interface UserPersistence<T extends Principal>
      */
     Boolean doLogin(String userID, String password)
             throws UserNotFoundException, TransientException, 
-            AccessControlException;
+                   AccessControlException;
    
     /**
      * Updated the user specified by User.

projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapDAO.java

@@ -68,22 +68,17 @@
  */
 package ca.nrc.cadc.ac.server.ldap;
 
-import ca.nrc.cadc.auth.HttpPrincipal;
-import ca.nrc.cadc.auth.NumericPrincipal;
-import ca.nrc.cadc.auth.OpenIdPrincipal;
+import ca.nrc.cadc.auth.DNPrincipal;
 import ca.nrc.cadc.net.TransientException;
 import com.unboundid.ldap.sdk.DN;
 import com.unboundid.ldap.sdk.LDAPConnection;
 import com.unboundid.ldap.sdk.LDAPException;
 import com.unboundid.ldap.sdk.ResultCode;
-import com.unboundid.ldap.sdk.SearchResult;
-import com.unboundid.ldap.sdk.SearchScope;
 import org.apache.log4j.Logger;
 
 import javax.net.SocketFactory;
 import javax.net.ssl.SSLSocketFactory;
 import javax.security.auth.Subject;
-import javax.security.auth.x500.X500Principal;
 import java.security.AccessControlException;
 import java.security.AccessController;
 import java.security.GeneralSecurityException;
@@ -159,12 +154,12 @@ public abstract class LdapDAO
         }
     }
 
-    protected DN getSubjectDN() throws LDAPException
+    protected DN getSubjectDN()
+        throws LDAPException
     {
         if (subjDN == null)
         {
-            Subject callerSubject =
-                    Subject.getSubject(AccessController.getContext());
+            Subject callerSubject = getSubject();
             if (callerSubject == null)
             {
                 throw new AccessControlException("Caller not authenticated.");
@@ -176,48 +171,18 @@ public abstract class LdapDAO
                 throw new AccessControlException("Caller not authenticated.");
             }
 
-            String ldapField = null;
             for (Principal p : principals)
             {
-                if (p instanceof HttpPrincipal)
+                if (p instanceof DNPrincipal)
                 {
-                    ldapField = "(uid=" + p.getName() + ")";
-                    break;
-                }
-                if (p instanceof NumericPrincipal)
-                {
-                    ldapField = "(numericid=" + p.getName() + ")";
-                    break;
-                }
-                if (p instanceof X500Principal)
-                {
-                    ldapField = "(distinguishedname=" + p.getName() + ")";
-                    break;
-                }
-                if (p instanceof OpenIdPrincipal)
-                {
-                    ldapField = "(openid=" + p.getName() + ")";
-                    break;
+                    subjDN = new DN(p.getName());
                 }
             }
 
-            if (ldapField == null)
+            if (subjDN == null)
             {
                 throw new AccessControlException("Identity of caller unknown.");
             }
-
-            SearchResult searchResult =
-                    getConnection().search(config.getUsersDN(), SearchScope.ONE,
-                            ldapField, "entrydn");
-
-            if (searchResult.getEntryCount() < 1)
-            {
-                throw new AccessControlException(
-                        "No LDAP account when search with rule " + ldapField);
-            }
-
-            subjDN = (searchResult.getSearchEntries().get(0))
-                    .getAttributeValueAsDN("entrydn");
         }
         return subjDN;
     }
@@ -268,4 +233,9 @@ public abstract class LdapDAO
         throw new RuntimeException("Ldap error (" + code.getName() + ")");
     }
 
+    protected Subject getSubject()
+    {
+        return Subject.getSubject(AccessController.getContext());
+    }
+
 }

projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java

@@ -80,6 +80,7 @@ import java.util.Random;
 
 import javax.security.auth.x500.X500Principal;
 
+import ca.nrc.cadc.auth.DNPrincipal;
 import org.apache.log4j.Logger;
 
 import ca.nrc.cadc.ac.PersonalDetails;
@@ -156,6 +157,10 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
             {
                     LDAP_FIRST_NAME, LDAP_LAST_NAME
             };
+    private String[] identityAttribs = new String[]
+        {
+            LDAP_UID, LDAP_DISTINGUISHED_NAME, LDAP_NUMERICID, LDAP_ENTRYDN
+        };
 
     public LdapUserDAO(LdapConfig config)
     {
@@ -545,6 +550,61 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
         return user;
     }
 
+    public User<T> getAugmentedUser(final T userID)
+        throws UserNotFoundException, TransientException,
+        AccessControlException
+    {
+        String searchField = userLdapAttrib.get(userID.getClass());
+        if (searchField == null)
+        {
+            throw new IllegalArgumentException(
+                "Unsupported principal type " + userID.getClass());
+        }
+
+        try
+        {
+            Filter filter =
+                Filter.createNOTFilter(Filter.createPresenceFilter("nsaccountlock"));
+            filter =
+                Filter.createANDFilter(filter,
+                    Filter.createEqualityFilter(searchField, userID.getName()));
+
+            SearchRequest searchRequest =
+                new SearchRequest(config.getUsersDN(), SearchScope.ONE,
+                    filter, identityAttribs);
+
+            searchRequest.addControl(
+                new ProxiedAuthorizationV2RequestControl(
+                    "dn:" + getSubjectDN().toNormalizedString()));
+
+            SearchResultEntry searchResult = getConnection().searchForEntry(searchRequest);
+
+            if (searchResult == null)
+            {
+                String msg = "User not found " + userID.toString();
+                logger.debug(msg);
+                throw new UserNotFoundException(msg);
+            }
+
+            User<T> user = new User<T>(userID);
+            user.getIdentities().add(new HttpPrincipal(
+                searchResult.getAttributeValue(LDAP_UID)));
+            user.getIdentities().add(new NumericPrincipal(
+                searchResult.getAttributeValueAsLong(LDAP_NUMERICID)));
+            user.getIdentities().add(new X500Principal(
+                searchResult.getAttributeValue(LDAP_DISTINGUISHED_NAME)));
+            user.getIdentities().add(new DNPrincipal(
+                searchResult.getAttributeValue(LDAP_ENTRYDN)));
+            return user;
+        }
+        catch (LDAPException e)
+        {
+            logger.debug("getGroup Exception: " + e, e);
+            LdapDAO.checkLdapResult(e.getResultCode());
+            throw new RuntimeException("BUG: checkLdapResult didn't throw an exception");
+        }
+    }
+
     /**
      * Obtain whether the given DN tree requires authentication.
      *

projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java

@@ -202,6 +202,36 @@ public class LdapUserPersistence<T extends Principal>
         }
     }
 
+    /**
+     * Get the user specified by userID with all of the users identities.
+     *
+     * @param userID The userID.
+     *
+     * @return User instance.
+     *
+     * @throws UserNotFoundException when the user is not found.
+     * @throws TransientException If an temporary, unexpected problem occurred.
+     * @throws AccessControlException If the operation is not permitted.
+     */
+    public User<T> getAugmentedUser(T userID)
+        throws UserNotFoundException, TransientException,
+        AccessControlException
+    {
+        LdapUserDAO<T> userDAO = null;
+        try
+        {
+            userDAO = new LdapUserDAO<T>(this.config);
+            return userDAO.getAugmentedUser(userID);
+        }
+        finally
+        {
+            if (userDAO != null)
+            {
+                userDAO.close();
+            }
+        }
+    }
+
     /**
      * Get the user specified by userID.
      *

projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java

@@ -100,7 +100,7 @@ public class GetUserAction extends AbstractUserAction
     {
         User<Principal> user;
  
-        if (isServops())
+        if (isSubjectUser(this.augmentUserDN))
         {
         	Subject subject = new Subject();
         	subject.getPrincipals().add(this.userID);
@@ -124,64 +124,75 @@ public class GetUserAction extends AbstractUserAction
 
     protected User<Principal> getUser(Principal principal) throws Exception
     {
-        final UserPersistence<Principal> userPersistence = getUserPersistence();
-    	User<Principal> user;
-    	
-    	try
+        User<Principal> user;
+
+        // For detail=identity, if the calling user is the same as the requested user,
+        // the calling user already has all principals for that user.
+        if (detail != null && detail.equalsIgnoreCase("identity") &&
+            isSubjectUser(principal.getName()))
         {
-            user = userPersistence.getUser(principal);
-            if (detail != null)
+            Subject subject = Subject.getSubject(AccessController.getContext());
+            user = new User<Principal>(principal);
+            user.getIdentities().addAll(subject.getPrincipals());
+        }
+        else
+        {
+            final UserPersistence<Principal> userPersistence = getUserPersistence();
+            try
             {
-                // Only return user principals
-                if (detail.equals("identity"))
+                user = userPersistence.getUser(principal);
+                if (detail != null)
                 {
-                    user.details.clear();
-                }
-                // Only return user profile info, first and last name.
-                else if (detail.equals("display"))
-                {
-                    user.getIdentities().clear();
-                    Set<PersonalDetails> details =  user.getDetails(PersonalDetails.class);
-                    if (details.isEmpty())
+                    // Only return user principals
+                    if (detail.equalsIgnoreCase("identity"))
                     {
-                        String error = principal.getName() + " missing required PersonalDetails";
-                        throw new IllegalStateException(error);
+                        user.details.clear();
+                    }
+                    // Only return user profile info, first and last name.
+                    else if (detail.equalsIgnoreCase("display"))
+                    {
+                        user.getIdentities().clear();
+                        Set<PersonalDetails> details = user.getDetails(PersonalDetails.class);
+                        if (details.isEmpty())
+                        {
+                            String error = principal.getName() + " missing required PersonalDetails";
+                            throw new IllegalStateException(error);
+                        }
+                        PersonalDetails pd = details.iterator().next();
+                        user.details.clear();
+                        user.details.add(new PersonalDetails(pd.getFirstName(), pd.getLastName()));
+                    }
+                    else
+                    {
+                        throw new IllegalArgumentException("Illegal detail parameter " + detail);
                     }
-                    PersonalDetails pd = details.iterator().next();
-                    user.details.clear();
-                    user.details.add(new PersonalDetails(pd.getFirstName(), pd.getLastName()));
-                }
-                else
-                {
-                    throw new IllegalArgumentException("Illegal detail parameter " + detail);
                 }
             }
-        }
-        catch (UserNotFoundException e)
-        {
-            user = userPersistence.getPendingUser(principal);
+            catch (UserNotFoundException e)
+            {
+                user = userPersistence.getPendingUser(principal);
+            }
         }
     	
     	return user;
     }
-    
-    protected boolean isServops()
+
+    protected boolean isSubjectUser(String username)
     {
-    	boolean isServops = false;
-        AccessControlContext acc = AccessController.getContext();
-        Subject subject = Subject.getSubject(acc);
+        boolean found = false;
+        Subject subject = Subject.getSubject(AccessController.getContext());
         if (subject != null)
         {
-        	for (Principal principal : subject.getPrincipals())
-        	{
-        		if (principal.getName().equals(this.getAugmentUserDN()))
-        		{
-        			isServops = true;
-        			break;
-        		}
-        	}
+            for (Principal principal : subject.getPrincipals())
+            {
+                if (principal.getName().equals(username))
+                {
+                    found = true;
+                    break;
+                }
+            }
         }
-        
-        return isServops;
+
+        return found;
     }
 }

projects/cadcAccessControl-Server/src/ca/nrc/cadc/auth/AuthenticatorImpl.java

@@ -133,7 +133,7 @@ public class AuthenticatorImpl implements Authenticator
                         try
                         {
                             LdapUserPersistence<Principal> dao = new LdapUserPersistence<Principal>();
-                            User<Principal> user = dao.getUser(subject.getPrincipals().iterator().next());
+                            User<Principal> user = dao.getAugmentedUser(subject.getPrincipals().iterator().next());
                             subject.getPrincipals().addAll(user.getIdentities());
                         }
                         catch (UserNotFoundException e)

projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapDAOTest.java

@@ -68,22 +68,23 @@
 
 package ca.nrc.cadc.ac.server.ldap;
 
-import java.security.PrivilegedExceptionAction;
-
-import javax.net.ssl.SSLSocketFactory;
-import javax.security.auth.Subject;
-import javax.security.auth.x500.X500Principal;
-
+import ca.nrc.cadc.auth.DNPrincipal;
 import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.auth.NumericPrincipal;
 import ca.nrc.cadc.util.Log4jInit;
-
+import com.unboundid.ldap.sdk.DN;
 import com.unboundid.ldap.sdk.LDAPConnection;
-
 import org.apache.log4j.Level;
-import org.junit.Test;
 import org.junit.BeforeClass;
-import static org.junit.Assert.*;
+import org.junit.Test;
+
+import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;
+import java.security.PrivilegedExceptionAction;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 
 
 public class LdapDAOTest extends AbstractLdapDAOTest
@@ -172,6 +173,31 @@ public class LdapDAOTest extends AbstractLdapDAOTest
 
     }
 
+    @Test
+    public void testGetSubjectDN() throws Exception
+    {
+        DN expected = new DN("uid=foo,ou=bar,dc=net");
+        final DNPrincipal dnPrincipal = new DNPrincipal(expected.toNormalizedString());
+
+        LdapConfig config = LdapConfig.getLdapConfig("LdapConfig.test.properties");
+        LdapDAO ldapDAO = new LdapDAO(config)
+        {
+            @Override
+            protected Subject getSubject()
+            {
+                Subject subject = new Subject();
+                subject.getPrincipals().add(new HttpPrincipal("foo"));
+                subject.getPrincipals().add(new X500Principal("uid=foo,o=bar"));
+                subject.getPrincipals().add(dnPrincipal);
+                return subject;
+            }
+        };
+
+        DN actual = ldapDAO.getSubjectDN();
+        assertNotNull("DN is null", actual);
+        assertEquals("DN's do not match", expected.toNormalizedString(), actual.toNormalizedString());
+    }
+
     private void testConnection(final LDAPConnection ldapCon)
     {
         assertTrue("Not connected but should be.", ldapCon.isConnected());

projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAOTest.java

@@ -74,6 +74,7 @@ import ca.nrc.cadc.ac.GroupNotFoundException;
 import ca.nrc.cadc.ac.GroupProperty;
 import ca.nrc.cadc.ac.Role;
 import ca.nrc.cadc.ac.User;
+import ca.nrc.cadc.auth.DNPrincipal;
 import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.util.Log4jInit;
 import org.apache.log4j.Level;
@@ -104,7 +105,13 @@ public class LdapGroupDAOTest extends AbstractLdapDAOTest
     static String daoTestDN2 = "cn=" + daoTestUid2 + ",ou=cadc,o=hia,c=ca";
     static String daoTestDN3 = "cn=" + daoTestUid3 + ",ou=cadc,o=hia,c=ca";
     static String unknownDN = "cn=foo,ou=cadc,o=hia,c=ca";
-    
+
+    static String daoTestEntryDN1 = "uid=cadcdaotest1,ou=users,ou=ds,dc=testcanfar";
+    static String daoTestEntryDN2 = "uid=cadcdaotest2,ou=users,ou=ds,dc=testcanfar";
+
+    static DNPrincipal daoDNPrincipal1;
+    static DNPrincipal daoDNPrincipal2;
+
     static X500Principal daoTestPrincipal1;
     static X500Principal daoTestPrincipal2;
     static X500Principal daoTestPrincipal3;
@@ -135,6 +142,9 @@ public class LdapGroupDAOTest extends AbstractLdapDAOTest
         daoTestPrincipal3 = new X500Principal(daoTestDN3);
         unknownPrincipal = new X500Principal(unknownDN);
 
+        daoDNPrincipal1 = new DNPrincipal(daoTestEntryDN1);
+        daoDNPrincipal2 = new DNPrincipal(daoTestEntryDN2);
+
         daoTestUser1 = new User<X500Principal>(daoTestPrincipal1);
         daoTestUser2 = new User<X500Principal>(daoTestPrincipal2);
         daoTestUser3 = new User<X500Principal>(daoTestPrincipal3);
@@ -142,9 +152,11 @@ public class LdapGroupDAOTest extends AbstractLdapDAOTest
         
         daoTestUser1Subject = new Subject();
         daoTestUser1Subject.getPrincipals().add(daoTestUser1.getUserID());
+        daoTestUser1Subject.getPrincipals().add(daoDNPrincipal1);
         
         daoTestUser2Subject = new Subject();
         daoTestUser2Subject.getPrincipals().add(daoTestUser2.getUserID());
+        daoTestUser2Subject.getPrincipals().add(daoDNPrincipal2);
         
         anonSubject = new Subject();
         anonSubject.getPrincipals().add(unknownUser.getUserID());

projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAOTest.java

@@ -82,6 +82,7 @@ import java.util.Random;
 import javax.security.auth.Subject;
 import javax.security.auth.x500.X500Principal;
 
+import ca.nrc.cadc.auth.DNPrincipal;
 import org.apache.log4j.Level;
 import org.apache.log4j.Logger;
 import org.junit.BeforeClass;
@@ -103,12 +104,16 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
     private static final Logger log = Logger.getLogger(LdapUserDAOTest.class);
 
     static final String testUserX509DN = "cn=cadcdaotest1,ou=cadc,o=hia,c=ca";
+    static final String testUser1EntryDN = "uid=cadcdaotest1,ou=users,ou=ds,dc=testcanfar";
+    static final String testUser2EntryDN = "uid=cadcdaotest2,ou=users,ou=ds,dc=testcanfar";
     static int nextUserNumericID = 666;
 
     static String testUserDN;
     static User<X500Principal> testUser;
     static User<X500Principal> testMember;
     static User<HttpPrincipal> testPendingUser;
+    static DNPrincipal testUser1DNPrincipal;
+    static DNPrincipal testUser2DNPrincipal;
     static LdapConfig config;
     static Random ran = new Random(); // source of randomness for numeric ids
 
@@ -117,7 +122,7 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
     public static void setUpBeforeClass()
             throws Exception
     {
-        Log4jInit.setLevel("ca.nrc.cadc.ac", Level.DEBUG);
+        Log4jInit.setLevel("ca.nrc.cadc.ac", Level.INFO);
 
         // get the configuration of the development server from and config files...
         config = getLdapConfig();
@@ -128,10 +133,10 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
                 new User<HttpPrincipal>(new HttpPrincipal("CADCtestRequest"));
         testPendingUser.details.add(new PersonalDetails("CADCtest", "Request"));
         testPendingUser.getIdentities().add(
-                new HttpPrincipal("CADCtestRequest"));
+            new HttpPrincipal("CADCtestRequest"));
         testPendingUser.getIdentities().add(
-                new X500Principal(
-                        "uid=CADCtestRequest,ou=userrequests,ou=ds,dc=testcanfar"));
+            new X500Principal(
+                "uid=CADCtestRequest,ou=userrequests,ou=ds,dc=testcanfar"));
         testPendingUser.getIdentities().add(new NumericPrincipal(66666));
 
         testUser.details.add(new PersonalDetails("CADC", "DAOTest1"));
@@ -147,7 +152,9 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
         testMember = new User<X500Principal>(testUserX500Princ);
         testMember.details.add(new PersonalDetails("CADC", "DAOTest1"));
         testMember.getIdentities().add(new HttpPrincipal("CadcDaoTest1"));
-        
+
+        testUser1DNPrincipal = new DNPrincipal(testUser1EntryDN);
+        testUser2DNPrincipal = new DNPrincipal(testUser2EntryDN);
     }
 
     <T extends Principal> LdapUserDAO<T> getUserDAO() throws Exception
@@ -227,6 +234,7 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
     {
         Subject subject = new Subject();
         subject.getPrincipals().add(testUser.getUserID());
+        subject.getPrincipals().add(testUser1DNPrincipal);
 
         // do everything as owner
         Subject.doAs(subject, new PrivilegedExceptionAction<Object>()
@@ -258,6 +266,7 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
     {
         Subject subject = new Subject();
         subject.getPrincipals().add(testUser.getUserID());
+        subject.getPrincipals().add(testUser1DNPrincipal);
 
         // do everything as owner
         Subject.doAs(subject, new PrivilegedExceptionAction<Object>()
@@ -267,7 +276,7 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
                 try
                 {
                     Collection<DN> groups = getUserDAO().getUserGroups(testUser.getUserID(),
-                                                       false);
+                        false);
                     assertNotNull("Groups should not be null.", groups);
 
                     for (DN groupDN : groups)
@@ -301,6 +310,7 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
     {
         Subject subject = new Subject();
         subject.getPrincipals().add(testUser.getUserID());
+        subject.getPrincipals().add(testUser1DNPrincipal);
 
         // do everything as owner
         Subject.doAs(subject, new PrivilegedExceptionAction<Object>()
@@ -314,7 +324,7 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
 
                     String  groupDN = "cn=cadcdaotestgroup1," + config.getGroupsDN();
                     isMember = getUserDAO().isMember(testUser.getUserID(),
-                                                     groupDN);
+                        groupDN);
                     assertTrue("Membership should exist.", isMember);
 
                     return null;
@@ -335,7 +345,7 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
     {
         Subject subject = new Subject();
         subject.getPrincipals().add(testUser.getUserID());
-
+        subject.getPrincipals().add(testUser1DNPrincipal);
         
         // do everything as owner
         Subject.doAs(subject, new PrivilegedExceptionAction<Object>()
@@ -579,6 +589,7 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
         // add the user
         Subject subject = new Subject();
         subject.getPrincipals().add(testUser2.getUserID());
+        subject.getPrincipals().add(testUser2DNPrincipal);
         Subject.doAs(subject, new PrivilegedExceptionAction<Object>()
         {
             public Object run()
@@ -633,6 +644,7 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
 
         // update the user
         subject.getPrincipals().add(testUser2.getUserID());
+        subject.getPrincipals().add(testUser2DNPrincipal);
         User<? extends Principal> updatedUser =
             (User<? extends Principal>) Subject.doAs(subject, new PrivilegedExceptionAction<Object>()
         {
@@ -662,7 +674,7 @@ public class LdapUserDAOTest extends AbstractLdapDAOTest
         assertEquals(user1, user2);
         assertEquals(user1.details, user2.details);
         assertEquals(user1.details.size(), user2.details.size());
-        assertEquals(user1.getIdentities().size(), user2.getIdentities().size());
+        assertEquals("# principals not equal", user1.getIdentities().size(), user2.getIdentities().size());
         for( Principal princ1 : user1.getIdentities())
         {
             boolean found = false;