Security: LDAPLoginModule: User role search does not work if connectionUsername 
and connectionPassword are not specified
------------------------------------------------------------------------------------------------------------------------

                 Key: AMQ-3063
                 URL: https://issues.apache.org/jira/browse/AMQ-3063
             Project: ActiveMQ
          Issue Type: Improvement
    Affects Versions: 5.3.0
         Environment: LDAP/AD
            Reporter: Amit Kumar
            Priority: Minor


LDAPLoginModule authenticate() method calls bindUser() for authentication and 
then immediately after that, it calls getRoles() to fetch the roles for the 
user based on the specified role search criteria. Note that the bindUser() 
removes the "java.security.principal" environment if no 
connectionUsername/password is provided. Calling getRoles() after that does not 
work because it needs the security principal in the environment to perform the 
role search.

A sample JAAS Login configuration is provided below -

TestLogin {
    org.apache.activemq.jaas.LDAPLoginModule required
        debug=false
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL="ldap://somehost:389"
        connectionProtocol=""
        authentication=simple
        userBase="OU=users,O=domain"
        userSearchMatching="(uid={0})"
        userSearchSubtree=true
        userRoleName="memberOf"
        roleName="CN"
        roleBase="OU=Groups,O=domain"
        roleSearchMatching="member={0}"
        roleSearchSubtree=true
        ;
};
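
As an added illustration, not part of the reporter's configuration or of ActiveMQ's own LDAPLoginModule code, the bindUser()/getRoles() sequence described above written as plain JNDI, with the role search executed on the context that was bound as the user rather than on a separate context whose security principal has been removed; the class name, DNs and the parenthesised role filter are assumptions mirroring the sample configuration:

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class BoundRoleLookup {
    // Hypothetical values mirroring the sample JAAS configuration above.
    static final String URL = "ldap://somehost:389";
    static final String ROLE_BASE = "OU=Groups,O=domain";
    static final String ROLE_FILTER = "(member={0})";
    static final String ROLE_NAME = "CN";
    /** Authentication step: bind as the user and hand back that bound context. */
    static DirContext bindUser(String userDn, String password) throws NamingException {
        if (password == null || password.isEmpty())
            throw new NamingException("refusing empty password: simple bind would become anonymous (RFC 4513)");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);      // kept in place for the role search below
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);                 // AuthenticationException on bad credentials
    }
    /** Role search run on the still-authenticated context, not on a fresh principal-less one. */
    static List<String> getRoles(DirContext ctx, String userDn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // roleSearchSubtree=true
        sc.setReturningAttributes(new String[] { ROLE_NAME });
        List<String> roles = new ArrayList<>();
        // {0} is substituted by JNDI, which applies LDAP filter escaping to userDn
        NamingEnumeration<SearchResult> results = ctx.search(ROLE_BASE, ROLE_FILTER, new Object[] { userDn }, sc);
        while (results.hasMore()) {
            Attribute cn = results.next().getAttributes().get(ROLE_NAME);
            if (cn != null) roles.add(cn.get().toString());
        }
        return roles;
    }
    public static void main(String[] args) throws NamingException {
        if (args.length != 2) { System.err.println("usage: BoundRoleLookup <userDN> <password>"); return; }
        DirContext ctx = bindUser(args[0], args[1]);
        try { System.out.println(getRoles(ctx, args[0])); } finally { ctx.close(); }
    }
}
```

The empty-password check matters because many directories treat a simple bind with an empty credential as an anonymous bind, which would report success without authenticating anyone.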

-- 
This message is automatically generated by JIRA.