[https://issues.apache.org/jira/browse/QPID-4010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13279175#comment-13279175]
Rob Godfrey commented on QPID-4010:
-----------------------------------
Configuration of the SimpleLDAPAuthenticationManager is done as follows:
{code:xml}
<security>
<simple-ldap-auth-manager>
<provider-url>ldaps://example.com:636/</provider-url>
<search-context>dc=example,dc=com</search-context>
<search-filter>(uid={0})</search-filter>
</simple-ldap-auth-manager>
</security>
{code}
The authentication manager first connects to the ldap server anonymously and
searches for the ldap entity which is identified by the username provided over
SASL. Essentially the authentication manager calls
[DirContext.search(Name name, String filterExpr, Object[] filterArgs, SearchControls cons)|http://docs.oracle.com/javase/7/docs/api/javax/naming/directory/DirContext.html#search%28javax.naming.Name,%20java.lang.String,%20java.lang.Object[],%20javax.naming.directory.SearchControls%29]
with the values of search-context and search-filter as the first two
arguments, and the username as the only element in the array which is the third
argument.
If the search returns a name from the LDAP server, the AuthenticationManager
then attempts to login to the ldap server with the given name and the password.
If the URL to open for authentication is different to that for the search, then
the authentication url can be overridden using <provider-auth-url> in addition
to providing a <provider-url>. Note that the URL used for authentication
should use ldaps:// since passwords will be sent over it.
By default com.sun.jndi.ldap.LdapCtxFactory is used to create the context,
however this can be overridden by specifying <ldap-context-factory> in the
configuration.
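The two-step flow described in the comment above (anonymous JNDI search with the username as a filter argument, then a simple bind as the DN that was found), written out as an added illustration that is not the broker's own code. The class name LdapSearchThenBind and the argument order are assumptions; the configuration values map one-to-one onto the <provider-url>, <provider-auth-url>, <search-context> and <search-filter> elements.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
// Hypothetical stand-alone sketch of the search-then-bind flow; not the broker's own class.
public class LdapSearchThenBind {
    // Returns the bound DN on success, or null if the username/password pair is rejected.
    public static String authenticate(String providerUrl, String providerAuthUrl,
            String searchContext, String searchFilter, String username, String password)
            throws NamingException {
        // An empty password turns step 2 into an unauthenticated bind (RFC 4513 5.1.2), which
        // many servers answer with success as anonymous, so refuse it before contacting the server.
        if (username == null || password == null || password.isEmpty()) return null;
        // Step 1: anonymous search. The username is a filter *argument*, so JNDI escapes it and it
        // cannot change the structure of the configured filter, e.g. "(uid={0})".
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        DirContext ctx = new InitialDirContext(env);
        String dn;
        try {
            SearchControls subtree = new SearchControls(SearchControls.SUBTREE_SCOPE, 0, 0, null, false, false);
            NamingEnumeration<SearchResult> hits = ctx.search(searchContext, searchFilter, new Object[] { username }, subtree);
            if (!hits.hasMore()) return null;            // no such user
            dn = hits.next().getNameInNamespace();
            if (hits.hasMore()) return null;             // ambiguous match: refuse rather than guess
        } finally {
            ctx.close();
        }
        // Step 2: simple bind as the DN found above. <provider-auth-url> may differ from the search
        // URL and should be ldaps://, because the password is sent over this connection.
        Hashtable<String, String> authEnv = new Hashtable<>(env);
        authEnv.put(Context.PROVIDER_URL, providerAuthUrl != null ? providerAuthUrl : providerUrl);
        authEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
        authEnv.put(Context.SECURITY_PRINCIPAL, dn);
        authEnv.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(authEnv).close();      // bind accepted: password is correct
            return dn;
        } catch (AuthenticationException e) {
            return null;                                 // bind rejected: wrong password
        }
    }
}
```

Both contexts are opened with the configured com.sun.jndi.ldap.LdapCtxFactory; substitute the <ldap-context-factory> value if one is set.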
> [Java Broker] Add LDAP authentication support to the Java Broker
> ----------------------------------------------------------------
>
> Key: QPID-4010
> URL: https://issues.apache.org/jira/browse/QPID-4010
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Rob Godfrey
> Assignee: Rob Godfrey
> Priority: Minor
> Fix For: 0.17
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Add support for LDAP based authentication rather than password based.
> Initial efforts to simply support search for the dn based on the passed
> username, followed by "simple" authentication of that dn using the password
> supplied.
> Given the fact that the password must be sent in the clear over the client
> <-> qpid broker connection for this to work, this authentication method
> should ONLY be used on SSL secured connections.
> For LDAP servers that support SASL authentication we might in future be able
> to proxy the SASL exchange through the AMQP sasl mechanism.