[ https://issues.apache.org/jira/browse/QPID-7116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15307888#comment-15307888 ]

ASF subversion and git services commented on QPID-7116:
-------------------------------------------------------

Commit 1746288 from [~lorenz.quack] in branch 'java/trunk'
[ https://svn.apache.org/r1746288 ]

QPID-7116: [Java Broker] AMQP 1.0 and SaslServlet now use subjectCreator for 
authentication

Before, they were using saslServer directly.
This was going to be problematic when we want to augment the subject with group 
principals.
All code paths should now be using the subjectCreator.

> Ability to utilise group information from a LDAP compatible directory
> ---------------------------------------------------------------------
>
>                 Key: QPID-7116
>                 URL: https://issues.apache.org/jira/browse/QPID-7116
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>            Assignee: Alex Rudyy
>             Fix For: qpid-java-6.1
>
>         Attachments: 0001-WIP-unification.patch, 0002-WIP-LDAP-groups.patch
>
>
> The Java Broker can already authenticate users against an LDAP compatible 
> directory.  It should also be able to use the same information source as a 
> source of group information too.
> The authentication provider needs to accept optional attributes governing 
> where the group information will be found:
> {{groupSearchContext}} - the base entry for the role search. If not 
> specified, the search base is the top-level directory context.
> {{groupSearchFilter}} - the LDAP search filter for selecting group entries.  
> A {0} token within the filter will be replaced by the distinguished name of the 
> authenticated user.
> {{groupAttributeName}} - the name of the attribute that contains the name of 
> the role.
> After the authentication provider has successfully bound (authenticated) the 
> user, it should perform a second query for the groups.  It should build a 
> {{GroupPrincipal}} for each group to which the user belongs and return this 
> as part of the AuthenticationResult.   If the group search attributes are not 
> found, the group search should be skipped.
> A future version of the LDAP Authentication Provider may offer the ability to 
> cache the group results for a DN period of time.  This would serve to avoid 
> hitting the Directory several times per authentication (it already hits the 
> Directory twice if {{bindWithoutSearch}} is false, this will add a third).
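The second query the description proposes, as an added Python sketch that is not Qpid Java Broker code: the configuration names mirror the attributes listed above; the in-memory directory, the search callable and the groupOfNames/member schema are constructed assumptions, and the toy matcher understands only the one filter shape used here. The {0} substitution escapes the DN per RFC 4515 so a DN containing filter metacharacters cannot change what the group search selects.

```python
"""Added example (not Qpid code): LDAP group lookup after a successful bind."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# RFC 4515 escaping for values substituted into a search filter. Without it a DN
# containing '*', '(' or ')' could alter the meaning of groupSearchFilter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class GroupSearchConfig:
    # Optional attributes named in QPID-7116; all None means "skip group search".
    group_search_context: Optional[str] = None  # base entry; None = top-level context
    group_search_filter: Optional[str] = None   # "{0}" is replaced by the user's DN
    group_attribute_name: Optional[str] = None  # attribute holding the group name


def build_group_filter(template: str, user_dn: str) -> str:
    return template.replace("{0}", escape_filter_value(user_dn))


# A directory search is modelled as (base, filter, attribute) -> entries, each entry a
# dict of attribute -> list of values. Assumed interface; real code would use JNDI.
SearchFn = Callable[[Optional[str], str, str], Iterable[dict]]


def resolve_group_principals(cfg: GroupSearchConfig, user_dn: str, search: SearchFn) -> set:
    """Return the group names (one GroupPrincipal each in the broker) for user_dn,
    or an empty set when the group search attributes are not configured."""
    if not cfg.group_search_filter or not cfg.group_attribute_name:
        return set()
    flt = build_group_filter(cfg.group_search_filter, user_dn)
    groups = set()
    for entry in search(cfg.group_search_context, flt, cfg.group_attribute_name):
        groups.update(entry.get(cfg.group_attribute_name, []))
    return groups


# Constructed in-memory directory standing in for the LDAP server.
SAMPLE_GROUPS = [
    {"cn": ["admins"], "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    {"cn": ["ops"], "member": ["uid=alice,ou=people,dc=example,dc=com",
                               "uid=bob,ou=people,dc=example,dc=com"]},
]


def sample_search(base: Optional[str], flt: str, attribute: str) -> list:
    # Toy matcher for "(&(objectClass=groupOfNames)(member=<dn>))" only.
    prefix = "(&(objectClass=groupOfNames)(member="
    wanted = flt[len(prefix):-2] if flt.startswith(prefix) and flt.endswith("))") else None
    return [{attribute: g[attribute]} for g in SAMPLE_GROUPS if wanted in g["member"]]
```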


