[ https://issues.apache.org/jira/browse/ARTEMIS-2433?focusedWorklogId=292085&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-292085 ]

ASF GitHub Bot logged work on ARTEMIS-2433:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/Aug/19 14:45
            Start Date: 09/Aug/19 14:45
    Worklog Time Spent: 10m 
      Work Description: gtully commented on issue #2768: ARTEMIS-2433 add 
ExternalCertificateLoginModule to surface a SASL EXT…
URL: https://github.com/apache/activemq-artemis/pull/2768#issuecomment-519946775
 
 
   pushed an update with a rebase to resolve the conflict in the ldif file
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 292085)
    Time Spent: 40m  (was: 0.5h)

> Support LDAP role mapping of SASL EXTERNAL credentials
> ------------------------------------------------------
>
>                 Key: ARTEMIS-2433
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2433
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: AMQP, Broker
>    Affects Versions: 2.9.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>              Labels: AMQP, LDAP, SASL
>             Fix For: 2.10.0
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Currently the textcertificate login module must be used with SASL EXTERNAL.
> There is no other way to do authorisation and role assignment.
> However, a validated TLS certificate subject DN is a valid identity, in the
> same way as a Kerberos token identity. If we provide a login module that will
> populate a subject principal with the subject DN, it will be possible to
> chain with the LDAPLoginModule and have LDAP used for role assignment. In
> LDAP, the CERT subjectDN just needs to be added as a member to any existing
> role definition.
> LDAPLoginModule can be configured to not authenticate, not look up the user
> and *just* do role assignment.
> authenticateUser=false and default/empty userSearchMatching



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
