[ https://issues.apache.org/jira/browse/ARTEMIS-3140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17436134#comment-17436134 ]

ASF subversion and git services commented on ARTEMIS-3140:
----------------------------------------------------------

Commit a0c4cba7e13ea34b2a0c3e2114664e7f41e3060c in activemq-artemis's branch 
refs/heads/main from pahamala
[ https://gitbox.apache.org/repos/asf?p=activemq-artemis.git;h=a0c4cba ]

ARTEMIS-3140 Extra options in LDAP login module

Adds support for extra configuration options to LDAP login module to
prepare for supporting any future/custom string configuration in LDAP
directory context creation.

Details:

 - Changed LDAPLoginModule to pass any string configuration not
recognized by the module itself to the InitialDirContext construction
environment.
 - Changed the static LDAPLoginModule configuration key fields to an
enum to be able to loop through the specified keys (e.g. to filter out
the internal LDAPLoginModule configuration keys from the keys passed to
InitialDirContext).
 - Few fixes for issues reported by static analysis tools.
 - Tested that LDAP authentication with TLS+GSSAPI works against a
recent Windows AD server with Java
OpenJDK11U-jdk_x64_windows_hotspot_11.0.13_8 by setting the property
com.sun.jndi.ldap.tls.cbtype (see ARTEMIS-3140) in JAAS login.conf.
 - Moved LDAPLoginModuleTest to the correct package to be able to
access LDAPLoginModule package privates from the test code.
 - Added a test to LDAPLoginModuleTest for the task changes.
 - Updated documentation to reflect the changes.


> Support com.sun.jndi.ldap.tls.cbtype in LDAPLoginModule
> -------------------------------------------------------
>
>                 Key: ARTEMIS-3140
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3140
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.17.0
>            Reporter: Panu Hämäläinen
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Microsoft has added the following binding feature to LDAP connections 
> (AD/Domain Controllers):
> [https://support.microsoft.com/en-us/topic/use-the-ldapenforcechannelbinding-registry-entry-to-make-ldap-authentication-over-ssl-tls-more-secure-e9ecfa27-5e57-8519-6ba3-d2c06b21812e]
>  
> To interoperate with this Java has required some changes which are available 
> at least in a Java 16 release candidate:
> [https://bugs.openjdk.java.net/browse/JDK-8245527]
> That is, to make Java add the required channel binding information to its 
> LDAP connection, the JNDI environment property 
> {{com.sun.jndi.ldap.tls.cbtype}} must be set to {{tls-server-end-point}}. 
> However, Artemis LDAPLoginModule creates an internal environment object which 
> does not support the property.
>  
> I would also propose to improve the LDAPLoginModule class in a way that any 
> future custom/added property could be included to the JNDI environment 
> without requiring changes to the actual code.

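The following is an added illustration of the pass-through behaviour the commit message describes, written for this page and not taken from the Artemis code base: the login-module option names, the enum and the class name are this example's own assumptions (the real LDAPLoginModule keys differ), and the AD host, base DN and login.conf fragment are constructed sample data. It shows how options that the module does not recognize (here com.sun.jndi.ldap.tls.cbtype) end up in the Hashtable handed to InitialDirContext while module-internal options such as a user search base are filtered out. Whether the JDK actually emits the channel-binding token depends on running a JDK that contains JDK-8245527, as the issue notes; on a domain controller enforcing LdapEnforceChannelBinding, a GSSAPI bind over TLS without that token is rejected.

```java
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/*
 * Constructed login.conf fragment this example mirrors (option names are
 * hypothetical, not the real LDAPLoginModule keys):
 *
 *   activemq {
 *       org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
 *           initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
 *           connectionURL="ldaps://dc.example.test:636"
 *           authentication=GSSAPI
 *           connectionProtocol=ssl
 *           userBase="ou=users,dc=example,dc=test"
 *           com.sun.jndi.ldap.tls.cbtype=tls-server-end-point;
 *   };
 */
public class LdapEnvPassThrough {

    /** Keys the login module interprets itself (hypothetical subset). */
    enum ModuleOption {
        INITIAL_CONTEXT_FACTORY("initialContextFactory", Context.INITIAL_CONTEXT_FACTORY),
        CONNECTION_URL("connectionURL", Context.PROVIDER_URL),
        AUTHENTICATION("authentication", Context.SECURITY_AUTHENTICATION),
        CONNECTION_PROTOCOL("connectionProtocol", Context.SECURITY_PROTOCOL),
        USER_BASE("userBase", null); // consumed by the module, never sent to JNDI

        final String key;     // name as written in login.conf
        final String jndiKey; // javax.naming.Context property it maps to, or null

        ModuleOption(String key, String jndiKey) { this.key = key; this.jndiKey = jndiKey; }

        static ModuleOption lookup(String key) {
            for (ModuleOption o : values()) if (o.key.equals(key)) return o;
            return null;
        }
    }

    /**
     * Build the InitialDirContext environment: known options are translated to
     * their javax.naming.Context names, internal-only options are dropped, and
     * every other String option is copied through unchanged.
     */
    static Hashtable<String, Object> buildEnvironment(Map<String, ?> options) {
        Hashtable<String, Object> env = new Hashtable<>();
        for (Map.Entry<String, ?> e : options.entrySet()) {
            if (!(e.getValue() instanceof String)) continue; // JAAS may carry non-String values; skip them
            ModuleOption known = ModuleOption.lookup(e.getKey());
            if (known == null) {
                env.put(e.getKey(), e.getValue());    // pass-through, e.g. com.sun.jndi.ldap.tls.cbtype
            } else if (known.jndiKey != null) {
                env.put(known.jndiKey, e.getValue()); // translated module option
            }
            // otherwise: internal-only option, filtered out of the JNDI environment
        }
        return env;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample of the option map JAAS would build from the login.conf above.
        Map<String, String> options = new LinkedHashMap<>();
        options.put("initialContextFactory", "com.sun.jndi.ldap.LdapCtxFactory");
        options.put("connectionURL", "ldaps://dc.example.test:636");
        options.put("authentication", "GSSAPI");
        options.put("connectionProtocol", "ssl");
        options.put("userBase", "ou=users,dc=example,dc=test");
        options.put("com.sun.jndi.ldap.tls.cbtype", "tls-server-end-point");

        Hashtable<String, Object> env = buildEnvironment(options);
        env.forEach((k, v) -> System.out.println(k + " = " + v));

        // -Dldap.connect=true performs the real bind; it needs a reachable AD server
        // and a Kerberos ticket for the JVM's Subject, so it is off by default.
        if (Boolean.getBoolean("ldap.connect")) {
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
        }
    }
}
```

Run without the system property to inspect the environment that would be passed to JNDI; the userBase entry is absent while com.sun.jndi.ldap.tls.cbtype survives alongside the four java.naming.* properties. The filter keys on String values on purpose: a non-String option would otherwise be put into the Hashtable and could confuse the LDAP provider.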


--
This message was sent by Atlassian Jira
(v8.3.4#803005)