Jonathan Anstey created KARAF-2529:
--------------------------------------

             Summary: Use connection credentials when searching for roles in LDAP
                 Key: KARAF-2529
                 URL: https://issues.apache.org/jira/browse/KARAF-2529
             Project: Karaf
          Issue Type: Bug
    Affects Versions: 2.3.3
            Reporter: Jonathan Anstey


Currently, when you specify connection.username and connection.password, the 
LDAP module correctly uses these credentials when searching for a Karaf user; 
it then checks the Karaf user's password by doing a bind. When the LDAP 
module then searches for roles for this user, it doesn't switch back to the 
provided connection credentials but reuses the Karaf user credentials set 
during the bind. It should use the connection credentials for the role 
search just as it does for the user search. Proposed fix:

{code}
diff --git 
a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
 
b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
index f6637b7..37afcea 100644
--- 
a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
+++ 
b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
@@ -225,6 +225,7 @@ public class LDAPLoginModule extends 
AbstractKarafLoginModule {
         // step 2: bind the user using the DN
         context = null;
         try {
+            // switch the credentials to the Karaf login user so that we can 
verify his password is correct
             logger.debug("Bind user (authentication).");
             env.put(Context.SECURITY_AUTHENTICATION, authentication);
             logger.debug("Set the security principal for " + userDN + "," + 
userBaseDN);
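Review bot: the comment added in this hunk says "so that we can verify his password is correct"; prefer "the user's password", and since `env` is reused across the steps it would help to state here that the user's principal and credentials remain in `env` after this bind unless a later step resets them, which is exactly what the role-search change below has to do.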
@@ -251,6 +252,12 @@ public class LDAPLoginModule extends 
AbstractKarafLoginModule {
         context = null;
         try {
             logger.debug("Get user roles.");
+            // switch back to the connection credentials for the role search 
like we did for the user search in step 1 
+            if (connectionUsername != null && 
connectionUsername.trim().length() > 0) {
+                env.put(Context.SECURITY_AUTHENTICATION, authentication);
+                env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
+                env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
+            }
             context = new InitialDirContext(env);
             SearchControls controls = new SearchControls();
             if (roleSearchSubtree) {
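Review bot: the guard in this hunk tests only `connectionUsername`, yet `env.put(Context.SECURITY_CREDENTIALS, connectionPassword)` runs unconditionally inside it; if `env` is a `Hashtable` (what `new InitialDirContext(env)` takes), a configured connection.username with no connection.password fails with a NullPointerException from `put` rather than a clear configuration error, so also check `connectionPassword != null` or fail with an explicit message. The comment says these same three `env.put` calls already exist for the step 1 user search; a small helper shared by both paths would stop them drifting apart, and the comment line carries trailing whitespace.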
{code}

I'll push the commit once I get my karma set up if there are no objections to 
the fix :-)



--
This message was sent by Atlassian JIRA
(v6.1#6144)
