[ https://issues.apache.org/jira/browse/KARAF-2529?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Anstey resolved KARAF-2529.
------------------------------------
Resolution: Fixed
Fix Version/s: 2.3.4, 3.0.0, 2.4.0
> Use connection credentials when searching for roles in LDAP
> -----------------------------------------------------------
>
> Key: KARAF-2529
> URL: https://issues.apache.org/jira/browse/KARAF-2529
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 2.3.3
> Reporter: Jonathan Anstey
> Fix For: 2.4.0, 3.0.0, 2.3.4
>
>
> Currently, when you specify connection.username and connection.password, the
> LDAP module correctly uses these credentials when searching for a Karaf user;
> it then checks the Karaf user's password by doing a bind. Now, when the LDAP
> module searches for roles for this user, it doesn't switch back to using the
> provided connection credentials but reuses the Karaf user credentials added
> during the bind. It should be using the connection credentials for the role
> search just like the user search. Proposed fix:
> {code}
> diff --git
> a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
>
> b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
> index f6637b7..37afcea 100644
> ---
> a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
> +++
> b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
> @@ -225,6 +225,7 @@ public class LDAPLoginModule extends
> AbstractKarafLoginModule {
> // step 2: bind the user using the DN
> context = null;
> try {
> + // switch the credentials to the Karaf login user so that we can
> verify his password is correct
> logger.debug("Bind user (authentication).");
> env.put(Context.SECURITY_AUTHENTICATION, authentication);
> logger.debug("Set the security principal for " + userDN + "," +
> userBaseDN);
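Review bot: the new comment before `logger.debug("Bind user (authentication).");` should also say that `env` is mutated in place here, because that is what the rest of the patch has to undo: the `env.put(Context.SECURITY_AUTHENTICATION, authentication);` line (and the principal/credentials puts that follow it) overwrite the shared environment that step 1 populated, so any later `new InitialDirContext(env)` silently inherits the end user's bind unless it resets those keys. Something like `// NOTE: env is shared across steps; step 3 must restore the connection credentials` makes the coupling explicit. Minor wording point: prefer "the user's password" over "his password".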
> @@ -251,6 +252,12 @@ public class LDAPLoginModule extends
> AbstractKarafLoginModule {
> context = null;
> try {
> logger.debug("Get user roles.");
> + // switch back to the connection credentials for the role search
> like we did for the user search in step 1
> + if (connectionUsername != null &&
> connectionUsername.trim().length() > 0) {
> + env.put(Context.SECURITY_AUTHENTICATION, authentication);
> + env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
> + env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
> + }
> context = new InitialDirContext(env);
> SearchControls controls = new SearchControls();
> if (roleSearchSubtree) {
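Review bot: the reset is only applied when `connectionUsername` is non-empty; in the `else` case `env` still carries the `Context.SECURITY_PRINCIPAL` and `Context.SECURITY_CREDENTIALS` values put there by the step 2 bind, so with no connection user configured the role search (`context = new InitialDirContext(env);`) still runs as the end user rather than the way step 1 ran. Either add an `else` branch that does `env.remove(Context.SECURITY_PRINCIPAL); env.remove(Context.SECURITY_CREDENTIALS);` (or resets `Context.SECURITY_AUTHENTICATION` to whatever step 1 used), or build a fresh environment for each step instead of mutating one shared `env`. Also, if `env` is a `java.util.Hashtable`, `env.put(Context.SECURITY_CREDENTIALS, connectionPassword);` throws `NullPointerException` when `connection.password` is unset, so guard for `connectionPassword == null` as well.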
> {code}
> I'll push the commit once I get my karma set up if there are no objections to
> the fix :-)
--
This message was sent by Atlassian JIRA (v6.1#6144)
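The three-step flow the issue describes (search the user with the connection credentials, bind as the user to verify the password, search roles with the connection credentials again), written so that the bug cannot recur: each step builds its own JNDI environment from a credential-free base instead of mutating one shared `env`. This is an added example, not Karaf's `LDAPLoginModule`; the class and field names, the example DNs and filters, and the `ThreeStepLdapLogin` constructor are assumptions. Only `connection.username` / `connection.password` are option names from the issue. It also refuses an empty password before step 2, since an empty simple bind is an unauthenticated bind that many servers accept as anonymous, and passes the username into the filter via `filterArgs` so JNDI escapes it.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Illustrative three-step LDAP login (assumed layout, not Karaf's code):
 * 1) find the user DN with the connection credentials,
 * 2) bind as the user to verify the password,
 * 3) find roles with the connection credentials again.
 * Every step gets a fresh environment from baseEnv(), so step 2 cannot
 * leak the user's credentials into step 3.
 */
public class ThreeStepLdapLogin {
    private final String url;                // assumed, e.g. ldap://ldap.example.com:389
    private final String connectionUsername; // Karaf option connection.username
    private final String connectionPassword; // Karaf option connection.password
    private final String userBaseDn;         // assumed, e.g. ou=people,dc=example,dc=com
    private final String userFilter;         // assumed, e.g. (uid={0})
    private final String roleBaseDn;         // assumed, e.g. ou=groups,dc=example,dc=com
    private final String roleFilter;         // assumed, e.g. (member={0})
    private final String roleNameAttribute;  // assumed, e.g. cn

    public ThreeStepLdapLogin(String url, String connectionUsername, String connectionPassword,
                              String userBaseDn, String userFilter, String roleBaseDn,
                              String roleFilter, String roleNameAttribute) {
        this.url = url; this.connectionUsername = connectionUsername;
        this.connectionPassword = connectionPassword; this.userBaseDn = userBaseDn;
        this.userFilter = userFilter; this.roleBaseDn = roleBaseDn;
        this.roleFilter = roleFilter; this.roleNameAttribute = roleNameAttribute;
    }

    /** Connection parameters only, never credentials; every step copies from here. */
    Hashtable<String, Object> baseEnv() {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        return env;
    }

    /** Fresh environment with the service credentials, or anonymous if none are configured. */
    Hashtable<String, Object> connectionEnv() {
        Hashtable<String, Object> env = baseEnv();
        if (connectionUsername != null && !connectionUsername.trim().isEmpty()) {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
            // Hashtable rejects null values, so an unset password becomes ""
            env.put(Context.SECURITY_CREDENTIALS, connectionPassword == null ? "" : connectionPassword);
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "none");
        }
        return env;
    }

    /** Fresh environment that binds as the end user; used only to verify the password. */
    Hashtable<String, Object> userBindEnv(String userDn, char[] password) {
        Hashtable<String, Object> env = baseEnv();
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /** Returns the user's roles, or null if the user does not exist; throws on a bad password. */
    public List<String> login(String username, char[] password) throws NamingException {
        // An empty password would turn step 2 into an unauthenticated simple bind,
        // which many directories accept as anonymous; refuse it before touching LDAP.
        if (password == null || password.length == 0) {
            throw new NamingException("empty password rejected");
        }
        String userDn = findUserDn(username);                     // step 1: connection credentials
        if (userDn == null) {
            return null;
        }
        DirContext userCtx = new InitialDirContext(userBindEnv(userDn, password)); // step 2
        userCtx.close();                                          // wrong password threw above
        return findRoles(userDn);                                 // step 3: connection credentials again
    }

    String findUserDn(String username) throws NamingException {
        DirContext ctx = new InitialDirContext(connectionEnv());
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // filterArgs makes JNDI escape the user-supplied value (no LDAP filter injection)
            NamingEnumeration<SearchResult> results =
                ctx.search(userBaseDn, userFilter, new Object[] { username }, controls);
            if (!results.hasMore()) {
                return null;
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                throw new NamingException("ambiguous user entry for " + username);
            }
            return dn;
        } finally {
            ctx.close();
        }
    }

    List<String> findRoles(String userDn) throws NamingException {
        DirContext ctx = new InitialDirContext(connectionEnv());
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] { roleNameAttribute });
            NamingEnumeration<SearchResult> results =
                ctx.search(roleBaseDn, roleFilter, new Object[] { userDn }, controls);
            List<String> roles = new ArrayList<>();
            while (results.hasMore()) {
                SearchResult r = results.next();
                if (r.getAttributes().get(roleNameAttribute) != null) {
                    roles.add((String) r.getAttributes().get(roleNameAttribute).get());
                }
            }
            return roles;
        } finally {
            ctx.close();
        }
    }
}
```

The point of `connectionEnv()` and `userBindEnv()` both starting from `baseEnv()` is that there is no shared mutable state to "switch back": the role search in step 3 can only ever see the connection credentials, and when no connection user is configured it falls back to an anonymous bind the same way step 1 does, rather than silently reusing the end user's bind.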