I have the following login config to get UserPrincipals for groups:
COMBI {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
        debug="true"
        userProvider="ldaps://ad01.uis.no/dc=uis,dc=no"
        userFilter="(&(sAMAccountName={USERNAME})(objectClass=user))"
        java.naming.security.principal="AD_DN"
        java.naming.security.credentials="PASSWORD"
        storePass="true"
    ;
    com.sun.security.auth.module.LdapLoginModule OPTIONAL
        debug="true"
        userProvider="ldaps://ad01.uis.no/dc=uis,dc=no"
        userFilter="(&(sAMAccountName={USERNAME})(objectClass=user)(memberOf=CN=Solr-Admin,OU=ServiceGroup,OU=Operation,OU=UIS,DC=uis,DC=no))"
        authzIdentity="SolrAdmin"
        java.naming.security.principal="AD_DN"
        java.naming.security.credentials="PASSWORD"
        useFirstPass="true"
    ;
    com.sun.security.auth.module.LdapLoginModule OPTIONAL
        debug="true"
        userProvider="ldaps://ad01.uis.no/dc=uis,dc=no"
        userFilter="(&(sAMAccountName={USERNAME})(objectClass=user)(memberOf=CN=FullServerAdmin_Utvikling,OU=AdminGroups,OU=Administration,DC=uis,DC=no))"
        authzIdentity="ServerAdmin"
        java.naming.security.principal="AD_DN"
        java.naming.security.credentials="PASSWORD"
        useFirstPass="true"
    ;
};
The first component succeeds, the second fails (due to the filter returning
nothing), the third is supposed to succeed, but fails.
The reason is that the sharedState's password is cleared, even though clearPass
is false
(https://github.com/openjdk-mirror/jdk7u-jdk/blob/master/src/share/classes/com/sun/security/auth/module/LdapLoginModule.java#L1000)
Should it be:

    username = null;
    if (clearPass) {
        Arrays.fill(password, ' ');
    }
    password = null;

Or is this by design?
--
Martin
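
The behaviour described in the post above, reduced to a stand-alone model; this is an added example, not part of the original message and not the JDK's code. The `Module` class, its `copyOnRead` switch and the sample password are hypothetical; the model assumes, as the post reports, that a failing module wipes the `char[]` it took from `sharedState`, so every later `useFirstPass` module sees a blanked password unless it works on a copy.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class SharedPasswordAliasing {
    // Key under which JAAS modules share the password between stacked modules.
    static final String PASSWORD_KEY = "javax.security.auth.login.password";

    // Hypothetical stand-in for one stacked login module (not the JDK class).
    static class Module {
        private final Map<String, Object> sharedState;
        private final boolean copyOnRead; // assumption: defensive-copy mitigation
        private char[] password;

        Module(Map<String, Object> sharedState, boolean copyOnRead) {
            this.sharedState = sharedState;
            this.copyOnRead = copyOnRead;
        }

        // Models useFirstPass="true": the password comes from sharedState only.
        boolean login(boolean filterMatches) {
            char[] shared = (char[]) sharedState.get(PASSWORD_KEY);
            // Without a copy, this field aliases the array stored in the map.
            password = copyOnRead ? shared.clone() : shared;
            boolean blank = new String(password).trim().isEmpty();
            boolean ok = filterMatches && !blank;
            if (!ok) {
                cleanState(); // failure path wipes the module's password
            }
            return ok;
        }

        // Models the wipe: overwrites whatever array the module holds.
        private void cleanState() {
            Arrays.fill(password, ' ');
            password = null;
        }
    }

    static boolean thirdModuleSucceeds(boolean copyOnRead) {
        Map<String, Object> sharedState = new HashMap<>();
        // Constructed sample password, as stored by module 1 with storePass.
        sharedState.put(PASSWORD_KEY, "s3cret".toCharArray());
        new Module(sharedState, copyOnRead).login(false); // module 2: filter returns nothing
        return new Module(sharedState, copyOnRead).login(true); // module 3: filter matches
    }

    public static void main(String[] args) {
        System.out.println("aliased array:  module 3 ok = " + thirdModuleSucceeds(false));
        System.out.println("defensive copy: module 3 ok = " + thirdModuleSucceeds(true));
    }
}
```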