Hi,

The LDAP authentication in qpid-broker-j is performed by
SimpleLDAPAuthenticationManagerImpl, which first tries to find the
user using the supplied search value and then performs an LDAP bind using the
DN found. The full DN is used as the principal name after that. There is a
flag "isBindWithoutSearch", but when set to true it would require
supplying the full DN as the username (and wouldn't solve the ACL rules
issue).

I would say the current implementation doesn't support the desired
behavior. You could create a JIRA for this issue.

Kind regards,
Daniil Kirilyuk

On Wed, 8 Feb 2023 at 23:02, Dan Langford <danlangf...@gmail.com> wrote:
>
> We are upgrading some very old qpid servers in the enterprise (6.0.8) and
> we use LDAP authentication. Where I might have a current ACL entry like
> this:
>
> ACL ALLOW danlangford ALL
>
> I'm finding in QPID 6.1-9.0 I am needing the rule to look like this
>
> ACL ALLOW "cn=danlangford,ou=000,ou=People,o=MyEnterprise" ALL
>
> now in the above example I can still authenticate over HTTP or AMQP with
> the user "danlangford" and i see a log message
> Found 'danlangford' DN 'cn=danlangford,ou=000,ou=People,o=MyEnterprise'
> but my ACLs are now going to be much more verbose, and problematic (see
> below), if they have to contain the full DN.
>
> This is particularly problematic in my enterprise because our identity team
> has partitioned out all the users. See the "ou=000" (I happen to be in the
> first partition). So as it stands we will need to update our ACLs and go
> look up the full DN for each user manually to put into the ACL. And my
> identity team said that there is no guarantee that the partition won't
> change for some reason in the future and they encourage all systems to
> search for a user. (cn=username) with search context of
> ou=People,o=MyEnterprise
>
> Is there a way to configure to prior behavior that allowed just the
> username in the ACL?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org