Hi,

JIRA QPID-8625 was created:

https://issues.apache.org/jira/browse/QPID-8625

Kind regards,
Daniil Kirilyuk


On Fri, Feb 10, 2023, 08:23 Daniil Kirilyuk <daniel.kiril...@gmail.com>
wrote:

> Hi,
>
> The LDAP authentication in qpid-broker-j is performed by
> SimpleLDAPAuthenticationManagerImpl, which first tries to find the
> user using the supplied search value and then performs an LDAP bind using the
> DN found. The full DN is used as the principal name after that. There is a
> flag "isBindWithoutSearch", but when set to true it would require
> supplying the full DN as the username (and wouldn't solve the ACL rules
> issue).
>
> I would say the current implementation doesn't support the desired
> behavior. You could create a JIRA for this issue.
>
> Kind regards,
> Daniil Kirilyuk
>
> On Wed, 8 Feb 2023 at 23:02, Dan Langford <danlangf...@gmail.com> wrote:
> >
> > We are upgrading some very old qpid servers in the enterprise (6.0.8) and
> > we use LDAP authentication. Where I might have a current ACL entry like
> > this:
> >
> > ACL ALLOW danlangford ALL
> >
> > I'm finding in QPID 6.1-9.0 I am needing the rule to look like this
> >
> > ACL ALLOW "cn=danlangford,ou=000,ou=People,o=MyEnterprise" ALL
> >
> > Now in the above example I can still authenticate over HTTP or AMQP with
> > the user "danlangford" and I see a log message
> > Found 'danlangford' DN 'cn=danlangford,ou=000,ou=People,o=MyEnterprise'
> > but my ACLs are now going to be much more verbose, and problematic (see
> > below), if they have to contain the full DN.
> >
> > This is particularly problematic in my enterprise because our identity
> > team has partitioned out all the users. See the "ou=000" (I happen to be
> > in the first partition). So as it stands we will need to update our ACLs
> > and go look up the full DN for each user manually to put into the ACL.
> > And my identity team said that there is no guarantee that the partition
> > won't change for some reason in the future and they encourage all
> > systems to search for a user (cn=username) with search context of
> > ou=People,o=MyEnterprise
> >
> > Is there a way to configure the prior behavior that allowed just the
> > username in the ACL?
>
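To make the thread's point concrete, here is a small added model (not qpid-broker-j code, and not its ACL engine) of why the short-name rule stops matching once the full DN becomes the principal. The ACL text is constructed from the two rule forms quoted above, `parse_acl`/`evaluate` are a deliberately simplified first-match evaluator, and `cn_from_dn` is a hypothetical helper showing the kind of DN-to-username mapping that would let the old `ACL ALLOW danlangford ALL` rule match again without hard-coding the `ou=000` partition.

```python
"""Toy model of ACL identity matching against a short username vs. a full LDAP DN.

Added illustration for the mailing-list thread; it is not the Qpid broker's
own matching logic. Rule forms are copied from the thread, everything else
(ACL text, helper names) is constructed for the example.
"""
import shlex

# Constructed ACL files. OLD_STYLE is how the 6.0.8 rules looked,
# NEW_STYLE is what the newer broker (DN as principal) currently needs.
OLD_STYLE_ACL = """\
ACL ALLOW danlangford ALL
ACL DENY-LOG ALL ALL
"""

NEW_STYLE_ACL = """\
ACL ALLOW "cn=danlangford,ou=000,ou=People,o=MyEnterprise" ALL
ACL DENY-LOG ALL ALL
"""

USER_DN = "cn=danlangford,ou=000,ou=People,o=MyEnterprise"


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs.

    Handles backslash-escaped characters such as '\\,' inside a value.
    Hex escapes (\\2C) and multi-valued RDNs (a+b) are not modelled here.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if c == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value))
    return rdns


def cn_from_dn(dn):
    """Hypothetical mapping: take the 'cn' value of the DN as the ACL identity."""
    for attr, value in parse_dn(dn):
        if attr == "cn":
            return value
    return None


def parse_acl(text):
    """Parse 'ACL <outcome> <identity> <action>' lines; shlex unquotes the DN form."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if len(tokens) < 4 or tokens[0] != "ACL":
            continue
        _, outcome, identity, action = tokens[:4]
        rules.append((outcome, identity, action))
    return rules


def evaluate(rules, principal):
    """First matching rule wins; identity ALL matches any principal (simplified)."""
    for outcome, identity, _action in rules:
        if identity == "ALL" or identity == principal:
            return outcome
    return "DENY"


if __name__ == "__main__":
    old_rules = parse_acl(OLD_STYLE_ACL)
    new_rules = parse_acl(NEW_STYLE_ACL)
    # Principal is the full DN: only the verbose DN rule matches.
    print("old rules, DN principal :", evaluate(old_rules, USER_DN))   # DENY-LOG
    print("new rules, DN principal :", evaluate(new_rules, USER_DN))   # ALLOW
    # Mapping the DN back to its cn restores the short-name rule.
    print("old rules, cn principal :", evaluate(old_rules, cn_from_dn(USER_DN)))  # ALLOW
```

The first two evaluations show the situation Dan describes: with the DN as principal, the old one-word rule silently falls through to the deny rule, while the DN rule pins the `ou=000` partition into the ACL file. The third shows that a broker-side mapping from DN to a stable attribute (here `cn`) is what would keep ACLs short and partition-independent; the JIRA above is the request for that behaviour.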
