
Security: LDAPLoginModule: User role search does not work if connectionUsername and connectionPassword are not specified


Details

    • Improvement
    • Status: Closed
    • Minor
    • Resolution: Abandoned
    • 5.3.0
    • NEEDS_REVIEW
    • None
    • None
    • LDAP/AD

    Description

      LDAPLoginModule authenticate() method calls bindUser() for authentication and then immediately after that, it calls getRoles() to fetch the roles for the user based on the specified role search criteria. Note that the bindUser() removes the "java.security.principal" environment if no connectionUsername/password is provided. Calling getRoles() after that does not work because it needs the security principal in the environment to perform the role search.

      A sample JAAS login configuration is provided below:

      TestLogin {
          org.apache.activemq.jaas.LDAPLoginModule required
              debug=false
              initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
              connectionURL="ldap://somehost:389"
              connectionProtocol=""
              authentication=simple
              userBase="OU=users,O=domain"
              userSearchMatching="(uid={0})"
              userSearchSubtree=true
              userRoleName="memberOf"
              roleName="CN"
              roleBase="OU=Groups,O=domain"
              roleSearchMatching="member={0}"
              roleSearchSubtree=true
              ;
      };
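The sequence the report describes, reduced to the JNDI environment handling, as an added illustration that is not ActiveMQ's own code. The class and method names (LdapBindEnvDemo, bindUserBroken, bindUserRetainingIdentity, canSearchRoles) are hypothetical, the DN and password are constructed sample values, and the actual bind against the directory is left as a comment because it needs a live server; the point shown is that dropping the principal and credentials from the environment after the user bind leaves nothing for the role search to authenticate with, whereas keeping the authenticated user's identity (or a configured connectionUsername) does.

```java
import java.util.Hashtable;
import javax.naming.Context;

/** Illustration of the environment handling described in the report (not the module's code). */
public class LdapBindEnvDemo {

    /** Builds the base environment from the sample configuration values in the report. */
    static Hashtable<String, String> baseEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://somehost:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        return env;
    }

    /**
     * Mirrors the defect: authenticate as the user, then, with no service account configured,
     * remove the principal and credentials before the role search runs.
     */
    static Hashtable<String, String> bindUserBroken(Hashtable<String, String> env, String userDn,
            String password, String connectionUsername, String connectionPassword) {
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // new InitialDirContext(env) would perform the bind here (omitted: requires a directory).
        if (connectionUsername != null) {
            env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
            env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
        } else {
            // This is the step the report identifies: the identity needed by getRoles() is gone.
            env.remove(Context.SECURITY_PRINCIPAL);
            env.remove(Context.SECURITY_CREDENTIALS);
        }
        return env;
    }

    /**
     * One way to avoid the failure (assumption, not the project's fix): switch to the service
     * account only when one is configured, otherwise keep the user's own bind identity so the
     * role search can still run authenticated.
     */
    static Hashtable<String, String> bindUserRetainingIdentity(Hashtable<String, String> env,
            String userDn, String password, String connectionUsername, String connectionPassword) {
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // new InitialDirContext(env) would perform the bind here (omitted: requires a directory).
        if (connectionUsername != null) {
            env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
            env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
        }
        return env;
    }

    /** The precondition getRoles() needs: an identity to bind with for the role search. */
    static boolean canSearchRoles(Hashtable<String, String> env) {
        return env.containsKey(Context.SECURITY_PRINCIPAL)
            && env.containsKey(Context.SECURITY_CREDENTIALS);
    }

    public static void main(String[] args) {
        // Constructed sample user; no connectionUsername/connectionPassword, as in the report.
        String userDn = "uid=alice,OU=users,O=domain";
        String password = "sample-password";

        Hashtable<String, String> broken = bindUserBroken(baseEnv(), userDn, password, null, null);
        System.out.println("role search possible after broken bind: " + canSearchRoles(broken));

        Hashtable<String, String> kept = bindUserRetainingIdentity(baseEnv(), userDn, password, null, null);
        System.out.println("role search possible with identity kept: " + canSearchRoles(kept));

        // With a service account configured, both variants leave a usable identity in place.
        Hashtable<String, String> svc = bindUserBroken(baseEnv(), userDn, password,
                "cn=svc-broker,OU=users,O=domain", "service-password");
        System.out.println("role search possible with connectionUsername: " + canSearchRoles(svc));
    }
}
```

For an operator the practical consequence is the same as the title states: until the module retains a usable identity on its own, configuring connectionUsername and connectionPassword gives the role search an account to bind with, and the environment checks above show why the search has nothing to work with otherwise.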

          People

            Assignee: Unassigned
            Reporter: Amit Kumar (allahamit)