ActiveMQ / AMQ-3063

Security: LDAPLoginModule: User role search does not work if connectionUsername and connectionPassword are not specified

Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 5.3.0
    • Fix Version/s: NEEDS_REVIEW
    • Component/s: None
    • Labels: None
    • Environment: LDAP/AD

Description

    The LDAPLoginModule authenticate() method calls bindUser() for authentication and then, immediately after that, calls getRoles() to fetch the roles for the user based on the specified role search criteria. Note that bindUser() removes the "java.security.principal" environment if no connectionUsername/password is provided. Calling getRoles() after that does not work, because it needs the security principal in the environment to perform the role search.

    A sample JAAS login configuration is provided below:

    TestLogin {
        org.apache.activemq.jaas.LDAPLoginModule required
            debug=false
            initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
            connectionURL="ldap://somehost:389"
            connectionProtocol=""
            authentication=simple
            userBase="OU=users,O=domain"
            userSearchMatching="(uid={0})"
            userSearchSubtree=true
            userRoleName="memberOf"
            roleName="CN"
            roleBase="OU=Groups,O=domain"
            roleSearchMatching="member={0}"
            roleSearchSubtree=true
            ;
    };
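To show the ordering problem from the report in isolation, here is an added example that is not ActiveMQ's code and not the LDAPLoginModule itself: a minimal JNDI login that resolves the user's DN, binds as the user, and then runs the role search on a context that is still bound. When connectionUsername/connectionPassword are configured the service account does the role search; when they are absent, the user's own bound context is reused rather than having its principal removed. The class and method names (LdapRoleLookupExample, authenticateAndGetRoles, baseEnv, hasServiceAccount) are assumptions for this illustration; the URL, base DNs and filters are copied from the sample configuration above, with the role filter written as (member={0}) so it is a well-formed LDAP filter. It needs a reachable directory to run end to end.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Hypothetical illustration, not org.apache.activemq.jaas.LDAPLoginModule.
// The role search always runs on a bound context: the service account when
// connectionUsername/connectionPassword are configured, otherwise the context
// that was just bound as the user (the one the report says bindUser() strips).
public class LdapRoleLookupExample {

    // Settings taken from the sample JAAS configuration in the report.
    static final String CONNECTION_URL = "ldap://somehost:389";
    static final String USER_BASE = "OU=users,O=domain";
    static final String USER_SEARCH = "(uid={0})";
    static final String ROLE_BASE = "OU=Groups,O=domain";
    static final String ROLE_SEARCH = "(member={0})";   // sample wrote member={0}; parentheses added
    static final String ROLE_NAME_ATTR = "CN";

    static final SearchControls SUBTREE = new SearchControls();
    static {
        SUBTREE.setSearchScope(SearchControls.SUBTREE_SCOPE);   // userSearchSubtree / roleSearchSubtree = true
    }

    /** Common JNDI settings; callers add principal and credentials. */
    static Hashtable<String, String> baseEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, CONNECTION_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        return env;
    }

    static boolean hasServiceAccount(String connectionUsername, String connectionPassword) {
        return connectionUsername != null && !connectionUsername.isEmpty()
                && connectionPassword != null && !connectionPassword.isEmpty();
    }

    /** Resolves the user's DN, verifies the password by binding as that DN, then collects role names. */
    static List<String> authenticateAndGetRoles(String connectionUsername, String connectionPassword,
                                                String username, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            // An empty password is an unauthenticated simple bind (RFC 4513), which many
            // directories treat as anonymous; it must never count as a successful login.
            throw new NamingException("empty password rejected");
        }

        // Step 1: find the DN for the username, via the service account if configured,
        // otherwise via an anonymous search (which the directory must permit).
        Hashtable<String, String> lookupEnv = baseEnv();
        if (hasServiceAccount(connectionUsername, connectionPassword)) {
            lookupEnv.put(Context.SECURITY_PRINCIPAL, connectionUsername);
            lookupEnv.put(Context.SECURITY_CREDENTIALS, connectionPassword);
        } else {
            lookupEnv.put(Context.SECURITY_AUTHENTICATION, "none");
        }
        String userDn;
        DirContext lookup = new InitialDirContext(lookupEnv);
        try {
            // {0} is substituted and escaped by JNDI; the username is never spliced into the filter string.
            NamingEnumeration<SearchResult> hits =
                    lookup.search(USER_BASE, USER_SEARCH, new Object[] {username}, SUBTREE);
            if (!hits.hasMore()) throw new NamingException("user not found");
            userDn = hits.next().getNameInNamespace();
            if (hits.hasMore()) throw new NamingException("ambiguous user match");
        } finally {
            lookup.close();
        }

        // Step 2: bind as the user. InitialDirContext throws AuthenticationException on a bad password.
        Hashtable<String, String> userEnv = baseEnv();
        userEnv.put(Context.SECURITY_PRINCIPAL, userDn);
        userEnv.put(Context.SECURITY_CREDENTIALS, password);
        DirContext userCtx = new InitialDirContext(userEnv);

        // Step 3: role search on a context that is still bound. Without a service account the
        // user's own context is reused instead of having its principal removed.
        DirContext roleCtx = hasServiceAccount(connectionUsername, connectionPassword)
                ? new InitialDirContext(lookupEnv) : userCtx;
        List<String> roles = new ArrayList<>();
        try {
            NamingEnumeration<SearchResult> groups =
                    roleCtx.search(ROLE_BASE, ROLE_SEARCH, new Object[] {userDn}, SUBTREE);
            while (groups.hasMore()) {
                Attribute cn = groups.next().getAttributes().get(ROLE_NAME_ATTR);
                if (cn != null) roles.add(String.valueOf(cn.get()));
            }
        } finally {
            if (roleCtx != userCtx) roleCtx.close();
            userCtx.close();
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        // The report's case: no connectionUsername/connectionPassword configured.
        List<String> roles = authenticateAndGetRoles(null, null, args[0], args[1]);
        System.out.println("roles for " + args[0] + ": " + roles);
    }
}
```

Two points matter for a deployment. First, whether the role search is done as the user or as a service account decides what the directory ACLs must allow: with no service account, every authenticated user needs read access to the group entries under roleBase, which is often not granted in AD. Second, the DN lookup in step 1 runs anonymously when no service account exists, so a directory that forbids anonymous search will fail before the user bind even starts; configuring connectionUsername/connectionPassword avoids both issues.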

Activity

    People

    • Assignee: Unassigned
    • Reporter: Amit Kumar
    • Votes: 0
    • Watchers: 0
