ActiveMQ / AMQ-3064

Security: LDAPLoginModule: Specifying userRoleName as 'memberOf' fetches the full DN of the group, and initializes a GroupPrincipal with full DN

    Details

    • Type: Wish
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 5.3.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      In the sample below, when I specify the userRoleName as 'memberOf', it initializes a GroupPrincipal with the name as full DN. e.g. 'CN=somegroupIAMMemberOf,OU=Groups,O=domain'...
      This may not work if the expected role is 'somegroupIAMMemberOf'.

      TestLogin {
          org.apache.activemq.jaas.LDAPLoginModule required
              debug=false
              initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
              connectionURL="ldap://something:389"
              connectionUsername="uid=generic.gen,OU=Generics,O=something"
              connectionPassword="generic123"
              connectionProtocol=""
              authentication=simple
              userBase="OU=Users,O=something"
              userSearchMatching="(uid={0})"
              userSearchSubtree=true
              userRoleName="memberOf"
              roleName="CN"
              roleBase="OU=Groups,O=something"
              roleSearchMatching="member={0}"
              roleSearchSubtree=true
              ;
      };
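
One way to derive the short role name from a memberOf value, shown as an added example (not ActiveMQ's code and not part of the original report): it parses each DN with the JDK's javax.naming.ldap.LdapName, keeps only groups located under roleBase, and returns the value of the leaf RDN named by roleName. The class and method names are hypothetical, the sample DNs are constructed, and the roleBase restriction is an assumption of this example.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added example: MemberOfRoles and rolesFrom are hypothetical names, not ActiveMQ code.
public class MemberOfRoles {

    // Maps memberOf DNs to short role names: the value of the leaf RDN whose
    // type equals roleName (e.g. "CN"). DNs outside roleBase are ignored so a
    // same-named group elsewhere in the tree cannot grant the role.
    static Set<String> rolesFrom(List<String> memberOf, String roleName, String roleBase)
            throws InvalidNameException {
        LdapName base = new LdapName(roleBase);
        Set<String> roles = new LinkedHashSet<>();
        for (String value : memberOf) {
            LdapName dn;
            try {
                dn = new LdapName(value);        // RFC 2253 parsing, handles "\," escapes
            } catch (InvalidNameException e) {
                continue;                        // not a DN: never turn it into a role
            }
            if (dn.size() <= base.size() || !dn.startsWith(base)) {
                continue;                        // not located under roleBase
            }
            Rdn leaf = dn.getRdn(dn.size() - 1); // leftmost RDN, e.g. CN=somegroupIAMMemberOf
            if (leaf.getType().equalsIgnoreCase(roleName)) {
                roles.add(String.valueOf(leaf.getValue()));
            }
        }
        return roles;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample values in the shape shown in the report.
        List<String> memberOf = List.of(
            "CN=somegroupIAMMemberOf,OU=Groups,O=domain",
            "CN=Ops\\, EMEA,OU=Groups,O=domain",          // escaped comma inside the CN
            "CN=somegroupIAMMemberOf,OU=Other,O=domain",  // same CN, outside roleBase
            "not-a-dn");
        System.out.println(rolesFrom(memberOf, "CN", "OU=Groups,O=domain"));
    }
}
```

Splitting the DN on commas would mis-handle the escaped comma in the second sample value, which is why the example relies on LdapName for parsing.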

          People

          • Assignee: Unassigned
          • Reporter: Amit Kumar