[ARTEMIS-2433] Support LDAP role mapping of SASL EXTERNAL credentials - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.9.0
Fix Version/s: 2.10.0
Component/s: AMQP, Broker
Labels:
- AMQP
- LDAP
- SASL

Description

currently the textcertificate login module must be used with SASL EXTERNAL. There is no other way to do authorisation and role assignment.
however a validated TLS certificate subject dn is a valid identity, in the same way as a kerberos token identity. If we provide a login module that will populate a subject principal with the subject DN, it will be possible to chain with the LDAPLoginModule and have LDAP used for role assignment. In LDAP, the CERT subjectDN just needs to be added as a member to any existing role definition.
LDAPLoginModule can be configured to not authenticate, not lookup the user and just do role assignment.

authenticateUser=false and default/empty userSearchMatching

Attachments

Issue Links

depends upon

ARTEMIS-1758 Support SASL EXTERNAL

Closed

relates to

ARTEMIS-1373 Allow chaining of Kerberos and LDAP JAAS Login Modules for authentication and authorisation

Closed

links to

GitHub Pull Request #2768

Activity

People

Assignee:: Gary Tully

Reporter:: Gary Tully

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 26/Jul/19 09:29

Updated:: 26/Aug/19 15:50

Resolved:: 26/Aug/19 15:50

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: