Major Description
Currently when you specify connection.username and connection.password, the LDAP module correctly uses these credentials when searching for a Karaf user, it then checks the Karaf user's password by doing a bind. Now when the LDAP module searches for roles for this user it doesn't switch back to using the provided connection credentials but reuses the Karaf user credentials added during the bind. It should be using the connection credentials for the role search just like the user search. Proposed fix:
diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java index f6637b7..37afcea 100644 --- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java +++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java @@ -225,6 +225,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { // step 2: bind the user using the DN context = null; try { + // switch the credentials to the Karaf login user so that we can verify his password is correct logger.debug("Bind user (authentication)."); env.put(Context.SECURITY_AUTHENTICATION, authentication); logger.debug("Set the security principal for " + userDN + "," + userBaseDN); @@ -251,6 +252,12 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { context = null; try { logger.debug("Get user roles."); + // switch back to the connection credentials for the role search like we did for the user search in step 1 + if (connectionUsername != null && connectionUsername.trim().length() > 0) { + env.put(Context.SECURITY_AUTHENTICATION, authentication); + env.put(Context.SECURITY_PRINCIPAL, connectionUsername); + env.put(Context.SECURITY_CREDENTIALS, connectionPassword); + } context = new InitialDirContext(env); SearchControls controls = new SearchControls(); if (roleSearchSubtree) {
I'll push the commit once I get my karma set up if there are no objections to the fix 