Karaf / KARAF-2529

Use connection credentials when searching for roles in LDAP


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.3
    • Fix Version/s: 2.4.0, 3.0.0, 2.3.4
    • Component/s: None
    • Labels: None

    Description

      Currently, when you specify connection.username and connection.password, the LDAP module correctly uses these credentials when searching for a Karaf user; it then checks the Karaf user's password by doing a bind. Now, when the LDAP module searches for roles for this user, it doesn't switch back to using the provided connection credentials but reuses the Karaf user credentials added during the bind. It should be using the connection credentials for the role search just like the user search. Proposed fix:

      diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
      index f6637b7..37afcea 100644
      --- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
      +++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
      @@ -225,6 +225,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
               // step 2: bind the user using the DN
               context = null;
               try {
      +            // switch the credentials to the Karaf login user so that we can verify his password is correct
                   logger.debug("Bind user (authentication).");
                   env.put(Context.SECURITY_AUTHENTICATION, authentication);
                   logger.debug("Set the security principal for " + userDN + "," + userBaseDN);
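Review bot: comment-only hunk; the new comment is placed above the logger.debug("Bind user (authentication).") call rather than above the env.put(Context.SECURITY_PRINCIPAL, ...) it describes (the principal is set a few lines further down, next to the "Set the security principal" debug line), so consider moving it there and wording it "the user's password" rather than "his password".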
      @@ -251,6 +252,12 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
               context = null;
               try {
                   logger.debug("Get user roles.");
      +            // switch back to the connection credentials for the role search like we did for the user search in step 1 
      +            if (connectionUsername != null && connectionUsername.trim().length() > 0) {
      +                env.put(Context.SECURITY_AUTHENTICATION, authentication);
      +                env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
      +                env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
      +            }
                   context = new InitialDirContext(env);
                   SearchControls controls = new SearchControls();
                   if (roleSearchSubtree) {
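Review bot: the added block only resets SECURITY_PRINCIPAL and SECURITY_CREDENTIALS when connectionUsername is non-blank, so when the module is configured without connection credentials (anonymous user search in step 1) env still carries the Karaf user's DN and password from the step 2 bind and the role search is still performed as that user. Add an else branch that removes Context.SECURITY_AUTHENTICATION, Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS from env (or build a fresh env for each step) so that step 3 matches step 1 in both configurations. Minor: trailing whitespace on the "switch back to the connection credentials" comment line.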
      

      I'll push the commit once I get my karma set up if there are no objections to the fix.
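The following is an added illustration of the pattern behind this fix, not code from Karaf or from the proposed patch: instead of mutating one shared JNDI environment across the three steps (user search, user bind, role search), each step builds its own environment, so the credentials used for the step 2 bind cannot leak into the step 3 role search, and the anonymous case (no connection.username configured) is handled the same way in steps 1 and 3. The class name, field names, the sample DNs and URL, and the "simple" authentication value are all assumptions made for the example.

```java
import java.util.Hashtable;
import javax.naming.Context;

// Example (not Karaf code): one fresh JNDI environment per LDAP step.
public class LdapStepEnvironments {

    // Hypothetical configuration, mirroring the module's connection.* options.
    private final String providerUrl;
    private final String connectionUsername;   // null or blank means anonymous search
    private final String connectionPassword;
    private final String authentication;       // e.g. "simple"

    public LdapStepEnvironments(String providerUrl, String connectionUsername,
                                String connectionPassword, String authentication) {
        this.providerUrl = providerUrl;
        this.connectionUsername = connectionUsername;
        this.connectionPassword = connectionPassword;
        this.authentication = authentication;
    }

    // Common base without any credential keys. Hashtable rejects null values,
    // so credential keys are only ever added when a real value exists.
    private Hashtable<String, String> baseEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        return env;
    }

    // Steps 1 and 3 (user search, role search): service account if configured,
    // otherwise an anonymous bind. Both steps call this, so they cannot diverge.
    public Hashtable<String, String> connectionEnv() {
        Hashtable<String, String> env = baseEnv();
        if (connectionUsername != null && !connectionUsername.trim().isEmpty()) {
            if (connectionPassword == null) {
                // Refuse rather than silently falling back to an unauthenticated bind.
                throw new IllegalStateException("connection.username set without connection.password");
            }
            env.put(Context.SECURITY_AUTHENTICATION, authentication);
            env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
            env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
        }
        return env;
    }

    // Step 2 (password check): bind as the DN resolved in step 1.
    public Hashtable<String, String> userBindEnv(String userDn, char[] password) {
        Hashtable<String, String> env = baseEnv();
        env.put(Context.SECURITY_AUTHENTICATION, authentication);
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample values; no LDAP server is contacted here.
        LdapStepEnvironments cfg = new LdapStepEnvironments(
                "ldap://ldap.example.test:389",
                "cn=karaf-svc,ou=system,dc=example,dc=test",
                "svc-secret",
                "simple");

        Hashtable<String, String> userSearch = cfg.connectionEnv();
        Hashtable<String, String> userBind = cfg.userBindEnv(
                "uid=alice,ou=people,dc=example,dc=test", "alice-pw".toCharArray());
        Hashtable<String, String> roleSearch = cfg.connectionEnv();

        // The role search environment is built from the configuration, not from
        // the bind environment, so it never contains alice's DN or password.
        System.out.println("role search env equals user search env: " + roleSearch.equals(userSearch));
        System.out.println("role search principal: " + roleSearch.get(Context.SECURITY_PRINCIPAL));
        System.out.println("user bind principal:   " + userBind.get(Context.SECURITY_PRINCIPAL));
    }
}
```

Each environment would be passed to `new InitialDirContext(env)` for its step and the context closed afterwards; because step 3 reuses `connectionEnv()`, configuring the module without a connection username yields an anonymous role search exactly like the anonymous user search, rather than a search performed with the just-authenticated user's credentials.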

      People

        Assignee: janstey Jonathan Anstey
        Reporter: janstey Jonathan Anstey