[ https://issues.apache.org/jira/browse/AMQ-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Claus Ibsen updated AMQ-3063:
-----------------------------

    Fix Version/s: NEEDS_REVIEWED

> Security: LDAPLoginModule: User role search does not work if 
> connectionUsername and connectionPassword are not specified
> ------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-3063
>                 URL: https://issues.apache.org/jira/browse/AMQ-3063
>             Project: ActiveMQ
>          Issue Type: Improvement
>    Affects Versions: 5.3.0
>         Environment: LDAP/AD
>            Reporter: Amit Kumar
>            Priority: Minor
>             Fix For: NEEDS_REVIEWED
>
>
> LDAPLoginModule's authenticate() method calls bindUser() for authentication and 
> then, immediately after that, calls getRoles() to fetch the roles for the 
> user based on the specified role search criteria. Note that bindUser() 
> removes the "java.security.principal" environment entry if no 
> connectionUsername/password is provided. Calling getRoles() after that does 
> not work because it needs the security principal in the environment to 
> perform the role search.
> A sample JAAS login configuration is provided below:
> TestLogin {
>     org.apache.activemq.jaas.LDAPLoginModule required
>         debug=false
>         initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>         connectionURL="ldap://somehost:389"
>         connectionProtocol=""
>         authentication=simple
>         userBase="OU=users,O=domain"
>         userSearchMatching="(uid={0})"
>         userSearchSubtree=true
>         userRoleName="memberOf"
>         roleName="CN"
>         roleBase="OU=Groups,O=domain"
>         roleSearchMatching="member={0}"
>         roleSearchSubtree=true
>         ;
> };



--
This message was sent by Atlassian JIRA
(v6.1#6144)
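As an added illustration (not ActiveMQ's own code) of the role search the report describes, and of one way to keep a principal in the JNDI environment when no connectionUsername is configured: fall back to the DN and password the user has just authenticated with. The option values are those from the sample configuration above; the class name, the fallback approach and the placeholder DN/password are assumptions, and a directory must be reachable at connectionURL for the search to run.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapRoleSearchExample {
    // Option values taken from the report's sample configuration.
    static final String URL = "ldap://somehost:389";
    static final String ROLE_BASE = "OU=Groups,O=domain";
    static final String ROLE_SEARCH_MATCHING = "(member={0})"; // {0} is bound to the user DN below
    static final String ROLE_NAME = "CN";

    // Environment for the role search. The reported code removed the security principal when no
    // connectionUsername was set, so getRoles() searched anonymously and failed. Assumed mitigation:
    // fall back to the DN and password the user just authenticated with.
    static Hashtable<String, String> roleSearchEnv(String connectionUsername, String connectionPassword,
                                                   String userDn, String userPassword) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        boolean serviceAccount = connectionUsername != null && !connectionUsername.isEmpty();
        env.put(Context.SECURITY_PRINCIPAL, serviceAccount ? connectionUsername : userDn);
        env.put(Context.SECURITY_CREDENTIALS, serviceAccount ? connectionPassword : userPassword);
        return env;
    }

    // Role search as configured: subtree scope under roleBase, returning the CN of each group.
    static List<String> findRoles(DirContext ctx, String userDn) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE); // roleSearchSubtree=true
        controls.setReturningAttributes(new String[] { ROLE_NAME });
        List<String> roles = new ArrayList<>();
        // The DN goes in as a filter argument so JNDI escapes it instead of splicing it into the filter.
        NamingEnumeration<SearchResult> results =
                ctx.search(ROLE_BASE, ROLE_SEARCH_MATCHING, new Object[] { userDn }, controls);
        while (results.hasMore()) {
            Attribute cn = results.next().getAttributes().get(ROLE_NAME);
            if (cn != null) roles.add((String) cn.get());
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed placeholder DN and password; no connectionUsername, as in the reported setup.
        String userDn = "uid=alice,OU=users,O=domain";
        DirContext ctx = new InitialDirContext(roleSearchEnv(null, null, userDn, "placeholder"));
        System.out.println("roles for " + userDn + ": " + findRoles(ctx, userDn));
        ctx.close();
    }
}
```

Whether the fallback is acceptable depends on the directory's access controls: the bound user must be allowed to read group membership under roleBase, which an anonymous bind typically is not.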