Any feedback here? Did your user get this sorted out?

Justin

On Tue, Aug 16, 2022 at 11:51 AM Justin Bertram <[email protected]> wrote:

> > ...is there any other known restriction to masking passwords that might
> > not be obvious or well documented?
>
> I'm not aware of any restrictions for masked passwords. If it can be put
> into a Java String then it can be masked and unmasked. The default masking
> & unmasking algorithms work directly with byte[] so there are no real
> restrictions.
>
> The "artemis mask" command spits out the masked password, but it still
> needs to be wrapped in "ENC()" to be detected properly in login.config. In
> the other thread I pasted a link to the ActiveMQ Artemis test-suite which
> demonstrates how to configure the password. Is the user doing this properly?
>
>
> Justin
>
> On Tue, Aug 16, 2022 at 10:53 AM Andrew Pomponio <[email protected]>
> wrote:
>
>> Hello Artemis Devs,
>> I originally opened a ticket with the users mailing list to discuss the
>> following issue:
>> https://lists.apache.org/thread/6ptmpln9wfysv07v3ncdxkd2c99glh9t
>>
>> TL;DR: a user is attempting to mask their password in login.config and
>> when they attempt to authenticate against LDAP, they get an authentication
>> error.
>>
>> We’ve reviewed the idea that they could be using a password with
>> unsupported characters and spaces, but we’re attempting to explore other
>> options as well. Artemis is logging the following error:
>> 2022-07-19 11:26:08,144 ERROR [org.apache.activemq.artemis.core.server]
>> AMQ224084: Failed to open context: javax.naming.AuthenticationException:
>> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment:
>> AcceptSecurityContext error, data 52e, v4563]
>>
>> Aside from the special characters and spaces theory, is there any other
>> known restriction to masking passwords that might not be obvious or well
>> documented? They have tested the password in plaintext so it does work that
>> way, it’s just the masking of it that does not work. If it matters at all,
>> the user is using pre-built container images for artemis that run on Debian
>> 10 and Java 11. We’re attempting to get debug logs for
>> org.apache.activemq.artemis.spi.core.security.jaas from the user, and we’ve
>> also sent them our own working example main.java file to demonstrate to
>> them how password masking “should” work. The purpose of this was to make
>> sure the password is hardcoded in the main.java file and matches the output
>> of a java code snippet. We are also attempting to verify if they’re
>> implementing TLS over LDAP as well to see if that’s adding any overhead
>> complications. Any additional insight is greatly appreciated. Thanks!
>>
>>
>> This e-mail may contain information that is privileged or confidential.
>> If you are not the intended recipient, please delete the e-mail and any
>> attachments and notify us immediately.
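The ENC() requirement mentioned in the quoted reply, as an added example that is not part of the thread or of the Artemis code base: a small Python check that flags password options in a JAAS login.config whose value is not wrapped in ENC(). The sample config, its host names and DNs, and the hex heuristic for bare "artemis mask" output are constructed assumptions.

```python
import re

# Constructed sample login.config; hosts, DNs and the hex value are made up.
SAMPLE = '''
activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
       connectionURL="ldaps://ldap.example.test:636"
       connectionUsername="CN=svc-artemis,OU=Service,DC=example,DC=test"
       connectionPassword="3a34fd21b82bf2a822fa49a8d8fa115d"
       userBase="OU=Users,DC=example,DC=test";
};
'''

# Any option whose name ends in "password", with a quoted or unquoted value.
OPTION = re.compile(r'^\s*(\w*[Pp]assword)\s*=\s*(?:"([^"]*)"|(\S+?))\s*;?\s*$')
# Assumption: bare "artemis mask" output looks like a long hex string.
BARE_MASK = re.compile(r'-?[0-9a-fA-F]{16,}')


def classify(value):
    """Say how a password option value would be read."""
    if value.startswith("ENC(") and value.endswith(")") and len(value) > 5:
        return "masked"
    if value.strip().upper().startswith("ENC("):
        return "malformed-enc"          # e.g. "enc(...)", " ENC(...)", "ENC(..."
    if BARE_MASK.fullmatch(value):
        return "unwrapped-mask-output"  # not detected as masked without ENC()
    return "plaintext"


def audit(text):
    """Return (line_no, option, verdict) for each password option not masked."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = OPTION.match(line)
        if not m:
            continue
        value = m.group(2) if m.group(2) is not None else m.group(3)
        verdict = classify(value)
        if verdict != "masked":
            findings.append((no, m.group(1), verdict))
    return findings


if __name__ == "__main__":
    for no, option, verdict in audit(SAMPLE):
        print(f"line {no}: {option} is {verdict}")
```
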
