[ https://issues.apache.org/jira/browse/QPID-4463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13799706#comment-13799706 ]
Keith Wall commented on QPID-4463:
----------------------------------

Hi Robbie,

Could you review the attached patch (0001-QPID-4463-Java-Broker-Change-SimpleLDAPAuthManager-t.patch)? I think this is ready to commit.

I wish to point out that in the Management UI, in the LDAP auth provider dialogue, the user currently needs to enter the trust store name *manually*. You'd expect to see a dropdown box presenting a list of available truststores, but this approach is not practical with the current model. In future, I think we should change the auth provider UI to follow the same 'pluggable' approach that we have with virtual hosts. This will allow for a much richer UI which can be customised on a per-auth-provider basis. That all said, I think the system as it stands is usable from an end-user perspective.

I also think in the long term we will want to split out LDAP into a separate module to avoid the bcel dependency on the broker core. Possibly once Ant is removed?

Finally, patch (0002-QPID-4463-Java-Broker-SimpleLDAPAuthenticationManage.patch) contains a system test that I used whilst developing. I'm not intending to commit this at the moment (we need to decide how best to organise automated testing with external dependencies like Directories and RDBMSs) but it might be helpful if you want to run the code. I've tested the ldaps authentication against Apache Directory on both Sun and IBM JDKs.

Here are a couple of useful commands to prepare the truststore and run the tests.

{noformat}
# Get cert from Apache Directory
echo -n | openssl s_client -connect localhost:10636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > apacheds.pem

# Convert pem => der
openssl x509 -in apacheds.pem -inform PEM -out apacheds.der -outform DER

# Truststore containing Apache Directory cert ready for Qpid
keytool -import -alias apacheds -file apacheds.der -keystore apacheds.ts -storepass password

# A test user.
ldapmodify -h Oslo.local -p 10389 -D "uid=admin,ou=system" -w secret -a -f test-profiles/test_resources/simpleldaptest/user.ldif

ant test -Dtest=SimpleLDAPAuthenticationTest -Dprofile=java-mms.0-9-1 -Dsimpleldaptest.validUser=user -Dsimpleldaptest.validUserPassword=user1 -Dsimpleldaptest.ldapUrl=ldap://Oslo.local:10389 -Dsimpleldaptest.ldapUrl=ldaps://Oslo.local:10639 -Dsimpleldaptest.trustStorePath=/Users/keith/apacheds.ts
{noformat}

> SimpleLDAPAuthenticationManager should accept truststore and truststore password configuration
> ----------------------------------------------------------------------------------------------
>
>                 Key: QPID-4463
>                 URL: https://issues.apache.org/jira/browse/QPID-4463
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>    Affects Versions: 0.21
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>         Attachments: 0001-QPID-4463-Java-Broker-Change-SimpleLDAPAuthManager-t.patch, 0002-QPID-4463-Java-Broker-SimpleLDAPAuthenticationManage.patch, AbstractLDAPSSLSocketFactory.java
>
>
> To better support use cases where the Broker is required to authenticate against a Directory protected by SSL, the Java Broker should accept truststore and truststore password via configuration.
> Currently the user is required to pass the JVM system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword (which are effectively globals).

--
This message was sent by Atlassian JIRA (v6.1#6144)
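The issue above is about giving an LDAPS authentication provider its own truststore instead of relying on the JVM-wide javax.net.ssl.trustStore system properties. The class below is an added example, not Qpid's code and not the attached AbstractLDAPSSLSocketFactory.java: it loads a truststore such as the apacheds.ts built with keytool in the comment, wraps it in an SSLSocketFactory, and hands that factory to the JNDI LDAP provider through the java.naming.ldap.factory.socket property (which requires a public static getDefault()). Because JNDI can only call a static method, the example keeps the truststore location in static fields set by configure(); that shared state is a simplification assumed here, not the patch's design. The host, DN and path in main are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/* Added example (not Qpid code): an SSLSocketFactory that trusts only the
 * certificates in an explicitly configured truststore, so an LDAPS bind does
 * not depend on the global javax.net.ssl.trustStore system properties. */
public class TrustStoreLdapSslSocketFactory extends SSLSocketFactory {

    // JNDI only calls the static getDefault(), so the truststore must be set
    // before the InitialDirContext is created (simplification for this example).
    private static volatile String trustStorePath;
    private static volatile char[] trustStorePassword;

    private final SSLSocketFactory delegate;

    public static void configure(String path, String password) {
        trustStorePath = path;
        trustStorePassword = password.toCharArray();
    }

    /** Looked up reflectively by the JNDI LDAP provider. */
    public static SSLSocketFactory getDefault() {
        try {
            return new TrustStoreLdapSslSocketFactory();
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("cannot load truststore " + trustStorePath, e);
        }
    }

    private TrustStoreLdapSslSocketFactory() throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePassword); // the password only verifies JKS integrity
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client cert, default SecureRandom
        delegate = ctx.getSocketFactory();
    }

    // SocketFactory/SSLSocketFactory contract: delegate everything to the
    // factory built from the configured truststore.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return delegate.createSocket(s, host, port, autoClose);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return delegate.createSocket(host, port, local, localPort);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
        return delegate.createSocket(host, port, local, localPort);
    }

    /** Authenticates by binding as the user; any NamingException (bad password,
     *  untrusted server certificate, unreachable host) is reported as failure. */
    public static boolean bindAsUser(String ldapsUrl, String userDn, String password) {
        // RFC 4513 s5.1.2: a simple bind with an empty password is an anonymous
        // (unauthenticated) bind that most servers accept, so refuse it up front.
        if (password == null || password.isEmpty()) {
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.ldap.factory.socket", TrustStoreLdapSslSocketFactory.class.getName());
        try {
            new InitialDirContext(env).close();
            return true;
        } catch (NamingException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Placeholder values: point these at the apacheds.ts built with keytool above.
        configure("/path/to/apacheds.ts", "password");
        boolean ok = bindAsUser("ldaps://ldap.example.test:10636", "uid=user,ou=users,ou=system", "user1");
        System.out.println(ok ? "bind succeeded" : "bind failed");
    }
}
```

With this in place, a server presenting a certificate that is not in apacheds.ts fails the TLS handshake inside the JNDI bind and is reported as an authentication failure, independently of whatever javax.net.ssl.trustStore the JVM was started with. The empty-password check matters because the JNDI provider will otherwise perform an anonymous bind that succeeds against most directories.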