[ https://issues.apache.org/jira/browse/QPID-4463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13799706#comment-13799706 ]

Keith Wall commented on QPID-4463:
----------------------------------

Hi Robbie,

Could you review the attached patch 
(0001-QPID-4463-Java-Broker-Change-SimpleLDAPAuthManager-t.patch)? I think this 
is ready to commit.

I wish to point out that in the Management UI, in the LDAP auth provider dialogue, 
the user currently needs to enter the trust store name *manually*. You'd expect 
to see a dropdown box presenting a list of available truststores, but this 
approach is not practical with the current model.  In future, I think we should 
change the auth provider UI to follow the same 'pluggable' approach that we 
have with virtual hosts. This will allow for a much richer UI which can be 
customised on a per-auth-provider basis.  That all said, I think the system as it 
stands is usable from an end-user perspective.

I also think in the long term we will want to split out ldap into a separate 
module to avoid the bcel dependency on the broker core. Possibly once Ant is 
removed?

Finally, patch (0002-QPID-4463-Java-Broker-SimpleLDAPAuthenticationManage.patch) 
contains a system test that I used whilst developing.  I'm not intending to 
commit this at the moment (we need to decide how best to organise automated 
testing with external dependencies like Directories and RDBMSs) but it might be 
helpful if you want to run the code.

I've tested the ldaps authentications on Apache Directory on both Sun and IBM 
JDKs.

Here are a couple of useful commands to prepare the truststore and run the 
tests.
{noformat}
# Get cert from Apache Directory
echo -n | openssl s_client -connect localhost:10636 \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > apacheds.pem
# Convert pem => der
openssl x509 -in apacheds.pem -inform PEM -out apacheds.der -outform DER
# Truststore containing Apache Directory cert ready for Qpid
keytool -import -alias apacheds -file apacheds.der -keystore apacheds.ts \
  -storepass password
# A test user.
ldapmodify -h Oslo.local -p 10389 -D "uid=admin,ou=system" -w secret -a \
  -f test-profiles/test_resources/simpleldaptest/user.ldif

ant test -Dtest=SimpleLDAPAuthenticationTest -Dprofile=java-mms.0-9-1 \
  -Dsimpleldaptest.validUser=user -Dsimpleldaptest.validUserPassword=user1 \
  -Dsimpleldaptest.ldapUrl=ldap://Oslo.local:10389 \
  -Dsimpleldaptest.ldapUrl=ldaps://Oslo.local:10639 \
  -Dsimpleldaptest.trustStorePath=/Users/keith/apacheds.ts
{noformat}

> SimpleLDAPAuthenticationManager should accept truststore and truststore 
> password configuration
> ----------------------------------------------------------------------------------------------
>
>                 Key: QPID-4463
>                 URL: https://issues.apache.org/jira/browse/QPID-4463
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>    Affects Versions: 0.21
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>         Attachments: 
> 0001-QPID-4463-Java-Broker-Change-SimpleLDAPAuthManager-t.patch, 
> 0002-QPID-4463-Java-Broker-SimpleLDAPAuthenticationManage.patch, 
> AbstractLDAPSSLSocketFactory.java
>
>
> To better support use cases where the Broker is required to authenticate 
> against a Directory protected by SSL, the Java Broker should accept 
> truststore and truststore password via configuration.
> Currently the user is required to pass the JVM system properties 
> javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword (which are 
> effectively globals).
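As an added illustration of the approach the issue asks for (this is not code from the attached patches or from the Qpid broker), an LDAP socket factory built from a per-provider truststore, so a bind over LDAPS trusts only the certificate imported with keytool above rather than whatever the JVM-wide javax.net.ssl.trustStore properties point at. The class name, configure() and bind() are hypothetical; the static getDefault() hook and the java.naming.ldap.factory.socket property are the standard JNDI LDAP mechanism.

```java
import java.io.*;
import java.net.*;
import java.security.*;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.*;

/** Hypothetical socket factory that trusts only the truststore its auth provider was given. */
public class ConfiguredTrustStoreSocketFactory extends SocketFactory {
    private static volatile SSLSocketFactory delegate;

    /** Called once with the provider's configured truststore (names here are assumed, not the broker's). */
    public static void configure(String trustStorePath, String trustStorePassword) throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePassword.toCharArray()); // e.g. the apacheds.ts built with keytool above
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // trust anchors come only from this store, not from the JVM default cacerts
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    // JNDI's LDAP provider calls this static method on the class named in java.naming.ldap.factory.socket.
    public static SocketFactory getDefault() {
        if (delegate == null) throw new IllegalStateException("truststore not configured");
        return new ConfiguredTrustStoreSocketFactory();
    }

    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(h, p, la, lp); }
    @Override public Socket createSocket(InetAddress a, int p) throws IOException { return delegate.createSocket(a, p); }
    @Override public Socket createSocket(InetAddress a, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(a, p, la, lp); }

    /** Simple bind over LDAPS: the TLS handshake fails unless the directory's certificate chains to the truststore. */
    public static void bind(String ldapsUrl, String userDn, String password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl); // e.g. ldaps://Oslo.local:10639
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.ldap.factory.socket", ConfiguredTrustStoreSocketFactory.class.getName());
        new InitialDirContext(env).close();
    }
}
```

Because JNDI only hands the factory a class name, the configuration here is static, which gives one truststore per factory class; a broker hosting several LDAP auth providers with different truststores would need a generated or per-provider subclass rather than this single class.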



--
This message was sent by Atlassian JIRA
(v6.1#6144)
