[ https://issues.apache.org/jira/browse/QPID-8127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16971464#comment-16971464 ]

Alex Rudyy commented on QPID-8127:
----------------------------------

The JIRA title and descriptions are not exactly correct.

The issue here is not ACL functionality. The group fetching functionality 
currently uses case-sensitive principal names to find the principal groups. 
Thus, when the user principal returned by the LDAP server is "cn=integration-TeSt1, 
ou=users, dc=qpid, dc=org" and ManagedGroupProvider contains group "bar" having 
member "cn=integration-test1, ou=users, dc=qpid, dc=org", the user subject 
created by {{org.apache.qpid.server.security.SubjectCreator}} will not have a 
group principal "bar". As a result, the ACL rule declared as "ACL-LOG bar ACCESS 
VIRTUALHOST" would not be picked up for the user, which in turn will not allow 
the user to access the virtual host.

Another orthogonal problem with DNs is the spaces. It is quite easy to miss or 
add an extra space in a DN. As a result, the ACL rule matching or group matching will 
not give the right results for a DN containing (missing) spaces. DN 
normalization should be applied to ACL rule identities and principal names in 
order to get rid of extra spaces.

I think we need to close this JIRA as invalid and open 2 new JIRAs for the 2 
separate issues described above.

> [Broker-J][ACL] Allow case insensitive matching of group and user names in 
> existing ACL
> ---------------------------------------------------------------------------------------
>
>                 Key: QPID-8127
>                 URL: https://issues.apache.org/jira/browse/QPID-8127
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Alex Rudyy
>            Priority: Major
>
> The current ACL rules matching functionality is case sensitive for user names 
> and group names.
> When the SimpleLdap authentication provider is configured and groups are fetched 
> from LDAP as distinguished names, it is quite easy to make a mistake in a 
> group/user DN and put some of the letters in the wrong case, as LDAP DN search is 
> case-insensitive. Thus, users can specify some parts of a DN in the ACL using 
> letters in the wrong case.
> The debugging of such mistyped names can be time-consuming. IMHO, it makes 
> more sense to add the ability into the ACL implementation to match group and user 
> names in a case-insensitive way.
> The following link provides a good overview of case sensitivity of DNs:
> [http://ldapwiki.com/wiki/Distinguished%20Name%20Case%20Sensitivity]
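The two mismatches the comment describes (letter case and stray spaces around RDN separators) disappear once both sides are normalised before comparison. The following is an added example, not Broker-J code; it treats every attribute value as case-insensitive (an assumption that holds for cn, ou and dc but not for every attribute type) and honours RFC 4514 backslash escaping so an escaped comma or trailing space in a value is kept:

```python
"""Normalise LDAP DNs before comparing principal and group member names.
Added example, not Broker-J code. Assumes every attribute in the DN uses a
case-insensitive matching rule (true of cn, ou and dc, not of every type).
"""
from typing import List


def split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep` unless it is backslash-escaped (RFC 4514 quoting)."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def trim(value: str) -> str:
    """Strip insignificant spaces but keep an escaped trailing space ('\\ ')."""
    value = value.lstrip(" ")
    while value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1]
    return value


def normalize_dn(dn: str) -> str:
    """Canonical form: trimmed, lower-cased 'type=value' pairs joined by ','."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        pairs = []
        for avp in split_unescaped(rdn, "+"):  # multi-valued RDN: 'cn=a+sn=b'
            attr_type, _, value = avp.partition("=")
            pairs.append(f"{attr_type.strip().lower()}={trim(value).lower()}")
        rdns.append("+".join(sorted(pairs)))  # order of values is insignificant
    return ",".join(rdns)


def same_principal(a: str, b: str) -> bool:
    """Case- and space-insensitive DN equality, as group lookup should use it."""
    return normalize_dn(a) == normalize_dn(b)


# Constructed sample: the LDAP principal and the group member from the comment.
LDAP_PRINCIPAL = "cn=integration-TeSt1, ou=users, dc=qpid, dc=org"
GROUP_MEMBER = "cn=integration-test1,ou=users,dc=qpid,dc=org"
```

With raw string comparison the two constants differ, so the user would never receive the "bar" group principal; with `same_principal` they match, which is the behaviour the group lookup and ACL identity matching both need.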



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
