Hi, I was able to reproduce the issue described. JIRA QPID-8623 was created: https://issues.apache.org/jira/browse/QPID-8623
Kind regards, Daniil Kirilyuk On Tue, 14 Feb 2023 at 22:02, Bryan Dixon <br...@bldixon.net> wrote: > > I am working on installing Qpid Broker-J 9.0.0 on Windows. I'm using this > Java 11 version: > IMPLEMENTOR="Eclipse Adoptium" > IMPLEMENTOR_VERSION="Temurin-11.0.18+10" > JAVA_VERSION="11.0.18" > JAVA_VERSION_DATE="2023-01-17" > FULL_VERSION="11.0.18+10" > JVM_VARIANT="Hotspot" > > I am wanting to utilize SimpleLDAP for an AuthenticationProvider to our > ActiveDirectory environment. I'm currently just testing with the HTTP(s) > Port to make sure I have it configured correctly. Anyway, I appear to have > everything working just fine including referencing AD groups in the > RulesBased ACLs. However, I want to utilize Broker-J's AESKeyFile > encryption to encrypt the LDAP Search password. > > I made a copy of my qpid work area that was working correctly with SimpleLDAP > and deleted it to start the configuration over. But this time I enabled the > Broker AESKeyFile encryption up front before I configured SimpleLDAP. I > also restarted the broker after I enabled encryption and before I continued > the configuration. I used the exact same configuration settings in this new > work area and now authentication always fails. The error message being > logged is: > > 2023-02-14T20:58:22,270Z WARN [qtp453021524-123] > (o.a.q.s.s.a.m.SimpleLDAPAuthenticationManagerImpl) - Retrieving LDAP name > for user 'xxxxxx' resulted in error. > javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: > LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563 > ] > at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3259) > at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205) > at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2991) > at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2905) > at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348) > at > java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:266) > at > java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:226) > at > java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:284) > at > java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:185) > at > java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:115) > at > java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730) > at > java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) > at java.naming/javax.naming.InitialContext.init(InitialContext.java:236) > at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208) > at > java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) > at > org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.lambda$createInitialDirContext$2(SimpleLDAPAuthenticationManagerImpl.java:602) > at java.base/java.security.AccessController.doPrivileged(Native Method) > at java.base/javax.security.auth.Subject.doAs(Subject.java:423) > at > org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.invokeContextOperationAs(SimpleLDAPAuthenticationManagerImpl.java:796) > at > org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.createInitialDirContext(SimpleLDAPAuthenticationManagerImpl.java:602) > > > I'm wondering if AESKeyFile encryption might not be working correctly with > SimpleLDAP - perhaps the encrypted password (the password is encrypted in the > config.json file) isn't being decrypted before LDAP is checked? > > Thanks > Bryan --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org For additional commands, e-mail: users-h...@qpid.apache.org