Thank you for creating the issue. I'll add a few comments to it in case
they prove helpful.

On Tue, Feb 21, 2023 at 7:17 AM Daniil Kirilyuk <daniel.kiril...@gmail.com>
wrote:

> Hi,
>
> JIRA QPID-8625 was created:
>
> https://issues.apache.org/jira/browse/QPID-8625
>
> Kind regards,
> Daniil Kirilyuk
>
>
> On Fri, Feb 10, 2023, 08:23 Daniil Kirilyuk <daniel.kiril...@gmail.com>
> wrote:
>
> > Hi,
> >
> > The LDAP authentication in qpid-broker-j is performed by
> > SimpleLDAPAuthenticationManagerImpl, which first tries to find the
> > user using the supplied search value and then performs an LDAP bind using
> > the DN found. The full DN is used as the principal name after that. There
> > is a flag "isBindWithoutSearch", but when set to true it would require
> > supplying the full DN as the username (and wouldn't solve the ACL rules
> > issue).
> >
> > I would say the current implementation doesn't support the desired
> > behavior. You could create a JIRA for this issue.
> >
> > Kind regards,
> > Daniil Kirilyuk
> >
> > On Wed, 8 Feb 2023 at 23:02, Dan Langford <danlangf...@gmail.com> wrote:
> > >
> > > We are upgrading some very old qpid servers in the enterprise (6.0.8) and
> > > we use LDAP authentication. Where I might have a current ACL entry like
> > > this:
> > >
> > > ACL ALLOW danlangford ALL
> > >
> > > I'm finding in QPID 6.1-9.0 I am needing the rule to look like this:
> > >
> > > ACL ALLOW "cn=danlangford,ou=000,ou=People,o=MyEnterprise" ALL
> > >
> > > Now in the above example I can still authenticate over HTTP or AMQP with
> > > the user "danlangford" and I see a log message
> > > Found 'danlangford' DN 'cn=danlangford,ou=000,ou=People,o=MyEnterprise'
> > > but my ACLs are now going to be much more verbose, and problematic (see
> > > below), if they have to contain the full DN.
> > >
> > > This is particularly problematic in my enterprise because our identity
> > > team has partitioned out all the users. See the "ou=000" (I happen to be
> > > in the first partition). So as it stands we will need to update our ACLs
> > > and go look up the full DN for each user manually to put into the ACL.
> > > And my identity team said that there is no guarantee that the partition
> > > won't change for some reason in the future and they encourage all systems
> > > to search for a user (cn=username) with search context of
> > > ou=People,o=MyEnterprise.
> > >
> > > Is there a way to configure the prior behavior that allowed just the
> > > username in the ACL?
> >
>

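To make the mismatch discussed in the thread concrete, here is a small added example (written for this thread, not code from qpid-broker-j) that models the broker's behaviour as described above: after search-then-bind, the principal name is the full DN, so an ACL rule naming only the short login name never matches. The example parses the two ACL lines quoted in the thread, evaluates them against a constructed DN principal, and shows what a "match on the leading RDN" option would have to do. The function names, the first-match evaluation order and the sample DN are assumptions for illustration only.

```python
import shlex
from typing import List, Optional, Tuple

# Constructed sample: the two ACL rules quoted in the thread.
ACL_RULES = [
    'ACL ALLOW danlangford ALL',
    'ACL ALLOW "cn=danlangford,ou=000,ou=People,o=MyEnterprise" ALL',
]

# Constructed sample: the principal name the broker uses after search-then-bind,
# i.e. the full DN found for the login name "danlangford".
LDAP_PRINCIPAL = "cn=danlangford,ou=000,ou=People,o=MyEnterprise"


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, honouring backslash-escaped commas."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    result = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        result.append((attr.strip().lower(), value.strip()))
    return result


def short_name(principal: str) -> str:
    """Return the value of the leading RDN (e.g. the cn) of a DN.

    A principal that is not a DN (no attribute=value form) is returned unchanged.
    """
    if "=" not in principal:
        return principal
    return split_dn(principal)[0][1]


def parse_rules(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'ACL <ALLOW|DENY> <identity> <operation>' lines into tuples.

    shlex handles the double-quoted DN so embedded commas stay in one token.
    """
    rules = []
    for line in lines:
        tokens = shlex.split(line)
        if len(tokens) < 4 or tokens[0].upper() != "ACL":
            continue  # not an ACL rule line; ignore (assumed behaviour)
        rules.append((tokens[1].upper(), tokens[2], tokens[3].upper()))
    return rules


def evaluate(rules: List[Tuple[str, str, str]], principal: str,
             operation: str = "ALL", *, match_short_name: bool = False) -> Optional[str]:
    """First-match evaluation: returns 'ALLOW', 'DENY', or None if no rule matches.

    With match_short_name=False the identity must equal the principal exactly,
    which is the behaviour the thread describes (full DN required).  With
    match_short_name=True the leading RDN value is also accepted as an identity.
    """
    candidates = {principal}
    if match_short_name:
        candidates.add(short_name(principal))
    for verb, identity, op in rules:
        if identity in candidates and op in ("ALL", operation):
            return verb
    return None


if __name__ == "__main__":
    rules = parse_rules(ACL_RULES)
    print("short-name rule vs DN principal:", evaluate(rules[:1], LDAP_PRINCIPAL))
    print("full-DN rule vs DN principal:   ", evaluate(rules[1:], LDAP_PRINCIPAL))
    print("short-name rule, RDN matching:  ",
          evaluate(rules[:1], LDAP_PRINCIPAL, match_short_name=True))
```

Running it shows the first rule returning no decision against the DN principal while the second returns ALLOW; only with the hypothetical RDN-matching option does the short rule match. The caveat a reviewer would raise against such an option is visible in `short_name`: collapsing a DN to its cn discards the partition (`ou=000`), so two distinct entries under different organizational units with the same cn would satisfy the same ACL rule. Keying ACLs on the full DN, as the current broker does, avoids that ambiguity at the cost of the verbosity and maintenance burden described in the thread.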