Posted to dev@activemq.apache.org by Justin Bertram <jb...@apache.org> on 2022/09/01 01:39:31 UTC

Re: Issue masking LDAP password in login.config

Any feedback here? Did your user get this sorted out?


Justin

On Tue, Aug 16, 2022 at 11:51 AM Justin Bertram <jb...@apache.org> wrote:

> > ...is there any other known restriction to masking passwords that might
> > not be obvious or well documented?
>
> I'm not aware of any restrictions for masked passwords. If it can be put
> into a Java String then it can be masked and unmasked. The default masking
> & unmasking algorithms work directly with byte[] so there are no real
> restrictions.
>
> The "artemis mask" command spits out the masked password, but it still
> needs to be wrapped in "ENC()" to be detected properly in login.config. In
> the other thread I pasted a link to the ActiveMQ Artemis test-suite which
> demonstrates how to configure the password. Is the user doing this properly?
>
>
> Justin
>
> On Tue, Aug 16, 2022 at 10:53 AM Andrew Pomponio <AP...@perforce.com>
> wrote:
>
>> Hello Artemis Devs,
>> I originally opened a ticket with the users mailing list to discuss the
>> following issue:
>> https://lists.apache.org/thread/6ptmpln9wfysv07v3ncdxkd2c99glh9t
>>
>> TL;DR: a user is attempting to mask their password in login.config and
>> when they attempt to authenticate against LDAP, they get an authentication
>> error.
>>
>> We’ve reviewed the idea that they could be using a password with
>> unsupported characters and spaces, but we’re attempting to explore other
>> options as well. Artemis is logging the following error:
>> 2022-07-19 11:26:08,144 ERROR [org.apache.activemq.artemis.core.server]
>> AMQ224084: Failed to open context: javax.naming.AuthenticationException:
>> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment:
>> AcceptSecurityContext error, data 52e, v4563]
>>
>> Aside from the special characters and spaces theory, is there any other
>> known restriction to masking passwords that might not be obvious or well
>> documented? They have tested the password in plaintext so it does work that
>> way, it’s just the masking of it that does not work. If it matters at all,
>> the user is using pre-built container images for artemis that run on Debian
>> 10 and Java 11. We’re attempting to get debug logs for
>> org.apache.activemq.artemis.spi.core.security.jaas from the user, and we’ve
>> also sent them our own working example main.java file to demonstrate to
>> them how password masking “should” work. The purpose of this was to make
>> sure the password is hardcoded in the main.java file and matches the output
>> of a java code snippet. We are also attempting to verify if they’re
>> implementing TLS over LDAP as well to see if that’s adding any overhead
>> complications. Any additional insight is greatly appreciated. Thanks!
>>
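
The two checks discussed in this thread, as an added example (not code from the thread or from the ActiveMQ Artemis project): it flags password options in a login.config whose value is not wrapped in ENC(), and decodes the Active Directory sub-code ("data 52e") in the quoted LDAP error. The config text, host, DN and masked value are constructed placeholders, and the sub-code table lists the standard Active Directory bind-failure codes, which the thread itself does not spell out.

```python
import re

# Constructed login.config; host, DN and masked value are placeholders.
SAMPLE_LOGIN_CONFIG = """
activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
      connectionURL="ldap://ldap.example.test:389"
      connectionUsername="CN=svc-artemis,DC=example,DC=test"
      connectionPassword="3a34fd21b82bf2a8"
      authentication=simple;
};
"""

# The error line quoted in the thread, joined onto one line.
SAMPLE_LOG = ("AMQ224084: Failed to open context: javax.naming.AuthenticationException: "
              "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: "
              "AcceptSecurityContext error, data 52e, v4563]")

# Active Directory bind-failure sub-codes (hex) reported after "data".
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}

# name=value pairs whose name ends in "password"; value quoted or bare.
OPTION_RE = re.compile(r'^\s*(\w*[Pp]assword)\s*=\s*(?:"([^"]*)"|([^\s;"]+))', re.M)
ENC_RE = re.compile(r"ENC\(.+\)")

def classify_passwords(config_text):
    """Map each password option to 'masked' (ENC(...) wrapped) or 'unwrapped'."""
    found = {}
    for name, quoted, bare in OPTION_RE.findall(config_text):
        value = quoted or bare
        found[name] = "masked" if ENC_RE.fullmatch(value) else "unwrapped"
    return found

def ad_bind_failure(log_line):
    """Return (ldap_code, sub_code, meaning) from an AD bind error, else None."""
    m = re.search(r"LDAP: error code (\d+)\b.*?\bdata ([0-9a-fA-F]+)\b", log_line)
    if m is None:
        return None
    sub = m.group(2).lower()
    return int(m.group(1)), sub, AD_SUBCODES.get(sub, "unknown sub-code")

if __name__ == "__main__":
    print(classify_passwords(SAMPLE_LOGIN_CONFIG))
    print(ad_bind_failure(SAMPLE_LOG))
```

An `unwrapped` value is one that will not be detected as masked, which is the first thing to rule out when the same password works in plaintext.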