Posted to issues@activemq.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2019/08/26 03:58:00 UTC

[jira] [Commented] (ARTEMIS-2433) Support LDAP role mapping of SASL EXTERNAL credentials

    [ https://issues.apache.org/jira/browse/ARTEMIS-2433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16915456#comment-16915456 ] 

ASF subversion and git services commented on ARTEMIS-2433:
----------------------------------------------------------

Commit b20c2593e99fc6de384af64554ae8266b3323998 in activemq-artemis's branch refs/heads/master from gtully
[ https://gitbox.apache.org/repos/asf?p=activemq-artemis.git;h=b20c259 ]

ARTEMIS-2433 add ExternalCertificateLoginModule to surface a SASL EXTERNAL identity (subjectDN) to JAAS.


> Support LDAP role mapping of SASL EXTERNAL credentials
> ------------------------------------------------------
>
>                 Key: ARTEMIS-2433
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2433
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: AMQP, Broker
>    Affects Versions: 2.9.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>              Labels: AMQP, LDAP, SASL
>             Fix For: 2.10.0
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> Currently the textcertificate login module must be used with SASL EXTERNAL. There is no other way to do authorisation and role assignment.
> However, a validated TLS certificate subject DN is a valid identity, in the same way as a Kerberos token identity. If we provide a login module that will populate a subject principal with the subject DN, it will be possible to chain with the LDAPLoginModule and have LDAP used for role assignment. In LDAP, the CERT subjectDN just needs to be added as a member to any existing role definition.
> LDAPLoginModule can be configured to not authenticate, not lookup the user and *just* do role assignment.
> authenticateUser=false and default/empty userSearchMatching
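As an added illustration of the chain the description proposes (this is constructed example configuration, not code from the ticket or the Artemis project): a JAAS login.config in which ExternalCertificateLoginModule surfaces the SASL EXTERNAL subjectDN and LDAPLoginModule does role assignment only. The package of ExternalCertificateLoginModule is assumed to match LDAPLoginModule's, and the LDAP URL, bind DN, password and base DNs are placeholders.

```conf
// Constructed example login.config. The client's validated TLS certificate
// subjectDN becomes the JAAS principal; LDAP is consulted only for roles.
activemq {
    // Surfaces the SASL EXTERNAL identity (certificate subjectDN) as the user
    // principal. Package name is an assumption (same package as LDAPLoginModule).
    org.apache.activemq.artemis.spi.core.security.jaas.ExternalCertificateLoginModule required;

    // Role assignment from LDAP: no bind as the user, no user lookup.
    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule optional
        debug=false
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL="ldap://ldap.example.invalid:389"                       // placeholder
        connectionUsername="cn=mqbroker,ou=services,dc=example,dc=invalid"   // placeholder
        connectionPassword="CHANGE_ME"                                        // placeholder
        authentication=simple
        // Do not authenticate the user against LDAP; the TLS handshake already did.
        authenticateUser=false
        // userSearchMatching is deliberately left unset (default/empty), so the
        // principal name, i.e. the certificate subjectDN, is used as-is for {0}.
        roleBase="ou=roles,dc=example,dc=invalid"                             // placeholder
        roleName=cn
        roleSearchMatching="(member={0})"
        roleSearchSubtree=true
        ;
};
```

Each role entry under roleBase must carry the certificate subjectDN as a literal member value, matching the string the broker derives from the certificate exactly; a client whose subjectDN appears in no role entry authenticates but receives no roles.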



--
This message was sent by Atlassian Jira
(v8.3.2#803003)