You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@karaf.apache.org by "Jonathan Anstey (JIRA)" <ji...@apache.org> on 2013/10/28 18:42:32 UTC

[jira] [Resolved] (KARAF-2529) Use connection credentials when searching for roles in LDAP

     [ https://issues.apache.org/jira/browse/KARAF-2529?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Anstey resolved KARAF-2529.
------------------------------------

       Resolution: Fixed
    Fix Version/s: 2.3.4
                   3.0.0
                   2.4.0

> Use connection credentials when searching for roles in LDAP
> -----------------------------------------------------------
>
>                 Key: KARAF-2529
>                 URL: https://issues.apache.org/jira/browse/KARAF-2529
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 2.3.3
>            Reporter: Jonathan Anstey
>             Fix For: 2.4.0, 3.0.0, 2.3.4
>
>
> Currently when you specify connection.username and connection.password, the LDAP module correctly uses these credentials when searching for a Karaf user, it then checks the Karaf user's password by doing a bind. Now when the LDAP module searches for roles for this user it doesn't switch back to using the provided connection credentials but reuses the Karaf user credentials added during the bind. It should be using the connection credentials for the role search just like the user search. Proposed fix:
> {code}
> diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
> index f6637b7..37afcea 100644
> --- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
> +++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
> @@ -225,6 +225,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
>          // step 2: bind the user using the DN
>          context = null;
>          try {
> +            // switch the credentials to the Karaf login user so that we can verify his password is correct
>              logger.debug("Bind user (authentication).");
>              env.put(Context.SECURITY_AUTHENTICATION, authentication);
>              logger.debug("Set the security principal for " + userDN + "," + userBaseDN);
> @@ -251,6 +252,12 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
>          context = null;
>          try {
>              logger.debug("Get user roles.");
> +            // switch back to the connection credentials for the role search like we did for the user search in step 1 
> +            if (connectionUsername != null && connectionUsername.trim().length() > 0) {
> +                env.put(Context.SECURITY_AUTHENTICATION, authentication);
> +                env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
> +                env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
> +            }
>              context = new InitialDirContext(env);
>              SearchControls controls = new SearchControls();
>              if (roleSearchSubtree) {
> {code}
> I'll push the commit once I get my karma set up if there are no objections to the fix :-)



--
This message was sent by Atlassian JIRA
(v6.1#6144)