Posted to issues@karaf.apache.org by "Charles Moulliard (JIRA)" <ji...@apache.org> on 2010/12/05 17:44:10 UTC

[jira] Created: (KARAF-310) Add LDAP JAAS module

Add LDAP JAAS module
--------------------

                 Key: KARAF-310
                 URL: https://issues.apache.org/jira/browse/KARAF-310
             Project: Karaf
          Issue Type: New Feature
            Reporter: Charles Moulliard
             Fix For: 2.2.0




-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Closed: (KARAF-310) Add LDAP JAAS module

Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/KARAF-310?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet closed KARAF-310.
---------------------------------

    Resolution: Duplicate





[jira] Reopened: (KARAF-310) Add LDAP JAAS module

Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/KARAF-310?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet reopened KARAF-310:
-----------------------------------

      Assignee:     (was: Charles Moulliard)

We need to rewrite the current ldap login module to support:
  * our role based discovery policy
  * password encryption
  * a backing engine for the new jaas commands

Note that the first two points are done by inheriting AbstractKarafLoginModule.
  





[jira] Resolved: (KARAF-310) Add LDAP JAAS module

Posted by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/KARAF-310?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré resolved KARAF-310.
----------------------------------------

    Resolution: Duplicate

Duplicate of KARAF-307.

I will commit it tomorrow.





[jira] Commented: (KARAF-310) Add LDAP JAAS module

Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/KARAF-310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12973425#action_12973425 ] 

Guillaume Nodet commented on KARAF-310:
---------------------------------------

So I think logging the exception is fine as long as the credentials can never appear in the log (at any level).





[jira] Commented: (KARAF-310) Add LDAP JAAS module

Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/KARAF-310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12969333#action_12969333 ] 

Guillaume Nodet commented on KARAF-310:
---------------------------------------

It has been considered a security breach at all log levels. So currently, you need to remote debug and put a breakpoint where the exception is caught ...





[jira] Assigned: (KARAF-310) Add LDAP JAAS module

Posted by "Charles Moulliard (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/KARAF-310?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Charles Moulliard reassigned KARAF-310:
---------------------------------------

    Assignee: Charles Moulliard





[jira] Commented: (KARAF-310) Add LDAP JAAS module

Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/KARAF-310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12969320#action_12969320 ] 

Guillaume Nodet commented on KARAF-310:
---------------------------------------

This is on purpose so as not to log any security-related things. Some users have asked to remove all those logs to not create security breaches.





[jira] Commented: (KARAF-310) Add LDAP JAAS module

Posted by "Charles Moulliard (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/KARAF-310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12969319#action_12969319 ] 

Charles Moulliard commented on KARAF-310:
-----------------------------------------

Additional point:

When an LDAP error occurs during communication with the server, the error message received is not propagated back to the authenticate method (authenticate(String username, String password)) of the LDAP login module, so it is not possible to see what happens. Instead, a generic LDAP exception is generated, and it is really difficult to see whether the error comes from an issue with the username/password, the role, or the syntax used to search the LDAP server.

{code}
javax.security.auth.login.LoginException: LDAP Error
	at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.login(LDAPLoginModule.java:119)
	at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[karaf-jaas-boot.jar:]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)[:1.6.0_22]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)[:1.6.0_22]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)[:1.6.0_22]
	at java.lang.reflect.Method.invoke(Method.java:597)[:1.6.0_22]
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)[:1.6.0_22]
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)[:1.6.0_22]
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)[:1.6.0_22]
	at java.security.AccessController.doPrivileged(Native Method)[:1.6.0_22]
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)[:1.6.0_22]
	at javax.security.auth.login.LoginContext.login(LoginContext.java:579)[:1.6.0_22]
	at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:203)[88:org.eclipse.jetty.plus:7.1.6.v20100715]
	at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:75)[68:org.eclipse.jetty.security:7.1.6.v20100715]
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:416)[68:org.eclipse.jetty.security:7.1.6.v20100715]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)[67:org.eclipse.jetty.server:7.1.6.v20100715]
	at org.eclipse.jetty.server.Server.handle(Server.java:347)[67:org.eclipse.jetty.server:7.1.6.v20100715]
	at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:594)[67:org.eclipse.jetty.server:7.1.6.v20100715]
	at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1042)[67:org.eclipse.jetty.server:7.1.6.v20100715]
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:549)[63:org.eclipse.jetty.http:7.1.6.v20100715]
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)[63:org.eclipse.jetty.http:7.1.6.v20100715]
	at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)[67:org.eclipse.jetty.server:7.1.6.v20100715]
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:506)[62:org.eclipse.jetty.io:7.1.6.v20100715]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)[61:org.eclipse.jetty.util:7.1.6.v20100715]
	at java.lang.Thread.run(Thread.java:680)[:1.6.0_22]
Caused by: javax.security.auth.login.FailedLoginException
	at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.login(LDAPLoginModule.java:114)

{code}


So it is not possible to log this info, for example:

{code}
[LDAP: error code 80 - OTHER: failed for     SearchRequest
        baseDn : 'ou=groups,ou=system'
        filter : '(2.5.4.31-false-EXTENSIBLE-null-'0x75 0x69 0x64 0x3D 0x6A 0x64 0x6F 0x65 ':[9223372036854775807])'
        scope : whole subtree
        typesOnly : false
        Size Limit : no limit
        Time Limit : no limit
        Deref Aliases : deref Always
        attributes : 
: N O T   I M P L E M E N T E D   Y E T !]
{code}

This should be improved.





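The behaviour the thread converges on (callers keep seeing the generic "LDAP Error", the real NamingException is chained as the cause for the debugger, and its server diagnostic is logged at debug level only after the password has been scrubbed), shown as an added illustration that is not Karaf's LDAPLoginModule code; the class, the method names and the sample diagnostic are constructed for this example, and java.util.logging FINE stands in for the DEBUG level discussed above.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.NamingException;
import javax.security.auth.login.LoginException;

/** Constructed example (not Karaf code): keep LDAP diagnostics for debugging without leaking credentials. */
public class LdapFailureReporting {

    private static final Logger LOG = Logger.getLogger(LdapFailureReporting.class.getName());

    /**
     * Wraps the LDAP failure into the generic LoginException callers already see ("LDAP Error"),
     * chains the NamingException as cause so the real reason (bad DN, filter syntax, server
     * error code) survives for whoever debugs, and logs the server message at FINE (debug)
     * after scrubbing the password, so the credential cannot reach the log at any level.
     */
    static LoginException reportFailure(NamingException cause, String user, char[] password) {
        // Server diagnostics look like "[LDAP: error code 80 - OTHER: failed for SearchRequest ...]"
        String detail = cause.getMessage() == null ? cause.getClass().getName() : cause.getMessage();
        String safeDetail = scrub(detail, password);
        if (LOG.isLoggable(Level.FINE)) {
            LOG.log(Level.FINE, "LDAP login failed for user " + user + ": " + safeDetail);
        }
        LoginException le = new LoginException("LDAP Error"); // unchanged message for callers
        le.initCause(cause);                                  // full detail reachable via getCause()
        return le;
    }

    /** Replaces every occurrence of the secret in the message with a fixed marker. */
    static String scrub(String message, char[] secret) {
        if (message == null || secret == null || secret.length == 0) {
            return message;
        }
        return message.replace(new String(secret), "[REDACTED]");
    }

    public static void main(String[] args) {
        // Constructed diagnostic modelled on the one quoted in the thread; the secret is put into
        // it on purpose so the scrub has something to remove (no LDAP server is needed).
        NamingException ne = new NamingException(
            "[LDAP: error code 80 - OTHER: failed for SearchRequest baseDn : 'ou=groups,ou=system' "
            + "filter : '(member=uid=jdoe,ou=people,ou=system)' bind secret : 's3cret']");
        char[] password = "s3cret".toCharArray();
        LoginException le = reportFailure(ne, "jdoe", password);
        System.out.println("caller sees: " + le.getMessage());
        System.out.println("debugger sees: " + le.getCause().getMessage());
        System.out.println("log line contains secret: " + scrub(ne.getMessage(), password).contains("s3cret"));
    }
}
```

Run with the logger set to FINE to see the scrubbed line; at the default level nothing about the LDAP failure is written, which matches the "log only in DEBUG mode" request in the thread.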


[jira] Commented: (KARAF-310) Add LDAP JAAS module

Posted by "Charles Moulliard (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/KARAF-310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12969322#action_12969322 ] 

Charles Moulliard commented on KARAF-310:
-----------------------------------------

I agree with the user remark, but it should be possible to have the information in DEBUG mode.


