Posted to issues@activemq.apache.org by "Urs Roesch (Jira)" <ji...@apache.org> on 2020/08/21 17:13:00 UTC

[jira] [Closed] (ARTEMIS-2884) JAAS LDAPLoginModule does not accept '%' in connectionPassword

     [ https://issues.apache.org/jira/browse/ARTEMIS-2884?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Urs Roesch closed ARTEMIS-2884.
-------------------------------
    Resolution: Not A Problem

Silly me, when wrapping it in double quotes it works.
 {{connectionPassword="Top%Secret"}} (/)

> JAAS LDAPLoginModule does not accept '%' in connectionPassword
> --------------------------------------------------------------
>
>                 Key: ARTEMIS-2884
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2884
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 2.13.0, 2.14.0
>         Environment: Artemis Version tested: 2.13, 214
> Operating System: CentOS Linux release 8.2.2004 (Core)
> Java Version: OpenJDK 64-Bit Server VM 18.9 (build 11.0.8+10-LTS, mixed mode, sharing)
> LDAP Server: Samba 4.7.6 on Ubuntu 18.04
>            Reporter: Urs Roesch
>            Priority: Minor
>
> The JAAS LDAPLoginModule throws a configuration error when the {{connectionPassword}} contains a percentage sign ({{%}}). Below are the configuration directives for login.config and the excerpts from the artemis.log files for both the non-working and working configuration. The only difference is the change of character 4 in the password from percent (%) to dot (.) on line 6 of the {{login.config}} file.
> h4. Non-working configuration
> {code:java|title=non-working login.config}
> activemq {
>    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
>       initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>       connectionURL="ldap://192.168.xxx.xxxx:389"
>       connectionUsername="CN=artemis,OU=Users,DC=sample,DC=ch"
>       connectionPassword=Top%Secret
>       connectionProtocol=s
>       authentication=simple
>       userBase="OU=Users,DC=sample,DC=ch"
>       userSearchMatching="(CN={0})"
>       userSearchSubtree=true
>       roleBase="ou=Groups,dc=sample,dc=ch"
>       roleName=cn
>       roleSearchMatching="(member={0})"
>       roleSearchSubtree=true
>       debug=true;
> }
> {code}
> {code:java|title=error in artemis.log}
> 2020-08-21 09:29:49,964 ERROR [org.apache.activemq.artemis.core.server] AMQ224018: Failed to create session: java.lang.SecurityException: java.io.IOException: Configuration Error:
>         Line 6: expected [option key], found [null]                                                                                                                                                        
>         at java.base/sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137) [java.base:]                                                                                                         
>         at java.base/sun.security.provider.ConfigFile.<init>(ConfigFile.java:102) [java.base:]                                                                                                             
>         at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [java.base:]                                                                                           
>         at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) [java.base:]                                                                    
>         at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [java.base:]                                                            
>         at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490) [java.base:]    
>         at java.base/java.lang.Class.newInstance(Class.java:584) [java.base:]                        
>         at java.base/javax.security.auth.login.Configuration$2.run(Configuration.java:255) [java.base:]                                                                                                    
>         at java.base/javax.security.auth.login.Configuration$2.run(Configuration.java:246) [java.base:]                                                                                                    
>         at java.base/java.security.AccessController.doPrivileged(Native Method) [java.base:]         
>         at java.base/javax.security.auth.login.Configuration.getConfiguration(Configuration.java:245) [java.base:]                                                                                         
>         at java.base/javax.security.auth.login.LoginContext$1.run(LoginContext.java:242) [java.base:]
>         at java.base/javax.security.auth.login.LoginContext$1.run(LoginContext.java:240) [java.base:]
>         at java.base/java.security.AccessController.doPrivileged(Native Method) [java.base:]         
>         at java.base/javax.security.auth.login.LoginContext.init(LoginContext.java:240) [java.base:] 
>         at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:501) [java.base:]                                                                                                     
>         at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:195) [artemis-server-2.14.0.jar:2.14.0]                      
>         at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.validateUser(ActiveMQJAASSecurityManager.java:100) [artemis-server-2.14.0.jar:2.14.0]                                 
>         at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:146) [artemis-server-2.14.0.jar:2.14.0]                                                    
>         at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1538) [artemis-server-2.14.0.jar:2.14.0]                                                  
>         at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handleCreateSession(ActiveMQPacketHandler.java:173) [artemis-server-2.14.0.jar:2.14.0]                                
>         at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handlePacket(ActiveMQPacketHandler.java:95) [artemis-server-2.14.0.jar:2.14.0]                                        
>         at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.handlePacket(ChannelImpl.java:720) [artemis-core-client-2.14.0.jar:2.14.0]                                                      
>         at org.apache.activemq.artemis.core.protocol.core.impl.RemotingConnectionImpl.doBufferReceived(RemotingConnectionImpl.java:408) [artemis-core-client-2.14.0.jar:2.14.0]                            
>         at org.apache.activemq.artemis.core.protocol.core.impl.RemotingConnectionImpl.bufferReceived(RemotingConnectionImpl.java:385) [artemis-core-client-2.14.0.jar:2.14.0]                              
>         at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:667) [artemis-server-2.14.0.jar:2.14.0]               
>         at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73) [artemis-core-client-2.14.0.jar:2.14.0]                                 
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-all-4.1.48.Final.jar:4.1.48.Final]                                              
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-all-4.1.48.Final.jar:4.1.48.Final]                                              
>         at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.1.48.Final.jar:4.1.48.Final]                                                
>         at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:321) [netty-all-4.1.48.Final.jar:4.1.48.Final]                                                            
>         at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:295) [netty-all-4.1.48.Final.jar:4.1.48.Final]                                                                
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-all-4.1.48.Final.jar:4.1.48.Final]                                              
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-all-4.1.48.Final.jar:4.1.48.Final]                                              
>         at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.1.48.Final.jar:4.1.48.Final]                                                
>         at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-all-4.1.48.Final.jar:4.1.48.Final]                                                     
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-all-4.1.48.Final.jar:4.1.48.Final]                                              
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-all-4.1.48.Final.jar:4.1.48.Final]
>         at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-all-4.1.48.Final.jar:4.1.48.Final]
>         at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:792) [netty-all-4.1.48.Final.jar:4.1.48.Final]
>         at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:475) [netty-all-4.1.48.Final.jar:4.1.48.Final]
>         at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378) [netty-all-4.1.48.Final.jar:4.1.48.Final]
>         at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-all-4.1.48.Final.jar:4.1.48.Final]
>         at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-all-4.1.48.Final.jar:4.1.48.Final]
>         at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118) [artemis-commons-2.14.0.jar:2.14.0]
> Caused by: java.io.IOException: Configuration Error:                                                                                                                                                       
>         Line 6: expected [option key], found [null]                                                                                                                                                        
>         at java.base/sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:665) [java.base:]                       
>         at java.base/sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:578) [java.base:]                                                                                                          
>         at java.base/sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:476) [java.base:]
>         at java.base/sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:426) [java.base:]
>         at java.base/sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329) [java.base:]                                                                                                           
>         at java.base/sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271) [java.base:] 
>         at java.base/sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135) [java.base:]                                                                                                         
>         ... 44 more           
> {code}
> h4. Working configuration
> The only change is the percent on line 6 ({{connectionPassword}}) was changed to a dot. Not shown here, the password was changed on the LDAP side.
> {code:java|title=working login.conf}
> activemq {
>    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
>       initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>       connectionURL="ldap://192.168.xxx.xxx:389"
>       connectionUsername="CN=artemis,OU=Users,DC=sample,DC=ch"
>       connectionPassword=Top.Secret
>       connectionProtocol=s
>       authentication=simple
>       userBase="OU=Users,DC=sample,DC=ch"
>       userSearchMatching="(CN={0})"
>       userSearchSubtree=true
>       roleBase="ou=Groups,dc=sample,dc=ch"
>       roleName=cn
>       roleSearchMatching="(member={0})"
>       roleSearchSubtree=true
>       debug=true;
> }
> {code}
> {code: title = artemis.log}
> 2020-08-20 18:00:58,098 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Create the LDAP initial context.
> 2020-08-20 18:00:58,100 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Referral handling: ignore                                       
> 2020-08-20 18:00:58,122 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get the user DN.
> 2020-08-20 18:00:58,122 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user in LDAP with       
> 2020-08-20 18:00:58,122 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   base DN: OU=Users,DC=sample,DC=ch 
> 2020-08-20 18:00:58,122 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   filter: (CN=admin_queue)                                
> 2020-08-20 18:00:58,123 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] LDAP returned a relative name: CN=admin_queue
> 2020-08-20 18:00:58,124 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Using DN [CN=admin_queue,OU=Users,DC=sample,DC=ch] for binding.
> 2020-08-20 18:00:58,124 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Binding the user.
> 2020-08-20 18:00:58,139 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] User CN=admin_queue,OU=Users,DC=sample,DC=ch successfully bound.
> 2020-08-20 18:00:58,139 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get user roles.
> 2020-08-20 18:00:58,139 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user roles in LDAP with 
> 2020-08-20 18:00:58,139 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   base DN: ou=Groups,dc=sample,dc=ch
> 2020-08-20 18:00:58,139 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   filter: (member=CN=admin_queue,OU=Users,DC=sample,DC=ch)
> 2020-08-20 18:00:58,161 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Roles [amq_queue] for user admin_queue
> 2020-08-20 18:00:58,253 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Create the LDAP initial context.
> 2020-08-20 18:00:58,253 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Referral handling: ignore
> 2020-08-20 18:00:58,276 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get the user DN.
> 2020-08-20 18:00:58,276 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user in LDAP with 
> 2020-08-20 18:00:58,276 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   base DN: OU=Users,DC=sample,DC=ch
> 2020-08-20 18:00:58,276 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   filter: (CN=admin_queue)
> 2020-08-20 18:00:58,277 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] LDAP returned a relative name: CN=admin_queue
> 2020-08-20 18:00:58,277 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Using DN [CN=admin_queue,OU=Users,DC=sample,DC=ch] for binding.
> 2020-08-20 18:00:58,277 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Binding the user.
> 2020-08-20 18:00:58,294 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] User CN=admin_queue,OU=Users,DC=sample,DC=ch successfully bound.
> 2020-08-20 18:00:58,294 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get user roles.
> 2020-08-20 18:00:58,294 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user roles in LDAP with 
> 2020-08-20 18:00:58,294 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   base DN: ou=Groups,dc=sample,dc=ch
> 2020-08-20 18:00:58,294 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   filter: (member=CN=admin_queue,OU=Users,DC=sample,DC=ch)
> 2020-08-20 18:00:58,317 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Roles [amq_queue] for user admin_queue
> 2020-08-20 18:00:58,325 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Create the LDAP initial context.
> 2020-08-20 18:00:58,325 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Referral handling: ignore
> 2020-08-20 18:00:58,360 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get the user DN.
> 2020-08-20 18:00:58,360 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user in LDAP with 
> 2020-08-20 18:00:58,360 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   base DN: OU=Users,DC=sample,DC=ch
> 2020-08-20 18:00:58,360 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   filter: (CN=admin_queue)
> 2020-08-20 18:00:58,362 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] LDAP returned a relative name: CN=admin_queue
> 2020-08-20 18:00:58,363 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Using DN [CN=admin_queue,OU=Users,DC=sample,DC=ch] for binding.
> 2020-08-20 18:00:58,363 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Binding the user.
> 2020-08-20 18:00:58,392 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] User CN=admin_queue,OU=Users,DC=sample,DC=ch successfully bound.
> 2020-08-20 18:00:58,393 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get user roles.
> 2020-08-20 18:00:58,393 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user roles in LDAP with 
> 2020-08-20 18:00:58,393 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   base DN: ou=Groups,dc=sample,dc=ch
> 2020-08-20 18:00:58,393 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   filter: (member=CN=admin_queue,OU=Users,DC=sample,DC=ch)
> 2020-08-20 18:00:58,423 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Roles [amq_queue] for user admin_queue
> 2020-08-20 18:00:58,511 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Create the LDAP initial context.
> 2020-08-20 18:00:58,511 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Referral handling: ignore
> 2020-08-20 18:00:58,539 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get the user DN.
> 2020-08-20 18:00:58,540 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user in LDAP with 
> 2020-08-20 18:00:58,540 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   base DN: OU=Users,DC=sample,DC=ch
> 2020-08-20 18:00:58,540 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   filter: (CN=admin_queue)
> 2020-08-20 18:00:58,541 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] LDAP returned a relative name: CN=admin_queue
> 2020-08-20 18:00:58,541 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Using DN [CN=admin_queue,OU=Users,DC=sample,DC=ch] for binding.
> 2020-08-20 18:00:58,541 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Binding the user.
> 2020-08-20 18:00:58,562 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] User CN=admin_queue,OU=Users,DC=sample,DC=ch successfully bound.
> 2020-08-20 18:00:58,562 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get user roles.                    
> 2020-08-20 18:00:58,562 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user roles in LDAP with 
> 2020-08-20 18:00:58,562 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   base DN: ou=Groups,dc=sample,dc=ch         
> 2020-08-20 18:00:58,562 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   filter: (member=CN=admin_queue,OU=Users,DC=sample,DC=ch)     
> 2020-08-20 18:00:58,585 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Roles [amq_queue] for user admin_queue
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
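
A pre-deployment check for the quoting pitfall resolved above, as an added example that is not part of the original message or of the Artemis project: it flags unquoted login.config option values containing characters outside a conservative bare-word set and rewrites them in double quotes, reporting only the key, line and offending characters so the secret itself never reaches a CI log. The function names, the one-option-per-line layout and the safe-character set are assumptions; the sample file is constructed from the report with a placeholder host name.

```python
import re

# Constructed sample mirroring the non-working file in the report; the host
# name is a placeholder. connectionPassword sits on line 6, as in the ticket.
SAMPLE = """\
activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connectionURL="ldap://ldap.example.test:389"
      connectionUsername="CN=artemis,OU=Users,DC=sample,DC=ch"
      connectionPassword=Top%Secret
      authentication=simple
      debug=true;
};
"""

# Assumption: one "key=value" option per line, optional trailing ';'.
OPTION = re.compile(r'^(\s*)([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*(;?)\s*$')
# A complete double-quoted value, allowing backslash escapes inside it.
QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# Assumption: conservative set of characters accepted in an unquoted value.
# Anything else (such as the '%' from the report) must be quoted.
BARE_OK = re.compile(r'[A-Za-z0-9._$*-]')


def lint(text):
    """Return (line_no, key, offending_chars) for each risky unquoted value.

    The value itself is never returned, so findings are safe to log.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = OPTION.match(line)
        if not m:
            continue  # entry name, module line or closing brace
        key, value = m.group(2), m.group(3)
        if QUOTED.fullmatch(value):
            continue  # properly quoted: special characters are fine
        bad = sorted({c for c in value if not BARE_OK.match(c)})
        if bad:
            findings.append((no, key, "".join(bad)))
    return findings


def quote_options(text):
    """Return the config with every flagged value wrapped in double quotes."""
    flagged = {no for no, _, _ in lint(text)}
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        if no in flagged:
            indent, key, value, semi = OPTION.match(line).groups()
            # Assumption: backslash escapes are honoured inside quotes.
            escaped = value.replace("\\", "\\\\").replace('"', '\\"')
            line = f'{indent}{key}="{escaped}"{semi}'
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, key, chars in lint(SAMPLE):
        print(f"line {no}: {key} is unquoted and contains {chars!r}")
    print(quote_options(SAMPLE), end="")
```
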