Posted to dev@qpid.apache.org by "Rob Godfrey (JIRA)" <ji...@apache.org> on 2012/05/18 22:35:06 UTC

[jira] [Created] (QPID-4010) [Java Broker] Add LDAP authentication support to the Java Broker

Rob Godfrey created QPID-4010:
---------------------------------

             Summary: [Java Broker] Add LDAP authentication support to the Java Broker
                 Key: QPID-4010
                 URL: https://issues.apache.org/jira/browse/QPID-4010
             Project: Qpid
          Issue Type: Improvement
          Components: Java Broker
            Reporter: Rob Godfrey
            Assignee: Rob Godfrey
            Priority: Minor
             Fix For: 0.17


Add support for LDAP based authentication rather than password based.

Initial efforts to simply support search for the dn based on the passed username, followed by "simple" authentication of that dn using the password supplied.

Given the fact that the password must be sent in the clear over the client <-> qpid broker connection for this to work, this authentication method should ONLY be used on SSL secured connections.

For LDAP servers that support SASL authentication we might in future be able to proxy the SASL exchange through the AMQP sasl mechanism.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


[jira] [Commented] (QPID-4010) [Java Broker] Add LDAP authentication support to the Java Broker

Posted by "Rob Godfrey (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-4010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13279175#comment-13279175 ] 

Rob Godfrey commented on QPID-4010:
-----------------------------------

Configuration of the SimpleLDAPAuthenticationManager is done as follows:

{code:xml}
    <security>
        <simple-ldap-auth-manager>
          <provider-url>ldaps://example.com:636/</provider-url>
          <search-context>dc=example\,dc=com</search-context>
          <search-filter>(uid={0})</search-filter>
        </simple-ldap-auth-manager>
    </security>
{code}

The authentication manager first connects to the ldap server anonymously and searches for the ldap entity which is identified by the username provided over SASL. Essentially the authentication manager calls [DirContext.search(Name name, String filterExpr, Object\[\] filterArgs, SearchControls cons)|http://docs.oracle.com/javase/7/docs/api/javax/naming/directory/DirContext.html#search%28javax.naming.Name,%20java.lang.String,%20java.lang.Object\[\],%20javax.naming.directory.SearchControls%29] with the values of search-context and search-filter as the first two arguments, and the username as the only element in the array which is the third argument.

If the search returns a name from the LDAP server, the AuthenticationManager then attempts to log in to the ldap server with the given name and the password.

If the URL to open for authentication is different to that for the search, then the authentication url can be overridden using <provider-auth-url> in addition to providing a <provider-url>.  Note that the URL used for authentication should use ldaps:// since passwords will be sent over it.

By default com.sun.jndi.ldap.LdapCtxFactory is used to create the context, however this can be overridden by specifying <ldap-context-factory> in the configuration.

> [Java Broker] Add LDAP authentication support to the Java Broker
> ----------------------------------------------------------------
>
>                 Key: QPID-4010
>                 URL: https://issues.apache.org/jira/browse/QPID-4010
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Rob Godfrey
>            Assignee: Rob Godfrey
>            Priority: Minor
>             Fix For: 0.17
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Add support for LDAP based authentication rather than password based.
> Initial efforts to simply support search for the dn based on the passed username, followed by "simple" authentication of that dn using the password supplied.
> Given the fact that the password must be sent in the clear over the client <-> qpid broker connection for this to work, this authentication method should ONLY be used on SSL secured connections.
> For LDAP servers that support SASL authentication we might in future be able to proxy the SASL exchange through the AMQP sasl mechanism.

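The search-then-bind flow that the issue and the comment above describe (anonymous search for the user's DN with the username substituted for {0}, then a "simple" bind as that DN with the supplied password), written out against JNDI as an added example. This is illustrative code, not the Qpid project's SimpleLDAPAuthenticationManager, and it needs a reachable LDAP server to run; the class name, method names and the example.com host are assumptions. It adds three checks the comment does not mention but that a practitioner deploying search-then-bind would want: an empty password is refused before any bind is attempted (a simple bind with a DN and a zero-length password is the "unauthenticated" mechanism of RFC 4513 section 5.1.2, and a server that allows it answers success while granting only anonymous rights), a search that matches more than one entry is treated as a failure, and the authentication URL is required to be ldaps://, as the comment recommends.

```java
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

/**
 * Search-then-bind LDAP authentication in the shape the JIRA comment describes.
 * Hypothetical example code; not the broker's SimpleLDAPAuthenticationManager.
 */
public final class SearchThenBindAuthenticator {

    // Mirrors the <simple-ldap-auth-manager> settings from the comment.
    private final String providerUrl;      // search URL, e.g. ldaps://example.com:636/
    private final String providerAuthUrl;  // bind URL; same as providerUrl unless overridden
    private final String searchContext;    // e.g. dc=example,dc=com
    private final String searchFilter;     // e.g. (uid={0})
    private final String contextFactory;   // default com.sun.jndi.ldap.LdapCtxFactory

    public SearchThenBindAuthenticator(String providerUrl, String providerAuthUrl,
                                       String searchContext, String searchFilter,
                                       String contextFactory) {
        if (!providerAuthUrl.startsWith("ldaps://")) {
            // Added check: the bind carries the clear-text password, so refuse plain ldap://.
            throw new IllegalArgumentException("authentication URL must use ldaps://");
        }
        this.providerUrl = providerUrl;
        this.providerAuthUrl = providerAuthUrl;
        this.searchContext = searchContext;
        this.searchFilter = searchFilter;
        this.contextFactory = contextFactory;
    }

    /** True only if exactly one entry matches the username and binds with the password. */
    public boolean authenticate(String username, char[] password) {
        if (username == null || username.isEmpty()) {
            return false;
        }
        if (password == null || password.length == 0) {
            // Added check: DN plus empty password is an "unauthenticated bind"
            // (RFC 4513 s5.1.2). Servers that allow it return success while
            // granting anonymous rights, so it must never count as a password check.
            return false;
        }
        String dn = findDn(username);
        return dn != null && bind(dn, password);
    }

    private String findDn(String username) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "none");   // anonymous search, as in the comment
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[0]);  // only the entry name is needed
            // The username is passed as the filter argument for {0}, never concatenated
            // into the filter string: JNDI escapes '*', '(', ')' and '\' in String
            // arguments (RFC 4515), which is what blocks a filter-injection username.
            NamingEnumeration<SearchResult> results =
                ctx.search(new LdapName(searchContext), searchFilter,
                           new Object[] { username }, controls);
            if (!results.hasMore()) {
                return null;                                  // unknown user
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                return null;                                  // added check: ambiguous match
            }
            return dn;
        } catch (NamingException e) {
            return null;                                      // directory unreachable or misconfigured
        } finally {
            close(ctx);
        }
    }

    private boolean bind(String dn, char[] password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
        env.put(Context.PROVIDER_URL, providerAuthUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);                 // the simple bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false;                                     // wrong password
        } catch (NamingException e) {
            return false;
        } finally {
            close(ctx);
        }
    }

    private static void close(DirContext ctx) {
        if (ctx != null) {
            try { ctx.close(); } catch (NamingException ignored) { }
        }
    }

    public static void main(String[] args) {
        // Assumed host and base DN; point these at a real directory to run it.
        SearchThenBindAuthenticator auth = new SearchThenBindAuthenticator(
            "ldaps://example.com:636/", "ldaps://example.com:636/",
            "dc=example,dc=com", "(uid={0})", "com.sun.jndi.ldap.LdapCtxFactory");
        System.out.println(auth.authenticate(args[0], args[1].toCharArray()));
    }
}
```

Two deployment notes follow from the comment's advice to use ldaps://: the default JNDI provider validates the directory's certificate against the JVM truststore, so a directory with a private CA needs that CA imported rather than validation switched off; and because the search runs anonymously, the directory must permit anonymous read of the attribute named in the filter (uid above), or the search step must be given a dedicated read-only bind identity instead.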