Posted to dev@qpid.apache.org by "Alex Rudyy (Jira)" <ji...@apache.org> on 2019/11/11 11:47:00 UTC

[jira] [Commented] (QPID-8127) [Broker-J][ACL] Allow case insensitive matching of group and user names in existing ACL

    [ https://issues.apache.org/jira/browse/QPID-8127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16971464#comment-16971464 ] 

Alex Rudyy commented on QPID-8127:
----------------------------------

The JIRA title and descriptions are not exactly correct.

The issue here is not ACL functionality. The group fetching functionality currently uses case-sensitive principal names to find the principal groups. Thus, when the user principal returned by the LDAP server is "cn=integration-TeSt1, ou=users, dc=qpid, dc=org" and ManagedGroupProvider contains group "bar" having member "cn=integration-test1, ou=users, dc=qpid, dc=org", the user subject created by {{org.apache.qpid.server.security.SubjectCreator}} will not have a group principal "bar". As a result, the ACL rule declared as "ACL-LOG bar ACCESS VIRTUALHOST" would not be picked up for the user, which in turn will not allow the user to access the virtual host.

Another orthogonal problem with DNs is spaces. It is quite easy to miss or add an extra space in a DN. As a result, the ACL rule matching or group matching will not give the right results for a DN containing (or missing) spaces. DN normalization should be applied to ACL rule identities and principal names in order to get rid of extra spaces.

I think we need to close this JIRA as invalid and open 2 new JIRAs for the 2 separate issues described above.

> [Broker-J][ACL] Allow case insensitive matching of group and user names in existing ACL
> ---------------------------------------------------------------------------------------
>
>                 Key: QPID-8127
>                 URL: https://issues.apache.org/jira/browse/QPID-8127
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Alex Rudyy
>            Priority: Major
>
> The current ACL rules matching functionality is case sensitive for user names and group names.
> When the SimpleLdap authentication provider is configured and groups are fetched from LDAP as distinguished names, it is quite easy to make a mistake in a group/user DN and put some of the letters in the wrong case, as LDAP DN search is case-insensitive. Thus, users can specify some parts of a DN in the ACL using letters in the wrong case.
> Debugging such mistyped names can be time-consuming. IMHO, it makes more sense to add the ability to the ACL implementation to match group and user names in a case-insensitive way.
> The following link provides a good overview of case sensitivity of DN:
> [http://ldapwiki.com/wiki/Distinguished%20Name%20Case%20Sensitivity]
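As an added illustration of the two problems raised in the comment (case and whitespace differences in DNs), and not Broker-J code: the raw string comparison below misses the group, while a DN normalizer that lower-cases attribute types and values and strips the spaces around separators makes both variants match. It assumes every attribute type in the DNs (cn, ou, dc) compares case-insensitively and does not consult an LDAP schema.

```python
import re

# Split on ',' and '+' only when not escaped with a backslash (RFC 4514 style).
_RDN_SPLIT = re.compile(r'(?<!\\),')
_AVA_SPLIT = re.compile(r'(?<!\\)\+')


def normalize_dn(dn: str) -> str:
    """Canonical DN: RDNs joined by ',' with no surrounding spaces, attribute
    types and values lower-cased, multi-valued RDN components sorted.
    Assumption: all attribute types use case-insensitive matching."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        avas = []
        for ava in _AVA_SPLIT.split(rdn):
            attr_type, sep, value = ava.partition('=')
            if not sep:
                raise ValueError(f"malformed RDN component: {ava!r}")
            avas.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
        rdns.append('+'.join(sorted(avas)))
    return ','.join(rdns)


def groups_for(principal: str, groups: dict[str, set[str]],
               normalize: bool = False) -> set[str]:
    """Names of groups whose member list contains the principal.
    normalize=False mirrors the raw, case-sensitive comparison described in
    the comment; normalize=True canonicalises both sides before comparing."""
    key = normalize_dn(principal) if normalize else principal
    found = set()
    for name, members in groups.items():
        candidates = {normalize_dn(m) for m in members} if normalize else members
        if key in candidates:
            found.add(name)
    return found


# Constructed sample data mirroring the DNs quoted in the comment.
GROUPS = {"bar": {"cn=integration-test1, ou=users, dc=qpid, dc=org"}}
LDAP_PRINCIPAL = "cn=integration-TeSt1, ou=users, dc=qpid, dc=org"   # case differs
TYPO_PRINCIPAL = "cn=integration-test1,ou=users , dc=qpid,dc=org"    # spacing differs

if __name__ == "__main__":
    for p in (LDAP_PRINCIPAL, TYPO_PRINCIPAL):
        print(f"{p!r}: raw={groups_for(p, GROUPS)} "
              f"normalized={groups_for(p, GROUPS, normalize=True)}")
```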



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
