Posted to dev@activemq.apache.org by Andrew Pomponio <AP...@perforce.com> on 2022/08/16 15:47:36 UTC

Issue masking LDAP password in login.config

Hello Artemis Devs,
I originally opened a ticket with the users mailing list to discuss the following issue: https://lists.apache.org/thread/6ptmpln9wfysv07v3ncdxkd2c99glh9t

TL;DR: a user is attempting to mask their password in login.config and when they attempt to authenticate against LDAP, they get an authentication error.

We’ve reviewed the idea that they could be using a password with unsupported characters and spaces, but we’re attempting to explore other options as well. Artemis is logging the following error:
2022-07-19 11:26:08,144 ERROR [org.apache.activemq.artemis.core.server] AMQ224084: Failed to open context: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563�]

Aside from the special characters and spaces theory, is there any other known restriction to masking passwords that might not be obvious or well documented? They have tested the password in plaintext so it does work that way, it’s just the masking of it that does not work. If it matters at all, the user is using pre-built container images for artemis that run on Debian 10 and Java 11. We’re attempting to get debug logs for org.apache.activemq.artemis.spi.core.security.jaas from the user, and we’ve also sent them our own working example main.java file to demonstrate to them how password masking “should” work. The purpose of this was to make sure the password is hardcoded in the main.java file and matches the output of a java code snippet. We are also attempting to verify if they’re implementing TLS over LDAP as well to see if that’s adding any overhead complications. Any additional insight is greatly appreciated. Thanks!

This e-mail may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.


Re: Issue masking LDAP password in login.config

Posted by Justin Bertram <jb...@apache.org>.
Any feedback here? Did your user get this sorted out?


Justin

On Tue, Aug 16, 2022 at 11:51 AM Justin Bertram <jb...@apache.org> wrote:

Re: Issue masking LDAP password in login.config

Posted by Justin Bertram <jb...@apache.org>.
> ...is there any other known restriction to masking passwords that might
not be obvious or well documented?

I'm not aware of any restrictions for masked passwords. If it can be put
into a Java String then it can be masked and unmasked. The default masking
& unmasking algorithms work directly with byte[] so there's no real
restrictions.

The "artemis mask" command spits out the masked password, but it still
needs to be wrapped in "ENC()" to be detected properly in login.config. In
the other thread I pasted a link to the ActiveMQ Artemis test-suite which
demonstrates how to configure the password. Is the user doing this properly?


Justin

On Tue, Aug 16, 2022 at 10:53 AM Andrew Pomponio <AP...@perforce.com>
wrote:
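As an added illustration of the ENC() wrapping Justin describes (a constructed example, not the user's file and not code from the Artemis project), here is a login.config LDAPLoginModule entry showing the plaintext bind password beside the masked form. The host, DNs and the masked value are placeholders; the option names are those of the Artemis LDAPLoginModule.

```text
// Constructed example for illustration only. The ENC(...) wrapper is what
// tells the login module to unmask the value; a masked string pasted in
// without it is used literally as the bind password, and Active Directory
// answers with the same "error code 49 ... data 52e" (invalid credentials)
// it returns for any wrong password.
activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
      debug=true
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connectionURL="ldaps://ldap.example.test:636"
      connectionUsername="cn=artemis,ou=services,dc=example,dc=test"
      // Before (plaintext, works but leaks the secret into the config file):
      // connectionPassword="PLAINTEXT_PASSWORD_PLACEHOLDER"
      // After: output of "artemis mask <password>" wrapped in ENC(...)
      connectionPassword="ENC(MASKED_VALUE_PLACEHOLDER)"
      connectionProtocol=s
      authentication=simple
      userBase="ou=people,dc=example,dc=test"
      userSearchMatching="(uid={0})"
      userSearchSubtree=true
      roleBase="ou=groups,dc=example,dc=test"
      roleName=cn
      roleSearchMatching="(member={0})"
      roleSearchSubtree=true
      ;
};
```

With debug=true, the org.apache.activemq.artemis.spi.core.security.jaas logger mentioned in the thread shows which bind DN the module actually used, which is the quickest way to confirm the masked value was recognised.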