karaf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jonathan Anstey (JIRA)" <j...@apache.org>
Subject [jira] [Created] (KARAF-2529) Use connection credentials when searching for roles in LDAP
Date Fri, 25 Oct 2013 14:32:31 GMT
Jonathan Anstey created KARAF-2529:
--------------------------------------

             Summary: Use connection credentials when searching for roles in LDAP
                 Key: KARAF-2529
                 URL: https://issues.apache.org/jira/browse/KARAF-2529
             Project: Karaf
          Issue Type: Bug
    Affects Versions: 2.3.3
            Reporter: Jonathan Anstey


Currently when you specify connection.username and connection.password, the LDAP module correctly
uses these credentials when searching for a Karaf user, it then checks the Karaf user's password
by doing a bind. Now when the LDAP module searches for roles for this user it doesn't switch
back to using the provided connection credentials but reuses the Karaf user credentials added
during the bind. It should be using the connection credentials for the role search just like
the user search. Proposed fix:

{code}
diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
index f6637b7..37afcea 100644
--- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
+++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
@@ -225,6 +225,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
         // step 2: bind the user using the DN
         context = null;
         try {
+            // switch the credentials to the Karaf login user so that we can verify his password
is correct
             logger.debug("Bind user (authentication).");
             env.put(Context.SECURITY_AUTHENTICATION, authentication);
             logger.debug("Set the security principal for " + userDN + "," + userBaseDN);
@@ -251,6 +252,12 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
         context = null;
         try {
             logger.debug("Get user roles.");
+            // switch back to the connection credentials for the role search like we did
for the user search in step 1 
+            if (connectionUsername != null && connectionUsername.trim().length()
> 0) {
+                env.put(Context.SECURITY_AUTHENTICATION, authentication);
+                env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
+                env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
+            }
             context = new InitialDirContext(env);
             SearchControls controls = new SearchControls();
             if (roleSearchSubtree) {
{code}

I'll push the commit once I get my karma set up if there are no objections to the fix :-)



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Mime
View raw message