Mailing-List: issues@karaf.apache.org (contact issues-help@karaf.apache.org; run by ezmlm)
Reply-To: dev@karaf.apache.org
Date: Fri, 25 Oct 2013 14:32:31 +0000 (UTC)
From: "Jonathan Anstey (JIRA)"
To: issues@karaf.apache.org
Subject: [jira] [Created] (KARAF-2529) Use connection credentials when searching for roles in LDAP

Jonathan Anstey created KARAF-2529:
--------------------------------------

             Summary: Use connection credentials when searching for roles in LDAP
                 Key: KARAF-2529
                 URL: https://issues.apache.org/jira/browse/KARAF-2529
             Project: Karaf
          Issue Type: Bug
    Affects Versions: 2.3.3
            Reporter: Jonathan Anstey

Currently, when you specify connection.username and connection.password, the LDAP module correctly uses these credentials when searching for a Karaf user; it then checks the Karaf user's password by doing a bind. Now, when the LDAP module searches for roles for this user, it doesn't switch back to using the provided connection credentials but reuses the Karaf user credentials added during the bind. It should be using the connection credentials for the role search just like the user search.

Proposed fix:

{code}
diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java index f6637b7..37afcea 100644 --- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java +++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java @@ -225,6 +225,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { // step 2: bind the user using the DN context = null; try { + // switch the credentials to the Karaf login user so that we can verify his password is correct logger.debug("Bind user (authentication)."); env.put(Context.SECURITY_AUTHENTICATION, authentication); logger.debug("Set the security principal for " + userDN + "," + userBaseDN); 
@@ -251,6 +252,12 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { context = null; try { logger.debug("Get user roles."); + // switch back to the connection credentials for the role search like we did for the user search in step 1 + if (connectionUsername != null && connectionUsername.trim().length() > 0) { + env.put(Context.SECURITY_AUTHENTICATION, authentication); + env.put(Context.SECURITY_PRINCIPAL, connectionUsername); + env.put(Context.SECURITY_CREDENTIALS, connectionPassword); + } context = new InitialDirContext(env); SearchControls controls = new SearchControls(); if (roleSearchSubtree) {
{code}

I'll push the commit once I get my karma set up if there are no objections to the fix :-)

--
This message was sent by Atlassian JIRA
(v6.1#6144)
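Review bot: wording only, for the comment added at the top of step 2 (hunk @@ -225): "verify his password" should read "verify the user's password", and "switch the credentials" would be more precise as "overwrite env with the login user's credentials", since the following context line (env.put(Context.SECURITY_AUTHENTICATION, authentication) and the "Set the security principal for userDN" debug line) shows it is the shared env table being mutated in place, which is what the second hunk then has to undo.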
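Review bot: in the step-3 hunk (@@ -251) the switch back is guarded on connectionUsername being non-empty, but by this point step 2 has already overwritten env with the login user's principal and credentials, so when no connection.username is configured the role search silently runs as the authenticated user rather than the way step 1 ran; either state in the comment that this fallback is intended, or add an else branch that removes SECURITY_PRINCIPAL and SECURITY_CREDENTIALS from env so step 3 really matches step 1. Separately, env is handed to new InitialDirContext(env) and is therefore a Hashtable, whose put() rejects null values: with connection.username set but connection.password absent, env.put(Context.SECURITY_CREDENTIALS, connectionPassword) throws a NullPointerException here instead of a clear configuration error, so the guard should cover the password as well.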
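The three-step flow the report describes (find the user's DN with the connection credentials, bind as the user to verify the password, then look up roles with the connection credentials again), as an added example that is not part of the original message and not Karaf's LDAPLoginModule. It sidesteps the bug by construction: instead of one shared env table that is switched back and forth, every step builds a fresh environment, so the role search cannot inherit the user's bind credentials. The class name, server URL, DNs, filters and passwords are placeholders; usernames and DNs are passed to JNDI as filter arguments ({0}) rather than concatenated into the filter string, so the provider escapes special characters in them.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Hypothetical example of the search / bind / role-search flow; not Karaf code. */
public class LdapLoginFlow {
    // Assumed settings (placeholders): adjust for a real directory.
    private final String url = "ldap://ldap.example.test:389";
    private final String connectionUsername = "cn=karaf-svc,ou=services,dc=example,dc=test";
    private final String connectionPassword = "CHANGEME-service-password";
    private final String userBaseDN = "ou=people,dc=example,dc=test";
    private final String userFilter = "(uid={0})";      // {0} is filled and escaped by JNDI
    private final String roleBaseDN = "ou=groups,dc=example,dc=test";
    private final String roleFilter = "(member={0})";
    private final String roleNameAttribute = "cn";

    /** Fresh environment for every context, so no step can leak credentials into the next. */
    private Hashtable<String, String> newEnv(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        if (principal == null || principal.trim().isEmpty()) {
            env.put(Context.SECURITY_AUTHENTICATION, "none");   // anonymous connection
        } else {
            if (credentials == null) {                           // Hashtable rejects nulls
                throw new IllegalStateException("no password configured for " + principal);
            }
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }
        return env;
    }

    /** Step 1: locate the user's DN using the connection (service) credentials. */
    String findUserDN(String username) throws NamingException {
        DirContext ctx = new InitialDirContext(newEnv(connectionUsername, connectionPassword));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results =
                    ctx.search(userBaseDN, userFilter, new Object[] {username}, sc);
            if (!results.hasMore()) return null;
            SearchResult first = results.next();
            if (results.hasMore()) throw new NamingException("ambiguous user entry for " + username);
            return first.getNameInNamespace();
        } finally {
            ctx.close();
        }
    }

    /** Step 2: verify the password by binding as the user. An empty password is refused
     *  up front because many servers treat it as an anonymous bind that "succeeds". */
    boolean bindAsUser(String userDN, String password) throws NamingException {
        if (password == null || password.isEmpty()) return false;
        try {
            new InitialDirContext(newEnv(userDN, password)).close();
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    /** Step 3: role search with the connection credentials again, never the user's. */
    List<String> findRoles(String userDN) throws NamingException {
        List<String> roles = new ArrayList<>();
        DirContext ctx = new InitialDirContext(newEnv(connectionUsername, connectionPassword));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {roleNameAttribute});
            NamingEnumeration<SearchResult> results =
                    ctx.search(roleBaseDN, roleFilter, new Object[] {userDN}, sc);
            while (results.hasMore()) {
                Attribute attr = results.next().getAttributes().get(roleNameAttribute);
                if (attr != null) roles.add(attr.get().toString());
            }
        } finally {
            ctx.close();
        }
        return roles;
    }

    /** Full login: returns the roles on success, null if the user is unknown or the password is wrong. */
    public List<String> login(String username, String password) throws NamingException {
        String userDN = findUserDN(username);
        if (userDN == null || !bindAsUser(userDN, password)) return null;
        return findRoles(userDN);
    }

    public static void main(String[] args) throws NamingException {
        System.out.println(new LdapLoginFlow().login(args[0], args[1]));
    }
}
```

Run it against a directory that holds the placeholder entries with `java LdapLoginFlow <uid> <password>`. The design point is that `newEnv` is the only place credentials enter a context, and each call starts from an empty table: the patch above has to remember to switch the shared `env` back in step 3, whereas here there is nothing to switch back.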