Apache
/
activemq-artemis
mirror of https://github.com/apache/activemq-artemis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ARTEMIS-1372 - alow auth to ldap via kerberos

This commit is contained in:
gtully 2017-09-04 14:33:30 +01:00 committed by Clebert Suconic
parent ab7dc69b5d
commit 5db68a451b
4 changed files with 162 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

130
artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
View File

@ -36,12 +36,15 @@ import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException; import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException; import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule; import javax.security.auth.spi.LoginModule;
import java.io.IOException; import java.io.IOException;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.security.Principal; import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.text.MessageFormat; import java.text.MessageFormat;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashSet; import java.util.HashSet;
@ -75,6 +78,8 @@ public class LDAPLoginModule implements LoginModule {
private static final String USER_ROLE_NAME = "userRoleName"; private static final String USER_ROLE_NAME = "userRoleName";
private static final String EXPAND_ROLES = "expandRoles"; private static final String EXPAND_ROLES = "expandRoles";
private static final String EXPAND_ROLES_MATCHING = "expandRolesMatching"; private static final String EXPAND_ROLES_MATCHING = "expandRolesMatching";
private static final String LOGIN_CONFIG_SCOPE = "loginConfigScope";
private static final String AUTHENTICATE_USER = "authenticateUser";
protected DirContext context; protected DirContext context;
@ -84,6 +89,8 @@ public class LDAPLoginModule implements LoginModule {
private String username; private String username;
private final Set<RolePrincipal> groups = new HashSet<>(); private final Set<RolePrincipal> groups = new HashSet<>();
private boolean userAuthenticated = false; private boolean userAuthenticated = false;
private boolean authenticateUser = true;
private Subject brokerGssapiIdentity = null;
@Override @Override
public void initialize(Subject subject, public void initialize(Subject subject,
@ -93,12 +100,19 @@ public class LDAPLoginModule implements LoginModule {
this.subject = subject; this.subject = subject;
this.handler = callbackHandler; this.handler = callbackHandler;
config = new LDAPLoginProperty[]{new LDAPLoginProperty(INITIAL_CONTEXT_FACTORY, (String) options.get(INITIAL_CONTEXT_FACTORY)), new LDAPLoginProperty(CONNECTION_URL, (String) options.get(CONNECTION_URL)), new LDAPLoginProperty(CONNECTION_USERNAME, (String) options.get(CONNECTION_USERNAME)), new LDAPLoginProperty(CONNECTION_PASSWORD, (String) options.get(CONNECTION_PASSWORD)), new LDAPLoginProperty(CONNECTION_PROTOCOL, (String) options.get(CONNECTION_PROTOCOL)), new LDAPLoginProperty(AUTHENTICATION, (String) options.get(AUTHENTICATION)), new LDAPLoginProperty(USER_BASE, (String) options.get(USER_BASE)), new LDAPLoginProperty(USER_SEARCH_MATCHING, (String) options.get(USER_SEARCH_MATCHING)), new LDAPLoginProperty(USER_SEARCH_SUBTREE, (String) options.get(USER_SEARCH_SUBTREE)), new LDAPLoginProperty(ROLE_BASE, (String) options.get(ROLE_BASE)), new LDAPLoginProperty(ROLE_NAME, (String) options.get(ROLE_NAME)), new LDAPLoginProperty(ROLE_SEARCH_MATCHING, (String) options.get(ROLE_SEARCH_MATCHING)), new LDAPLoginProperty(ROLE_SEARCH_SUBTREE, (String) options.get(ROLE_SEARCH_SUBTREE)), new LDAPLoginProperty(USER_ROLE_NAME, (String) options.get(USER_ROLE_NAME)), new LDAPLoginProperty(EXPAND_ROLES, (String) options.get(EXPAND_ROLES)), new LDAPLoginProperty(EXPAND_ROLES_MATCHING, (String) options.get(EXPAND_ROLES_MATCHING))}; config = new LDAPLoginProperty[]{new LDAPLoginProperty(INITIAL_CONTEXT_FACTORY, (String) options.get(INITIAL_CONTEXT_FACTORY)), new LDAPLoginProperty(CONNECTION_URL, (String) options.get(CONNECTION_URL)), new LDAPLoginProperty(CONNECTION_USERNAME, (String) options.get(CONNECTION_USERNAME)), new LDAPLoginProperty(CONNECTION_PASSWORD, (String) options.get(CONNECTION_PASSWORD)), new LDAPLoginProperty(CONNECTION_PROTOCOL, (String) options.get(CONNECTION_PROTOCOL)), new LDAPLoginProperty(AUTHENTICATION, (String) options.get(AUTHENTICATION)), new LDAPLoginProperty(USER_BASE, (String) options.get(USER_BASE)), new LDAPLoginProperty(USER_SEARCH_MATCHING, (String) options.get(USER_SEARCH_MATCHING)), new LDAPLoginProperty(USER_SEARCH_SUBTREE, (String) options.get(USER_SEARCH_SUBTREE)), new LDAPLoginProperty(ROLE_BASE, (String) options.get(ROLE_BASE)), new LDAPLoginProperty(ROLE_NAME, (String) options.get(ROLE_NAME)), new LDAPLoginProperty(ROLE_SEARCH_MATCHING, (String) options.get(ROLE_SEARCH_MATCHING)), new LDAPLoginProperty(ROLE_SEARCH_SUBTREE, (String) options.get(ROLE_SEARCH_SUBTREE)), new LDAPLoginProperty(USER_ROLE_NAME, (String) options.get(USER_ROLE_NAME)), new LDAPLoginProperty(EXPAND_ROLES, (String) options.get(EXPAND_ROLES)), new LDAPLoginProperty(EXPAND_ROLES_MATCHING, (String) options.get(EXPAND_ROLES_MATCHING)), new LDAPLoginProperty(LOGIN_CONFIG_SCOPE, (String) options.get(LOGIN_CONFIG_SCOPE)), new LDAPLoginProperty(AUTHENTICATE_USER, (String) options.get(AUTHENTICATE_USER))};
if (isLoginPropertySet(AUTHENTICATE_USER)) {
authenticateUser = Boolean.valueOf(getLDAPPropertyValue(AUTHENTICATE_USER));
}
} }
@Override @Override
public boolean login() throws LoginException { public boolean login() throws LoginException {
if (!authenticateUser) {
return false;
}
Callback[] callbacks = new Callback[2]; Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("User name"); callbacks[0] = new NameCallback("User name");
@ -135,25 +149,26 @@ public class LDAPLoginModule implements LoginModule {
@Override @Override
public boolean commit() throws LoginException { public boolean commit() throws LoginException {
Set<UserPrincipal> authenticatedUsers = subject.getPrincipals(UserPrincipal.class);
Set<Principal> principals = subject.getPrincipals(); Set<Principal> principals = subject.getPrincipals();
if (userAuthenticated) { if (userAuthenticated) {
principals.add(new UserPrincipal(username)); principals.add(new UserPrincipal(username));
} else { }
// assign roles to any other UserPrincipal
Set<UserPrincipal> authenticatedUsers = subject.getPrincipals(UserPrincipal.class); // assign roles to any other UserPrincipal
for (UserPrincipal authenticatedUser : authenticatedUsers) { for (UserPrincipal authenticatedUser : authenticatedUsers) {
List<String> roles = new ArrayList<>(); List<String> roles = new ArrayList<>();
try { try {
String dn = resolveDN(username, roles); String dn = resolveDN(authenticatedUser.getName(), roles);
resolveRolesForDN(context, dn, username, roles); resolveRolesForDN(context, dn, authenticatedUser.getName(), roles);
} catch (NamingException e) { } catch (NamingException e) {
closeContext(); closeContext();
FailedLoginException ex = new FailedLoginException("Error contacting LDAP"); FailedLoginException ex = new FailedLoginException("Error contacting LDAP");
ex.initCause(e); ex.initCause(e);
throw ex; throw ex;
}
} }
} }
for (RolePrincipal gp : groups) { for (RolePrincipal gp : groups) {
principals.add(gp); principals.add(gp);
} }
@ -226,7 +241,7 @@ public class LDAPLoginModule implements LoginModule {
} }
try { try {
openContext(); openContext();
} catch (NamingException ne) { } catch (Exception ne) {
FailedLoginException ex = new FailedLoginException("Error opening LDAP connection"); FailedLoginException ex = new FailedLoginException("Error opening LDAP connection");
ex.initCause(ne); ex.initCause(ne);
throw ex; throw ex;
@ -264,7 +279,15 @@ public class LDAPLoginModule implements LoginModule {
logger.debug(" filter: " + filter); logger.debug(" filter: " + filter);
} }
NamingEnumeration<SearchResult> results = context.search(getLDAPPropertyValue(USER_BASE), filter, constraints); NamingEnumeration<SearchResult> results = null;
try {
results = Subject.doAs(brokerGssapiIdentity, (PrivilegedExceptionAction< NamingEnumeration<SearchResult>>) () -> context.search(getLDAPPropertyValue(USER_BASE), filter, constraints));
} catch (PrivilegedActionException e) {
Exception cause = e.getException();
FailedLoginException ex = new FailedLoginException("Error executing search query to resolve DN");
ex.initCause(cause);
throw ex;
}
if (results == null || !results.hasMore()) { if (results == null || !results.hasMore()) {
throw new FailedLoginException("User " + username + " not found in LDAP."); throw new FailedLoginException("User " + username + " not found in LDAP.");
@ -346,7 +369,7 @@ public class LDAPLoginModule implements LoginModule {
if (!isLoginPropertySet(ROLE_NAME)) { if (!isLoginPropertySet(ROLE_NAME)) {
return; return;
} }
String filter = roleSearchMatchingFormat.format(new String[]{doRFC2254Encoding(dn), doRFC2254Encoding(username)}); final String filter = roleSearchMatchingFormat.format(new String[]{doRFC2254Encoding(dn), doRFC2254Encoding(username)});
SearchControls constraints = new SearchControls(); SearchControls constraints = new SearchControls();
if (roleSearchSubtreeBool) { if (roleSearchSubtreeBool) {
@ -362,7 +385,16 @@ public class LDAPLoginModule implements LoginModule {
} }
HashSet<String> haveSeenNames = new HashSet<>(); HashSet<String> haveSeenNames = new HashSet<>();
Queue<String> pendingNameExpansion = new LinkedList<>(); Queue<String> pendingNameExpansion = new LinkedList<>();
NamingEnumeration<SearchResult> results = context.search(getLDAPPropertyValue(ROLE_BASE), filter, constraints); NamingEnumeration<SearchResult> results = null;
try {
results = Subject.doAs(brokerGssapiIdentity, (PrivilegedExceptionAction< NamingEnumeration<SearchResult>>) () -> context.search(getLDAPPropertyValue(ROLE_BASE), filter, constraints));
} catch (PrivilegedActionException e) {
Exception cause = e.getException();
NamingException ex = new NamingException("Error executing search query to resolve roles");
ex.initCause(cause);
throw ex;
}
while (results.hasMore()) { while (results.hasMore()) {
SearchResult result = results.next(); SearchResult result = results.next();
Attributes attrs = result.getAttributes(); Attributes attrs = result.getAttributes();
@ -379,8 +411,15 @@ public class LDAPLoginModule implements LoginModule {
MessageFormat expandRolesMatchingFormat = new MessageFormat(getLDAPPropertyValue(EXPAND_ROLES_MATCHING)); MessageFormat expandRolesMatchingFormat = new MessageFormat(getLDAPPropertyValue(EXPAND_ROLES_MATCHING));
while (!pendingNameExpansion.isEmpty()) { while (!pendingNameExpansion.isEmpty()) {
String name = pendingNameExpansion.remove(); String name = pendingNameExpansion.remove();
filter = expandRolesMatchingFormat.format(new String[]{name}); final String expandFilter = expandRolesMatchingFormat.format(new String[]{name});
results = context.search(getLDAPPropertyValue(ROLE_BASE), filter, constraints); try {
results = Subject.doAs(brokerGssapiIdentity, (PrivilegedExceptionAction< NamingEnumeration<SearchResult>>) () -> context.search(getLDAPPropertyValue(ROLE_BASE), expandFilter, constraints));
} catch (PrivilegedActionException e) {
Exception cause = e.getException();
NamingException ex = new NamingException("Error executing search query to expand roles");
ex.initCause(cause);
throw ex;
}
while (results.hasMore()) { while (results.hasMore()) {
SearchResult result = results.next(); SearchResult result = results.next();
name = result.getNameInNamespace(); name = result.getNameInNamespace();
@ -476,26 +515,49 @@ public class LDAPLoginModule implements LoginModule {
} }
} }
protected void openContext() throws NamingException { protected void openContext() throws Exception {
if (context == null) { if (context == null) {
try { try {
Hashtable<String, String> env = new Hashtable<>(); Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, getLDAPPropertyValue(INITIAL_CONTEXT_FACTORY)); env.put(Context.INITIAL_CONTEXT_FACTORY, getLDAPPropertyValue(INITIAL_CONTEXT_FACTORY));
if (isLoginPropertySet(CONNECTION_USERNAME)) {
env.put(Context.SECURITY_PRINCIPAL, getLDAPPropertyValue(CONNECTION_USERNAME));
} else {
throw new NamingException("Empty username is not allowed");
}
if (isLoginPropertySet(CONNECTION_PASSWORD)) {
env.put(Context.SECURITY_CREDENTIALS, getLDAPPropertyValue(CONNECTION_PASSWORD));
} else {
throw new NamingException("Empty password is not allowed");
}
env.put(Context.SECURITY_PROTOCOL, getLDAPPropertyValue(CONNECTION_PROTOCOL)); env.put(Context.SECURITY_PROTOCOL, getLDAPPropertyValue(CONNECTION_PROTOCOL));
env.put(Context.PROVIDER_URL, getLDAPPropertyValue(CONNECTION_URL)); env.put(Context.PROVIDER_URL, getLDAPPropertyValue(CONNECTION_URL));
env.put(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION)); env.put(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION));
context = new InitialDirContext(env);
if ("GSSAPI".equalsIgnoreCase(getLDAPPropertyValue(AUTHENTICATION))) {
final String configScope = isLoginPropertySet(LOGIN_CONFIG_SCOPE) ? getLDAPPropertyValue(LOGIN_CONFIG_SCOPE) : "broker-sasl-gssapi";
try {
LoginContext loginContext = new LoginContext(configScope);
loginContext.login();
brokerGssapiIdentity = loginContext.getSubject();
} catch (LoginException e) {
e.printStackTrace();
FailedLoginException ex = new FailedLoginException("Error contacting LDAP using GSSAPI in JAAS loginConfigScope: " + configScope);
ex.initCause(e);
throw ex;
}
} else {
if (isLoginPropertySet(CONNECTION_USERNAME)) {
env.put(Context.SECURITY_PRINCIPAL, getLDAPPropertyValue(CONNECTION_USERNAME));
} else {
throw new NamingException("Empty username is not allowed");
}
if (isLoginPropertySet(CONNECTION_PASSWORD)) {
env.put(Context.SECURITY_CREDENTIALS, getLDAPPropertyValue(CONNECTION_PASSWORD));
} else {
throw new NamingException("Empty password is not allowed");
}
}
try {
context = Subject.doAs(brokerGssapiIdentity, (PrivilegedExceptionAction<DirContext>) () -> new InitialDirContext(env));
} catch (PrivilegedActionException e) {
throw e.getException();
}
} catch (NamingException e) { } catch (NamingException e) {
closeContext(); closeContext();

57
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/SaslKrb5LDAPSecurityTest.java
View File

@ -26,6 +26,8 @@ import javax.naming.NameClassPair;
import javax.naming.NamingEnumeration; import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext; import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext; import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import java.io.BufferedReader; import java.io.BufferedReader;
import java.io.File; import java.io.File;
import java.io.InputStream; import java.io.InputStream;
@ -36,6 +38,8 @@ import java.lang.reflect.Method;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.net.URL; import java.net.URL;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.text.MessageFormat; import java.text.MessageFormat;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
@ -58,6 +62,7 @@ import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
import org.apache.activemq.artemis.utils.RandomUtil; import org.apache.activemq.artemis.utils.RandomUtil;
import org.apache.commons.io.FileUtils; import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils; import org.apache.commons.io.IOUtils;
import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
import org.apache.directory.api.ldap.model.entry.DefaultEntry; import org.apache.directory.api.ldap.model.entry.DefaultEntry;
import org.apache.directory.api.ldap.model.entry.Entry; import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.filter.PresenceNode; import org.apache.directory.api.ldap.model.filter.PresenceNode;
@ -70,6 +75,7 @@ import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.server.annotations.CreateKdcServer; import org.apache.directory.server.annotations.CreateKdcServer;
import org.apache.directory.server.annotations.CreateLdapServer; import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport; import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.annotations.SaslMechanism;
import org.apache.directory.server.core.annotations.ApplyLdifFiles; import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.annotations.ContextEntry; import org.apache.directory.server.core.annotations.ContextEntry;
import org.apache.directory.server.core.annotations.CreateDS; import org.apache.directory.server.core.annotations.CreateDS;
@ -82,6 +88,7 @@ import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory; import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
import org.apache.directory.server.kerberos.shared.keytab.Keytab; import org.apache.directory.server.kerberos.shared.keytab.Keytab;
import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry; import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
import org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler;
import org.apache.directory.shared.kerberos.KerberosTime; import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType; import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.components.EncryptionKey; import org.apache.directory.shared.kerberos.components.EncryptionKey;
@ -98,15 +105,18 @@ import org.slf4j.LoggerFactory;
import static org.apache.activemq.artemis.tests.util.ActiveMQTestBase.NETTY_ACCEPTOR_FACTORY; import static org.apache.activemq.artemis.tests.util.ActiveMQTestBase.NETTY_ACCEPTOR_FACTORY;
@RunWith(FrameworkRunner.class) @RunWith(FrameworkRunner.class) @CreateDS(name = "Example",
@CreateDS(name = "Example",
partitions = {@CreatePartition(name = "example", suffix = "dc=example,dc=com", partitions = {@CreatePartition(name = "example", suffix = "dc=example,dc=com",
contextEntry = @ContextEntry(entryLdif = "dn: dc=example,dc=com\n" + "dc: example\n" + "objectClass: top\n" + "objectClass: domain\n\n"), contextEntry = @ContextEntry(entryLdif = "dn: dc=example,dc=com\n" + "dc: example\n" + "objectClass: top\n" + "objectClass: domain\n\n"),
indexes = {@CreateIndex(attribute = "objectClass"), @CreateIndex(attribute = "dc"), @CreateIndex(attribute = "ou")})}, indexes = {@CreateIndex(attribute = "objectClass"), @CreateIndex(attribute = "dc"), @CreateIndex(attribute = "ou")})},
additionalInterceptors = { KeyDerivationInterceptor.class }) additionalInterceptors = { KeyDerivationInterceptor.class })
@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 1024)}) @CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 1024)},
@CreateKdcServer(searchBaseDn = "dc=example,dc=com", transports = {@CreateTransport(protocol = "TCP", port = 0)}) saslHost = "localhost",
saslPrincipal = "ldap/localhost@EXAMPLE.COM",
saslMechanisms = {@SaslMechanism(name = SupportedSaslMechanisms.GSSAPI, implClass = GssapiMechanismHandler.class)})
@CreateKdcServer(transports = {@CreateTransport(protocol = "TCP", port = 0)})
@ApplyLdifFiles("SaslKrb5LDAPSecurityTest.ldif") @ApplyLdifFiles("SaslKrb5LDAPSecurityTest.ldif")
public class SaslKrb5LDAPSecurityTest extends AbstractLdapTestUnit { public class SaslKrb5LDAPSecurityTest extends AbstractLdapTestUnit {
@ -165,7 +175,7 @@ public class SaslKrb5LDAPSecurityTest extends AbstractLdapTestUnit {
// hard coded match, default_keytab_name in minikdc-krb5.conf template // hard coded match, default_keytab_name in minikdc-krb5.conf template
File userKeyTab = new File("target/test.krb5.keytab"); File userKeyTab = new File("target/test.krb5.keytab");
createPrincipal(userKeyTab, "client", "amqp/localhost"); createPrincipal(userKeyTab, "client", "amqp/localhost", "ldap/localhost");
if (debug) { if (debug) {
dumpLdapContents(); dumpLdapContents();
@ -309,6 +319,43 @@ public class SaslKrb5LDAPSecurityTest extends AbstractLdapTestUnit {
ctx.close(); ctx.close();
} }
@Test
public void testSaslGssapiLdapAuth() throws Exception {
final Hashtable<String, String> env = new Hashtable<>();
env.put(Context.PROVIDER_URL, "ldap://localhost:1024");
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
LoginContext loginContext = new LoginContext("broker-sasl-gssapi");
loginContext.login();
try {
Subject.doAs(loginContext.getSubject(), (PrivilegedExceptionAction<Object>) () -> {
HashSet<String> set = new HashSet<>();
DirContext ctx = new InitialDirContext(env);
NamingEnumeration<NameClassPair> list = ctx.list("ou=system");
while (list.hasMore()) {
NameClassPair ncp = list.next();
set.add(ncp.getName());
}
Assert.assertTrue(set.contains("uid=first"));
Assert.assertTrue(set.contains("cn=users"));
Assert.assertTrue(set.contains("ou=configuration"));
Assert.assertTrue(set.contains("prefNodeName=sysPrefRoot"));
ctx.close();
return null;
});
} catch (PrivilegedActionException e) {
throw e.getException();
}
}
@Test @Test
public void testJAASSecurityManagerAuthorizationPositive() throws Exception { public void testJAASSecurityManagerAuthorizationPositive() throws Exception {

15
tests/integration-tests/src/test/resources/SaslKrb5LDAPSecurityTest.ldif
View File

@ -29,7 +29,7 @@ objectClass: top
dn: cn=admins,ou=system dn: cn=admins,ou=system
cn: admins cn: admins
member: uid=first,ou=system member: uid=first,ou=system
member: uid=client,dc=example,dc=com member: uid=client,ou=users,dc=example,dc=com
objectClass: groupOfNames objectClass: groupOfNames
objectClass: top objectClass: top
@ -59,16 +59,3 @@ uid: krbtgt
userPassword: secret userPassword: secret
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5KeyVersionNumber: 0 krb5KeyVersionNumber: 0
dn: uid=ldap,ou=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: LDAP
sn: Service
uid: ldap
userPassword: secret
krb5PrincipalName: ldap/localhost@EXAMPLE.COM
krb5KeyVersionNumber: 0

17
tests/integration-tests/src/test/resources/login.config
View File

@ -158,13 +158,13 @@ Krb5PlusLdap {
debug=true debug=true
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connectionURL="ldap://localhost:1024" connectionURL="ldap://localhost:1024"
connectionUsername="uid=admin,ou=system" authentication=GSSAPI
connectionPassword=secret loginConfigScope=broker-sasl-gssapi
connectionProtocol=s connectionProtocol=s
authentication=simple userBase="ou=users,dc=example,dc=com"
userBase="dc=example,dc=com"
userSearchMatching="(krb5PrincipalName={0})" userSearchMatching="(krb5PrincipalName={0})"
userSearchSubtree=true userSearchSubtree=true
authenticateUser=false
roleBase="ou=system" roleBase="ou=system"
roleName=cn roleName=cn
roleSearchMatching="(member={0})" roleSearchMatching="(member={0})"
@ -196,6 +196,15 @@ amqp-sasl-gssapi {
debug=true; debug=true;
}; };
broker-sasl-gssapi {
com.sun.security.auth.module.Krb5LoginModule required
isInitiator=true
storeKey=true
useKeyTab=true
principal="amqp/localhost"
debug=true;
};
amqp-jms-client { amqp-jms-client {
com.sun.security.auth.module.Krb5LoginModule required com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true; useKeyTab=true;