LDAP calls that create a new connection use privilegedConnect (elastic/x-pack-elasticsearch#2018)

This change fixes some cases where calls to the LDAP library that can result in a new connection being
created were not wrapped in privileged connect calls. This would result in permission denied
errors when trying to make the connection.

Original commit: elastic/x-pack-elasticsearch@182c790dd4
Jay Modi 2017-07-17 13:15:12 -06:00 committed by GitHub
parent 44c9bba39c
commit 653b927628
2 changed files with 33 additions and 4 deletions


@ -224,10 +224,10 @@ public final class LdapUtils {
boolean searching = false;
LDAPConnection ldapConnection = null;
try {
ldapConnection = ldap.getConnection();
ldapConnection = privilegedConnect(ldap::getConnection);
final LDAPConnection finalConnection = ldapConnection;
LdapSearchResultListener ldapSearchResultListener = new LdapSearchResultListener(
ldapConnection, ignoreReferralErrors,
finalConnection, ignoreReferralErrors,
ActionListener.wrap(
searchResult -> {
IOUtils.closeWhileHandlingException(
@ -523,8 +523,8 @@ public final class LdapUtils {
// in order to follow the referral we need to open a new connection and we do so using the
// referral connector on the ldap connection
final LDAPConnection referralConn = ldapConnection.getReferralConnector()
.getReferralConnection(referralURL, ldapConnection);
final LDAPConnection referralConn =
privilegedConnect(() -> ldapConnection.getReferralConnector().getReferralConnection(referralURL, ldapConnection));
final LdapSearchResultListener ldapListener = new LdapSearchResultListener(
referralConn, ignoreErrors,
ActionListener.wrap(
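Review bot: The privilegedConnect wrapper added at the referral site in the second hunk is not explained in code, while the comment immediately above it still describes only the referral connector; since the wrapper exists to avoid a permission failure rather than to change behaviour, that reason belongs in the comment. I would extend the existing two-line comment with `// the connect is wrapped in privilegedConnect because opening the referral connection otherwise fails with a permission error (see commit message)`, and put the same one-line reason above `privilegedConnect(ldap::getConnection)` in the first hunk so a later reader does not unwrap either call as redundant. In the first hunk, if privilegedConnect throws, `ldapConnection` is still null when control reaches the catch/finally, which lies outside the hunk; the close path presumably tolerates a null connection, but that is worth confirming since the failing call used to be the same statement. Both hunks are cut from the middle of their enclosing methods.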


@ -10,9 +10,12 @@ import java.util.concurrent.ExecutionException;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPURL;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.SingleServerSet;
import org.elasticsearch.action.support.PlainActionFuture;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
@ -111,6 +114,32 @@ public class SearchGroupsResolverInMemoryTests extends LdapTestCase {
assertThat(groups, iterableWithSize(0));
}
public void testSearchWithConnectionPoolForOneResult() throws Exception {
final LDAPURL ldapurl = new LDAPURL(ldapUrls()[0]);
try (LDAPConnectionPool pool =
LdapUtils.privilegedConnect(() -> new LDAPConnectionPool(new SingleServerSet(ldapurl.getHost(), ldapurl.getPort()),
new SimpleBindRequest("cn=Horatio Hornblower,ou=people,o=sevenSeas", "pass"), 0, 20))) {
final Settings settings = Settings.builder()
.put("bind_dn", "cn=Horatio Hornblower,ou=people,o=sevenSeas")
.put("bind_password", "pass")
.put("user_search.base_dn", "ou=groups,o=sevenSeas")
.put("group_search.base_dn", "ou=groups,o=sevenSeas")
.put("group_search.scope", LdapSearchScope.SUB_TREE)
.build();
final SearchGroupsResolver resolver = new SearchGroupsResolver(settings);
final PlainActionFuture<List<String>> future = new PlainActionFuture<>();
resolver.resolve(pool,
"cn=Moultrie Crystal,ou=people,o=sevenSeas",
TimeValue.timeValueSeconds(30),
logger,
null, future);
List<String> resolvedDNs = future.actionGet();
assertEquals(1, resolvedDNs.size());
}
}
private void connect(LDAPConnectionOptions options) throws LDAPException {
if (connection != null) {
throw new IllegalStateException("Already connected (" + connection.getConnectionName() + ' '