Bug 535360 (RHQ-2064)
Summary: | enhanced security support for LDAP integration | ||
---|---|---|---|
Product: | [Other] RHQ Project | Reporter: | Joseph Marques <jmarques> |
Component: | Core Server | Assignee: | John Mazzitelli <mazz> |
Status: | CLOSED NEXTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 1.2 | Keywords: | CodeChange |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://jira.rhq-project.org/browse/RHQ-2064 | ||
Whiteboard: | |||
Fixed In Version: | 1.3 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Joseph Marques
2009-05-06 19:00:00 UTC
I checked this into LdapLoginModule:

```java
// Setup SSL if requested.
// env is the JNDI environment (java.util.Properties) the login module builds for
// the LDAP context; Context is javax.naming.Context.
String protocol = env.getProperty(Context.SECURITY_PROTOCOL);
if ((protocol != null) && protocol.equals("ssl")) {
    String ldapSocketFactory = env.getProperty("java.naming.ldap.factory.socket");
    if (ldapSocketFactory == null) {
        // No custom factory configured: fall back to RHQ's UntrustedSSLSocketFactory.
        env.put("java.naming.ldap.factory.socket", UntrustedSSLSocketFactory.class.getName());
    }
    env.put(Context.SECURITY_PROTOCOL, "ssl");
}
```

So if you set that env var in rhq-server.properties, and put your custom classes in a jar in the JBossAS lib directory, it "should" work. Need to test this. All we would be doing is delegating to the custom class implementation; it's up to that impl to do the right thing.

svn rev 3931

needsReproSteps

I made this a "code change" issue, not "bug". This just added code that allows someone to customize the server to allow for secure LDAP access using certs (as opposed to user/pass creds). Someone would have to write their own factory that does the cert handling, deploy its jar file in the server's lib directory, set "java.naming.ldap.factory.socket" to the class name of the new factory class and restart the server. I've never done this, it isn't officially supported due to all the customization that needs to happen, and it's never been tested. However, it's here now for someone who really needs this to try and use it. If we can confirm someone has used this and can give us the code and steps necessary to hook all this up, we can add it to the docs and perhaps put it in the QA task list. But for now, consider this a code change with nothing to test now.

This bug was previously known as http://jira.rhq-project.org/browse/RHQ-2064

This bug relates to RHQ-243
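The comment above describes the hook but leaves the custom factory to whoever needs it. What follows is an added example of such a factory, written for this page; it is not RHQ code and not code from the reporter or assignee. It relies on one fact about the JDK's LDAP provider: the class named in `java.naming.ldap.factory.socket` must extend `javax.net.SocketFactory` and expose a `public static getDefault()` method, which the provider calls by reflection to obtain the factory. Everything else here is an assumption for illustration: the package name, the `example.ldap.*` system property names that point at a PKCS12 client keystore and CA truststore, and the use of PKCS12 for both. Deploying the jar in the server's lib directory and setting the property in rhq-server.properties is done exactly as the comment says.

```java
// Added example, not RHQ code. Point java.naming.ldap.factory.socket at this class
// (e.g. com.example.rhq.ldap.ClientCertLdapSocketFactory) and the JDK's LDAP provider
// calls getDefault() reflectively instead of using RHQ's UntrustedSSLSocketFactory.
package com.example.rhq.ldap;   // hypothetical package name

import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class ClientCertLdapSocketFactory extends SSLSocketFactory {

    // Hypothetical system property names; pass them as -D options to the server JVM.
    private static final String KEYSTORE = System.getProperty("example.ldap.keystore");
    private static final String KEYSTORE_PASS = System.getProperty("example.ldap.keystore.password", "");
    private static final String TRUSTSTORE = System.getProperty("example.ldap.truststore");
    private static final String TRUSTSTORE_PASS = System.getProperty("example.ldap.truststore.password", "");

    private static volatile SSLSocketFactory delegate;   // built once, shared by all instances

    private final SSLSocketFactory inner;

    private ClientCertLdapSocketFactory(SSLSocketFactory inner) { this.inner = inner; }

    /** Entry point the JDK LDAP provider looks up by reflection (must be public static). */
    public static SocketFactory getDefault() {
        SSLSocketFactory d = delegate;
        if (d == null) {
            synchronized (ClientCertLdapSocketFactory.class) {
                if (delegate == null) delegate = build();
                d = delegate;
            }
        }
        return new ClientCertLdapSocketFactory(d);
    }

    private static SSLSocketFactory build() {
        try {
            // Client certificate and private key: what the RHQ server presents to the directory.
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadKeyStore(KEYSTORE, KEYSTORE_PASS), KEYSTORE_PASS.toCharArray());

            // Explicit truststore: only this CA may have issued the directory server's certificate.
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadKeyStore(TRUSTSTORE, TRUSTSTORE_PASS));

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx.getSocketFactory();
        } catch (IOException | GeneralSecurityException e) {
            // Fail closed: a misconfigured factory must not silently fall back to trusting anything.
            throw new IllegalStateException("cannot initialise LDAP client-cert socket factory", e);
        }
    }

    private static KeyStore loadKeyStore(String path, String password) throws IOException, GeneralSecurityException {
        if (path == null) throw new IllegalStateException("keystore/truststore path not set");
        KeyStore ks = KeyStore.getInstance("PKCS12");   // assumption: both stores are PKCS12
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Enable hostname verification so a valid certificate for some other host is rejected. */
    private Socket harden(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");
            ssl.setSSLParameters(p);
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return inner.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return inner.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return harden(inner.createSocket()); }
    @Override public Socket createSocket(String host, int port) throws IOException { return harden(inner.createSocket(host, port)); }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException { return harden(inner.createSocket(host, port, localHost, localPort)); }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException { return harden(inner.createSocket(host, port)); }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { return harden(inner.createSocket(address, port, localAddress, localPort)); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException { return harden(inner.createSocket(s, host, port, autoClose)); }
}
```

Two caveats worth keeping in mind. First, the factory only controls the TLS layer: it presents the client certificate and validates the server's. Whether the directory treats that certificate as the bound identity is a separate matter of the bind method (SASL EXTERNAL, selected through `Context.SECURITY_AUTHENTICATION`), which the snippet in the comment does not touch; with a simple bind the module still sends whatever user/password it was given over the now client-authenticated channel. Second, `getDefault()` is called with no arguments and no context, so the factory has to find its keystores on its own; system properties are one way, but whichever way is chosen, the passwords then live in the JVM's configuration and should be protected accordingly.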