"Due to performance issues we need to cache passwords obtained from external sources using {EXT} prefix in LdapExt login module" Note: This RFE is a clone of https://issues.jboss.org/browse/PRODMGT-319 under consideration for EAP 5.3. --[jira] https://issues.jboss.org/browse/PRODMGT-395
This has been documented for the 5.x stream. Details in bug 1093209.
This is already documented. Fix is available in the description of 'bindCredential' option: http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Security_Guide/appe-Reference.html#topic4732_ldapextendedmoduleoptions
Fix is available here: http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Security_Guide/appe-Reference.html#topic4732_ldapextendedmoduleoptions
The description should be moved out of the table to its own section. There are 2 main reasons:

1) The readability in a table column is very bad.
2) This feature is not used only in LdapExtLoginModule, but in other parts of PicketBox too:

$ grep -R 'Util.loadPassword' *
org/picketbox/datasource/security/PBEIdentityLoginModule.java: this.pbepass = Util.loadPassword(tmp);
org/jboss/security/mapping/providers/attribute/LdapAttributeMappingProvider.java: bindCredential = new String(Util.loadPassword(bindCredential));
org/jboss/security/mapping/providers/role/LdapRolesMappingProvider.java: this.bindCredential = new String(Util.loadPassword(this.bindCredential));
org/jboss/security/auth/spi/LdapUsersLoginModule.java: this.bindCredential = new String(Util.loadPassword(this.bindCredential));
org/jboss/security/auth/spi/LdapExtLoginModule.java: this.bindCredential = new String(Util.loadPassword(this.bindCredential));
org/jboss/security/auth/callback/LdapCallbackHandler.java: bindCredential = new String(Util.loadPassword(bindCredential));
org/jboss/security/JBossJSSESecurityDomain.java: this.keyStorePassword = Util.loadPassword(keyStorePassword);
org/jboss/security/JBossJSSESecurityDomain.java: this.trustStorePassword = Util.loadPassword(trustStorePassword);
org/jboss/security/JBossJSSESecurityDomain.java: this.serviceAuthToken = Util.loadPassword(serviceAuthToken);
Created new topic #38715. Updated content specs. Changes will be visible in the next build.
Hi Nidhi, I found your new topic in the Security Guide here: http://docbuilder.usersys.redhat.com/22558/#Mechanism_to_Cache_Passwords_from_External_Source

I'm not sure it's ready for QA review. The first 2 sentences are not really complete sentences. For the first sentence, maybe this would be better?

The <literal>bindCredential</literal> module option allows for caching of passwords from external sources.

I'm not sure I understand this sentence:

Password stored as plain text for the bindDN, or loaded externally using EXT command

Are you saying this?

Passwords are stored as plain text for the <literal>bindDN</literal> option or are loaded externally using the <literal>EXT</literal> command.

I am adding the preview URL so Josef can review this also since I am not familiar with the topic. Preview URL for the new topic is here: http://docbuilder.usersys.redhat.com/22558/#Mechanism_to_Cache_Passwords_from_External_Source
I have restructured this topic to aid clarity. I further need to add sub-titles per sub-section. Topic: "bindCredential Module Option [38715]"
I have further restructured and reworded the content to improve on its clarity. When it is available on the docs-devel site I will move this ticket to ON_QA. Topic: bindCredential Module Option [38715]
The amended text is available in revision 6.3.0-29 (or later) of the Security Guide at [1]. As per comment 5 from Josef, this content has been moved out of a tabular format. I have done my best to explain the several methods available for the bindCredential module, including how to have passwords obtained from an external source cached. [1] http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Security_Guide/index.html#Mechanism_to_Cache_Passwords_from_External_Source
There are some minor issues, which should be fixed:

1) It is good that the long description was moved out of the table, but this module option needs to be kept in the LdapExtended table. I suggest putting a reference (link) to this new section into the table in the description of this module option, so that users can find the information easily.
2) In the first sentence: Add that bindCredential can also be used by several mapping modules.
3) In option "Use an external command": the {EXTC[:expiration_in_millis]} variant is supported only by the LdapExtended login module; this should be mentioned. Add that if "expiration_in_millis" is set to 0 it doesn't expire (same as the default).
4) Remove option "Use a specified class", because this is not supported in the configuration settings of EAP.
5) In Example 15.19. Obtain a password from an external file and cache it for 500 milliseconds: There should not be "[]" brackets. The example should look like this:

{EXTC:500}cat /mysecretpasswordfile
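To make the semantics discussed in this thread concrete, here is an added stand-alone model of the {EXT} / {EXTC[:expiration_in_millis]} credential prefixes. It is illustration only, not PicketBox's own Util.loadPassword, and it models just what the comments above state: {EXT}command runs the command every time the password is needed, {EXTC:500}command caches the result for 500 milliseconds, and {EXTC} or {EXTC:0} caches it without expiry. The PasswordLoader class, the parse_spec function, the choice to key the cache by command string, and the injectable runner and clock are assumptions made for this example.

```python
"""Model of PicketBox-style {EXT}/{EXTC[:ms]} password loading with caching.

Added example; not PicketBox's Util.loadPassword. The cache key (the command
string) and the injectable runner/clock are assumptions of this model.
"""
import re
import shlex
import subprocess
import time

# {EXT}cmd       -> run cmd on every load (no caching)
# {EXTC}cmd      -> run once and cache forever (expiry 0 = never expires)
# {EXTC:500}cmd  -> cache the result for 500 ms, then re-run cmd
_SPEC_RE = re.compile(
    r"^\{EXT(?:(?P<cached>C)(?::(?P<ms>\d+))?)?\}(?P<cmd>.+)$", re.DOTALL
)


def parse_spec(spec):
    """Split a bindCredential value into (mode, expiry_ms, command).

    mode is 'plain' (the value is the password itself), 'ext' or 'extc'.
    For 'plain', command holds the literal password and expiry_ms is None.
    A value that starts with '{EXT' but is malformed raises ValueError rather
    than being silently treated as a literal password.
    """
    m = _SPEC_RE.match(spec)
    if m is None:
        if spec.startswith("{EXT"):
            raise ValueError("malformed credential prefix: %r" % spec)
        return ("plain", None, spec)
    if m.group("cached") is None:
        return ("ext", None, m.group("cmd"))
    ms = int(m.group("ms")) if m.group("ms") is not None else 0
    return ("extc", ms, m.group("cmd"))


def _run_command(cmd):
    """Default loader: run cmd without a shell and take the first stdout line."""
    result = subprocess.run(
        shlex.split(cmd), capture_output=True, text=True, check=True
    )
    lines = result.stdout.splitlines()
    return lines[0] if lines else ""


class PasswordLoader:
    """Resolves bindCredential values, caching {EXTC} results per command."""

    def __init__(self, run=_run_command, clock=time.monotonic):
        self._run = run          # callable(cmd) -> password string
        self._clock = clock      # callable() -> seconds (monotonic)
        self._cache = {}         # command -> (password, loaded_at_seconds)

    def load(self, spec):
        mode, expiry_ms, cmd = parse_spec(spec)
        if mode == "plain":
            return cmd
        if mode == "ext":
            return self._run(cmd)
        # mode == "extc": serve from cache while the entry is still fresh
        now = self._clock()
        entry = self._cache.get(cmd)
        if entry is not None:
            password, loaded_at = entry
            if expiry_ms == 0 or (now - loaded_at) * 1000.0 < expiry_ms:
                return password
        password = self._run(cmd)
        self._cache[cmd] = (password, now)
        return password


if __name__ == "__main__":
    # Constructed demonstration: same shape as the thread's example, but with
    # a harmless echo in place of reading a real secret file.
    loader = PasswordLoader()
    print(loader.load("{EXTC:500}echo constructed-secret"))
```

Two points worth noting for anyone configuring this: the expiration only bounds how long a rotated secret stays stale in memory, and 0 (or no value) means the external command is never consulted again for the life of the process; and the command is split with shlex and run without a shell, so the configured string is not subject to shell interpretation.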
I have made all the changes requested in comment 11. When this guide is rebuilt I will put this ticket to ON_QA status.

Note to Docs: bindCredential Module Option [38715]

Note to QE: A visual diff of the changes made is available at [1]. Otherwise the details of the changes made are as follows:

* Added mention in the first paragraph that bindCredential can be used also by several mapping modules.
* Added note that the 'EXTC' variant is supported only by LdapExtended login module.
* Added mention that if the "expiration_in_millis" is set to 0 it doesn't expire.
* Removed option "Use a specified class".
* In example "Obtain a password from an external file and cache it for 500 milliseconds", removed the square brackets.

[1] http://virt-ecs-01.lab.eng.bne.redhat.com:8080/pressgang-ccms-ui-next/#TopicHistoryView;38715;680750;681306
LINK: http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Security_Guide/index.html#Mechanism_to_Cache_Passwords_from_External_Source
Verified in Revision 6.3.0-32