535360 – (RHQ-2064) enhanced security support for LDAP integration

Bug 535360 (RHQ-2064) - enhanced security support for LDAP integration

Summary: enhanced security support for LDAP integration

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	RHQ-2064
Product:	RHQ Project
Classification:	Other
Component:	Core Server
Sub Component:
Version:	1.2
Hardware:	All
OS:	All
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	John Mazzitelli
QA Contact:
Docs Contact:
URL:	http://jira.rhq-project.org/browse/RH...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-05-06 19:00 UTC by Joseph Marques
Modified:	2009-08-03 18:40 UTC (History)
CC List:	0 users
Fixed In Version:	1.3
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Joseph Marques 2009-05-06 19:00:00 UTC

Documentation states that "JON does not currently check server certificates for LDAP over SSL, nor can it provide client side certificates to the LDAP server."

This is correct.  To date, we do not support SSL cert auth for our LDAP integration, only username/password credentials. We currently extend LdapExtLoginModule but build up the initial context ourselves.  If we enabled users to override the context variable "java.naming.ldap.factory.socket", then they could their own more sophisticated mechanisms.  This is hard-coded to the untrusted socket factory today:

        // Setup SSL if requested
        String protocol = env.getProperty(Context.SECURITY_PROTOCOL);
        if ((protocol != null) && protocol.equals("ssl")) {
            env.put("java.naming.ldap.factory.socket", UntrustedSSLSocketFactory.class.getName());
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }

Comment 1 John Mazzitelli 2009-05-11 16:22:17 UTC

I checked this into LdapLoginModule:

        // Setup SSL if requested
        String protocol = env.getProperty(Context.SECURITY_PROTOCOL);
        if ((protocol != null) && protocol.equals("ssl")) {
            String ldapSocketFactory = env.getProperty("java.naming.ldap.factory.socket");
            if (ldapSocketFactory == null) {
                env.put("java.naming.ldap.factory.socket", UntrustedSSLSocketFactory.class.getName());
            }
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }

So if you set that env var in rhq-server.properties, and put your custom classes in a jar in the Jbossas lib directory, it "should" work. Need to test this. All we would be doing is delegating to the custom class implementation, its up to that impl to do the right thing.

svn rev 3931

Comment 2 Jeff Weiss 2009-07-21 13:20:20 UTC

needsReproSteps

Comment 3 John Mazzitelli 2009-07-27 16:02:04 UTC

I made this a "code change" issue, not "bug". This just added code that allows someone to customize the server to allow for secure LDAP access using certs (as opposed to user/pass creds).

Someone would have to write their own factory that does the cert handling, deploy its jar file in the server's lib directory, set "java.naming.ldap.factory.socket" to the class name of the new factory class and restart the server. I've never done this, it isn't officially supported due to all the customization that needs to happen, and its never been tested. However, its here now for someone who really needs this to try and use it. If we can confirm someone has used this and can give us the code and steps necessary to hook all this up, we can add it to the docs and perhaps put it in the QA task list. But for now, consider this a code change with nothing to test now.

Comment 4 Red Hat Bugzilla 2009-11-10 20:57:01 UTC

This bug was previously known as http://jira.rhq-project.org/browse/RHQ-2064
This bug relates to RHQ-243

Note You need to log in before you can comment on or make changes to this bug.