Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-3370

LegacyLDAPSecuritySettingPlugin ignore group changes

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • AMQ 7.7.0.CR2
    • AMQ 7.5.0.GA
    • security
    • None
    • +
    • Hide
      Previously, if you made an update on an LDAP server, the `LegacyLDAPSecuritySettingPlugin` security settings plugin configured on the broker might not immediately detect the change. For example, if you added a new user to an existing group on the LDAP server, the plugin did not immediately authorize the new user with the same broker permissions as existing users in the same group. Instead, for a change such as this to take effect, you needed to restart the broker. This issue is now resolved.
      Show
      Previously, if you made an update on an LDAP server, the `LegacyLDAPSecuritySettingPlugin` security settings plugin configured on the broker might not immediately detect the change. For example, if you added a new user to an existing group on the LDAP server, the plugin did not immediately authorize the new user with the same broker permissions as existing users in the same group. Instead, for a change such as this to take effect, you needed to restart the broker. This issue is now resolved.
    • Documented as Resolved Issue
    • Hide
      1. Create a server in Apache DS Studio
      2. Create partition dc=cloud,dc=smals,dc=be
      3. Start the server and import the ldap-export.ldif under the partition
      4. Create a broker using the broker.xml and login.config
      5. Test user3 access 
        sh bin/artemis queue stat --queueName project1.testldap --password user3  --user user3
      6. Import team4.ldif under the partition, with Update existing entries checked
      7. Test user4 access that will fail with the message AMQ229213: User: user4 does not have permission='CREATE_NON_DURABLE_QUEUE' 
        sh bin/artemis queue stat --queueName project1.testldap --password user4  --user user4
      8. restart the broker
      9. Test user4 access that now will works.
      Show
      Create a server in Apache DS Studio Create partition dc=cloud,dc=smals,dc=be Start the server and import the ldap-export.ldif under the partition Create a broker using the broker.xml and login.config Test user3 access sh bin/artemis queue stat --queueName project1.testldap --password user3 --user user3 Import team4.ldif under the partition, with Update existing entries checked Test user4 access that will fail with the message AMQ229213: User: user4 does not have permission='CREATE_NON_DURABLE_QUEUE' sh bin/artemis queue stat --queueName project1.testldap --password user4 --user user4 restart the broker Test user4 access that now will works.

      The option enableListener is true by default so is expected that LegacyLDAPSecuritySettingPlugin automatically receive updates made in the LDAP server.
      However, a new user within a new group is correctly authenticated but not authorized until the broker has been restart.

        1. broker.xml
          12 kB
        2. ldap-export.ldif
          35 kB
        3. login.config
          2 kB
        4. team4.ldif
          2 kB

              rhn-support-jbertram Justin Bertram
              rhn-support-agagliar Antonio Gagliardi
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: