Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-7118

LegacyLDAPSecuritySettingPlugin allows new user to access new destinations if a default wildcard address '$' exists in LDAP

XMLWordPrintable

    • False
    • None
    • False
    • Hide

      add the following entries to LDAP server:

      dn: cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com
      objectClass: top
      objectClass: applicationProcess
      cn: $
      
      dn: cn=admin,cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: admin
      uniqueMember: cn=some_role,ou=roles,dc=example,dc=com
      
      dn: cn=write,cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: write
      uniqueMember: cn=some_role,ou=roles,dc=example,dc=com 
      
      dn: cn=read,cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: read
      uniqueMember: cn=some_role,ou=roles,dc=example,dc=com
      

      Note, the new user does not belong to the "some_role". And the rest of testing steps can be the same as the JIRA ENTMQBR-3719.

      Show
      add the following entries to LDAP server: dn: cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com objectClass: top objectClass: applicationProcess cn: $ dn: cn=admin,cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: admin uniqueMember: cn=some_role,ou=roles,dc=example,dc=com dn: cn=write,cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: write uniqueMember: cn=some_role,ou=roles,dc=example,dc=com dn: cn=read,cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: read uniqueMember: cn=some_role,ou=roles,dc=example,dc=com Note, the new user does not belong to the "some_role". And the rest of testing steps can be the same as the JIRA ENTMQBR-3719 .

      The Jira ENTMQBR-3719 fixed an issue that when a new user was added to LDAP server it allows the new user to create and access new destinations. 

      However, it is not fully fixed. In a case when a default wildcard destination such as: 

      dn: cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com
      objectClass: top
      objectClass: applicationProcess
      cn: $
      

      exists in the LDAP server, a newly created user would be able to create and access any new destination and such behaviour will only be rectified after broker is restarted.

        1. broker.xml
          12 kB
          Joe Luo
        2. test.ldif
          8 kB
          Joe Luo
        3. user5.ldif
          1 kB
          Joe Luo

              rhn-support-jbertram Justin Bertram
              rhn-support-qluo Joe Luo
              Roman Vais Roman Vais (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: