Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-7118

LegacyLDAPSecuritySettingPlugin allows new user to access new destinations if a default wildcard address '$' exists in LDAP

    XMLWordPrintable

Details

    • False
    • None
    • False
    • Hide

      add the following entries to LDAP server:

      dn: cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com
objectClass: top
objectClass: applicationProcess
cn: $

dn: cn=admin,cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: admin
uniqueMember: cn=some_role,ou=roles,dc=example,dc=com

dn: cn=write,cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: write
uniqueMember: cn=some_role,ou=roles,dc=example,dc=com 

dn: cn=read,cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: read
uniqueMember: cn=some_role,ou=roles,dc=example,dc=com

      Note, the new user does not belong to the "some_role". And the rest of testing steps can be the same as the JIRA ENTMQBR-3719.

      Show
      add the following entries to LDAP server: dn: cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com objectClass: top objectClass: applicationProcess cn: $ dn: cn=admin,cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: admin uniqueMember: cn=some_role,ou=roles,dc=example,dc=com dn: cn=write,cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: write uniqueMember: cn=some_role,ou=roles,dc=example,dc=com dn: cn=read,cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: read uniqueMember: cn=some_role,ou=roles,dc=example,dc=com Note, the new user does not belong to the "some_role". And the rest of testing steps can be the same as the JIRA ENTMQBR-3719 .

    Description

      The Jira ENTMQBR-3719 fixed an issue that when a new user was added to LDAP server it allows the new user to create and access new destinations. 

      However, it is not fully fixed. In a case when a default wildcard destination such as: 

      dn: cn=$,ou=queues,ou=destinations,ou=ActiveMQ,dc=example,dc=com
objectClass: top
objectClass: applicationProcess
cn: $

      exists in the LDAP server, a newly created user would be able to create and access any new destination and such behaviour will only be rectified after broker is restarted.

      Attachments

        3. broker.xml
          12 kB
          Joe Luo
        4. test.ldif
          8 kB
          Joe Luo
        5. user5.ldif
          1 kB
          Joe Luo

        Issue Links

          is related to

          Bug - A problem that impairs or prevents the functions of the product. ENTMQBR-3719 LegacyLDAPSecuritySettingPlugin allows new user to access any newly created destinations

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. ENTMQBR-8456 The fix of ENTMQBR-7118 does not work with Microsoft Active Directory specifically

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              rhn-support-jbertram Justin Bertram
              rhn-support-qluo Joe Luo
              Roman Vais Roman Vais
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: