authorRobert Godfrey <rgodfrey@apache.org>2014-07-21 18:44:22 +0000
committerRobert Godfrey <rgodfrey@apache.org>2014-07-21 18:44:22 +0000
commita48dc09434db43d6ec044214f8d41197d885d30b (patch)
tree0da3d8c4fefbcba484dd6b6cb29506a00202d386 /qpid/java
parent3b20694f15df10765bf68090fc97727267475348 (diff)
QPID-5768 : Allow authenticated LDAP search
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1612381 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java')
-rw-r--r--qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java6
-rw-r--r--qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java37
2 files changed, 41 insertions, 2 deletions
diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
index ec735ad4e8..4e285df384 100644
--- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
+++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManager.java
@@ -51,4 +51,10 @@ public interface SimpleLDAPAuthenticationManager<X extends SimpleLDAPAuthenticat
@ManagedAttribute( description = "Trust store name")
TrustStore getTrustStore();
+
+ @ManagedAttribute( description = "(Optional) username for authenticated search")
+ String getSearchUsername();
+
+ @ManagedAttribute( description = "(Optional) password for authenticated search", secure = true)
+ String getSearchPassword();
}
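Review bot: The description `"(Optional) username for authenticated search"` on `getSearchUsername()` does not say what form the value must take. In the implementation file it is passed unchanged as `Context.SECURITY_PRINCIPAL` for a "simple" bind, where LDAP servers typically expect a bind DN rather than a short login name. Suggest wording such as `"(Optional) bind DN used for authenticated search"`, plus a Javadoc line on `getSearchPassword()` stating that the password is only used when the search username is set. The interface body starts outside this hunk.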
diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
index a0b2032dac..94c297d8db 100644
--- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
+++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
@@ -93,6 +93,11 @@ public class SimpleLDAPAuthenticationManagerImpl extends AbstractAuthenticationM
@ManagedAttributeField
private boolean _bindWithoutSearch;
+ @ManagedAttributeField
+ private String _searchUsername;
+ @ManagedAttributeField
+ private String _searchPassword;
+
/**
* Dynamically created SSL Socket Factory implementation used in the case where user has specified a trust store.
*/
@@ -149,6 +154,18 @@ public class SimpleLDAPAuthenticationManagerImpl extends AbstractAuthenticationM
return _trustStore;
}
+ @Override
+ public String getSearchUsername()
+ {
+ return _searchUsername;
+ }
+
+ @Override
+ public String getSearchPassword()
+ {
+ return _searchPassword;
+ }
+
@Override
public String getMechanisms()
@@ -344,7 +361,8 @@ public class SimpleLDAPAuthenticationManagerImpl extends AbstractAuthenticationM
private void validateInitialDirContext()
{
Hashtable<String,Object> env = createInitialDirContextEnvironment(_providerUrl);
- env.put(Context.SECURITY_AUTHENTICATION, "none");
+
+ setupSearchContext(env);
InitialDirContext ctx = null;
try
@@ -361,6 +379,20 @@ public class SimpleLDAPAuthenticationManagerImpl extends AbstractAuthenticationM
}
}
+ private void setupSearchContext(final Hashtable<String, Object> env)
+ {
+ if(_searchUsername != null && _searchUsername.trim().length()>0)
+ {
+ env.put(Context.SECURITY_AUTHENTICATION, "simple");
+ env.put(Context.SECURITY_PRINCIPAL, _searchUsername);
+ env.put(Context.SECURITY_CREDENTIALS, _searchPassword);
+ }
+ else
+ {
+ env.put(Context.SECURITY_AUTHENTICATION, "none");
+ }
+ }
+
private class SimpleLDAPPlainCallbackHandler implements CallbackHandler
{
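Review bot: In `setupSearchContext`, a configured `_searchUsername` with a null `_searchPassword` reaches `env.put(Context.SECURITY_CREDENTIALS, _searchPassword)`, and `Hashtable.put` throws NullPointerException on a null value. An empty password is the quieter failure: many LDAP servers treat a simple bind with a DN and a zero-length password as an unauthenticated bind (RFC 4513 section 5.1.2), so the search could run without the intended identity. Guard the branch with `if (_searchPassword == null || _searchPassword.isEmpty())` and fail configuration validation with a clear message; this affects both callers, `validateInitialDirContext()` and the later search path. The condition also trims `_searchUsername`, but the untrimmed value is what is stored as `Context.SECURITY_PRINCIPAL`. Since "simple" sends the password without protection of its own, a comment that this path expects an `ldaps://` provider URL would help; whether `_providerUrl` is checked for that is not visible in this diff.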
@@ -418,7 +450,8 @@ public class SimpleLDAPAuthenticationManagerImpl extends AbstractAuthenticationM
{
Hashtable<String, Object> env = createInitialDirContextEnvironment(_providerUrl);
- env.put(Context.SECURITY_AUTHENTICATION, "none");
+ setupSearchContext(env);
+
InitialDirContext ctx = createInitialDirContext(env);
try