2023-01-14

LDAP bind authentication with Jetty

I am trying to secure Confluent Control Center 7.2.2 with the Jetty LdapLoginModule. I have the following JAAS configuration working.

c3 {
  org.eclipse.jetty.jaas.spi.LdapLoginModule required
  useLdaps="true"
  contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
  hostname="ldaps.xxxx.xxxxx"
  port="xxx"
  bindDn=<user principal name>
  bindPassword=<user password>
  authenticationMethod="simple"
  forceBindingLogin="true"
  userBaseDn="DC=xxxx,DC=xxxx,DC=xxx,DC=xx"
  userRdnAttribute="userPrincipalName"
  userIdAttribute="userPrincipalName"
  userObjectClass="user"
  roleBaseDn="OU=xxxxxx,OU=xxx,OU=xxxxx,DC=xxxx,DC=xxxx,DC=xxx,DC=xx"
  roleNameAttribute="cn"
  roleMemberAttribute="member"
  roleObjectClass="group";
};

I would like to avoid passing a bindDn and bindPassword and use the authenticating user credentials to bind instead. My understanding is that forceBindingLogin set to true should make that possible.

forceBindingLogin: Indicate whether to bind as the user that is authenticating (true), otherwise bind as the manager and perform a search to verify user password (false).

Although when I remove bindDn and bindPassword from my config I get the following error:

LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090A71, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839

It looks like bindDn is still used when forceBindingLogin is set to true.
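The two bind strategies that the quoted forceBindingLogin description contrasts, written out as an added JNDI example. This is not code from the post or from Jetty's LdapLoginModule; the host, base DN and environment variable names are placeholders. The point it makes explicit is that even the bind-as-user path first has to resolve the login name to a DN, and that lookup is a directory search. Active Directory refuses searches on an anonymous connection with exactly the "successful bind must be completed on the connection" (000004DC) response quoted above, so some pre-bound connection is needed for the lookup even when the password itself is verified by binding as the user.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapBindDemo {
    // Placeholder connection settings (assumed; substitute your own directory).
    static final String PROVIDER_URL = "ldaps://ldap.example.invalid:636";
    static final String USER_BASE_DN = "DC=example,DC=invalid";

    /** Open a connection. A null principal yields an anonymous (unbound) connection. */
    static DirContext connect(String principal, char[] password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        if (principal == null) {
            env.put(Context.SECURITY_AUTHENTICATION, "none");   // anonymous
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, new String(password));
        }
        return new InitialDirContext(env);
    }

    /** Escape a value for use inside an LDAP search filter (RFC 4515), so a login
     *  name such as "*" or "a)(objectClass=*" cannot widen the query. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Resolve a login name to exactly one DN. This search is the step that needs a
     *  connection the directory allows to search; Active Directory rejects it when
     *  the connection is anonymous. */
    static String findUserDn(DirContext searchCtx, String loginName) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[0]);   // only the DN is needed
        String filter = "(&(objectClass=user)(userPrincipalName="
                + escapeFilterValue(loginName) + "))";
        NamingEnumeration<SearchResult> results = searchCtx.search(USER_BASE_DN, filter, controls);
        try {
            if (!results.hasMore()) return null;                 // unknown user
            String dn = results.next().getNameInNamespace();
            return results.hasMore() ? null : dn;                 // refuse ambiguous matches
        } finally {
            results.close();
        }
    }

    /** Bind-as-user authentication (the forceBindingLogin=true strategy): the directory
     *  verifies the password; the application never reads or compares a stored hash. */
    static boolean authenticateByBinding(DirContext searchCtx, String loginName, char[] password)
            throws NamingException {
        // RFC 4513: a bind with a DN and an empty password is an *unauthenticated* bind
        // that many servers accept. Reject it before it reaches the directory.
        if (password == null || password.length == 0) return false;
        String userDn = findUserDn(searchCtx, loginName);
        if (userDn == null) return false;
        try {
            connect(userDn, password).close();                    // bind succeeded
            return true;
        } catch (AuthenticationException wrongCredentials) {      // LDAP result 49
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        // Service account used only for the lookup (the bindDn/bindPassword role in the
        // JAAS config). Leave LDAP_SERVICE_DN unset to see how the directory treats an
        // anonymous search.
        String serviceDn = System.getenv("LDAP_SERVICE_DN");
        String servicePw = System.getenv("LDAP_SERVICE_PASSWORD");
        DirContext searchCtx = connect(serviceDn,
                servicePw == null ? new char[0] : servicePw.toCharArray());
        try {
            char[] userPw = System.console().readPassword("Password for %s: ", args[0]);
            System.out.println(authenticateByBinding(searchCtx, args[0], userPw)
                    ? "authenticated" : "rejected");
        } finally {
            searchCtx.close();
        }
    }
}
```

The service account here only needs permission to read user entries under userBaseDn (and the group entries under roleBaseDn if roles are looked up the same way); it never verifies anyone's password, so it can be a low-privilege, read-only account rather than an administrator.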

I noticed that in the Confluent documentation, the bindDn config went from optional to required between 6.1.9 and 6.2.0. There is no mention of the reason in the release notes.


