diff options
Diffstat (limited to 'qpid/cpp/src')
| -rw-r--r-- | qpid/cpp/src/qpid/broker/Broker.cpp | 3 | ||||
| -rw-r--r-- | qpid/cpp/src/qpid/broker/Broker.h | 1 | ||||
| -rw-r--r-- | qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp | 22 |
3 files changed, 24 insertions, 2 deletions
diff --git a/qpid/cpp/src/qpid/broker/Broker.cpp b/qpid/cpp/src/qpid/broker/Broker.cpp index 4917502fdf..e9b1db0413 100644 --- a/qpid/cpp/src/qpid/broker/Broker.cpp +++ b/qpid/cpp/src/qpid/broker/Broker.cpp @@ -85,6 +85,7 @@ Broker::Options::Options(const std::string& name) : #else auth(false), #endif + realm("QPID"), ack(0) { int c = sys::SystemInfo::concurrency(); @@ -110,6 +111,8 @@ Broker::Options::Options(const std::string& name) : "Management Publish Interval") ("auth", optValue(auth, "yes|no"), "Enable authentication, if disabled all incoming connections will be trusted") + ("realm", optValue(realm, "REALM"), + "Use the given realm when performing authentication") ("ack", optValue(ack, "N"), "Send session.ack/solicit-ack at least every N frames. 0 disables voluntary ack/solitict-ack"); } diff --git a/qpid/cpp/src/qpid/broker/Broker.h b/qpid/cpp/src/qpid/broker/Broker.h index 7297241763..e48f3dc23f 100644 --- a/qpid/cpp/src/qpid/broker/Broker.h +++ b/qpid/cpp/src/qpid/broker/Broker.h @@ -80,6 +80,7 @@ class Broker : public sys::Runnable, public Plugin::Target, bool enableMgmt; uint16_t mgmtPubInterval; bool auth; + std::string realm; uint32_t ack; }; diff --git a/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp b/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp index 56718502f1..d48b258ba2 100644 --- a/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp +++ b/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp @@ -109,8 +109,26 @@ CyrusAuthenticator::CyrusAuthenticator(Connection& c) : sasl_conn(0), connection void CyrusAuthenticator::init() { - int code = sasl_server_new(BROKER_SASL_NAME, - NULL, NULL, NULL, NULL, NULL, 0, + /* Next to the service name, which specifies the + * /etc/sasl2/<service name>.conf file to read, the realm is + * currently the most important argument below. When + * performing authentication the user that is authenticating + * will be looked up in a specific realm. If none is given + * then the realm defaults to the hostname, which can cause + * confusion when the daemon is run on different hosts that + * may be logically sharing a realm (aka a user domain). This + * is especially important for SASL PLAIN authentication, + * which cannot specify a realm for the user that is + * authenticating. + */ + const char *realm = connection.getBroker().getOptions().realm.c_str(); + int code = sasl_server_new(BROKER_SASL_NAME, /* Service name */ + NULL, /* Server FQDN, gethostname() */ + realm, /* Authentication realm */ + NULL, /* Local IP, needed for some mechanism */ + NULL, /* Remote IP, needed for some mechanism */ + NULL, /* Callbacks */ + 0, /* Connection flags */ &sasl_conn); if (SASL_OK != code) { |