activemq-users mailing list archives

From rbramley <apa...@rbramley.com>
Subject Re: Adding users on the fly ACTIVEMQ
Date Wed, 30 Apr 2008 14:53:55 GMT


greenapple wrote:
> 
> Say a new application yyy requested to use JMS. 
> 
> My job as a JMS admin is to create the queues needed (on the fly), add
> users and groups (on the fly) and grant permissions to certain users and
> groups to read/write/both/etc (also on the fly).
> 
> By on the fly, I mean: without having to restart ActiveMQ. TIBCO EMS for
> example had some user interface to do this.
> 

I'm in the middle of an ActiveMQ 5.1 rollout using LDAP configuration for
this very reason 
(I will be contributing some patches so apologies if the following
instructions won't work out of the box)... 

There are several components required for an LDAP solution:
1. An LDAP server (there are several Open Source options - we're using
OpenLDAP)
2. An LDAP GUI client - you don't want to be editing/importing LDIF files
all the time or mucking about with the command line - we've got
phpldapadmin.

Once these are installed you need to perform a base set-up on LDAP:
1. Create the structure for ActiveMQ in your LDAP server (sample LDIF file
attached)
2. Create a 'bind user' for ActiveMQ to logon to the LDAP server (included
in LDIF)

To configure ActiveMQ (assuming you don't need networked brokers):
1. Configure the JAAS LDAPLoginModule and the LDAPAuthorizationMap in
activemq.xml:
    <plugins>
      <!-- use JAAS to authenticate, using the login.config file on the classpath to configure JAAS -->
      <jaasAuthenticationPlugin configuration="LdapConfiguration" />
      <!-- configure a destination-based role/group authorization mechanism -->
      <authorizationPlugin>
        <map>
          <bean xmlns="http://www.springframework.org/schema/beans"
                id="lDAPAuthorizationMap"
                class="org.apache.activemq.security.LDAPAuthorizationMap">
            <property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <property name="connectionURL" value="ldap://ldap.acme.com:389"/>
            <property name="authentication" value="simple"/>
            <property name="connectionUsername" value="cn=mqbroker,ou=Services,dc=acme,dc=com"/>
            <property name="connectionPassword" value="password"/>
            <property name="connectionProtocol" value="s"/>
            <property name="topicSearchMatching"
                      value="cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=com"/>
            <property name="topicSearchSubtreeBool" value="true"/>
            <property name="queueSearchMatching"
                      value="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=com"/>
            <property name="queueSearchSubtreeBool" value="true"/>
            <property name="adminBase" value="(cn=admin)"/>
            <property name="adminAttribute" value="member"/>
            <property name="adminAttributePrefix" value="cn="/>
            <property name="readBase" value="(cn=read)"/>
            <property name="readAttribute" value="member"/>
            <property name="readAttributePrefix" value="cn="/>
            <property name="writeBase" value="(cn=write)"/>
            <property name="writeAttribute" value="member"/>
            <property name="writeAttributePrefix" value="cn="/>
          </bean>
        </map>
      </authorizationPlugin>
    </plugins>

2. Configure the JAAS login.config (I haven't de-duplicated the config yet):

LdapConfiguration {
   org.apache.activemq.jaas.LDAPLoginModule required
       debug=true
       initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
       connectionURL="ldap://ldap.acme.com:389"
       connectionUsername="cn=mqbroker,ou=Services,dc=acme,dc=com"
       connectionPassword=password
       connectionProtocol=s
       authentication=simple
       userBase="ou=User,ou=ActiveMQ,ou=systems,dc=acme,dc=com"
       userRoleName=dummyUserRoleName
       userSearchMatching="(uid={0})"
       userSearchSubtree=false
       roleBase="ou=Group,ou=ActiveMQ,ou=systems,dc=acme,dc=com"
       roleName=cn
       roleSearchMatching="(member:=uid={1})"
       roleSearchSubtree=true
       ;
};

3. Fire it up...

You can then perform your runtime tasks using the LDAP admin tool.

Hope this helps,

Robin
http://www.nabble.com/file/p16984528/sample.ldif sample.ldif 
-- 
View this message in context: http://www.nabble.com/Adding-users-on-the-fly-ACTIVEMQ-tp16825211s2354p16984528.html
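An added offline model of how the LDAP layout in Robin's message is consulted by the two components he configures; this is example code written for this page, not code from the post or from ActiveMQ, and it stands in for the sample.ldif attachment, whose contents are not on the page. It embeds a small constructed LDIF (the entries alice, bob, yyy-producers, yyy-consumers, mqadmins and the queue yyy.request are assumptions) and reproduces the two lookups: the LDAPLoginModule's role search under roleBase, and the LDAPAuthorizationMap's per-destination search for the cn=admin, cn=read and cn=write entries beneath cn=<queue>,ou=Queue,... with the "cn=" prefix stripped from the member values. The model matches a group's member values against the user's full DN (the {0} placeholder) rather than the post's bare `uid={1}` form, which is how a groupOfNames entry normally stores members; adjust it if your groups are populated differently. Two points a practitioner should settle before step 3: both activemq.xml and login.config carry the bind password in clear text, and with connectionURL on plain ldap:// and simple authentication the broker's bind password and every connecting user's password cross the network unencrypted unless the server is reached over ldaps:// or StartTLS; and this model denies a queue that has no LDAP entry (fail closed), so confirm on the broker itself how a destination with no entry is treated before relying on that behaviour.

```python
BASE = "ou=ActiveMQ,ou=systems,dc=acme,dc=com"
USER_BASE = "ou=User," + BASE                    # userBase in login.config
ROLE_BASE = "ou=Group," + BASE                   # roleBase in login.config
QUEUE_BASE = "ou=Queue,ou=Destination," + BASE   # base of queueSearchMatching

# Constructed stand-in for the sample.ldif attachment; all entry names are assumptions.
SAMPLE_LDIF = f"""
dn: uid=alice,{USER_BASE}
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,{USER_BASE}
objectClass: inetOrgPerson
uid: bob

dn: cn=yyy-producers,{ROLE_BASE}
objectClass: groupOfNames
cn: yyy-producers
member: uid=alice,{USER_BASE}

dn: cn=yyy-consumers,{ROLE_BASE}
objectClass: groupOfNames
cn: yyy-consumers
member: uid=bob,{USER_BASE}

dn: cn=mqadmins,{ROLE_BASE}
objectClass: groupOfNames
cn: mqadmins
member: uid=alice,{USER_BASE}

dn: cn=yyy.request,{QUEUE_BASE}
objectClass: organizationalRole
cn: yyy.request

dn: cn=admin,cn=yyy.request,{QUEUE_BASE}
objectClass: groupOfNames
cn: admin
member: cn=mqadmins,{ROLE_BASE}

dn: cn=read,cn=yyy.request,{QUEUE_BASE}
objectClass: groupOfNames
cn: read
member: cn=yyy-consumers,{ROLE_BASE}

dn: cn=write,cn=yyy.request,{QUEUE_BASE}
objectClass: groupOfNames
cn: write
member: cn=yyy-producers,{ROLE_BASE}
"""


def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr (lowercased): [values]}}.
    Handles comments and folded lines; no base64 (::) values or change records."""
    directory, entry, last = {}, None, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last is not None:   # folded continuation line
            entry[last][-1] += line[1:]
        elif not line.strip():                            # blank line ends an entry
            if entry is not None:
                directory[entry["dn"][0]] = entry
            entry, last = None, None
        else:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            entry = entry if entry is not None else {}
            entry.setdefault(last, []).append(value.strip())
    return directory


def _in_subtree(dn, base):
    """Subtree scope: the base entry itself or anything beneath it."""
    return dn == base or dn.endswith("," + base)


def user_roles(directory, username):
    """LDAPLoginModule role search (after the user search and bind succeeded):
    entries under roleBase whose member attribute holds the user's DN; roleName=cn."""
    user_dn = f"uid={username},{USER_BASE}"
    return {cn for dn, e in directory.items()
            if _in_subtree(dn, ROLE_BASE) and user_dn in e.get("member", [])
            for cn in e.get("cn", [])}


def destination_roles(directory, queue, op):
    """LDAPAuthorizationMap lookup: from cn=<queue>,<QUEUE_BASE> search the subtree
    for (cn=<op>), read 'member' and strip the 'cn=' prefix to get role names."""
    dest_dn = f"cn={queue},{QUEUE_BASE}"
    return {m[len("cn="):].split(",", 1)[0]
            for dn, e in directory.items()
            if _in_subtree(dn, dest_dn) and op in e.get("cn", [])
            for m in e.get("member", []) if m.startswith("cn=")}


def authorized(directory, username, queue, op):
    """Allowed when one of the user's roles appears in the destination's ACL for op.
    Unknown users and queues without an LDAP entry are denied here (fail closed)."""
    return bool(user_roles(directory, username) & destination_roles(directory, queue, op))


DIRECTORY = parse_ldif(SAMPLE_LDIF)
```

Adding a user, a group or a queue is then a matter of adding the corresponding LDIF entry through the admin tool: no broker restart, which is the point of the thread. Run `authorized(DIRECTORY, "alice", "yyy.request", "write")` to see the producer path and `authorized(DIRECTORY, "bob", "yyy.request", "write")` for the denial.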