activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From fredrick255 <fuzzyjo...@hotmail.com>
Subject Re: LDAPAuthoizationMap permissions
Date Wed, 27 Aug 2008 18:22:52 GMT

To fix this I made some changes in the LDAPLoginModule. The problem appears
to lie in the getRoles method. I based my changes on the code that finds the
topic and queue objects in the LDAPAuthorizationMAP and the code that finds
the user in LDAPLoginModule. Here is the diff:

@@ -49,6 +49,8 @@
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 
+import org.apache.activemq.jaas.GroupPrincipal;
+import org.apache.activemq.jaas.UserPrincipal;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -234,7 +236,7 @@
             // check the credentials by binding to server
             if (bindUser(context, dn, password)) {
                 // if authenticated add more roles
-                roles = getRoles(context, dn, username, roles);
+                roles = getRoles(context, dn, username,
roles,entryName.toString());
                 for (int i = 0; i < roles.size(); i++) {
                     groups.add(new GroupPrincipal(roles.get(i)));
                 }
@@ -253,7 +255,7 @@
         return true;
     }
 
-    protected ArrayList<String> getRoles(DirContext context, String dn,
String username, ArrayList<String> currentRoles) throws NamingException {
+    protected ArrayList<String> getRoles(DirContext context, String dn,
String username, ArrayList<String> currentRoles, String userObject) throws
NamingException {
         ArrayList<String> list = currentRoles;
         if (list == null) {
             list = new ArrayList<String>();
@@ -261,9 +263,12 @@
         if (roleName == null || "".equals(roleName)) {
             return list;
         }
+        /*
         String filter = roleSearchMatchingFormat.format(new String[] {
             doRFC2254Encoding(dn), username
         });
+        */
+        String filter = roleSearchMatchingFormat.format(null);
 
         SearchControls constraints = new SearchControls();
         if (roleSearchSubtreeBool) {
@@ -271,14 +276,29 @@
         } else {
             constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
         }
+        constraints.setReturningAttributes(new String[] {roleName});
+        
         NamingEnumeration results = context.search(roleBase, filter,
constraints);
         while (results.hasMore()) {
             SearchResult result = (SearchResult)results.next();
+            String currentRoleName = result.getName();
             Attributes attrs = result.getAttributes();
+            Attribute attr = attrs.get(roleName);
+            NamingEnumeration e = attr.getAll();
+            while (e.hasMore()) {
+                String value = (String)e.next();
+                if(value.equals(userObject))
+                {
+                	list.add(currentRoleName);
+                }
+            }
+            /*
             if (attrs == null) {
                 continue;
             }
+              
             list = addAttributeValues(roleName, attrs, list);
+            */
         }
         return list;
 


Here is the config I'm using:
LoginLdapConfiguration {
    org.acme.activemq.security.LDAPLoginModule required      <---- This is
just because I implemented the fix as a plugin
        debug=true
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL="ldap://127.0.0.1:10389"
        connectionUsername="cn=mqbroker,ou=Services,dc=example,dc=com"
        connectionPassword=password
        connectionProtocol=s
        authentication=simple
        userBase="ou=User,ou=ActiveMQ,ou=systems,dc=example,dc=com"
        userRoleName=test
        userSearchMatching="(uid={0})"
        userSearchSubtree=true
        roleBase="ou=Group,ou=ActiveMQ,ou=systems,dc=example,dc=com"
        roleName=member
        roleSearchMatching="(cn=*)"
        roleSearchSubtree=true
;
}; 





-- 
View this message in context: http://www.nabble.com/LDAPAuthoizationMap-permissions-tp18659415p19186803.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.


Mime
View raw message