activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From huntc <>
Subject Re: SSL authorisation using a client's subject DN for JNDI
Date Thu, 12 Mar 2009 10:13:27 GMT

Hi David,

My responses:

djencks wrote:
> ??? I'm not familiar with the activemq stuff but the ldap login  
> modules I've seen work by binding to ldap using the client's supplied  
> user name and password.  If it works, then the user name/password is  
> valid and you can go on to look for groups/roles/whatever, otherwise  
> the username/password is not valid.  So, activemq does not need a  
> "system identity" known to ldap for this to work.

This does not appear to be so with the
org.apache.activemq.jaas.LDAPLoginModule. What happens is the following
happy path according to Wireshark:

1. bind as activemq user
2. search for endpoint user
3. bind as endpoint user
4. get the base object for the endpoint user (not sure why...)
5. bind as activemq user
6. search for groups that the endpoint user belongs to

djencks wrote:
> In ldap I think the usual strategy is to hash the stored passwords and  
> also hash the incoming supplied passwords.  Thus, no passwords in the  
> clear.
Yes indeed - over the wire - my issue is with passwords being stored on

djencks wrote:
> With this strategy I think you need to authenticate activemq to the  
> ldap system??  or can you use the client cert to authenticate the  
> original client?  In either case it doesn't really seem different to  
> me than the username/password case except your description appears to  
> require an identity known to ldap for activemq.  Unless you require  
> the admin to type in the credentials when starting activemq, I don't  
> see how you're going to avoid storing the credentials in the clear on  
> disk.

You're right in that activemq still has to bind itself to perform a search
to see which groups an endpoint's dn belongs to. I did forget about that.

Perhaps this bind could be achieved using a mechanism such as SASL/GSSAPI?

djencks wrote:
> Maybe I'm misunderstanding what you are proposing....

I appreciate your response.

Kind regards,

View this message in context:
Sent from the ActiveMQ - User mailing list archive at

View raw message