activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From huntc <>
Subject Re: SSL authorisation using a client's subject DN for JNDI
Date Thu, 12 Mar 2009 12:49:21 GMT

huntc wrote:
> You're right in that activemq still has to bind itself to perform a search
> to see which groups an endpoint's dn belongs to. I did forget about that.
Perhaps this bind could be achieved using a mechanism such as SASL/GSSAPI?

After lots of reading, and experimenting, perhaps the way for AMQ to
determine the roles is via anonymous LDAP access.

What I've done is specified a hierarchy like:


I've then enabled anonymous access and enabled access control. By default
(at least with ApacheDS) no one can do a thing; you have to explicitly
enable who can see what. What I have done is allowed anonymous access to
browse and read everything below "ou=activemq,ou=groups,ou=system" only. I
have used an ACI under "ou=activemq,ou=groups,ou=system":

    identificationTag "allUsersBrowseACISubentry",
    precedence 0,
    authenticationLevel none,
    itemOrUserFirst userFirst: 
        userClasses { allUsers },
                precedence 0,
                protectedItems { allUserAttributeTypes, entry },
                grantsAndDenials { grantBrowse, grantRead } 

Now AMQ can potentially connect anonymously and determine the groups that a
uid belongs to. The following ldapsearch command demonstrates how to search
for the groups user "camel" belongs to:

ldapsearch -x -H ldap://localhost:10389 -s one -b
"ou=activemq,ou=groups,ou=system" "(member=uid=camel,ou=users,ou=system)" cn

My login plugin can therefore rely upon SSL for authentication. Upon
successful authentication the subject DN of the client's certificate can be
anonymously looked up via LDAP to determine the roles (groups) for

Am I barking mad or does this appear to be a secure solution? Remember that
nothing but mutual SSL authentication with AMQ will be permitted.

Kind regards,
View this message in context:
Sent from the ActiveMQ - User mailing list archive at

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message