activemq-users mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: SSL authorisation using a client's subject DN for JNDI
Date Thu, 12 Mar 2009 17:55:29 GMT

On Mar 12, 2009, at 5:49 AM, huntc wrote:

>
>
> huntc wrote:
>>
>> You're right in that activemq still has to bind itself to perform a search
>> to see which groups an endpoint's dn belongs to. I did forget about that.
>>
>>
> Perhaps this bind could be achieved using a mechanism such as SASL/ 
> GSSAPI?
>>
>
> After lots of reading, and experimenting, perhaps the way for AMQ to
> determine the roles is via anonymous LDAP access.
>
> What I've done is specified a hierarchy like:
>
>
> ou=system
>  ou=groups
>    ou=activemq
>      cn=activemq-users
>      cn=com.classactionpl.javaFlightTopic.subscribers
>      cn=jms-services
>
>
> I've then enabled anonymous access and enabled access control. By default
> (at least with ApacheDS) no one can do a thing; you have to explicitly
> enable who can see what. What I have done is allowed anonymous access to
> browse and read everything below "ou=activemq,ou=groups,ou=system" only. I
> have used an ACI under "ou=activemq,ou=groups,ou=system":
>
>
> {
>    identificationTag "allUsersBrowseACISubentry",
>    precedence 0,
>    authenticationLevel none,
>    itemOrUserFirst userFirst:
>    {
>        userClasses { allUsers },
>        userPermissions
>        {
>            {
>                precedence 0,
>                protectedItems { allUserAttributeTypes, entry },
>                grantsAndDenials { grantBrowse, grantRead }
>            }
>        }
>    }
> }
>
>
> Now AMQ can potentially connect anonymously and determine the groups that a
> uid belongs to. The following ldapsearch command demonstrates how to search
> for the groups user "camel" belongs to:
>
>
> ldapsearch -x -H ldap://localhost:10389 -s one -b "ou=activemq,ou=groups,ou=system" "(member=uid=camel,ou=users,ou=system)" cn member
>
>
> My login plugin can therefore rely upon SSL for authentication. Upon
> successful authentication the subject DN of the client's certificate can be
> anonymously looked up via LDAP to determine the roles (groups) for
> authorisation.
>
> Am I barking mad or does this appear to be a secure solution? Remember that
> nothing but mutual SSL authentication with AMQ will be permitted.

I'm actually not an ldap expert :-)

This looks to me like it will work but I don't understand why it would be more secure than having an activemq ldap user password on disk somewhere.

IIUC you have:

roles exposed to anyone who can get to your ldap
secret activemq cert on disk
secret cert for each client on disk

I think this would be more secure:

create activemq user who can only read the roles info from ldap and disable anonymous access
put that user/pw info on disk accessible to activemq server
use ssl certs as now for client auth

Once you've done this however it looks like there is the same number of places you'd have secure info on disk as with the plain user/pw + ldap solution, although the info would be certs rather than passwords.

thanks
david jencks

>
>
> Kind regards,
> Christopher
> -- 
> View this message in context: http://www.nabble.com/SSL-authorisation-using-a-client%27s-subject-DN-for-JNDI-tp22470806p22475654.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
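The group lookup the quoted message describes (a `(member=<DN>)` search one level under the ActiveMQ groups OU), as an added example that is not code from the thread or from ActiveMQ: it builds the filter with RFC 4515 escaping, because a certificate subject DN is data the issuing CA controls and must not be spliced into a filter verbatim, and it extracts role names from search results. The `Entry` shape and the sample result are constructed for this example, and DN comparison is simplified to case folding (an assumption, not full DN normalisation).

```python
# Added example (not from the thread): map a mutual-TLS client's subject DN to
# ActiveMQ roles via the LDAP group entries listing that DN as a member.
from typing import Dict, List, Set, Tuple

GROUPS_BASE = "ou=activemq,ou=groups,ou=system"  # search base from the quoted message

# RFC 4515 escaping for a value placed inside an LDAP filter assertion.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(subject_dn: str) -> str:
    """Filter equivalent to the thread's ldapsearch: groups listing subject_dn as member."""
    return f"(member={escape_filter_value(subject_dn)})"


# (entry DN, attributes) as an LDAP client would return them; constructed shape.
Entry = Tuple[str, Dict[str, List[str]]]


def roles_from_entries(entries: List[Entry], subject_dn: str) -> Set[str]:
    """Return the cn of every group whose member attribute contains subject_dn.

    The server already applied the filter; membership is re-checked client-side as
    defence in depth, so only an exact member value (not a loose match) grants a role."""
    wanted = subject_dn.casefold()  # assumption: case-insensitive compare, no RFC 4517 normalisation
    roles: Set[str] = set()
    for _dn, attrs in entries:
        members = [m.casefold() for m in attrs.get("member", [])]
        if wanted in members:
            roles.update(attrs.get("cn", []))
    return roles


# Constructed sample result mirroring the hierarchy in the quoted message.
SAMPLE_ENTRIES: List[Entry] = [
    ("cn=activemq-users," + GROUPS_BASE,
     {"cn": ["activemq-users"],
      "member": ["uid=camel,ou=users,ou=system", "uid=other,ou=users,ou=system"]}),
    ("cn=com.classactionpl.javaFlightTopic.subscribers," + GROUPS_BASE,
     {"cn": ["com.classactionpl.javaFlightTopic.subscribers"],
      "member": ["uid=camel,ou=users,ou=system"]}),
    ("cn=jms-services," + GROUPS_BASE,
     {"cn": ["jms-services"], "member": ["uid=other,ou=users,ou=system"]}),
]

if __name__ == "__main__":
    client_dn = "uid=camel,ou=users,ou=system"
    print(build_group_filter(client_dn))
    print(sorted(roles_from_entries(SAMPLE_ENTRIES, client_dn)))
```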

