activemq-users mailing list archives

From Matt Pavlovich <>
Subject Re: LDAPAuthorizationMap and Active Directory
Date Thu, 02 Feb 2012 21:37:54 GMT

This is one of the major flaws in LDAP.  There are a number of 
conventions for handling group membership, and no strictly followed 
"standard".  Listing of common names, such as CN values, or listing full 
DNs.  Then, there is the model of dynamic groups, where the user entry 
has the group listing, vs the group having the user listing.  Confused yet?

There are a couple of member-related attributes: member, memberOf and a 
couple other attributes that are used for membership.  I'm not an expert 
in AD, but I believe I have seen instances where they use both the DN 
list on the group and the dynamic group model, where the groups are 
listed on the users.  I think it may depend on how many "upgrades" that 
AD instance has been through.

A patch may make sense, but it would need to consider all the weird 
LDAP grouping models.

Matt Pavlovich

On 2/2/12 3:13 PM, Chris Robison wrote:
> Has anyone been able to use the LDAPAuthorizationMap successfully with
> Active Directory? In my investigation, I don't think it will ever work in
> its current state. When looking at the code, it is making the assumption
> that the value of the member attribute (or whatever attribute you are
> using) is always going to be in the form "{0}={1}" (an RDN). But, according
> to the OpenLDAP spec, the member attribute value is a distinguished name.
> That means values are a comma delimited list of RDNs. So, for example I
> have AD groups that represent MQ roles. Here's one I use:
> "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The LDAPAuthorizationMap
> considers the name of the
> role "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". Is this by design? I
> would be happy to submit a patch to change this behavior. Thoughts?
> Chris Robison
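The mismatch Chris describes comes from treating a full DN as if it were a single `type=value` pair. The following is an added example, not ActiveMQ code and not from either poster: it uses the JDK's `javax.naming.ldap.LdapName` parser (which handles RFC 2253 escaping) to take the leaf RDN's value as the role name, so a bare RDN and a full DN both resolve to the same role. The class and method names and the sample member values are constructed for illustration; the group DN `CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp` is the one from the thread.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example (not ActiveMQ's LDAPAuthorizationMap): derive a role name
 * from a group-membership attribute value, whether the directory stores a
 * bare RDN ("CN=MQUser") or a full DN ("CN=MQUser,OU=Groups,...").
 */
public class RoleNameFromMember {

    /**
     * Returns the value of the leftmost (most specific) RDN, e.g. "MQUser".
     * Throws if the value is not a syntactically valid DN.
     */
    static String roleName(String memberValue) throws InvalidNameException {
        LdapName name = new LdapName(memberValue);
        if (name.isEmpty()) {
            throw new InvalidNameException("empty member value");
        }
        // LdapName indexes RDNs from the root (rightmost) end, so the
        // leaf RDN that names the group is the last one.
        Rdn leaf = name.getRdn(name.size() - 1);
        // getValue() returns the unescaped value, so "Ops\, Team" -> "Ops, Team".
        return leaf.getValue().toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample values covering the forms discussed in the thread.
        String[] samples = {
            "CN=MQUser",                                          // bare RDN
            "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp",     // full DN
            "CN=Ops\\, Team,OU=Groups,DC=example,DC=com",         // escaped comma
        };
        for (String s : samples) {
            System.out.println(s + " -> " + roleName(s));
        }
        // Expected:
        //   CN=MQUser -> MQUser
        //   CN=MQUser,OU=Groups,... -> MQUser
        //   CN=Ops\, Team,... -> Ops, Team
        // A naive split on the first '=' would instead yield
        // "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp" for the second sample,
        // which is exactly the role name Chris observed.
    }
}
```

Using a real DN parser rather than string splitting matters for authorization code: a value containing an escaped comma or `=` would otherwise be cut at the wrong place, producing a role name that silently matches nothing (or, worse, something unintended). Deployments that use the dynamic-group model Matt mentions, where `memberOf` on the user entry holds group DNs, can feed those values through the same function.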
