activemq-users mailing list archives

From Chris Robison <chrisdrobi...@gmail.com>
Subject Re: LDAPAuthorizationMap and Active Directory
Date Mon, 06 Feb 2012 17:43:11 GMT
Submitted the patch to https://issues.apache.org/jira/browse/AMQ-3701

Chris

On Mon, Feb 6, 2012 at 8:55 AM, Chris Robison <chrisdrobison@gmail.com> wrote:

> I'd be happy to do that. What package do you want me to put the class in?
>
> Chris
>
>
> On Mon, Feb 6, 2012 at 7:51 AM, Gary Tully <gary.tully@gmail.com> wrote:
>
>> Is that something you can/want to contribute back? Would be great if
>> we got a solution that worked for both.
>>
>> If you want to get that onto trunk, attach a patch to a new jira and
>> tick the license grant check box on file upload.
>> http://activemq.apache.org/contributing.html
>>
>> On 3 February 2012 21:13, Chris Robison <chrisdrobison@gmail.com> wrote:
>> > I looked at that tutorial already. And you're right, works fine with Apache
>> > Directory, but I have to use Active Directory. I just created a plugin that
>> > inherited LDAPAuthorizationMap and changed the one method preventing what
>> > was currently there from working.
>> >
>> > Chris
>> >
>> > On Fri, Feb 3, 2012 at 2:48 AM, Torsten Mielke <torsten@fusesource.com> wrote:
>> >
>> >> > Has anyone been able to use the LDAPAuthorizationMap successfully with
>> >> > Active Directory?
>> >>
>> >> Not with ActiveDirectory but when following the LDAP tutorial of the
>> >> ActiveMQ Security Guide from FuseSource, the LDAPAuthorizationMap works
>> >> fine against Apache Directory Server.
>> >> http://fusesource.com/docs/broker/5.5/security/LDAP.html
>> >>
>> >> Perhaps this tutorial can help?
>> >>
>> >>
>> >> Torsten Mielke
>> >> torsten@fusesource.com
>> >> tmielke@blogspot.com
>> >>
>> >> On Feb 2, 2012, at 10:13 PM, Chris Robison wrote:
>> >>
>> >> > Has anyone been able to use the LDAPAuthorizationMap successfully with
>> >> > Active Directory? In my investigation, I don't think it will ever work in
>> >> > its current state. When looking at the code, it is making the assumption
>> >> > that the value of the member attribute (or whatever attribute you are
>> >> > using) is always going to be in the form "{0}={1}" (an RDN). But, according
>> >> > to the OpenLDAP spec, the member attribute value is a distinguished name.
>> >> > That means values are a comma-delimited list of RDNs. So, for example I
>> >> > have AD groups that represent MQ roles. Here's one I use:
>> >> > "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The LDAPAuthorizationMap
>> >> > considers the name of the
>> >> > role "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". Is this by design? I
>> >> > would be happy to submit a patch to change this behavior. Thoughts?
>> >> >
>> >> > Chris Robison
>> >>
>> >>
>> >>
>> >>
>> >>
>>
>>
>>
>> --
>> http://fusesource.com
>> http://blog.garytully.com
>>
>
>
