Subject: Re: Using LDAP login module
From: Torsten Mielke
Date: Thu, 2 Feb 2012 11:00:00 +0100
To: users@activemq.apache.org

Hi,

There is a tutorial for configuring ActiveMQ to authenticate against an LDAP server in the ActiveMQ Security Guide from FuseSource.
http://fusesource.com/docs/broker/5.5/security/front.html
See chapter 6 "LDAP tutorial" for a step-by-step guide.

Further, my blog contains two posts that extend this tutorial with the following topics
- Securing the broker using LDAP based authentication but also allowing anonymous connections with restricted permissions
  http://tmielke.blogspot.com/2011/12/activemq-ldap-based-authentication-and.html
- Securing the ActiveMQ web console to do LDAP based authentication
  http://tmielke.blogspot.com/2011/12/securing-activemq-web-console-using.html

Hope this will be helpful.

Torsten Mielke
torsten@fusesource.com
tmielke@blogspot.com

On Feb 1, 2012, at 10:03 PM, Matt Pavlovich wrote:

> Glad to hear :-)
>
> On 2/1/12 3:00 PM, Chris Robison wrote:
>> Sweet! Now I'm getting an LDAP error, which is progress.
>>
>> On Wed, Feb 1, 2012 at 1:56 PM, Matt Pavlovich wrote:
>>
>>> Ah, start w/ line 0.. that puts it at connectionPassword. Try adding " "
>>> around "Password!". The exclamation point may be throwing it off.
>>>
>>> On 2/1/12 2:47 PM, Chris Robison wrote:
>>>
>>>> The error says line 6 which in my login.config is connectionUsername.
>>>>
>>>> Chris
>>>>
>>>> On Wed, Feb 1, 2012 at 1:42 PM, Chris Robison wrote:
>>>>
>>>>> When I run it, I still get the error.
>>>>>
>>>>> On Wed, Feb 1, 2012 at 1:32 PM, Matt Pavlovich wrote:
>>>>>
>>>>>> Chris-
>>>>>> I whipped up a quick unit test, and this passed. I set the
>>>>>> connectionProtocol=s, w/o quotes.
>>>>>>
>>>>>> ldap-login {
>>>>>>     org.apache.activemq.jaas.LDAPLoginModule required
>>>>>>         debug=true
>>>>>>         initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>>>>>>         connectionURL="ldap://dc101.cdr.corp"
>>>>>>
>>>>>>         connectionUsername="CN=AMQ Service User,CN=Users,DC=cdr,DC=corp"
>>>>>>         connectionPassword=Password!
>>>>>>         connectionProtocol=s
>>>>>>
>>>>>>         authentication=simple
>>>>>>         userBase="OU=Users,OU=ActiveMQ,DC=cdr,DC=corp"
>>>>>>         userSearchMatching="(samaccountname={0})"
>>>>>>         userSearchSubtree=false
>>>>>>         roleBase="OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp"
>>>>>>         roleName=cn
>>>>>>         roleSearchMatching="(member={0})"
>>>>>>
>>>>>>         roleSearchSubtree=false
>>>>>>     ;
>>>>>> };
>>>>>>
>>>>>> On 2/1/12 2:24 PM, Chris Robison wrote:
>>>>>>
>>>>>>> I can do that. I'll let you know.
>>>>>>>
>>>>>>> On Wed, Feb 1, 2012 at 1:19 PM, Matt Pavlovich wrote:
>>>>>>>
>>>>>>>> How comfortable are you with Java? The next step to try would be to
>>>>>>>> write up a quick Java unit test that has the ConfigFile class try to
>>>>>>>> initialize against your login.config file.
>>>>>>>>
>>>>>>>> See:
>>>>>>>>
>>>>>>>> com.sun.security.auth.login.ConfigFile
>>>>>>>>
>>>>>>>> On 2/1/12 1:59 PM, Chris Robison wrote:
>>>>>>>>
>>>>>>>>> Yeah, it's the exact same exception.
>>>>>>>>>
>>>>>>>>> On Wed, Feb 1, 2012 at 12:55 PM, Matt Pavlovich wrote:
>>>>>>>>>
>>>>>>>>>> Are you getting the exact same exception? Your original exception cause
>>>>>>>>>> shows a null value for a key in that config:
>>>>>>>>>>
>>>>>>>>>> Caused by: java.io.IOException: Configuration Error:
>>>>>>>>>>         Line 6: expected [option key], found [null]
>>>>>>>>>>     at com.sun.security.auth.login.ConfigFile.match(ConfigFile.java:577)
>>>>>>>>>>     at com.sun.security.auth.login.ConfigFile.parseLoginEntry(
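
The check suggested in the thread (let the JDK's JAAS parser load login.config outside the broker), as an added example that is not part of the original messages. It goes through the standard Configuration.getInstance("JavaLoginConfig", ...) API rather than calling com.sun.security.auth.login.ConfigFile directly; the class name LoginConfigCheck and the host, DN and password values are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.URIParameter;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class LoginConfigCheck {
    // Constructed sample entry (not the poster's file); %s is the password token under test.
    static final String TEMPLATE =
        "ldap-login {\n"
      + "    org.apache.activemq.jaas.LDAPLoginModule required\n"
      + "        connectionURL=\"ldap://ldap.example.org\"\n"
      + "        connectionUsername=\"CN=svc,DC=example,DC=org\"\n"
      + "        connectionPassword=%s\n"
      + "        authentication=simple;\n"
      + "};\n";

    /** Parses one variant with the JDK's JAAS file parser; returns null on success, else the error text. */
    static String parse(String passwordToken) throws IOException {
        Path file = Files.createTempFile("login", ".config");
        try {
            Files.write(file, String.format(TEMPLATE, passwordToken).getBytes(StandardCharsets.UTF_8));
            // Parsing only reads the file; the login module class is not loaded here.
            Configuration cfg = Configuration.getInstance("JavaLoginConfig", new URIParameter(file.toUri()));
            AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry("ldap-login");
            if (entries == null) return "no entry named ldap-login";
            for (AppConfigurationEntry e : entries)
                for (Map.Entry<String, ?> opt : e.getOptions().entrySet()) {
                    // Never echo credentials when dumping parsed options.
                    boolean secret = opt.getKey().toLowerCase().contains("password");
                    System.out.println("  " + opt.getKey() + " = " + (secret ? "<redacted>" : opt.getValue()));
                }
            return null;
        } catch (Exception ex) {
            Throwable t = ex;                       // the parser's IOException arrives wrapped
            while (t.getCause() != null) t = t.getCause();
            return t.getMessage();
        } finally {
            Files.deleteIfExists(file);             // the temp file holds a password
        }
    }

    public static void main(String[] args) throws IOException {
        for (String token : new String[] {"Example!", "\"Example!\""}) {   // unquoted, then quoted
            System.out.println("connectionPassword=" + token);
            String err = parse(token);
            System.out.println(err == null ? "  parsed OK" : "  parse failed: " + err);
        }
    }
}
```

Running it prints, for the unquoted and the quoted password token in turn, either the parsed options or the parser's own error message with its line number.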