Subject: Re: LDAPAuthorizationMap and Active Directory
From: Torsten Mielke
Date: Fri, 3 Feb 2012 10:48:46 +0100
To: users@activemq.apache.org

> Has anyone been able to use the LDAPAuthorizationMap successfully with
> Active Directory?

Not with Active Directory, but when following the LDAP tutorial of the ActiveMQ Security Guide from FuseSource, the LDAPAuthorizationMap works fine against Apache Directory Server.
http://fusesource.com/docs/broker/5.5/security/LDAP.html

Perhaps this tutorial can help?

Torsten Mielke
torsten@fusesource.com
tmielke@blogspot.com

On Feb 2, 2012, at 10:13 PM, Chris Robison wrote:

> Has anyone been able to use the LDAPAuthorizationMap successfully with
> Active Directory? In my investigation, I don't think it will ever work in
> its current state. When looking at the code, it is making the assumption
> that the value of the member attribute (or whatever attribute you are
> using) is always going to be in the form "{0}={1}" (an RDN). But, according
> to the OpenLDAP spec, the member attribute value is a distinguished name.
> That means values are a comma-delimited list of RDNs. So, for example, I
> have AD groups that represent MQ roles. Here's one I use:
> "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The LDAPAuthorizationMap
> considers the name of the
> role "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". Is this by design? I
> would be happy to submit a patch to change this behavior. Thoughts?
>
> Chris Robison
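
The two readings of the member value discussed in this thread, as an added example that is not part of the original messages and is not ActiveMQ code. It assumes the "{0}={1}" handling can be modelled with java.text.MessageFormat; the class name, both helper methods, and the second sample DN are hypothetical or constructed.

```java
import java.text.MessageFormat;
import java.text.ParseException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class MemberDnRoleName {

    // Hypothetical helper modelling the "{0}={1}" reading described in the
    // message: the whole member value is treated as one RDN.
    static String roleFromRdnPattern(String memberValue) throws ParseException {
        Object[] parts = new MessageFormat("{0}={1}").parse(memberValue);
        return (String) parts[1];
    }

    // Hypothetical helper: parse the member value as a distinguished name and
    // take the role name from the leaf (left-most) RDN only. Rejects values
    // whose leaf RDN does not carry the expected naming attribute.
    static String roleFromDn(String memberValue, String nameAttr) throws NamingException {
        LdapName dn = new LdapName(memberValue);   // throws InvalidNameException on malformed input
        if (dn.isEmpty()) {
            throw new NamingException("empty DN in member attribute");
        }
        Rdn leaf = dn.getRdn(dn.size() - 1);       // index 0 is the right-most RDN
        Attribute attr = leaf.toAttributes().get(nameAttr); // case-insensitive; handles multi-valued RDNs
        if (attr == null) {
            throw new NamingException("leaf RDN has no " + nameAttr + " component: " + leaf);
        }
        return attr.get().toString();              // unescaped value: an escaped "\," becomes ","
    }

    public static void main(String[] args) throws Exception {
        String[] members = {
            "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp",       // group DN quoted in the message
            "CN=MQ\\, Admins,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp"  // constructed: escaped comma in the CN
        };
        for (String m : members) {
            System.out.println("member value  : " + m);
            System.out.println("  as {0}={1}  : " + roleFromRdnPattern(m));
            System.out.println("  as DN (leaf): " + roleFromDn(m, "cn"));
        }
    }
}
```

Parsing with LdapName rather than splitting on commas keeps escaped separators inside a group name intact, so the derived role name matches the group's actual CN.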