Date: Thu, 2 Feb 2012 14:13:16 -0700
Subject: LDAPAuthorizationMap and Active Directory
From: Chris Robison
To: users@activemq.apache.org

Has anyone been able to use the LDAPAuthorizationMap successfully with Active Directory? In my investigation, I don't think it will ever work in its current state. When looking at the code, it is making the assumption that the value of the member attribute (or whatever attribute you are using) is always going to be in the form "{0}={1}" (an RDN). But, according to the OpenLDAP spec, the member attribute value is a distinguished name. That means values are a comma-delimited list of RDNs.

So, for example, I have AD groups that represent MQ roles. Here's one I use: "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The LDAPAuthorizationMap considers the name of the role "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp".

Is this by design? I would be happy to submit a patch to change this behavior. Thoughts?

Chris Robison
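The parsing mismatch described in the message, as an added stand-alone illustration (this is not ActiveMQ's code, and the function names are hypothetical): `role_name_rdn_only` mimics the single-RDN assumption and yields the over-long role name quoted above, while `role_name_from_dn` parses the full DN into RDNs, honouring backslash-escaped commas, and returns only the leading CN value. An authorization map that keys ACL entries on the wrong string silently denies every role match, so the parser is worth getting right.

```python
# Constructed sample: an AD group DN as it appears in a "member" attribute value.
SAMPLE_DN = "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp"


def role_name_rdn_only(value):
    """Hypothetical reimplementation of the behaviour the post describes: assume the
    attribute value is one RDN of the form "{0}={1}" and take everything after the
    first '=' as the role name. On a full DN this swallows the rest of the DN."""
    _, _, role = value.partition("=")
    return role


def parse_dn(dn):
    """Split a distinguished name into (attribute, value) pairs, one per RDN.
    A backslash escapes the next character (RFC 4514), so "CN=Ops\\, Team" keeps
    its comma instead of being split. Multi-valued RDNs ('+') are not handled."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr, sep, val = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        parsed.append((attr.strip().lower(), val.strip()))
    return parsed


def role_name_from_dn(value, role_attr="cn"):
    """Derive the role name from a full DN (or a bare RDN): the value of the
    leading RDN, which must use role_attr. Anything else is rejected rather
    than silently mapped to a role name that no ACL entry will ever match."""
    attr, val = parse_dn(value)[0]
    if attr != role_attr.lower():
        raise ValueError("expected leading %s= RDN, got %s=" % (role_attr, attr))
    return val
```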