Subject: Re: LDAPAuthorizationMap and Active Directory
From: Gary Tully
To: users@activemq.apache.org
Date: Mon, 6 Feb 2012 14:51:46 +0000

Is that something you can/want to contribute back? Would be great if we got a solution that worked for both. If you want to get that onto trunk, attach a patch to a new jira and tick the license grant check box on file upload.
http://activemq.apache.org/contributing.html

On 3 February 2012 21:13, Chris Robison wrote:
> I looked at that tutorial already. And you're right, works fine with Apache
> Directory, but I have to use Active Directory. I just created a plugin that
> inherited LDAPAuthorizationMap and changed the one method preventing what
> was currently there from working.
>
> Chris
>
> On Fri, Feb 3, 2012 at 2:48 AM, Torsten Mielke wrote:
>
>> > Has anyone been able to use the LDAPAuthorizationMap successfully with
>> > Active Directory?
>>
>> Not with Active Directory, but when following the LDAP tutorial of the
>> ActiveMQ Security Guide from FuseSource, the LDAPAuthorizationMap works
>> fine against Apache Directory Server.
>> http://fusesource.com/docs/broker/5.5/security/LDAP.html
>>
>> Perhaps this tutorial can help?
>>
>> Torsten Mielke
>> torsten@fusesource.com
>> tmielke@blogspot.com
>>
>> On Feb 2, 2012, at 10:13 PM, Chris Robison wrote:
>>
>> > Has anyone been able to use the LDAPAuthorizationMap successfully with
>> > Active Directory? In my investigation, I don't think it will ever work in
>> > its current state. When looking at the code, it is making the assumption
>> > that the value of the member attribute (or whatever attribute you are
>> > using) is always going to be in the form "{0}={1}" (an RDN). But, according
>> > to the OpenLDAP spec, the member attribute value is a distinguished name.
>> > That means values are a comma-delimited list of RDNs. So, for example, I
>> > have AD groups that represent MQ roles. Here's one I use:
>> > "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The LDAPAuthorizationMap
>> > considers the name of the role "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp".
>> > Is this by design? I would be happy to submit a patch to change this
>> > behavior. Thoughts?
>> >
>> > Chris Robison

-- 
http://fusesource.com
http://blog.garytully.com
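The mis-parse Chris describes, shown as an added example in Python (this is not ActiveMQ's Java code and not the patch discussed in the thread): `role_name_rdn_only` reproduces the single-RDN assumption, while `role_name_from_dn` treats the attribute value as a DN and takes the leftmost RDN, so that a group whose `member` value is a full DN yields the bare role name. The group DN is the one quoted in the thread; the escaped-comma value in the test is constructed.

```python
"""Added example, not ActiveMQ code: RDN-only versus DN-aware parsing of an
LDAP group attribute value when deriving an authorization role name."""
from __future__ import annotations

# Group DN quoted in the thread; constructed sample values live in the tests.
GROUP_DN = "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp"


def role_name_rdn_only(value: str) -> str:
    """Mimic the assumption described in the thread: the value is a single
    RDN 'type=value', so everything after the first '=' is the role name.
    Given a full DN this returns 'MQUser,OU=Groups,...' instead of 'MQUser'."""
    _rdn_type, _, name = value.partition("=")
    return name


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs, leftmost RDN first, honouring
    RFC 4514 backslash escapes so an escaped comma inside a value does not
    end the RDN. Assumption: single-valued RDNs only (no '+' components) and
    no hex escapes such as '\\2C'."""
    rdns: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs: list[tuple[str, str]] = []
    for rdn in rdns:
        rdn_type, sep, rdn_value = rdn.partition("=")
        if not sep:
            raise ValueError(f"not an RDN: {rdn!r}")
        pairs.append((rdn_type.strip(), rdn_value))
    return pairs


def role_name_from_dn(value: str, role_attr: str = "cn") -> str:
    """Return the value of the leftmost RDN (the group's own name), after
    checking that its attribute type is the one expected for role names."""
    rdn_type, rdn_value = split_dn(value)[0]
    if rdn_type.lower() != role_attr.lower():
        raise ValueError(f"expected {role_attr}=..., got {rdn_type}=...")
    return rdn_value
```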