From: Dejan Bosanac
To: users@activemq.apache.org
Date: Tue, 19 Jun 2012 16:05:27 +0200
Subject: Re: ldap, system user can't create a topic
In-Reply-To: <20120618215512.GA14655@iniquitous.heresiarch.ca>

Hi,

this might help
http://tmielke.blogspot.com/2011/12/activemq-ldap-based-authentication-and.html

also you can consider using new CachedLDAPAuthorizationModule
http://activemq.apache.org/cached-ldap-authorization-module.html

Regards
--
Dejan Bosanac
Senior Software Engineer | FuseSource Corp.
dejanb@fusesource.com | fusesource.com
skype: dejan.bosanac | twitter: @dejanb
blog: http://www.nighttale.net
ActiveMQ in Action: http://www.manning.com/snyder/

On Mon, Jun 18, 2012 at 11:55 PM, Christopher Wood wrote:
> What gives the "system" user permission to create topic://ActiveMQ.Advisory.Connection? Without this ActiveMQ will not start. (Working with 5.5.1 since 5.6.0 is a jump requiring further testing.)
>
> I'm getting this error (all pasted text munged slightly to obfuscate things):
>
> 2012-06-18 17:35:46,941 | DEBUG | Error occured while processing sync command: ConnectionInfo {commandId = 1, responseRequired = true, connectionId = ID:upuppet-01.lab.me.ca-56804-1340055346339-2:1, clientId = ID:upuppet.me-56804-1340055346339-3:1, userName = system, password = *****, brokerPath = null, brokerMasterConnector = false, manageable = true, clientMaster = true, faultTolerant = false}, exception: java.lang.SecurityException: User system is not authorized to create: topic://ActiveMQ.Advisory.Connection | org.apache.activemq.broker.TransportConnection.Service | ActiveMQ Transport: tcp:///127.0.0.1:50328
>
> The system user is in the admin and users groups.
>
> This is my plugin config:
>
>               class="org.apache.activemq.security.LDAPAuthorizationMap">
>
> These are the advisory topic configs I have right now (I thought .> meant access to the namespace?):
>
> # ActiveMQ.Advisory.>, topic, destination, activemq, systems, me
> dn: cn=ActiveMQ.Advisory.>,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: ActiveMQ.Advisory.>
> description: user access to advisory topics
> objectClass: applicationProcess
>
> # read, ActiveMQ.Advisory.>, topic, destination, activemq, systems, me
> dn: cn=read,cn=ActiveMQ.Advisory.>,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: read
> member: cn=users
> objectClass: groupOfNames
>
> # write, ActiveMQ.Advisory.>, topic, destination, activemq, systems, me
> dn: cn=write,cn=ActiveMQ.Advisory.>,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: write
> member: cn=users
> objectClass: groupOfNames
>
> # admin, ActiveMQ.Advisory.>, topic, destination, activemq, systems, me
> dn: cn=admin,cn=ActiveMQ.Advisory.>,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: admin
> member: cn=users
> objectClass: groupOfNames
>
> # ActiveMQ.Advisory.Connection, topic, destination, activemq, systems, me
> dn: cn=ActiveMQ.Advisory.Connection,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: ActiveMQ.Advisory.Connection
> description: user access to advisory topics
> objectClass: applicationProcess
>
> # read, ActiveMQ.Advisory.Connection, topic, destination, activemq, systems, me
> dn: cn=read,cn=ActiveMQ.Advisory.Connection,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: read
> member: cn=admin
> objectClass: groupOfNames
>
> # write, ActiveMQ.Advisory.Connection, topic, destination, activemq, systems, me
> dn: cn=write,cn=ActiveMQ.Advisory.Connection,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: write
> member: cn=admin
> objectClass: groupOfNames
>
> # admin, ActiveMQ.Advisory.Connection, topic, destination, activemq, systems, me
> dn: cn=admin,cn=ActiveMQ.Advisory.Connection,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: admin
> member: cn=admin
> objectClass: groupOfNames