activemq-users mailing list archives

From Rob Coward <...@jive-videos.net>
Subject Is anyone using cachedLDAPAuthorizationMap with ActiveMQ 5.7.0 ?
Date Fri, 07 Dec 2012 17:41:13 GMT
I'm in the process of upgrading from 5.5.1 to the 5.7.0 release and 
would like to try taking advantage of our ldap directory for queue 
authorizations (we are already using the jaasAuthenticationPlugin 
against our openldap server for authenticating connections but are 
currently using a static 
<authorizationMap><authorizationEntries><authorizationEntry ...> setup).

I've been trying to follow 
http://activemq.apache.org/cached-ldap-authorization-module.html but the 
documentation is out of date and contains sample configs that just don't 
work. After much google searching, I eventually figured out that instead 
of the documented baseDn attribute, I had to use queueSearchBase, 
topicSearchBase & tempSearchBase giving me a config looking like the 
following:

         <plugins>
             <jaasAuthenticationPlugin configuration="ActiveMQ" />
             <authorizationPlugin>
                 <map>
                     <cachedLDAPAuthorizationMap
                         connectionURL="ldap://ldap:389"
                         connectionUsername="uid=activemq,ou=Systems,dc=myorg,dc=net"
                         connectionPassword="Secret"
                         refreshInterval="300000"
                         queueSearchBase="ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
                         topicSearchBase="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
                         tempSearchBase="ou=Temp,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
                         />
                 </map>
             </authorizationPlugin>
         </plugins>

Starting ActiveMQ in console mode, it starts cleanly enough, and from 
examining the logging from openldap, I can see that an ldap connection 
is made and several searches done returning a number of results, for 
example:

Dec  7 17:24:21 ldap slapd[7553]: conn=3512 op=6 SRCH base="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net" scope=2 deref=3 filter="(cn=admin)"
Dec  7 17:24:21 ldap slapd[7553]: conn=3512 op=6 ENTRY dn="cn=admin,cn=activemq.advisory.$,ou=topics,ou=destinations,ou=activemq,ou=systems,dc=myorg,dc=net"
Dec  7 17:24:21 ldap slapd[7553]: conn=3512 op=6 ENTRY dn="cn=admin,cn=activemq.advisory.connection,ou=topics,ou=destinations,ou=activemq,ou=systems,dc=myorg,dc=net"

The entries returned are groupOfNames entries created identically to the
cn=admin,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org 
entry in the sample file 
https://svn.apache.org/repos/asf/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-openldap.ldif

The 'member' entries are further groupOfNames entries defining the roles 
as in the sample ldif file, and I have a userid called activemq that is 
a member of the admin role.

By all accounts, everything should be ok; however, the 
cachedLDAPAuthorizationMap does not authorize connections and I get 
errors such as the following:

  WARN | Failed to add Connection 
ID:robdev.office.eseye.net-38820-1354901062452-5:1, reason: 
java.lang.SecurityException: User activemq is not authorized to create: 
topic://ActiveMQ.Advisory.Connection
  WARN | Async error occurred: java.lang.SecurityException: User 
activemq is not authorized to create: topic://ActiveMQ.Advisory.Connection
java.lang.SecurityException: User activemq is not authorized to create: 
topic://ActiveMQ.Advisory.Connection
  at 
org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:76)
  at 
org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:145)
......

Clearly there have been changes to the cachedLDAPAuthorizationMap since 
it was released in ActiveMQ 5.6 as highlighted by the inaccurate 
documentation, but is anyone using it with 5.7 who would be willing to 
point me in the right direction or share their config with me, please?

Thanks in advance,
Rob
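The post describes the expected directory layout (one groupOfNames per permission, named read/write/admin, under cn=<destination> under the queue/topic search base, whose members are role groups, whose members are users) and shows the broker searching that subtree for cn=admin. The script below is an added example, not code from the post or from ActiveMQ: it parses a constructed LDIF modelled on that layout and answers "would this user be granted this permission on this destination?" offline, so you can check the tree before pointing a broker at it. The sample LDIF, the user and role DNs, the treatment of "$" in a cn as ActiveMQ's ">" wildcard (and "*" as a single-segment wildcard) and the one-or-more-segments reading of ">" are all assumptions made for the example, not facts taken from the post.

```python
import re

# Constructed sample directory, modelled on the layout described in the post
# (assumed DNs, not taken from the poster's directory).
SAMPLE_LDIF = """\
dn: cn=admins,ou=Roles,dc=myorg,dc=net
objectClass: groupOfNames
cn: admins
member: uid=activemq,ou=Users,dc=myorg,dc=net

dn: cn=users,ou=Roles,dc=myorg,dc=net
objectClass: groupOfNames
cn: users
member: uid=alice,ou=Users,dc=myorg,dc=net

dn: cn=admin,cn=ActiveMQ.Advisory.$,ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net
objectClass: groupOfNames
cn: admin
member: cn=admins,ou=Roles,dc=myorg,dc=net

dn: cn=read,cn=TEST.FOOBAR,ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net
objectClass: groupOfNames
cn: read
member: cn=admins,ou=Roles,dc=myorg,dc=net
member: cn=users,ou=Roles,dc=myorg,dc=net

dn: cn=write,cn=TEST.FOOBAR,ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net
objectClass: groupOfNames
cn: write
member: cn=admins,ou=Roles,dc=myorg,dc=net

dn: cn=admin,cn=TEST.FOOBAR,ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net
objectClass: groupOfNames
cn: admin
member: cn=admins,ou=Roles,dc=myorg,dc=net
"""

# Permission entries sit at cn=<perm>,cn=<destination>,ou=<Queues|Topics|Temp>,...
PERM_DN = re.compile(r"^cn=(read|write|admin),cn=([^,]+),ou=(queues|topics|temp),", re.I)
SEARCH_OU = {"queue": "queues", "topic": "topics", "temp": "temp"}


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}. Unfolds continuation
    lines (leading space), skips comments; no base64 ('::') support."""
    entries, record = {}, []

    def flush():
        if not record:
            return
        attrs = {}
        for line in record:
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
        record.clear()

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            flush()
            continue
        if raw.startswith(" ") and record:
            record[-1] += raw[1:]
        else:
            record.append(raw)
    flush()
    return entries


def wildcard_match(pattern, name):
    """Simplified ActiveMQ destination wildcard semantics (an assumption for
    this example): '*' matches exactly one dot-separated segment, '>' matches
    one or more remaining segments. '$' in the cn is treated as the stored
    form of '>' (also assumed), so it is mapped back before matching."""
    pat = pattern.replace("$", ">").split(".")
    parts = name.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return len(parts) > i
        if i >= len(parts) or (p != "*" and p.lower() != parts[i].lower()):
            return False
    return len(parts) == len(pat)


def expand_members(entries, dn, seen=None):
    """Transitively resolve groupOfNames membership down to leaf DNs
    (users); cycles between groups are tolerated."""
    seen = set() if seen is None else seen
    leaves = set()
    for member in entries.get(dn, {}).get("member", []):
        if member in seen:
            continue
        seen.add(member)
        if "member" in entries.get(member, {}):
            leaves |= expand_members(entries, member, seen)
        else:
            leaves.add(member)
    return leaves


def is_authorized(entries, user_dn, dest_type, dest_name, perm):
    """Would a map built from `entries` grant `perm` on dest_type://dest_name
    to user_dn? Mirrors the subtree search for cn=<perm> seen in the slapd log."""
    for dn in entries:
        m = PERM_DN.match(dn)
        if not m or m.group(1).lower() != perm or m.group(3).lower() != SEARCH_OU[dest_type]:
            continue
        if wildcard_match(m.group(2), dest_name) and user_dn in expand_members(entries, dn):
            return True
    return False


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    svc = "uid=activemq,ou=Users,dc=myorg,dc=net"
    # The failing case from the post: admin on topic://ActiveMQ.Advisory.Connection
    print(is_authorized(tree, svc, "topic", "ActiveMQ.Advisory.Connection", "admin"))
```

Run it against an `ldapsearch -LLL` dump of your own Destinations subtree instead of SAMPLE_LDIF to see which permission entries and role memberships the broker's search should be finding for a given user and destination.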
