activemq-users mailing list archives

From Rob Coward <...@jive-videos.net>
Subject Re: Is anyone using cachedLDAPAuthorizationMap with ActiveMQ 5.7.0 ?
Date Mon, 10 Dec 2012 14:42:48 GMT
So it seems I needed a few more parameters on the 
cachedLDAPAuthorizationMap as the defaults won't work out of the box. If 
anyone else is struggling, this is what my config ended up as - perhaps 
someone could update the web documentation to reflect the changes in 5.7?

    <cachedLDAPAuthorizationMap
        connectionURL="ldap://ldap:389"
        connectionUsername="uid=activemq,ou=Systems,dc=myorg,dc=net"
        connectionPassword="Secret"
        refreshInterval="60000"
        legacyGroupMapping="false"
        queueSearchBase="ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
        topicSearchBase="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
        tempSearchBase="ou=Temp,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
        userObjectClass="posixAccount"
        />


On 07/12/2012 17:41, Rob Coward wrote:
> I'm in the process of upgrading from 5.5.1 to the 5.7.0 release and 
> would like to try taking advantage of our ldap directory for queue 
> authorizations (we are already using the jaasAuthenticationPlugin 
> against our openldap server for authenticating connections but are 
> currently using a static 
> <authorizationMap><authorizationEntries><authorizationEntry ...> setup).
>
> I've been trying to follow 
> http://activemq.apache.org/cached-ldap-authorization-module.html but 
> the documentation is out of date and contains sample configs that just 
> don't work. After much google searching, I eventually figured out that 
> instead of the documented baseDn attribute, I had to use 
> queueSearchBase, topicSearchBase & tempSearchBase giving me a config 
> looking like the following:
>
>     <plugins>
>         <jaasAuthenticationPlugin configuration="ActiveMQ" />
>         <authorizationPlugin>
>             <map>
>                 <cachedLDAPAuthorizationMap
>                     connectionURL="ldap://ldap:389"
>                     connectionUsername="uid=activemq,ou=Systems,dc=myorg,dc=net"
>                     connectionPassword="Secret"
>                     refreshInterval="300000"
>                     queueSearchBase="ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
>                     topicSearchBase="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
>                     tempSearchBase="ou=Temp,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
>                     />
>             </map>
>         </authorizationPlugin>
>     </plugins>
>
> starting activemq in console mode, it starts cleanly enough, and from 
> examining the logging from openldap, I can see that an ldap connection 
> is made and several searches done returning a number of results, for 
> example:
>
> Dec  7 17:24:21 ldap slapd[7553]: conn=3512 op=6 SRCH 
> base="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net" scope=2 
> deref=3 filter="(cn=admin)"
> Dec  7 17:24:21 ldapslapd[7553]: conn=3512 op=6 ENTRY 
> dn="cn=admin,cn=activemq.advisory.$,ou=topics,ou=destinations,ou=activemq,ou=systems,dc=myorg,dc=net"
> Dec  7 17:24:21 ldapslapd[7553]: conn=3512 op=6 ENTRY 
> dn="cn=admin,cn=activemq.advisory.connection,ou=topics,ou=destinations,ou=activemq,ou=systems,dc=myorg,dc=net"
>
> The entries returned are groupOfNames entries created identically to the
> cn=admin,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
> entry in the sample file 
> https://svn.apache.org/repos/asf/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-openldap.ldif
>
> The 'member' entries are further groupOfNames entries defining the 
> roles as in the sample ldif file, and I have a userid called activemq 
> that is a member of the admin role.
>
> By all accounts, everything should be ok, however the 
> cachedLDAPAuthorizationMap does not authorize connections and I get 
> errors such as the following:
>
>  WARN | Failed to add Connection 
> ID:robdev.office.eseye.net-38820-1354901062452-5:1, reason: 
> java.lang.SecurityException: User activemq is not authorized to 
> create: topic://ActiveMQ.Advisory.Connection
>  WARN | Async error occurred: java.lang.SecurityException: User 
> activemq is not authorized to create: 
> topic://ActiveMQ.Advisory.Connection
> java.lang.SecurityException: User activemq is not authorized to 
> create: topic://ActiveMQ.Advisory.Connection
>  at 
> org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:76)
>  at 
> org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:145)
> ......
>
> Clearly there have been changes to the cachedLDAPAuthorizationMap 
> since it was released in ActiveMQ 5.6 as highlighted by the inaccurate 
> documentation, but is anyone using it with 5.7 and would be willing to 
> point me in the right direction or share their config with me please?
>
> Thanks in advance,
> Rob
>
>

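The lookup the thread is debugging, as an added example that is not part of the original post and not ActiveMQ's own code: a small Python model of how an LDAP-backed authorization map resolves a destination name to the permission entries under the topic or queue search base, and then decides whether one of the user's roles is granted the requested permission. The in-memory directory, the `ou=Roles` subtree, the `cn=admins`/`cn=users` role groups and the `uid=alice` user are constructed stand-ins; the only thing taken from the thread is the layout `cn=<permission>,cn=<destination>,ou=Topics|Queues,ou=Destinations,...` and the `$` in `cn=activemq.advisory.$` in the slapd log, which the model assumes stands in for the ActiveMQ `>` wildcard (not a valid DN character). Creating a destination, including the per-connection advisory topic, requires the `admin` permission, which is the check behind the `SecurityException` quoted above.

```python
"""Simplified model of an LDAP-backed ActiveMQ authorization map.

Added example, not ActiveMQ's code.  Each directory entry is a groupOfNames;
the dict maps its DN to the values of its 'member' attribute.  Permission
entries live under the destination entry, role groups under an assumed
ou=Roles subtree, and role groups list user DNs as members.
"""
from collections import defaultdict

BASE = "ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
ROLES = f"ou=Roles,{BASE}"                       # assumed location of role groups
KINDS = {"topic": "ou=Topics", "queue": "ou=Queues", "temp": "ou=Temp"}

# Constructed in-memory stand-in for the LDAP tree (not a real export).
# '$' replaces the ActiveMQ '>' wildcard, which cannot appear in a DN.
DIRECTORY = {
    f"cn=admin,cn=ActiveMQ.Advisory.$,{KINDS['topic']},ou=Destinations,{BASE}":
        [f"cn=admins,{ROLES}"],
    f"cn=read,cn=ActiveMQ.Advisory.$,{KINDS['topic']},ou=Destinations,{BASE}":
        [f"cn=admins,{ROLES}", f"cn=users,{ROLES}"],
    f"cn=write,cn=ActiveMQ.Advisory.$,{KINDS['topic']},ou=Destinations,{BASE}":
        [f"cn=admins,{ROLES}", f"cn=users,{ROLES}"],
    f"cn=admin,cn=TEST.FOOBAR,{KINDS['queue']},ou=Destinations,{BASE}":
        [f"cn=admins,{ROLES}"],
    f"cn=read,cn=TEST.FOOBAR,{KINDS['queue']},ou=Destinations,{BASE}":
        [f"cn=users,{ROLES}"],
    f"cn=write,cn=TEST.FOOBAR,{KINDS['queue']},ou=Destinations,{BASE}":
        [f"cn=users,{ROLES}"],
    f"cn=admins,{ROLES}": ["uid=activemq,ou=Systems,dc=myorg,dc=net"],
    f"cn=users,{ROLES}": ["uid=alice,ou=People,dc=myorg,dc=net"],   # constructed user
}


def rdns(dn):
    """Split a DN into (attribute, value) pairs; sample values contain no escaped commas."""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]


def dn_eq(a, b):
    """DNs compare case-insensitively, which is why slapd logs them lower-cased."""
    return a.lower() == b.lower()


def destination_matches(pattern, name):
    """ActiveMQ-style wildcard match on dotted names (as modeled here):
    '*' matches exactly one segment, '>' matches one or more remaining segments."""
    pat, segs = pattern.split("."), name.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return len(segs) > i
        if i >= len(segs) or (p != "*" and p != segs[i]):
            return False
    return len(pat) == len(segs)


def permission_entries(directory, kind):
    """Return {destination_pattern: {permission: [role DNs]}} for one search base."""
    base = f"{KINDS[kind]},ou=Destinations,{BASE}"
    acl = defaultdict(dict)
    for dn, members in directory.items():
        parts = rdns(dn)
        if len(parts) < 3 or not dn_eq(",".join("=".join(p) for p in parts[2:]), base):
            continue                                   # not under this search base
        (perm_attr, perm), (dest_attr, dest) = parts[0], parts[1]
        if perm_attr != "cn" or dest_attr != "cn":
            continue
        acl[dest.replace("$", ">")][perm] = members    # restore the '>' wildcard
    return acl


def roles_of(directory, user_dn):
    """DNs of role groups under ou=Roles whose 'member' attribute lists the user."""
    return {dn for dn, members in directory.items()
            if dn.lower().endswith("," + ROLES.lower())
            and any(dn_eq(m, user_dn) for m in members)}


def is_authorized(directory, kind, destination, user_dn, permission):
    """True when some role of the user holds `permission` on an entry matching the destination."""
    allowed = set()
    for pattern, perms in permission_entries(directory, kind).items():
        if destination_matches(pattern, destination):
            allowed.update(r.lower() for r in perms.get(permission, []))
    return any(r.lower() in allowed for r in roles_of(directory, user_dn))


if __name__ == "__main__":
    # Creating a destination needs 'admin'; this is the decision the thread's
    # "User activemq is not authorized to create: topic://..." message reports.
    for user in ("uid=activemq,ou=Systems,dc=myorg,dc=net",
                 "uid=alice,ou=People,dc=myorg,dc=net"):
        ok = is_authorized(DIRECTORY, "topic", "ActiveMQ.Advisory.Connection", user, "admin")
        print(f"{user}: create topic://ActiveMQ.Advisory.Connection -> {'allowed' if ok else 'denied'}")
```

The model deliberately keeps the two halves of the lookup separate, the destination-to-entry matching and the user-to-role resolution, because in the thread both halves looked correct from the slapd log (the searches hit the right entries) and the failure was in how members were mapped to roles; swapping in a different `roles_of` is where a change such as `legacyGroupMapping` would land.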