activemq-users mailing list archives

From Dejan Bosanac <de...@nighttale.net>
Subject Re: Is anyone using cachedLDAPAuthorizationMap with ActiveMQ 5.7.0 ?
Date Tue, 11 Dec 2012 12:41:21 GMT
Hi Rob,

thanks for pointing to this.

I updated docs a bit to reflect the changes introduced by
https://issues.apache.org/jira/browse/AMQ-3791


https://cwiki.apache.org/confluence/display/ACTIVEMQ/Cached+LDAP+Authorization+Module

There's certainly more that can be added so any contribution is welcomed.


Regards
--
Dejan Bosanac
----------------------
Red Hat, Inc.
FuseSource is now part of Red Hat
dbosanac@redhat.com
Twitter: @dejanb
Blog: http://sensatic.net
ActiveMQ in Action: http://www.manning.com/snyder/


On Mon, Dec 10, 2012 at 3:42 PM, Rob Coward <rob@jive-videos.net> wrote:
> So it seems I needed a few more parameters on the cachedLDAPAuthorizationMap
> as the defaults won't work out of the box. If anyone else is struggling, this
> is what my config ended up as - perhaps someone could update the web
> documentation to reflect the changes in 5.7?
>
>
>     <cachedLDAPAuthorizationMap
>         connectionURL="ldap://ldap:389"
>         connectionUsername="uid=activemq,ou=Systems,dc=myorg,dc=net"
>         connectionPassword="Secret"
>         refreshInterval="60000"
>         legacyGroupMapping="false"
>         queueSearchBase="ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
>         topicSearchBase="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
>         tempSearchBase="ou=Temp,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
>         userObjectClass="posixAccount"
>         />
>
>
>
> On 07/12/2012 17:41, Rob Coward wrote:
>>
>> I'm in the process of upgrading from 5.5.1 to the 5.7.0 release and would
>> like to try taking advantage of our ldap directory for queue authorizations
>> (we are already using the jaasAuthenticationPlugin against our openldap
>> server for authenticating connections but are currently using a static
>> <authorizationMap><authorizationEntries><authorizationEntry ...>
>> setup).
>>
>> I've been trying to follow
>> http://activemq.apache.org/cached-ldap-authorization-module.html but the
>> documentation is out of date and contains sample configs that just don't
>> work. After much google searching, I eventually figured out that instead of
>> the documented baseDn attribute, I had to use queueSearchBase,
>> topicSearchBase & tempSearchBase giving me a config looking like the
>> following:
>>
>>         <plugins>
>>             <jaasAuthenticationPlugin configuration="ActiveMQ" />
>>             <authorizationPlugin>
>>                 <map>
>>         <cachedLDAPAuthorizationMap
>>             connectionURL="ldap://ldap:389"
>>             connectionUsername="uid=activemq,ou=Systems,dc=myorg,dc=net"
>>             connectionPassword="Secret"
>>             refreshInterval="300000"
>>             queueSearchBase="ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
>>             topicSearchBase="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
>>             tempSearchBase="ou=Temp,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
>>             />
>>                 </map>
>>             </authorizationPlugin>
>>         </plugins>
>>
>> starting activemq in console mode, it starts cleanly enough, and from
>> examining the logging from openldap, I can see that an ldap connection is
>> made and several searches done returning a number of results, for example:
>>
>> Dec  7 17:24:21 ldap slapd[7553]: conn=3512 op=6 SRCH base="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net" scope=2 deref=3 filter="(cn=admin)"
>> Dec  7 17:24:21 ldap slapd[7553]: conn=3512 op=6 ENTRY dn="cn=admin,cn=activemq.advisory.$,ou=topics,ou=destinations,ou=activemq,ou=systems,dc=myorg,dc=net"
>> Dec  7 17:24:21 ldap slapd[7553]: conn=3512 op=6 ENTRY dn="cn=admin,cn=activemq.advisory.connection,ou=topics,ou=destinations,ou=activemq,ou=systems,dc=myorg,dc=net"
>>
>> The entries returned are groupOfNames entries created identically to the
>>
>> cn=admin,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
>> entry in the sample file
>> https://svn.apache.org/repos/asf/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-openldap.ldif
>>
>> The 'member' entries are further groupOfNames entries defining the roles
>> as in the sample ldif file, and I have a userid called activemq that is a
>> member of the admin role.
>>
>> By all accounts, everything should be ok, however the
>> cachedLDAPAuthorizationMap does not authorize connections and I get errors
>> such as the following:
>>
>>  WARN | Failed to add Connection
>> ID:robdev.office.eseye.net-38820-1354901062452-5:1, reason:
>> java.lang.SecurityException: User activemq is not authorized to create:
>> topic://ActiveMQ.Advisory.Connection
>>  WARN | Async error occurred: java.lang.SecurityException: User activemq
>> is not authorized to create: topic://ActiveMQ.Advisory.Connection
>> java.lang.SecurityException: User activemq is not authorized to create:
>> topic://ActiveMQ.Advisory.Connection
>>  at
>> org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:76)
>>  at
>> org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:145)
>> ......
>>
>> Clearly there have been changes to the cachedLDAPAuthorizationMap since it
>> was released in ActiveMQ 5.6 as highlighted by the inaccurate documentation,
>> but is anyone using it with 5.7 and would be willing to point me in the
>> right direction or share their config with me please?
>>
>> Thanks in advance,
>> Rob
>>
>>
>
>
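The lookup chain the thread describes (a destination entry under one of the search bases, a cn=admin/read/write groupOfNames beneath it whose members are role groups, whose members in turn are user DNs) is easy to get subtly wrong, and the broker's only feedback is the SecurityException quoted above. The script below is an added example written for this page, not ActiveMQ's own CachedLDAPAuthorizationMap code: it models that chain offline over a constructed LDIF that follows the thread's naming and, when a check fails, says which link is missing. Assumptions: a `$` in a destination cn stands for ActiveMQ's `>` wildcard (inferred from the cn=activemq.advisory.$ entry in the slapd log), the "not authorized to create" check corresponds to the admin permission (the trace comes from addDestination), comparisons are case-insensitive as in LDAP, and `BASE`, `GROUPS`, the user DNs and the `authorize` function are names invented for this example.

```python
"""Added example, not ActiveMQ's own code: an offline model of the lookup chain
cachedLDAPAuthorizationMap performs over the LDAP layout described in the thread:
  <searchBase>/cn=<destination>/cn=admin|read|write  groupOfNames -> role groups
  ou=Groups/cn=<role>                                groupOfNames -> user DNs
Assumptions: '$' in a destination cn stands for the '>' wildcard (inferred from
the cn=activemq.advisory.$ entry in the slapd log), "create" maps to the admin
permission, and comparisons are case-insensitive as in LDAP.  The LDIF, DNs and
user names below are constructed for this example, not taken from a real directory."""
import re

BASE = "ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
SEARCH_BASES = {k: f"ou={v},{BASE}".lower() for k, v in [("queue", "Queues"), ("topic", "Topics")]}
GROUPS = "ou=Groups,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"

LDIF = f"""\
dn: cn=activemq.advisory.$,ou=Topics,{BASE}
objectClass: applicationProcess

dn: cn=admin,cn=activemq.advisory.$,ou=Topics,{BASE}
objectClass: groupOfNames
member: cn=admins,{GROUPS}

dn: cn=TEST.FOOBAR,ou=Queues,{BASE}
objectClass: applicationProcess

dn: cn=admin,cn=TEST.FOOBAR,ou=Queues,{BASE}
objectClass: groupOfNames
member: cn=admins,{GROUPS}

dn: cn=write,cn=TEST.FOOBAR,ou=Queues,{BASE}
objectClass: groupOfNames
member: cn=writers,{GROUPS}

dn: cn=admins,{GROUPS}
objectClass: groupOfNames
member: uid=activemq,ou=Systems,dc=myorg,dc=net

dn: cn=writers,{GROUPS}
objectClass: groupOfNames
member: uid=producer,ou=Systems,dc=myorg,dc=net
"""


def parse_ldif(text):
    """Minimal LDIF reader for plain 'attr: value' lines (no base64, no folding).
    Returns {dn_lower: {attr_lower: [values]}}."""
    tree = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        tree[attrs.pop("dn")[0].lower()] = attrs
    return tree


def wildcard_match(pattern, name):
    """ActiveMQ destination wildcards: '.' separates levels, '*' matches one
    level, '>' matches one or more trailing levels.  Case-insensitive."""
    pat, parts = pattern.lower().split("."), name.lower().split(".")
    for i, seg in enumerate(pat):
        if seg == ">":
            return len(parts) > i
        if i >= len(parts) or (seg != "*" and seg != parts[i]):
            return False
    return len(pat) == len(parts)


def destination_entries(tree, kind, dest):
    """DNs of entries directly under the kind's search base whose cn
    (with '$' read as '>') matches the destination name."""
    base, hits = SEARCH_BASES[kind], []
    for dn in tree:
        rdn, _, parent = dn.partition(",")
        if parent == base and wildcard_match(rdn.split("=", 1)[1].replace("$", ">"), dest):
            hits.append(dn)
    return hits


def roles_of(tree, user_dn):
    """Role groups (groupOfNames) that list the user's DN as a member."""
    user_dn = user_dn.lower()
    return {dn for dn, a in tree.items()
            if "groupofnames" in [v.lower() for v in a.get("objectclass", [])]
            and user_dn in [m.lower() for m in a.get("member", [])]}


def authorize(tree, user_dn, kind, dest, permission):
    """Returns (allowed, reason); the reason names the missing link of the chain
    destination -> cn=<permission> group -> role group -> user."""
    dests = destination_entries(tree, kind, dest)
    if not dests:
        return False, f"no entry under {SEARCH_BASES[kind]} matches {kind}://{dest}"
    roles, problems = roles_of(tree, user_dn), []
    for ddn in dests:
        perm_dn = f"cn={permission.lower()},{ddn}"
        group = tree.get(perm_dn)
        if group is None:
            problems.append(f"{perm_dn} does not exist")
            continue
        granted = roles & {m.lower() for m in group.get("member", [])}
        if granted:
            return True, f"{user_dn} is in {sorted(granted)[0]}, a member of {perm_dn}"
        problems.append(f"roles {sorted(roles) or '(none)'} are not members of {perm_dn}")
    return False, "; ".join(problems)


if __name__ == "__main__":
    tree = parse_ldif(LDIF)
    for args in [("uid=activemq,ou=Systems,dc=myorg,dc=net", "topic", "ActiveMQ.Advisory.Connection", "admin"),
                 ("uid=producer,ou=Systems,dc=myorg,dc=net", "queue", "TEST.FOOBAR", "admin")]:
        print(authorize(tree, *args))
```

Run as-is it prints one allow (the advisory topic that the broker creates on connect) and one deny with the role that is missing from cn=admin; to check your own directory, replace `LDIF` with a plain-text export of the ou=Destinations and ou=Groups subtrees and adjust `BASE` and `GROUPS`. Two things in the posted config deserve a second look independently of the 5.7 attribute changes: the bind goes over plain ldap:// with the bind password in cleartext in activemq.xml, so prefer ldaps:// (or StartTLS) and a bind account that can only read the ActiveMQ subtree; and because the map is cached, a role removed in LDAP is not necessarily enforced by the broker until the next refresh.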
