Posted to users@activemq.apache.org by Rob Coward <ro...@jive-videos.net> on 2012/12/07 18:41:13 UTC
Is anyone using cachedLDAPAuthorizationMap with ActiveMQ 5.7.0?
I'm in the process of upgrading from 5.5.1 to the 5.7.0 release and
would like to try taking advantage of our ldap directory for queue
authorizations (we are already using the jaasAuthenticationPlugin
against our openldap server for authenticating connections but are
currently using a static
<authorizationMap><authorizationEntries><authorizationEntry ...> setup).
I've been trying to follow
http://activemq.apache.org/cached-ldap-authorization-module.html but the
documentation is out of date and contains sample configs that just don't
work. After much Google searching, I eventually figured out that instead
of the documented baseDn attribute, I had to use queueSearchBase,
topicSearchBase & tempSearchBase, giving me a config looking like the
following:
<plugins>
    <jaasAuthenticationPlugin configuration="ActiveMQ" />
    <authorizationPlugin>
        <map>
            <cachedLDAPAuthorizationMap
                connectionURL="ldap://ldap:389"
                connectionUsername="uid=activemq,ou=Systems,dc=myorg,dc=net"
                connectionPassword="Secret"
                refreshInterval="300000"
                queueSearchBase="ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
                topicSearchBase="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
                tempSearchBase="ou=Temp,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
            />
        </map>
    </authorizationPlugin>
</plugins>
Starting activemq in console mode, it starts cleanly enough, and from
examining the logging from openldap, I can see that an ldap connection
is made and several searches done returning a number of results, for
example:
Dec 7 17:24:21 ldap slapd[7553]: conn=3512 op=6 SRCH
base="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
scope=2 deref=3 filter="(cn=admin)"
Dec 7 17:24:21 ldap slapd[7553]: conn=3512 op=6 ENTRY
dn="cn=admin,cn=activemq.advisory.$,ou=topics,ou=destinations,ou=activemq,ou=systems,dc=myorg,dc=net"
Dec 7 17:24:21 ldap slapd[7553]: conn=3512 op=6 ENTRY
dn="cn=admin,cn=activemq.advisory.connection,ou=topics,ou=destinations,ou=activemq,ou=systems,dc=myorg,dc=net"
The entries returned are groupOfNames entries created identically to the
cn=admin,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
entry in the sample file
https://svn.apache.org/repos/asf/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-openldap.ldif
The 'member' entries are further groupOfNames entries defining the roles
as in the sample ldif file, and I have a userid called activemq that is
a member of the admin role.
By all accounts, everything should be ok, however the
cachedLDAPAuthorizationMap does not authorize connections and I get
errors such as the following:
WARN | Failed to add Connection
ID:robdev.office.eseye.net-38820-1354901062452-5:1, reason:
java.lang.SecurityException: User activemq is not authorized to create:
topic://ActiveMQ.Advisory.Connection
WARN | Async error occurred: java.lang.SecurityException: User
activemq is not authorized to create: topic://ActiveMQ.Advisory.Connection
java.lang.SecurityException: User activemq is not authorized to create:
topic://ActiveMQ.Advisory.Connection
at
org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:76)
at
org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:145)
......
Clearly there have been changes to the cachedLDAPAuthorizationMap since
it was released in ActiveMQ 5.6, as highlighted by the inaccurate
documentation, but is anyone using it with 5.7 who would be willing to
point me in the right direction or share their config with me please?
Thanks in advance,
Rob
Re: Is anyone using cachedLDAPAuthorizationMap with ActiveMQ 5.7.0?
Posted by Dejan Bosanac <de...@nighttale.net>.
Hi Rob,
thanks for pointing to this.
I updated docs a bit to reflect the changes introduced by
https://issues.apache.org/jira/browse/AMQ-3791
https://cwiki.apache.org/confluence/display/ACTIVEMQ/Cached+LDAP+Authorization+Module
There's certainly more that can be added so any contribution is welcomed.
Regards
--
Dejan Bosanac
----------------------
Red Hat, Inc.
FuseSource is now part of Red Hat
dbosanac@redhat.com
Twitter: @dejanb
Blog: http://sensatic.net
ActiveMQ in Action: http://www.manning.com/snyder/
On Mon, Dec 10, 2012 at 3:42 PM, Rob Coward <ro...@jive-videos.net> wrote:
> So it seems I needed a few more parameters on the cachedLDAPAuthorizationMap
> as the defaults won't work out of the box. If anyone else is struggling, this
> is what my config ended up as - perhaps someone could update the web
> documentation to reflect the changes in 5.7?
>
> <cachedLDAPAuthorizationMap
>     connectionURL="ldap://ldap:389"
>     connectionUsername="uid=activemq,ou=Systems,dc=myorg,dc=net"
>     connectionPassword="Secret"
>     refreshInterval="60000"
>     legacyGroupMapping="false"
>     queueSearchBase="ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
>     topicSearchBase="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
>     tempSearchBase="ou=Temp,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
>     userObjectClass="posixAccount"
> />
Re: Is anyone using cachedLDAPAuthorizationMap with ActiveMQ 5.7.0?
Posted by Rob Coward <ro...@jive-videos.net>.
So it seems I needed a few more parameters on the
cachedLDAPAuthorizationMap as the defaults won't work out of the box. If
anyone else is struggling, this is what my config ended up as - perhaps
someone could update the web documentation to reflect the changes in 5.7?
<cachedLDAPAuthorizationMap
    connectionURL="ldap://ldap:389"
    connectionUsername="uid=activemq,ou=Systems,dc=myorg,dc=net"
    connectionPassword="Secret"
    refreshInterval="60000"
    legacyGroupMapping="false"
    queueSearchBase="ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
    topicSearchBase="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
    tempSearchBase="ou=Temp,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
    userObjectClass="posixAccount"
/>
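The two posts above describe the directory layout the map walks (a per-destination entry under the queue/topic search base, with cn=admin/read/write groupOfNames children whose members are role groups or user entries) and show that the default userObjectClass silently mis-classifies a posixAccount user. The script below is an added example, not ActiveMQ's code or anything from the thread: it models that lookup offline against a constructed LDIF so an operator can check a tree before pointing a broker at it. The model is a simplification (assumed, not verified against the ActiveMQ source): a member DN of the group object class contributes its cn as a role, a member of the configured user object class contributes its uid as a user, anything else contributes nothing; the user's own roles are taken from groups under a hypothetical role_base (the ou=Roles branch and the TEST.FOOBAR queue grant are constructed for the example).

```python
"""Offline check of an ActiveMQ-style LDAP authorization tree (added example).

Simplified model, an assumption rather than ActiveMQ's own code: under each
destination search base there is one entry per destination (cn = name, with
ActiveMQ's '*' and '>' wildcards) holding groupOfNames children cn=admin,
cn=read and cn=write. Each 'member' of such a group is looked up: an entry
of the group object class contributes its cn as a role name, an entry of the
configured user object class contributes its uid as a user name. A user is
authorized when its uid, or a role from a group under role_base that lists
its DN, appears in the matching permission group.
"""
import re

# Constructed sample directory, laid out like the thread's tree. The ou=Roles
# branch and the TEST.FOOBAR queue grant are assumptions made for the example.
SAMPLE_LDIF = """\
dn: uid=activemq,ou=Systems,dc=myorg,dc=net
objectClass: posixAccount
uid: activemq

dn: cn=admins,ou=Roles,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net
objectClass: groupOfNames
cn: admins
member: uid=activemq,ou=Systems,dc=myorg,dc=net

dn: cn=ActiveMQ.Advisory.>,ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net
objectClass: applicationProcess
cn: ActiveMQ.Advisory.>

dn: cn=admin,cn=ActiveMQ.Advisory.>,ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net
objectClass: groupOfNames
cn: admin
member: cn=admins,ou=Roles,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net

dn: cn=write,cn=TEST.FOOBAR,ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net
objectClass: groupOfNames
cn: write
member: uid=activemq,ou=Systems,dc=myorg,dc=net
"""

ROLES = "ou=Roles,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"      # assumed branch
TOPICS = "ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
QUEUES = "ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
USER_DN = "uid=activemq,ou=Systems,dc=myorg,dc=net"


def parse_ldif(text):
    """Minimal LDIF reader (no folding, no base64): {dn lowercased: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries


def dest_matches(pattern, name):
    """ActiveMQ wildcard: '*' is one '.'-separated segment, '>' one or more remaining."""
    pat, segs = pattern.split("."), name.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return len(segs) > i
        if i >= len(segs) or (p != "*" and p.lower() != segs[i].lower()):
            return False
    return len(pat) == len(segs)


def user_roles(entries, user_dn, role_base, group_object_class="groupOfNames"):
    """Roles the login would attach: groups under role_base whose member lists the user DN."""
    roles = set()
    for dn, attrs in entries.items():
        if not dn.endswith("," + role_base.lower()):
            continue
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        members = {m.lower() for m in attrs.get("member", [])}
        if group_object_class.lower() in classes and user_dn.lower() in members:
            roles.add(attrs["cn"][0])
    return roles


def acl_principals(entries, search_base, dest_name, op,
                   user_object_class="person", group_object_class="groupOfNames"):
    """Principals granted `op` on `dest_name` by every matching cn=<op> group."""
    granted = set()
    for dn, attrs in entries.items():
        rdns = dn.split(",")
        if len(rdns) < 3 or rdns[0] != f"cn={op.lower()}" or not rdns[1].startswith("cn="):
            continue
        if ",".join(rdns[2:]) != search_base.lower() or not dest_matches(rdns[1][3:], dest_name):
            continue
        for member_dn in attrs.get("member", []):
            member = entries.get(member_dn.lower())
            if member is None:
                continue  # dangling member DN: grants nothing
            classes = {c.lower() for c in member.get("objectclass", [])}
            if group_object_class.lower() in classes:
                granted.add(member["cn"][0])
            elif user_object_class.lower() in classes:
                granted.add(member["uid"][0])  # silently dropped if userObjectClass is wrong
    return granted


def authorized(entries, user_dn, role_base, search_base, dest_name, op,
               user_object_class="person"):
    """True if the user's uid or one of its roles is granted `op` on the destination."""
    principals = user_roles(entries, user_dn, role_base) | {entries[user_dn.lower()]["uid"][0]}
    return bool(principals & acl_principals(entries, search_base, dest_name, op,
                                            user_object_class))


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    for base, dest, op in [(TOPICS, "ActiveMQ.Advisory.Connection", "admin"),
                           (QUEUES, "TEST.FOOBAR", "write")]:
        for cls in ("person", "posixAccount"):
            print(f"{op:5} {dest:30} userObjectClass={cls:12} ->",
                  authorized(tree, USER_DN, ROLES, base, dest, op, cls))
```

Run as-is, the topic grant succeeds either way because it goes through the admins role, while the direct user grant on the queue is honoured only when userObjectClass names the class the user entry actually has; that is the class of mismatch a refreshInterval-cached map will keep reproducing until the setting is corrected, so checking it offline is cheaper than reading slapd logs.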