Posted to dev@activemq.apache.org by pmambekar <pm...@gmail.com> on 2019/05/13 14:48:58 UTC

ActiveMQ with AD/LDAP

Hello,

This may be a redundant post, however I'm having trouble connecting ActiveMQ
with AD for authenticating the admin-console. Please see more details below:


* Jetty version - jetty-9.2.25.v20180606 (packaged with ActiveMQ-5.15.8)
* Java Version - 1.8.0_131
* Steps to reproduce - Followed the steps mentioned on the page
https://activemq.apache.org/security (LDAP Authentication Using the JAAS
Plugin). The changes made to the following files:

login.config (actual values replaced by dummy)

LDAPLogin {
    org.apache.activemq.jaas.LDAPLoginModule required
    debug=true
    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connectionURL="ldap://test.ldap.com:389"
    connectionUsername="CN=<name>,OU=Dummy Accounts,OU=Dummy Accounts and Groups,DC=corp,DC=company,DC=com"
    connectionPassword="password"
    connectionProtocol=s
    authentication=simple
    userBase="OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com"
    userRoleName=dummyUserRoleName
    userSearchMatching="(sAMAccountName={0})"
    userSearchSubtree=true
    roleBase="OU=Pre-Prod,OU=app,OU=Enterprise Based Applications,OU=Dummy Application Accounts and Groups,DC=corp,DC=company,DC=com"
    roleName=cn
    roleSearchMatching="(member={0})"
    roleSearchSubtree=true
    ;
};

activemq.xml (added following into the xml)
....
    <plugins>
        <jaasAuthenticationPlugin configuration="LDAPLogin" />
    </plugins>
.....

jetty.xml (added following to the xml)

    <bean id="ldapLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
        <property name="name" value="LdapRealm" />
        <property name="loginModuleName" value="LDAPLogin" />
        <property name="roleClassNames" value="org.eclipse.jetty.jaas.JAASRole" />
        <property name="identityService" ref="identityService" />
    </bean>
.......
.......
    <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
        <property name="loginService" ref="ldapLoginService" />
        <property name="identityService" ref="identityService" />
        <property name="realmName" value="LdapRealm" />
        <property name="authenticator">
            <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
        </property>
        <property name="constraintMappings">
            <list>
                <ref bean="adminSecurityConstraintMapping" />
                <ref bean="securityConstraintMapping" />
            </list>
        </property>
        <property name="handler" ref="secHandlerCollection" />
    </bean>
    <bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
    </bean>

No error in the logs:

2019-05-10 20:35:01,662 | DEBUG | Create the LDAP initial context. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,711 | DEBUG | Get the user DN. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,712 | DEBUG | Looking for the user in LDAP with  | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,712 | DEBUG |   base DN: OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,713 | DEBUG |   filter: (sAMAccountName=user1) | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,734 | DEBUG | LDAP returned a relative name: CN=test user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,735 | DEBUG | Using DN [CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com ] for binding. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,736 | DEBUG | Binding the user. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,780 | DEBUG | User CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com successfully bound. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,782 | DEBUG | Get user roles. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,783 | DEBUG | Looking for the user roles in LDAP with  | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,785 | DEBUG |   base DN: OU=Pre-Prod,OU=app,OU=Enterprise Based Applications,OU=Dummy Application Accounts and Groups,DC=corp,DC=company,DC=com | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,786 | DEBUG |   filter: (member=CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com) | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,835 | DEBUG | Roles [administrator_group] for user user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:03,821 | DEBUG | Checkpoint started. | org.apache.activemq.store.kahadb.MessageDatabase | ActiveMQ Journal Checkpoint Worker
2019-05-10 20:35:03,832 | DEBUG | Checkpoint done. | org.apache.activemq.store.kahadb.MessageDatabase | ActiveMQ Journal Checkpoint Worker
Error on the browser:
HTTP ERROR: 403

Problem accessing /admin/. Reason:
    !role

My suspicion is that the query it's running against AD is unable to find the
associated group. Has anyone successfully configured this before? Any help
is appreciated.




--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-Dev-f2368404.html
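The debug output above shows the LDAP side succeeding (bind OK, role "administrator_group" resolved via roleName=cn), while Jetty's "!role" 403 is raised by the constraint protecting /admin/. The following script is an added example, not code from the post or from ActiveMQ: it extracts the roles the LDAPLoginModule logged and compares them with the role names a Jetty constraint accepts. It assumes the stock ActiveMQ jetty.xml role names ("admin" for adminSecurityConstraint, "user,admin" for securityConstraint); adjust CONSTRAINT_ROLES to the values in your own jetty.xml.

```python
import re

# Constructed sample: the two LDAPLoginModule debug lines from the post that matter here.
SAMPLE_LOG = """\
2019-05-10 20:35:01,780 | DEBUG | User CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com successfully bound. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,835 | DEBUG | Roles [administrator_group] for user user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
"""

# Assumption: role names used by the stock ActiveMQ jetty.xml constraints.
# Replace with the "roles" property of each Constraint bean in your jetty.xml.
CONSTRAINT_ROLES = {
    "adminSecurityConstraint": {"admin"},        # protects /admin/*
    "securityConstraint": {"user", "admin"},     # protects the rest of the console
}

BOUND_RE = re.compile(r"\| User (.+?) successfully bound\. \|")
ROLES_RE = re.compile(r"\| Roles \[([^\]]*)\] for user (\S+) \|")


def parse_ldap_login(log_text):
    """Map each logged user to the DN it bound as and the role set LDAP returned."""
    result, last_dn = {}, None
    for line in log_text.splitlines():
        m = BOUND_RE.search(line)
        if m:
            last_dn = m.group(1).strip()   # DN from "User <dn> successfully bound."
            continue
        m = ROLES_RE.search(line)
        if m:
            roles = {r.strip() for r in m.group(1).split(",") if r.strip()}
            result[m.group(2)] = {"bound_dn": last_dn, "roles": roles}
            last_dn = None
    return result


def explain_403(user_roles, constraint_roles):
    """For each constraint, return the role names it would accept but the user lacks.
    An empty set means the constraint passes; a non-empty set on the constraint
    guarding /admin/ is exactly the '!role' 403 seen in the browser."""
    return {name: (set() if required & user_roles else set(required))
            for name, required in constraint_roles.items()}


if __name__ == "__main__":
    for user, info in parse_ldap_login(SAMPLE_LOG).items():
        print(user, "bound as", info["bound_dn"], "with roles", sorted(info["roles"]))
        for constraint, missing in explain_403(info["roles"], CONSTRAINT_ROLES).items():
            status = "OK" if not missing else "403 !role, needs one of " + ", ".join(sorted(missing))
            print("  ", constraint + ":", status)
```

Because roleName=cn, the role string Jetty sees is the AD group's cn verbatim, so the mismatch is resolved by either making a group whose cn equals the constraint's role name or editing the constraint's roles in jetty.xml to the group name; the script only reports which of the two sides disagrees.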