Posted to users@activemq.apache.org by fredrick255 <fu...@hotmail.com> on 2008/07/25 22:53:27 UTC
LDAPAuthoizationMap permissions
Judging from the exceptions I'm no longer receiving, the plugin is able to
authenticate the user and find the topic and queue objects. However it does
not see the admin attribute and refuses to let my user create the
ActiveMQ.Advisory.Connections topic. I don't see anywhere in the
configuration what the plugin looks for in the permission attributes. I've
tried putting both the DN
(member=cn=users,ou=Group,ou=ActiveMQ,ou=systems,dc=example,dc=com) and just
cn=users. I've also tried this for the group objects (member =
uid=user,ou=User,ou=ActiveMQ,ou=systems,dc=example,dc=com).
Anyone know what exactly the plugin is looking for in the specified
permission attribute?
I've based my configuration on these two articles:
http://www.nabble.com/Adding-users-on-the-fly-ACTIVEMQ-to16825211s2354.html#a16984528
http://www.nabble.com/Help-with-SimpleAuthenticationPlugin-td4607329.html#a4609098
Any ideas?
LoginLdapConfiguration {
// Stock ActiveMQ login module (the patched org.acme variant appears later in this thread).
org.apache.activemq.jaas.LDAPLoginModule required
debug=true
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connectionURL="ldap://127.0.0.1:10389"
// Service account used for the user and role searches; the LDAPAuthorizationMap bean below binds with the same identity.
connectionUsername="cn=mqbroker,ou=Services,dc=example,dc=com"
// Kept in cleartext in this file, so the file's permissions are the only protection for the bind credential.
connectionPassword=password
connectionProtocol=s
authentication=simple
userBase="ou=User,ou=ActiveMQ,ou=systems,dc=example,dc=com"
userRoleName=dummyUserRoleName
// {0} is presumably the login name supplied at authentication time -- the user-search code is not shown here.
userSearchMatching="(uid={0})"
userSearchSubtree=true
roleBase="ou=Group,ou=ActiveMQ,ou=systems,dc=example,dc=com"
// Attribute of each matched role entry whose values are collected as role names (addAttributeValues in the diff below).
roleName=cn
// In the stock module (removed lines of the diff below) {0} is the RFC2254-encoded user DN and {1} the username,
// so "uid={0}" expands to "uid=uid=...,ou=User,..." and matches no member value.
// NOTE(review): "(member={0})" looks like the intended filter -- confirm against the directory's member values.
roleSearchMatching="(member=uid={0})"
roleSearchSubtree=true
;
};
<authorizationPlugin>
<map>
<!-- Authorization map resolved from LDAP; the connection settings mirror the LDAPLoginModule JAAS entry above. -->
<bean xmlns="http://www.springframework.org/schema/beans"
id="lDAPAuthorizationMap"
class="org.apache.activemq.security.LDAPAuthorizationMap" >
<property name="initialContextFactory"
value="com.sun.jndi.ldap.LdapCtxFactory"/>
<property name="connectionURL"
value="ldap://127.0.0.1:10389"/>
<property name="authentication"
value="simple"/>
<!-- Same service account as the login module; its password is stored in cleartext in the broker XML. -->
<property name="connectionUsername"
value="cn=mqbroker,ou=Services,dc=example,dc=com"/>
<property name="connectionPassword"
value="password"/>
<property name="connectionProtocol"
value="s"/>
<property name="topicSearchSubtreeBool"
value="true"/>
<!-- MessageFormat beans (declared below) that build the queue/topic entry names. -->
<property name="queueSearchMatchingFormat"
ref="myQSearchMatchingFormat"/>
<property name="topicSearchMatchingFormat"
ref="myTSearchMatchingFormat"/>
<property name="queueSearchSubtreeBool"
value="true"/>
<!-- Per-permission search filter plus the attribute read from the matched entry.
     NOTE(review): what the map compares those attribute values against (role name vs. DN) is
     exactly the open question of this thread -- not determinable from this configuration alone. -->
<property name="adminBase"
value="(cn=admin)"/>
<property name="adminAttribute"
value="member"/>
<property name="readBase"
value="(cn=read)"/>
<property name="readAttribute"
value="member"/>
<property name="writeBase"
value="(cn=write)"/>
<property name="writeAttribute"
value="member"/>
</bean>
</map>
</authorizationPlugin>
</plugins>
</broker>
<!-- DN pattern for queue entries; {0} is the MessageFormat argument (presumably the destination name -- confirm). -->
<bean xmlns="http://www.springframework.org/schema/beans"
id="myQSearchMatchingFormat" class="java.text.MessageFormat">
<constructor-arg
value="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=example,dc=com"/>
</bean>
<!-- DN pattern for topic entries; same {0} placeholder as the queue format above (presumably the destination name -- confirm). -->
<bean xmlns="http://www.springframework.org/schema/beans"
id="myTSearchMatchingFormat" class="java.text.MessageFormat">
<constructor-arg
value="cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=systems,dc=example,dc=com"/>
</bean>
Re: LDAPAuthoizationMap permissions
Posted by fredrick255 <fu...@hotmail.com>.
To fix this I made some changes in the LDAPLoginModule. The problem appears
to lie in the getRoles method. I based my changes on the code that finds the
topic and queue objects in LDAPAuthorizationMap and the code that finds
the user in LDAPLoginModule. Here is the diff:
@@ -49,6 +49,8 @@
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
+import org.apache.activemq.jaas.GroupPrincipal;
+import org.apache.activemq.jaas.UserPrincipal;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -234,7 +236,7 @@
// check the credentials by binding to server
if (bindUser(context, dn, password)) {
// if authenticated add more roles
- roles = getRoles(context, dn, username, roles);
+ roles = getRoles(context, dn, username,
roles,entryName.toString());
for (int i = 0; i < roles.size(); i++) {
groups.add(new GroupPrincipal(roles.get(i)));
}
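Review bot: The new argument `entryName.toString()` duplicates information the method already receives as `dn`, and entryName is assigned outside this hunk, so it is not visible whether it holds the user's full DN or only the name relative to userBase (e.g. `uid=user`). getRoles compares it with `equals` against each role entry's `member` values, so the two must be in exactly the same textual form: a member value holding a full DN never equals a relative name, and plain string equality is also case- and whitespace-sensitive although DN matching in the directory is not. If the full DN is intended, `roles = getRoles(context, dn, username, roles, dn);` says so explicitly; otherwise a comment stating which form entryName carries would spare the next reader the same investigation. The enclosing login method begins and ends outside the hunk.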
@@ -253,7 +255,7 @@
return true;
}
- protected ArrayList<String> getRoles(DirContext context, String dn,
String username, ArrayList<String> currentRoles) throws NamingException {
+ protected ArrayList<String> getRoles(DirContext context, String dn,
String username, ArrayList<String> currentRoles, String userObject) throws
NamingException {
ArrayList<String> list = currentRoles;
if (list == null) {
list = new ArrayList<String>();
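Review bot: The protected `getRoles` signature changes without keeping the four-argument form, so any subclass that overrides or calls the old method stops compiling, and the new parameter is undocumented. A Javadoc line such as `@param userObject value that one of a role entry's {@code roleName} attribute values must equal for that role to be granted` captures what the loop further down actually does; keeping the old signature as a delegating overload would preserve compatibility if subclasses exist. The method body continues past the end of this hunk.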
@@ -261,9 +263,12 @@
if (roleName == null || "".equals(roleName)) {
return list;
}
+ /*
String filter = roleSearchMatchingFormat.format(new String[] {
doRFC2254Encoding(dn), username
});
+ */
+ String filter = roleSearchMatchingFormat.format(null);
SearchControls constraints = new SearchControls();
if (roleSearchSubtreeBool) {
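Review bot: `roleSearchMatchingFormat.format(null)` drops the user from the filter entirely, and a configured pattern that still contains `{0}` is then emitted with the literal text `{0}`, so a filter such as the original `(member=uid={0})` silently matches nothing rather than failing loudly; a guard like `if (roleSearchMatching.contains("{0}")) throw new NamingException("roleSearchMatching must be static");` (using whatever field holds the raw pattern) would make that misconfiguration visible. The removed lines also show the real cause of the original symptom: the stock code fills `{0}` with the RFC2254-encoded user DN, so `(member=uid={0})` expanded to `member=uid=uid=...`, and `(member={0})` would probably have worked without this patch. The commented-out block should be deleted rather than left behind. The enclosing method starts and ends outside this hunk.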
@@ -271,14 +276,29 @@
} else {
constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
}
+ constraints.setReturningAttributes(new String[] {roleName});
+
NamingEnumeration results = context.search(roleBase, filter,
constraints);
while (results.hasMore()) {
SearchResult result = (SearchResult)results.next();
+ String currentRoleName = result.getName();
Attributes attrs = result.getAttributes();
+ Attribute attr = attrs.get(roleName);
+ NamingEnumeration e = attr.getAll();
+ while (e.hasMore()) {
+ String value = (String)e.next();
+ if(value.equals(userObject))
+ {
+ list.add(currentRoleName);
+ }
+ }
+ /*
if (attrs == null) {
continue;
}
+
list = addAttributeValues(roleName, attrs, list);
+ */
}
return list;
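Review bot: `attrs.get(roleName)` returns null for any role entry that lacks a `member` attribute (an empty group, for instance), and the original `if (attrs == null) continue;` guard has been commented out, so the next line's `attr.getAll()` throws a NullPointerException during login; the `NamingEnumeration e` is also never closed, and `(String) e.next()` throws ClassCastException on a non-string attribute value. Note as well that `result.getName()` is the entry's name relative to roleBase (e.g. `cn=admin`), not the cn value that the removed addAttributeValues path added, so role principals change form; this may be intended but should be stated in a comment. Replacing the loop body as below keeps the new matching logic and removes the dead commented-out code; the enclosing method starts before this hunk.
```java
SearchResult result = (SearchResult) results.next();
Attributes attrs = result.getAttributes();
Attribute attr = attrs == null ? null : attrs.get(roleName);
if (attr == null) {
    continue; // entry has no membership attribute, e.g. an empty group
}
NamingEnumeration e = attr.getAll();
try {
    while (e.hasMore()) {
        // equals on userObject avoids both the cast and a NullPointerException on odd values
        if (userObject.equals(e.next())) {
            list.add(result.getName());
            break;
        }
    }
} finally {
    e.close();
}
// … unchanged: end of while (results.hasMore()) loop and return list …
```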
Here is the config I'm using:
LoginLdapConfiguration {
org.acme.activemq.security.LDAPLoginModule required <---- This is
just because I implemented the fix as a plugin
debug=true
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connectionURL="ldap://127.0.0.1:10389"
connectionUsername="cn=mqbroker,ou=Services,dc=example,dc=com"
// Cleartext bind credential; protected only by this file's permissions.
connectionPassword=password
connectionProtocol=s
authentication=simple
userBase="ou=User,ou=ActiveMQ,ou=systems,dc=example,dc=com"
userRoleName=test
userSearchMatching="(uid={0})"
userSearchSubtree=true
roleBase="ou=Group,ou=ActiveMQ,ou=systems,dc=example,dc=com"
// With the patched getRoles this is the membership attribute whose values are compared by String.equals
// against the user entry name; the granted role name is the matched entry's relative name (result.getName()).
roleName=member
// The patched module calls roleSearchMatchingFormat.format(null), so this filter is used verbatim and must not
// contain {0}; "(cn=*)" enumerates every entry under roleBase on each login and matches client-side.
roleSearchMatching="(cn=*)"
roleSearchSubtree=true
;
};