Posted to users@activemq.apache.org by "Weil, Janus" <ja...@dfs.de> on 2019/11/22 16:21:23 UTC
LDAP authorization with multiple LDAP servers
Dear ActiveMQ people,
we have a neatly working setup of several ActiveMQ 5 brokers which rely on an LDAP server for authorization.
The configuration in activemq.xml looks roughly like this (some parts omitted):
<plugins>
    <jaasAuthenticationPlugin configuration="LdapConfiguration" />
    <authorizationPlugin>
        <map>
            <cachedLDAPAuthorizationMap
                connectionURL="ldap://my.ldap.server:389"
                connectionUsername="..."
                connectionPassword="..."
                queueSearchBase="..."
                topicSearchBase="..."
                tempSearchBase="..."
                refreshInterval="300000"
                legacyGroupMapping="false"
                groupObjectClass="groupOfNames"
                permissionGroupMemberAttribute="member"
                userObjectClass="person"
                userNameAttribute="uid"
            />
        </map>
    </authorizationPlugin>
</plugins>
Now we plan to add some redundancy / high-availability for the LDAP part by using two or more mirrored LDAP servers. My simple question is: Does ActiveMQ have support for working with multiple LDAP servers?
The documentation at https://activemq.apache.org/cached-ldap-authorization-module does not give any hint on whether the connectionURL can specify multiple servers.
However, I found another reference to the JAAS LDAP Login Module at https://access.redhat.com/documentation/en-us/red_hat_jboss_a-mq/6.3/html/security_guide/esbsecurecontainer#JAASAuth-LDAPLoginModule, which seems to indicate that connection.url may specify multiple URLs as a space-separated list.
Can I expect that to work also in the ActiveMQ context?
Best regards,
Janus
DFS Deutsche Flugsicherung GmbH
Am DFS-Campus
D - 63225 Langen
Tel.: +49-(0)6103-707-0
Sitz der Gesellschaft: Langen/Hessen
Zustaendiges Registergericht: AG Offenbach am Main, HRB 34977
Vorsitzende des Aufsichtsrats: Dr. Martina Hinricher
Geschaeftsfuehrer: Prof. Klaus-Dieter Scheurle (Vors.), Robert Schickling, Dr. Michael Hann
Internet: http://www.dfs.de
Public-Key der DFS: http://www.dfs.de/dfs/public_key.asc
Re: LDAP authorization with multiple LDAP servers
Posted by Justin Bertram <jb...@apache.org>.
Under the covers the cachedLDAPAuthorizationMap uses
com.sun.jndi.ldap.LdapCtxFactory for connectivity with LDAP [1]. The
Oracle documentation states [2], "Instead of just one URL, you can also
supply a space-separated list of URLs. In this case, the LDAP provider will
attempt to use each URL in turn until it is able to create a successful
connection." It then provides a simple example [3]:
    // Specify list of space-separated URLs
    env.put(Context.PROVIDER_URL,
            "ldap://notthere:389/o=JNDITutorial " +
            "ldap://localhost:389/o=JNDITutorial " +
            "ldap://remotehost/o=JNDITutorial " +
            "ldap://thirdhost:389/o=JNDITutorial");
Justin
[1] https://github.com/apache/activemq/blob/master/activemq-broker/src/main/java/org/apache/activemq/security/SimpleCachedLDAPAuthorizationMap.java#L64
[2] https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html
[3] https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/src/MultiUrls.java
On Fri, Nov 22, 2019 at 10:26 AM Weil, Janus <ja...@dfs.de> wrote:
> Dear ActiveMQ people,
>
>
> we have a neatly working setup of several ActiveMQ 5 brokers which rely on
> an LDAP server for authorization.
>
>
> The configuration in activemq.xml looks roughly like this (some parts
> omitted):
>
>
> <plugins>
> <jaasAuthenticationPlugin configuration="LdapConfiguration" />
> <authorizationPlugin>
> <map>
> <cachedLDAPAuthorizationMap
> connectionURL="ldap://my.ldap.server:389"
> connectionUsername="..."
> connectionPassword="..."
> queueSearchBase="..."
> topicSearchBase="..."
> tempSearchBase="..."
> refreshInterval="300000"
> legacyGroupMapping="false"
> groupObjectClass="groupOfNames"
> permissionGroupMemberAttribute="member"
> userObjectClass="person"
> userNameAttribute="uid"
> />
> </map>
> </authorizationPlugin>
> </plugins>
>
>
>
> Now we plan to add some redundancy / high-availability for the LDAP part
> by using two or more mirrored LDAP servers. My simple question is: Does
> ActiveMQ have support for working with multiple LDAP servers?
>
>
> The documentation at
> https://activemq.apache.org/cached-ldap-authorization-module does not
> give any hint on whether the connectionURL can specify multiple servers.
>
>
> However, I found another reference to the JAAS LDAP Login Module at
> https://access.redhat.com/documentation/en-us/red_hat_jboss_a-mq/6.3/html/security_guide/esbsecurecontainer#JAASAuth-LDAPLoginModule,
> which seems to indicate that connection.url may specify multiple URLs as a
> space-separated list.
>
>
> Can I expect that to work also in the ActiveMQ context?
>
>
> Best regards,
>
> Janus
>
>
>
>
>
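To make the failover behaviour Justin describes concrete, here is an added example (it is not code from this thread, from the ActiveMQ broker, or from the Oracle tutorial) that opens a JNDI context the same way SimpleCachedLDAPAuthorizationMap does, through com.sun.jndi.ldap.LdapCtxFactory, with a space-separated list in Context.PROVIDER_URL, and then runs a group-membership search against the same groupOfNames/member schema used in the configuration above. In activemq.xml the equivalent is the single attribute connectionURL="ldaps://ldap1.example.org:636 ldaps://ldap2.example.org:636". The host names, DNs, the LDAP_BIND_PASSWORD environment variable and the timeout values are placeholders chosen for this example; the two com.sun.jndi.ldap.*.timeout property names are the JDK's own.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example: connect to a space-separated list of LDAP URLs through the
 * same JNDI factory the broker's cachedLDAPAuthorizationMap uses, then run
 * one authorization-style group lookup. All hosts, DNs and timeouts below
 * are placeholders, not values from a real deployment.
 */
public class MultiUrlLdapCheck {

    // Same failover form as the connectionURL attribute in activemq.xml:
    // the JDK provider tries each URL in turn until one connection succeeds.
    static final String PROVIDER_URLS =
            "ldaps://ldap1.example.org:636 ldaps://ldap2.example.org:636";

    public static DirContext connect(String urls, String bindDn, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, urls);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Without a connect timeout an unreachable first host can block for the
        // operating system's TCP timeout before the provider moves to the next URL.
        env.put("com.sun.jndi.ldap.connect.timeout", "3000");
        env.put("com.sun.jndi.ldap.read.timeout", "5000");
        return new InitialDirContext(env);
    }

    /** Returns the DNs of the groupOfNames entries that list userDn as a member. */
    public static List<String> groupsOf(DirContext ctx, String searchBase, String userDn)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"});
        // The user DN is passed as a filter argument ({0}) so JNDI escapes it;
        // concatenating it into the filter string would allow filter injection.
        String filter = "(&(objectClass=groupOfNames)(member={0}))";
        List<String> groups = new ArrayList<>();
        NamingEnumeration<SearchResult> results =
                ctx.search(searchBase, filter, new Object[] {userDn}, sc);
        try {
            while (results.hasMore()) {
                groups.add(results.next().getNameInNamespace());
            }
        } finally {
            results.close();
        }
        return groups;
    }

    public static void main(String[] args) throws NamingException {
        // Read the bind password from the environment rather than argv so it
        // does not show up in process listings.
        String password = System.getenv("LDAP_BIND_PASSWORD");
        if (password == null) {
            throw new IllegalStateException("LDAP_BIND_PASSWORD is not set");
        }
        DirContext ctx = connect(PROVIDER_URLS,
                "cn=broker,ou=services,dc=example,dc=org", password);
        try {
            List<String> groups = groupsOf(ctx, "ou=groups,dc=example,dc=org",
                    "uid=janus,ou=people,dc=example,dc=org");
            for (String group : groups) {
                System.out.println(group);
            }
        } finally {
            ctx.close();
        }
    }
}
```

Two things to keep in mind when carrying this over to the broker configuration: the provider walks the list in order only when the context is created, so a short connect timeout is what keeps a dead first server from stalling every reconnect; and the bind credentials are sent to whichever server answers first, so every URL in the list should use the same scheme (ldaps:// throughout, or ldap:// with StartTLS configured), not just the first one.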
Re: LDAP authorization with multiple LDAP servers
Posted by "Weil, Janus" <ja...@dfs.de>.
Dear Justin,
thanks a lot for your reply (and please keep me in CC, since I'm not subscribed to the ActiveMQ mailing list).
By now I have tried to use a space-separated list of URLs and indeed it seems to work. Very nice!
I guess it would be good to mention this in the documentation, wouldn't it? Am I right in assuming that a documentation patch should target the following file?
https://github.com/apache/activemq-website/blob/master/src/cached-ldap-authorization-module.md
Cheers,
Janus
Justin Bertram <jb...@apache.org> wrote:
> Under the covers the cachedLDAPAuthorizationMap uses
> com.sun.jndi.ldap.LdapCtxFactory for connectivity with LDAP [1]. The
> Oracle documentation states [2], "Instead of just one URL, you can also
> supply a space-separated list of URLs. In this case, the LDAP provider will
> attempt to use each URL in turn until it is able to create a successful
> connection." It then provides a simple example [3]:
>
> // Specify list of space-separated URLs
> env.put(Context.PROVIDER_URL,
> "ldap://notthere:389/o=JNDITutorial " +
> "ldap://localhost:389/o=JNDITutorial " +
> "ldap://remotehost/o=JNDITutorial " +
> "ldap://thirdhost:389/o=JNDITutorial");
>
>
> Justin
>
> [1] https://github.com/apache/activemq/blob/master/activemq-broker/src/main/java/org/apache/activemq/security/SimpleCachedLDAPAuthorizationMap.java#L64
> [2] https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html
> [3] https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/src/MultiUrls.java