Posted to users@activemq.apache.org by Chris Robison <ch...@gmail.com> on 2012/02/02 22:13:16 UTC

LDAPAuthorizationMap and Active Directory

Has anyone been able to use the LDAPAuthorizationMap successfully with
Active Directory? In my investigation, I don't think it will ever work in
its current state. When looking at the code, it is making the assumption
that the value of the member attribute (or whatever attribute you are
using) is always going to be in the form "{0}={1}" (an RDN). But, according
to the OpenLDAP spec, the member attribute value is a distinguished name.
That means values are a comma-delimited list of RDNs. So, for example, I
have AD groups that represent MQ roles. Here's one I use:
"CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The LDAPAuthorizationMap
considers the name of the role "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp".
Is this by design? I would be happy to submit a patch to change this
behavior. Thoughts?

Chris Robison
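
The mis-parse described in this post, next to a DN-aware alternative, as an added Python example rather than ActiveMQ's own (Java) code: `current_role_name` reproduces the "{0}={1}" assumption on the group DN quoted above, while `role_from_member` takes the value of the leading RDN of an RFC 4514 string DN instead. The default role attribute `cn`, the helper names and the two extra sample values are assumptions of this example.

```python
import re

# Constructed sample values: the group DN quoted in the post, plus two other
# forms of member value a directory may hand back.
SAMPLE_MEMBERS = [
    "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp",
    r"CN=MQ\, Admins,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp",  # escaped comma
    "OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp",                   # no role component
]

# Leading RDN of an RFC 4514 string DN: attribute type, '=', then a value in
# which any character may be backslash-escaped, ending at an unescaped ','.
_LEADING_RDN = re.compile(r"([A-Za-z][A-Za-z0-9-]*)=((?:\\.|[^,\\])*)(?:,|$)")


def current_role_name(member_value: str) -> str:
    """Behaviour described in the post: the value is assumed to be a single
    '{0}={1}' RDN, so everything after the first '=' becomes the role name."""
    return member_value.partition("=")[2]


def _unescape(value: str) -> str:
    # Decodes '\,'-style escapes and '\2C'-style hex pairs (ASCII bytes only).
    return re.sub(r"\\([0-9A-Fa-f]{2})|\\(.)",
                  lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2),
                  value)


def role_from_member(member_value: str, role_attr: str = "cn"):
    """Read the value as a DN and return the value of its leading RDN.
    'cn' is an assumed default for the configured role attribute. A value
    with no '=' at all is taken as a bare group name. Returns None when the
    leading RDN is some other attribute, so the caller skips the entry
    rather than granting a role built from the wrong DN component."""
    value = member_value.strip()
    m = _LEADING_RDN.match(value)
    if m is None:
        return None if "=" in value else value
    if m.group(1).lower() != role_attr.lower():
        return None
    return _unescape(m.group(2))


def roles_from_members(member_values, role_attr: str = "cn") -> set:
    """Role names granted by a group's member values; unusable values skipped."""
    roles = {role_from_member(v, role_attr) for v in member_values}
    roles.discard(None)
    return roles
```

With the sample DN, `current_role_name` returns the long "MQUser,OU=Groups,..." string quoted in the post, and `role_from_member` returns "MQUser".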

Re: LDAPAuthorizationMap and Active Directory

Posted by Chris Robison <ch...@gmail.com>.
Submitted the patch to https://issues.apache.org/jira/browse/AMQ-3701

Chris

On Mon, Feb 6, 2012 at 8:55 AM, Chris Robison <ch...@gmail.com> wrote:

> I'd be happy to do that. What package do you want me to put the class in?
>
> Chris
>
>
> On Mon, Feb 6, 2012 at 7:51 AM, Gary Tully <ga...@gmail.com> wrote:
>
>> Is that something you can/want to contribute back? Would be great if
>> we got a solution that worked for both.
>>
>> If you want to get that onto trunk, attach a patch to a new jira and
>> tick the license grant check box on file upload.
>> http://activemq.apache.org/contributing.html
>>
>> On 3 February 2012 21:13, Chris Robison <ch...@gmail.com> wrote:
>> > I looked at that tutorial already. And you're right, works fine with
>> > Apache Directory, but I have to use Active Directory. I just created a
>> > plugin that inherited LDAPAuthorizationMap and changed the one method
>> > preventing what was currently there from working.
>> >
>> > Chris
>> >
>> > On Fri, Feb 3, 2012 at 2:48 AM, Torsten Mielke <torsten@fusesource.com> wrote:
>> >
>> >> > Has anyone been able to use the LDAPAuthorizationMap successfully
>> >> > with Active Directory?
>> >>
>> >> Not with ActiveDirectory but when following the LDAP tutorial of the
>> >> ActiveMQ Security Guide from FuseSource, the LDAPAuthorizationMap works
>> >> fine against Apache Directory Server.
>> >> http://fusesource.com/docs/broker/5.5/security/LDAP.html
>> >>
>> >> Perhaps this tutorial can help?
>> >>
>> >>
>> >> Torsten Mielke
>> >> torsten@fusesource.com
>> >> tmielke@blogspot.com
>> >>
>> >> On Feb 2, 2012, at 10:13 PM, Chris Robison wrote:
>> >>
>> >> > Has anyone been able to use the LDAPAuthorizationMap successfully
>> >> > with Active Directory? In my investigation, I don't think it will ever
>> >> > work in its current state. When looking at the code, it is making the
>> >> > assumption that the value of the member attribute (or whatever
>> >> > attribute you are using) is always going to be in the form "{0}={1}"
>> >> > (an RDN). But, according to the OpenLDAP spec, the member attribute
>> >> > value is a distinguished name. That means values are a comma-delimited
>> >> > list of RDNs. So, for example, I have AD groups that represent MQ
>> >> > roles. Here's one I use:
>> >> > "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The
>> >> > LDAPAuthorizationMap considers the name of the role
>> >> > "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". Is this by design? I
>> >> > would be happy to submit a patch to change this behavior. Thoughts?
>> >> >
>> >> > Chris Robison
>>
>> --
>> http://fusesource.com
>> http://blog.garytully.com

Re: LDAPAuthorizationMap and Active Directory

Posted by Chris Robison <ch...@gmail.com>.
I'd be happy to do that. What package do you want me to put the class in?

Chris

On Mon, Feb 6, 2012 at 7:51 AM, Gary Tully <ga...@gmail.com> wrote:

> Is that something you can/want to contribute back? Would be great if
> we got a solution that worked for both.
>
> If you want to get that onto trunk, attach a patch to a new jira and
> tick the license grant check box on file upload.
> http://activemq.apache.org/contributing.html
>
> On 3 February 2012 21:13, Chris Robison <ch...@gmail.com> wrote:
> > I looked at that tutorial already. And you're right, works fine with
> > Apache Directory, but I have to use Active Directory. I just created a
> > plugin that inherited LDAPAuthorizationMap and changed the one method
> > preventing what was currently there from working.
> >
> > Chris
> >
> > On Fri, Feb 3, 2012 at 2:48 AM, Torsten Mielke <torsten@fusesource.com> wrote:
> >
> >> > Has anyone been able to use the LDAPAuthorizationMap successfully with
> >> > Active Directory?
> >>
> >> Not with ActiveDirectory but when following the LDAP tutorial of the
> >> ActiveMQ Security Guide from FuseSource, the LDAPAuthorizationMap works
> >> fine against Apache Directory Server.
> >> http://fusesource.com/docs/broker/5.5/security/LDAP.html
> >>
> >> Perhaps this tutorial can help?
> >>
> >>
> >> Torsten Mielke
> >> torsten@fusesource.com
> >> tmielke@blogspot.com
> >>
> >> On Feb 2, 2012, at 10:13 PM, Chris Robison wrote:
> >>
> >> > Has anyone been able to use the LDAPAuthorizationMap successfully with
> >> > Active Directory? In my investigation, I don't think it will ever work
> >> > in its current state. When looking at the code, it is making the
> >> > assumption that the value of the member attribute (or whatever
> >> > attribute you are using) is always going to be in the form "{0}={1}"
> >> > (an RDN). But, according to the OpenLDAP spec, the member attribute
> >> > value is a distinguished name. That means values are a comma-delimited
> >> > list of RDNs. So, for example, I have AD groups that represent MQ
> >> > roles. Here's one I use:
> >> > "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The
> >> > LDAPAuthorizationMap considers the name of the role
> >> > "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". Is this by design? I
> >> > would be happy to submit a patch to change this behavior. Thoughts?
> >> >
> >> > Chris Robison
>
> --
> http://fusesource.com
> http://blog.garytully.com

Re: LDAPAuthorizationMap and Active Directory

Posted by Gary Tully <ga...@gmail.com>.
Is that something you can/want to contribute back? Would be great if
we got a solution that worked for both.

If you want to get that onto trunk, attach a patch to a new jira and
tick the license grant check box on file upload.
http://activemq.apache.org/contributing.html

On 3 February 2012 21:13, Chris Robison <ch...@gmail.com> wrote:
> I looked at that tutorial already. And you're right, works fine with Apache
> Directory, but I have to use Active Directory. I just created a plugin that
> inherited LDAPAuthorizationMap and changed the one method preventing what
> was currently there from working.
>
> Chris
>
> On Fri, Feb 3, 2012 at 2:48 AM, Torsten Mielke <to...@fusesource.com> wrote:
>
>> > Has anyone been able to use the LDAPAuthorizationMap successfully with
>> > Active Directory?
>>
>> Not with ActiveDirectory but when following the LDAP tutorial of the
>> ActiveMQ Security Guide from FuseSource, the LDAPAuthorizationMap works
>> fine against Apache Directory Server.
>> http://fusesource.com/docs/broker/5.5/security/LDAP.html
>>
>> Perhaps this tutorial can help?
>>
>>
>> Torsten Mielke
>> torsten@fusesource.com
>> tmielke@blogspot.com
>>
>> On Feb 2, 2012, at 10:13 PM, Chris Robison wrote:
>>
>> > Has anyone been able to use the LDAPAuthorizationMap successfully with
>> > Active Directory? In my investigation, I don't think it will ever work in
>> > its current state. When looking at the code, it is making the assumption
>> > that the value of the member attribute (or whatever attribute you are
>> > using) is always going to be in the form "{0}={1}" (an RDN). But,
>> > according to the OpenLDAP spec, the member attribute value is a
>> > distinguished name. That means values are a comma-delimited list of
>> > RDNs. So, for example, I have AD groups that represent MQ roles. Here's
>> > one I use: "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The
>> > LDAPAuthorizationMap considers the name of the role
>> > "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". Is this by design? I
>> > would be happy to submit a patch to change this behavior. Thoughts?
>> >
>> > Chris Robison

-- 
http://fusesource.com
http://blog.garytully.com

Re: LDAPAuthorizationMap and Active Directory

Posted by Chris Robison <ch...@gmail.com>.
I looked at that tutorial already. And you're right, works fine with Apache
Directory, but I have to use Active Directory. I just created a plugin that
inherited LDAPAuthorizationMap and changed the one method preventing what
was currently there from working.

Chris

On Fri, Feb 3, 2012 at 2:48 AM, Torsten Mielke <to...@fusesource.com> wrote:

> > Has anyone been able to use the LDAPAuthorizationMap successfully with
> > Active Directory?
>
> Not with ActiveDirectory but when following the LDAP tutorial of the
> ActiveMQ Security Guide from FuseSource, the LDAPAuthorizationMap works
> fine against Apache Directory Server.
> http://fusesource.com/docs/broker/5.5/security/LDAP.html
>
> Perhaps this tutorial can help?
>
>
> Torsten Mielke
> torsten@fusesource.com
> tmielke@blogspot.com
>
> On Feb 2, 2012, at 10:13 PM, Chris Robison wrote:
>
> > Has anyone been able to use the LDAPAuthorizationMap successfully with
> > Active Directory? In my investigation, I don't think it will ever work in
> > its current state. When looking at the code, it is making the assumption
> > that the value of the member attribute (or whatever attribute you are
> > using) is always going to be in the form "{0}={1}" (an RDN). But,
> > according to the OpenLDAP spec, the member attribute value is a
> > distinguished name. That means values are a comma-delimited list of
> > RDNs. So, for example, I have AD groups that represent MQ roles. Here's
> > one I use: "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The
> > LDAPAuthorizationMap considers the name of the role
> > "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". Is this by design? I
> > would be happy to submit a patch to change this behavior. Thoughts?
> >
> > Chris Robison

Re: LDAPAuthorizationMap and Active Directory

Posted by Torsten Mielke <to...@fusesource.com>.
> Has anyone been able to use the LDAPAuthorizationMap successfully with
> Active Directory? 

Not with ActiveDirectory but when following the LDAP tutorial of the ActiveMQ Security Guide from FuseSource, the LDAPAuthorizationMap works fine against Apache Directory Server.
http://fusesource.com/docs/broker/5.5/security/LDAP.html

Perhaps this tutorial can help?


Torsten Mielke
torsten@fusesource.com
tmielke@blogspot.com

On Feb 2, 2012, at 10:13 PM, Chris Robison wrote:

> Has anyone been able to use the LDAPAuthorizationMap successfully with
> Active Directory? In my investigation, I don't think it will ever work in
> its current state. When looking at the code, it is making the assumption
> that the value of the member attribute (or whatever attribute you are
> using) is always going to be in the form "{0}={1}" (an RDN). But, according
> to the OpenLDAP spec, the member attribute value is a distinguished name.
> That means values are a comma-delimited list of RDNs. So, for example, I
> have AD groups that represent MQ roles. Here's one I use:
> "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The LDAPAuthorizationMap
> considers the name of the role "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp".
> Is this by design? I would be happy to submit a patch to change this
> behavior. Thoughts?
>
> Chris Robison

Re: LDAPAuthorizationMap and Active Directory

Posted by Matt Pavlovich <ma...@gmail.com>.
Chris-

This is one of the major flaws in LDAP.  There are a number of 
conventions for handling group membership, and no strictly followed 
"standard".  Listing of common names, such as CN values, or listing full 
DNs.  Then, there is the model of dynamic groups, where the user entry 
has the group listing, vs the group having the user listing.  Confused yet?

There are a couple of member-related attributes: member, memberOf and a 
couple other attributes that are used for membership.  I'm not an expert 
in AD, but I believe I have seen instances where they use both the DN 
list on the group and the dynamic group model, where the groups are 
listed on the users.  I think it may depend on how many "upgrades" that 
AD instance has been through.

A patch may make sense, but it would need to consider all the weird 
LDAP grouping models.

Matt Pavlovich

On 2/2/12 3:13 PM, Chris Robison wrote:
> Has anyone been able to use the LDAPAuthorizationMap successfully with
> Active Directory? In my investigation, I don't think it will ever work in
> its current state. When looking at the code, it is making the assumption
> that the value of the member attribute (or whatever attribute you are
> using) is always going to be in the form "{0}={1}" (an RDN). But, according
> to the OpenLDAP spec, the member attribute value is a distinguished name.
> That means values are a comma-delimited list of RDNs. So, for example, I
> have AD groups that represent MQ roles. Here's one I use:
> "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The LDAPAuthorizationMap
> considers the name of the role "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp".
> Is this by design? I would be happy to submit a patch to change this
> behavior. Thoughts?
>
> Chris Robison