Hello, this may be a redundant post; however, I'm having trouble connecting ActiveMQ with AD for authenticating the admin console. Please see more details below -
* Jetty version - jetty-9.2.25.v20180606 (packaged with ActiveMQ-5.15.8)
* Java version - 1.8.0_131
* Steps to reproduce - Followed the steps mentioned on the page - https://activemq.apache.org/security (LDAP Authentication Using the JAAS Plugin). The changes made to the following files -

login.config (actual values replaced by dummy)

    LDAPLogin {
        org.apache.activemq.jaas.LDAPLoginModule required
            debug=true
            initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
            connectionURL="ldap://test.ldap.com:389"
            connectionUsername="CN=<name>,OU=Dummy Accounts,OU=Dummy Accounts and Groups,DC=corp,DC=company,DC=com"
            connectionPassword="password"
            connectionProtocol=s
            authentication=simple
            userBase="OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com"
            userRoleName=dummyUserRoleName
            userSearchMatching="(sAMAccountName={0})"
            userSearchSubtree=true
            roleBase="OU=Pre-Prod,OU=app,OU=Enterprise Based Applications,OU=Dummy Application Accounts and Groups,DC=corp,DC=company,DC=com"
            roleName=cn
            roleSearchMatching="(member={0})"
            roleSearchSubtree=true
            ;
    };

activemq.xml (added the following to the xml)

    ....
    <plugins>
        <jaasAuthenticationPlugin configuration="LDAPLogin" />
    </plugins>
    .....

jetty.xml (added the following to the xml)

    <bean id="ldapLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
        <property name="name" value="LdapRealm" />
        <property name="loginModuleName" value="LDAPLogin" />
        <property name="roleClassNames" value="org.eclipse.jetty.jaas.JAASRole" />
        <property name="identityService" ref="identityService" />
    </bean>
    .......
    .......
    <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
        <property name="loginService" ref="ldapLoginService" />
        <property name="identityService" ref="identityService" />
        <property name="realmName" value="LdapRealm" />
        <property name="authenticator">
            <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
        </property>
        <property name="constraintMappings">
            <list>
                <ref bean="adminSecurityConstraintMapping" />
                <ref bean="securityConstraintMapping" />
            </list>
        </property>
        <property name="handler" ref="secHandlerCollection" />
    </bean>

    <bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
    </bean>

No error in the logs -

    2019-05-10 20:35:01,662 | DEBUG | Create the LDAP initial context. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,711 | DEBUG | Get the user DN. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,712 | DEBUG | Looking for the user in LDAP with | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,712 | DEBUG | base DN: OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,713 | DEBUG | filter: (sAMAccountName=user1) | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,734 | DEBUG | LDAP returned a relative name: CN=test user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,735 | DEBUG | Using DN [CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com ] for binding. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,736 | DEBUG | Binding the user. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,780 | DEBUG | User CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com successfully bound. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,782 | DEBUG | Get user roles. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,783 | DEBUG | Looking for the user roles in LDAP with | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,785 | DEBUG | base DN: OU=Pre-Prod,OU=app,OU=Enterprise Based Applications,OU=Dummy Application Accounts and Groups,DC=corp,DC=company,DC=com | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,786 | DEBUG | filter: (member=CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com) | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:01,835 | DEBUG | Roles [administrator_group] for user user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
    2019-05-10 20:35:03,821 | DEBUG | Checkpoint started. | org.apache.activemq.store.kahadb.MessageDatabase | ActiveMQ Journal Checkpoint Worker
    2019-05-10 20:35:03,832 | DEBUG | Checkpoint done. | org.apache.activemq.store.kahadb.MessageDatabase | ActiveMQ Journal Checkpoint Worker

* Error on the browser -

    HTTP ERROR: 403
    Problem accessing /admin/. Reason:
        !role

* My suspicion is that the query it's running against AD is unable to find the associated group. Has anyone successfully configured this before? Any help is appreciated.

--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-Dev-f2368404.html
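The debug trace above shows the bind and the role lookup both succeeding (the module found the role `administrator_group`), so the 403 `!role` is raised by Jetty's constraint check after authentication, not by the LDAP query. The script below is an added diagnostic, not part of the post or of ActiveMQ; it parses LDAPLoginModule debug lines like the ones quoted and then models the two Jetty-side checks that produce `!role`: whether the login service treats the module's principals as roles at all (Jetty's `JAASLoginService` only counts principals whose class is listed in `roleClassNames`, and ActiveMQ's `LDAPLoginModule` represents groups as `org.apache.activemq.jaas.GroupPrincipal`, which the posted config does not list), and whether any of those roles is in the set the constraint guarding `/admin/` requires. The assumption that the stock `adminSecurityConstraint` bean requires the role `admin` is labelled in the code; verify it against the `roles` property of that bean in your own `jetty.xml`. The sample log lines are constructed from the ones in the post.

```python
import re

# Constructed sample log, modelled on the LDAPLoginModule debug lines quoted in the
# post (same DN and role name; timestamps and thread id are illustrative).
SAMPLE_LOG = """\
2019-05-10 20:35:01,780 | DEBUG | User CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com successfully bound. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,835 | DEBUG | Roles [administrator_group] for user user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
"""

# ASSUMPTION: ActiveMQ's LDAPLoginModule wraps each role it finds in an
# org.apache.activemq.jaas.GroupPrincipal (check the class on your version).
LDAP_MODULE_ROLE_CLASS = "org.apache.activemq.jaas.GroupPrincipal"
# ASSUMPTION: the adminSecurityConstraint bean in the stock ActiveMQ jetty.xml
# requires the role "admin"; check its <property name="roles" .../> in yours.
ADMIN_CONSTRAINT_ROLES = ("admin",)

BOUND_RE = re.compile(r"\| DEBUG \| User (?P<dn>.+?) successfully bound\.")
ROLES_RE = re.compile(r"\| DEBUG \| Roles \[(?P<roles>[^\]]*)\] for user (?P<user>\S+)")


def parse_login_event(log_text):
    """Extract the bound DN and the role names found, from one LDAPLoginModule
    debug trace (the lines 'User ... successfully bound.' and 'Roles [...] for user ...')."""
    event = {"bound_dn": None, "user": None, "roles": []}
    for line in log_text.splitlines():
        m = BOUND_RE.search(line)
        if m:
            event["bound_dn"] = m.group("dn").strip()
            continue
        m = ROLES_RE.search(line)
        if m:
            event["user"] = m.group("user")
            raw = m.group("roles").strip()  # Java List toString: "[a, b]" or "[]"
            event["roles"] = [r.strip() for r in raw.split(",")] if raw else []
    return event


def jetty_roles(subject_principals, role_class_names):
    """Model of Jetty's JAASLoginService: a principal on the JAAS Subject counts
    as a role only if its class name is listed in roleClassNames."""
    return sorted(name for cls, name in subject_principals if cls in role_class_names)


def check_admin_access(event, role_class_names, required_roles=ADMIN_CONSTRAINT_ROLES):
    """Reproduce the two checks behind 'HTTP 403 !role': the user authenticated,
    and at least one Jetty-visible role is in the constraint's role set."""
    if event["bound_dn"] is None:
        return {"authenticated": False, "authorized": False,
                "reason": "no successful bind logged"}
    principals = [(LDAP_MODULE_ROLE_CLASS, r) for r in event["roles"]]
    visible = jetty_roles(principals, role_class_names)
    matched = sorted(set(visible) & set(required_roles))
    if matched:
        return {"authenticated": True, "authorized": True, "matched": matched}
    if not visible:
        reason = ("!role: LDAP found %s, but roleClassNames %s does not include %s, "
                  "so Jetty sees no roles"
                  % (event["roles"], list(role_class_names), LDAP_MODULE_ROLE_CLASS))
    else:
        reason = ("!role: Jetty sees roles %s, but the constraint requires one of %s"
                  % (visible, sorted(required_roles)))
    return {"authenticated": True, "authorized": False, "reason": reason}


if __name__ == "__main__":
    ev = parse_login_event(SAMPLE_LOG)
    # As configured in the post: roleClassNames lists JAASRole only.
    print(check_admin_access(ev, ["org.eclipse.jetty.jaas.JAASRole"]))
    # Role class aligned, but the AD group name still does not match the constraint.
    print(check_admin_access(ev, [LDAP_MODULE_ROLE_CLASS]))
    # Both aligned: role class listed and a constraint that names the AD group.
    print(check_admin_access(ev, [LDAP_MODULE_ROLE_CLASS], ("admin", "administrator_group")))
```

Run it against a real broker log by replacing `SAMPLE_LOG` with the file contents; the `reason` string tells you which of the two settings to reconcile: `roleClassNames` on the `ldapLoginService` bean, or the `roles` property of the constraint beans so that it names the AD group (or, alternatively, a `roleSearchMatching`/`roleName` pair that resolves the user to a group whose `cn` matches the role the constraint already expects).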
