Hello,

Here are more details on this -

*Jetty version -* jetty-9.2.25.v20180606 (packaged with ActiveMQ-5.15.8)
*Java Version -* 1.8.0_131
*Steps to reproduce -* Followed the steps mentioned on the page -
https://activemq.apache.org/security (LDAP Authentication Using the JAAS
Plugin). The changes made to the following files -

*login.config* (actual values replaced by dummy)

LDAPLogin {
    org.apache.activemq.jaas.LDAPLoginModule required
    debug=true
    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connectionURL="ldap://nyc-dc01.corp.nypiua.com:389"
    connectionUsername="CN=<name>,OU=Dummy Accounts,OU=Dummy Accounts and Groups,DC=corp,DC=company,DC=com"
    connectionPassword="password"
    connectionProtocol=s
    authentication=simple
    userBase="OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com"
    userRoleName=dummyUserRoleName
    userSearchMatching="(sAMAccountName={0})"
    userSearchSubtree=true
    roleBase="OU=Pre-Prod,OU=app,OU=Enterprise Based Applications,OU=Dummy Application Accounts and Groups,DC=corp,DC=company,DC=com"
    roleName=cn
    roleSearchMatching="(member={0})"
    roleSearchSubtree=true
    ;
};

*activemq.xml* (added the following to the XML)
....
<plugins>
        <jaasAuthenticationPlugin configuration="LDAPLogin" />
 </plugins>
.....

*jetty.xml* (added the following to the XML)

<bean id="ldapLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
    <property name="name" value="LdapRealm" />
    <property name="loginModuleName" value="LDAPLogin" />
    <property name="roleClassNames" value="org.eclipse.jetty.jaas.JAASRole" />
    <property name="identityService" ref="identityService" />
</bean>
.......
.......
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
    <property name="loginService" ref="ldapLoginService" />
    <property name="identityService" ref="identityService" />
    <property name="realmName" value="LdapRealm" />
    <property name="authenticator">
        <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
    </property>
    <property name="constraintMappings">
        <list>
            <ref bean="adminSecurityConstraintMapping" />
            <ref bean="securityConstraintMapping" />
        </list>
    </property>
    <property name="handler" ref="secHandlerCollection" />
</bean>
<bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
</bean>

*No Error in the logs -*

2019-05-10 20:35:01,662 | DEBUG | Create the LDAP initial context. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,711 | DEBUG | Get the user DN. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,712 | DEBUG | Looking for the user in LDAP with  | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,712 | DEBUG |   base DN: OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,713 | DEBUG |   filter: (sAMAccountName=user1) | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,734 | DEBUG | LDAP returned a relative name: CN=test user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,735 | DEBUG | Using DN [CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com ] for binding. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,736 | DEBUG | Binding the user. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,780 | DEBUG | User CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com successfully bound. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,782 | DEBUG | Get user roles. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,783 | DEBUG | Looking for the user roles in LDAP with | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,785 | DEBUG |   base DN: OU=Pre-Prod,OU=app,OU=Enterprise Based Applications,OU=Dummy Application Accounts and Groups,DC=corp,DC=company,DC=com | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,786 | DEBUG |   filter: (member=CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com) | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,835 | DEBUG | Roles [administrator_group] for user user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:03,821 | DEBUG | Checkpoint started. | org.apache.activemq.store.kahadb.MessageDatabase | ActiveMQ Journal Checkpoint Worker
2019-05-10 20:35:03,832 | DEBUG | Checkpoint done. | org.apache.activemq.store.kahadb.MessageDatabase | ActiveMQ Journal Checkpoint Worker

*Error on the browser -*
HTTP ERROR: 403

Problem accessing /admin/. Reason:
    !role

On Fri, May 10, 2019 at 9:06 PM Olivier Lamy <ol...@webtide.com> wrote:

> Hi
> In order to help you, we need more details such as:
> - Jetty version
> - Java version
> - exact steps to reproduce your problem
>
> cheers
> Olivier
>
>
> On Sat, May 11, 2019 at 10:16 AM Pankaj Ambekar <pmambe...@gmail.com>
> wrote:
>
>> Hello,
>>
>> I'm using apache-activemq-5.15.8 with Jetty and trying to get the
>> configurations working by connecting the admin-console authentication with
>> LDAP/AD. I've followed all the necessary configs on logon.config,
>> activemq.xml, jetty.xml and I can see in the logs that the user is
>> authenticated. However, on the browser, I see the following error -
>>
>> HTTP ERROR: 403
>>
>> Problem accessing /admin/. Reason:
>>     !role
>>
>> Could you please advise if you changed anything specific in web.xml (or
>> any other config file) to get past this error?
>>
>> --
>> Thanks
>>
>> Regards,
>> Pankaj Ambekar
>>
>> _______________________________________________
>> jetty-users mailing list
>> jetty-users@eclipse.org
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit
>> https://www.eclipse.org/mailman/listinfo/jetty-users
>
>
>
> --
> Olivier



-- 
Thanks

Regards,
Pankaj Ambekar
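
Added illustration, not part of the original message and not Jetty or ActiveMQ code: a container that reads roles from the JAAS Subject by principal class sees no roles when the login module stores its groups under a different class, which matches a log showing "Roles [administrator_group]" followed by a 403 "!role". ContainerRole, ModuleUser, ModuleGroup, rolesFor and permitted are hypothetical names, and the Subject is constructed from the log above.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

public class RoleClassFilterDemo {
    // Hypothetical stand-ins, not the real Jetty/ActiveMQ principal classes.
    static class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    static final class ContainerRole extends Named { ContainerRole(String n) { super(n); } } // type listed in roleClassNames
    static final class ModuleUser extends Named { ModuleUser(String n) { super(n); } }       // user principal added by the module
    static final class ModuleGroup extends Named { ModuleGroup(String n) { super(n); } }     // group principal added by the module

    // Role extraction by principal class: a principal that is not an instance
    // of a configured role class is ignored, even though the module found it.
    @SafeVarargs
    static Set<String> rolesFor(Subject s, Class<? extends Principal>... roleClasses) {
        Set<String> roles = new LinkedHashSet<>();
        for (Class<? extends Principal> c : roleClasses) {
            for (Principal p : s.getPrincipals(c)) {
                roles.add(p.getName());
            }
        }
        return roles;
    }

    // A constraint admits the user only if a collected role is listed on it.
    static boolean permitted(Set<String> roles, List<String> constraintRoles) {
        for (String r : constraintRoles) {
            if (roles.contains(r)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed Subject mirroring the posted log: user1 bound, one group returned.
        Subject s = new Subject();
        s.getPrincipals().add(new ModuleUser("user1"));
        s.getPrincipals().add(new ModuleGroup("administrator_group"));

        Set<String> mismatched = rolesFor(s, ContainerRole.class); // filter class differs from the module's
        Set<String> matched = rolesFor(s, ModuleGroup.class);      // filter class is the module's group class
        System.out.println(mismatched + " " + permitted(mismatched, Arrays.asList("administrator_group")));
        System.out.println(matched + " " + permitted(matched, Arrays.asList("administrator_group")));
        // "admin" is a constructed constraint role name that no returned group matches.
        System.out.println(matched + " " + permitted(matched, Arrays.asList("admin")));
    }
}
```

In the posted jetty.xml, roleClassNames lists org.eclipse.jetty.jaas.JAASRole while the login module in the log is org.apache.activemq.jaas.LDAPLoginModule, which adds its groups as org.apache.activemq.jaas.GroupPrincipal. The roles named on the security constraints also have to include a group the module returns.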