On Mar 11, 2009, at 11:56 PM, huntc wrote:
> Hi there,
>
> I have a situation where I need to support authentication and authorisation for endpoints connecting to my broker. I have successfully configured an LDAP server for this purpose and have everything working.
>
> My concern though is that endpoints must provide a username and password to establish their identity. Indeed ActiveMQ also needs to provide its username and password so that it can interrogate the LDAP store.

??? I'm not familiar with the activemq stuff but the ldap login modules I've seen work by binding to ldap using the client's supplied user name and password. If it works, then the user name/password is valid and you can go on to look for groups/roles/whatever, otherwise the username/password is not valid. So, activemq does not need a "system identity" known to ldap for this to work.

In ldap I think the usual strategy is to hash the stored passwords and also hash the incoming supplied passwords. Thus, no passwords in the clear.

> This then requires that passwords are stored in the clear somewhere; generally in some configuration file like activemq.xml. I realise that I can use operating system permissions to lock the configuration files down, but I am looking for a better way.
>
> I am presently thinking of writing my own JAAS LoginModule to authorise endpoints that have successfully authenticated using mutual SSL authentication, i.e. it verifies the client's certificate. On login my module would extract the subject DN from the client's certificate by getting the public certificate from the Subject object. It would then perform a JNDI search for the groups that have the DN as a member. The CNs of member groups would then be established as roles (much like the existing org.apache.activemq.jaas.LDAPLoginModule does).

With this strategy I think you need to authenticate activemq to the ldap system?? or can you use the client cert to authenticate the original client? In either case it doesn't really seem different to me than the username/password case except your description appears to require an identity known to ldap for activemq. Unless you require the admin to type in the credentials when starting activemq, I don't see how you're going to avoid storing the credentials in the clear on disk.

Maybe I'm misunderstanding what you are proposing....

david jencks

> To further aid security I would disallow all but SSL based communication with the broker.
>
> Does the strategy make sense? Is there a better way of avoiding storing usernames and passwords in the clear?
>
> Thank you for your time.
>
> Kind regards,
> Christopher
--
View this message in context: http://www.nabble.com/SSL-authorisation-using-a-client%27s-subject-DN-for-JNDI-tp22470806p22470806.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
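A sketch of the LoginModule Christopher describes, added here as an illustration and not code from either poster or from ActiveMQ. It follows the post's assumption that the SSL layer has already verified the client certificate and placed it in the Subject's public credentials; the option keys `connectionURL` and `roleBase`, the class name and the `member` attribute are assumed, and `UserPrincipal`/`GroupPrincipal` are the ones in the activemq-jaas module.

```java
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.*; import javax.naming.directory.*;
import javax.security.auth.Subject; import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*; import javax.security.auth.spi.LoginModule;
import org.apache.activemq.jaas.*; // UserPrincipal and GroupPrincipal from activemq-jaas

public class CertDnLdapRoleLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> options; // assumed option keys: connectionURL, roleBase
    private String dn;
    private final Set<String> roles = new HashSet<>();
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; options = opts; }

    public boolean login() throws LoginException {
        // Post's assumption: the SSL layer has verified the chain and put the cert in the Subject.
        Set<X509Certificate> certs = subject.getPublicCredentials(X509Certificate.class);
        if (certs.isEmpty()) throw new FailedLoginException("no verified client certificate");
        dn = certs.iterator().next().getSubjectX500Principal().getName();
        try { roles.addAll(groupCnsFor(dn)); }
        catch (NamingException e) { throw (LoginException) new LoginException("LDAP lookup failed").initCause(e); }
        return true;
    }

    // Search roleBase for groups that list the DN as a member; no bind credentials are set here.
    private Set<String> groupCnsFor(String memberDn) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (String) options.get("connectionURL"));
        DirContext ctx = new InitialDirContext(env);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE); sc.setReturningAttributes(new String[] {"cn"});
        Set<String> cns = new HashSet<>();
        try {
            // {0} is substituted by JNDI with filter escaping, so '(' or '*' in a DN cannot alter the filter.
            NamingEnumeration<SearchResult> rs = ctx.search((String) options.get("roleBase"), "(member={0})", new Object[] {memberDn}, sc);
            while (rs.hasMore()) {
                Attribute cn = rs.next().getAttributes().get("cn");
                if (cn != null) cns.add((String) cn.get());
            }
        } finally { ctx.close(); }
        return cns;
    }

    public boolean commit() {
        subject.getPrincipals().add(new UserPrincipal(dn));
        for (String r : roles) subject.getPrincipals().add(new GroupPrincipal(r));
        return true;
    }
    public boolean abort()  { roles.clear(); dn = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); roles.clear(); return true; }
}
```

The search runs without `SECURITY_PRINCIPAL`/`SECURITY_CREDENTIALS`, so it only works if the directory allows an anonymous read of group membership; otherwise the broker bind David points out has to be configured, and the credential storage question returns.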