huntc wrote:
> > You're right in that activemq still has to bind itself to perform a search
> > to see which groups an endpoint's dn belongs to. I did forget about that.
> >
> > Perhaps this bind could be achieved using a mechanism such as SASL/GSSAPI?
>
After lots of reading, and experimenting, perhaps the way for AMQ to determine the roles is via anonymous LDAP access. What I've done is specified a hierarchy like:

    ou=system
      ou=groups
        ou=activemq
          cn=activemq-users
          cn=com.classactionpl.javaFlightTopic.subscribers
          cn=jms-services

I've then enabled anonymous access and enabled access control. By default (at least with ApacheDS) no one can do a thing; you have to explicitly enable who can see what. What I have done is allowed anonymous access to browse and read everything below "ou=activemq,ou=groups,ou=system" only. I have used an ACI under "ou=activemq,ou=groups,ou=system":

    {
      identificationTag "allUsersBrowseACISubentry",
      precedence 0,
      authenticationLevel none,
      itemOrUserFirst userFirst: {
        userClasses { allUsers },
        userPermissions {
          {
            precedence 0,
            protectedItems { allUserAttributeTypes, entry },
            grantsAndDenials { grantBrowse, grantRead }
          }
        }
      }
    }

Now AMQ can potentially connect anonymously and determine the groups that a uid belongs to. The following ldapsearch command demonstrates how to search for the groups user "camel" belongs to:

    ldapsearch -x -H ldap://localhost:10389 -s one -b "ou=activemq,ou=groups,ou=system" "(member=uid=camel,ou=users,ou=system)" cn member

My login plugin can therefore rely upon SSL for authentication. Upon successful authentication the subject DN of the client's certificate can be anonymously looked up via LDAP to determine the roles (groups) for authorisation.

Am I barking mad or does this appear to be a secure solution? Remember that nothing but mutual SSL authentication with AMQ will be permitted.

Kind regards,
Christopher

--
View this message in context: http://www.nabble.com/SSL-authorisation-using-a-client%27s-subject-DN-for-JNDI-tp22470806p22475654.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
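As an added example that is not part of the original post or of ActiveMQ's own login plugin code, the following Python shows the client side of the lookup described above: it builds the same ldapsearch filter from a certificate subject DN, but escapes the DN per RFC 4515 before interpolating it (the DN arrives from the peer, so it is treated as data rather than filter syntax), and it parses the LDIF that ldapsearch returns into a set of role names. The sample LDIF, the assumption that each group's cn is the role name, and the assumption that the member attribute holds the full user DN are constructed for this example and not taken from the post.

```python
"""Added example: derive ActiveMQ roles from an anonymous LDAP group search.

Assumptions (hypothetical, not from the original post): group cn values map
one-to-one onto roles, the member attribute stores full user DNs, and the
search result is plain LDIF as printed by ldapsearch.
"""
import base64
import re

# Search base and server URL taken from the ldapsearch command in the post.
BASE_DN = "ou=activemq,ou=groups,ou=system"
LDAP_URL = "ldap://localhost:10389"

# RFC 4515 filter escaping. The subject DN is supplied by the TLS peer, so it is
# never pasted raw into the filter; otherwise a crafted DN could change the
# filter's meaning and widen the set of groups returned.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_filter(subject_dn: str) -> str:
    """Same filter shape as the post's "(member=uid=camel,...)", with escaping."""
    return f"(member={escape_filter_value(subject_dn)})"


def ldapsearch_args(subject_dn: str, url: str = LDAP_URL) -> list:
    """Argument vector equivalent to the ldapsearch command shown in the post."""
    return ["ldapsearch", "-x", "-H", url, "-s", "one", "-b", BASE_DN,
            group_filter(subject_dn), "cn", "member"]


def normalize_dn(dn: str) -> str:
    """Loose DN comparison: case-insensitive, spaces around commas ignored."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: one {attr: [values]} dict per entry."""
    logical = []
    for raw in text.splitlines():          # unfold continuation lines
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:            # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def roles_for(subject_dn: str, ldif_text: str) -> set:
    """cn of every returned group that actually lists the DN as a member.

    The server has already filtered on member, but re-checking client-side
    means a broadened filter or an over-generous ACI cannot grant extra roles.
    """
    want = normalize_dn(subject_dn)
    roles = set()
    for entry in parse_ldif(ldif_text):
        members = {normalize_dn(m) for m in entry.get("member", [])}
        if want in members:
            roles.update(entry.get("cn", []))
    return roles


# Constructed sample of what the search might print; not real server output.
SAMPLE_LDIF = """\
# extended LDIF (constructed sample)
dn: cn=activemq-users,ou=activemq,ou=groups,ou=system
cn: activemq-users
member: uid=camel,ou=users,ou=system
member: uid=alice,ou=users,ou=system

dn: cn=jms-services,ou=activemq,ou=groups,ou=system
cn: jms-services
member: uid=camel,ou=users,ou=system

dn: cn=com.classactionpl.javaFlightTopic.subscribers,ou=activemq,ou=groups,
 ou=system
cn: com.classactionpl.javaFlightTopic.subscribers
member: uid=alice,ou=users,ou=system
"""

if __name__ == "__main__":
    dn = "uid=camel,ou=users,ou=system"
    print(" ".join(ldapsearch_args(dn)))
    print(sorted(roles_for(dn, SAMPLE_LDIF)))
```

In a real plugin the subject DN would come from the verified peer certificate and the LDIF from running the returned argument vector (or from an LDAP client library); the escaping and the client-side membership re-check are the two parts worth keeping regardless of how the search is issued.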