I'm in the process of upgrading from 5.5.1 to the 5.7.0 release and would like to try taking advantage of our ldap directory for queue authorizations (we are already using the jaasAuthenticationPlugin against our openldap server for authenticating connections but are currently using a static <authorizationMap><authorizationEntries><authorizationEntry ...> setup).

I've been trying to follow http://activemq.apache.org/cached-ldap-authorization-module.html but the documentation is out of date and contains sample configs that just don't work. After much Google searching, I eventually figured out that instead of the documented baseDn attribute, I had to use queueSearchBase, topicSearchBase & tempSearchBase, giving me a config looking like the following:

        <plugins>
            <jaasAuthenticationPlugin configuration="ActiveMQ" />
            <authorizationPlugin>
                <map>
                    <cachedLDAPAuthorizationMap
                        connectionURL="ldap://ldap:389"
                        connectionUsername="uid=activemq,ou=Systems,dc=myorg,dc=net"
                        connectionPassword="Secret"
                        refreshInterval="300000"
                        queueSearchBase="ou=Queues,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
                        topicSearchBase="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
                        tempSearchBase="ou=Temp,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"
                        />
                </map>
            </authorizationPlugin>
        </plugins>

Starting activemq in console mode, it starts cleanly enough, and from examining the logging from openldap I can see that an ldap connection is made and several searches done, returning a number of results, for example:

Dec 7 17:24:21 ldap slapd[7553]: conn=3512 op=6 SRCH base="ou=Topics,ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net" scope=2 deref=3 filter="(cn=admin)"
Dec 7 17:24:21 ldap slapd[7553]: conn=3512 op=6 ENTRY dn="cn=admin,cn=activemq.advisory.$,ou=topics,ou=destinations,ou=activemq,ou=systems,dc=myorg,dc=net"
Dec 7 17:24:21 ldap slapd[7553]: conn=3512 op=6 ENTRY dn="cn=admin,cn=activemq.advisory.connection,ou=topics,ou=destinations,ou=activemq,ou=systems,dc=myorg,dc=net"

The entries returned are groupOfNames entries created identically to the
cn=admin,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org entry in the sample file https://svn.apache.org/repos/asf/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/activemq-openldap.ldif

The 'member' entries are further groupOfNames entries defining the roles as in the sample ldif file, and I have a userid called activemq that is a member of the admin role.

By all accounts, everything should be ok; however, the cachedLDAPAuthorizationMap does not authorize connections and I get errors such as the following:

WARN | Failed to add Connection ID:robdev.office.eseye.net-38820-1354901062452-5:1, reason: java.lang.SecurityException: User activemq is not authorized to create: topic://ActiveMQ.Advisory.Connection
WARN | Async error occurred: java.lang.SecurityException: User activemq is not authorized to create: topic://ActiveMQ.Advisory.Connection
java.lang.SecurityException: User activemq is not authorized to create: topic://ActiveMQ.Advisory.Connection
        at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:76)
        at org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:145)
        ......

Clearly there have been changes to the cachedLDAPAuthorizationMap since it was released in ActiveMQ 5.6, as highlighted by the inaccurate documentation, but is anyone using it with 5.7 and would be willing to point me in the right direction or share their config with me please?

Thanks in advance,
Rob
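Added illustration, not part of the original post and not ActiveMQ's own code: an offline model of the destination ACL that the cachedLDAPAuthorizationMap derives from groupOfNames entries laid out like the sample activemq-openldap.ldif (a cn=admin/cn=read/cn=write group under each destination, whose members are role groups, whose members are users). The LDIF, DNs and user names are constructed; it is also an assumption here that `$` in a destination cn stands for ActiveMQ's `>` "everything below" wildcard and that `*` matches one segment. Besides the yes/no check that sits behind a "User ... is not authorized to create" warning, `explain()` lists which ACL patterns match a destination, which roles they grant, and which of those roles the user actually holds, which is the first comparison worth making when the broker rejects a user the directory says is an admin.

```python
import re
from collections import defaultdict

# Constructed search base, matching the layout used in the config above.
BASE = "ou=Destinations,ou=ActiveMQ,ou=Systems,dc=myorg,dc=net"

# Constructed LDIF (assumption: modelled on the sample activemq-openldap.ldif layout).
SAMPLE_LDIF = f"""
dn: cn=admins,ou=Groups,dc=myorg,dc=net
objectClass: groupOfNames
cn: admins
member: uid=activemq,ou=People,dc=myorg,dc=net

dn: cn=users,ou=Groups,dc=myorg,dc=net
objectClass: groupOfNames
cn: users
member: uid=alice,ou=People,dc=myorg,dc=net

dn: cn=admin,cn=ActiveMQ.Advisory.$,ou=Topics,{BASE}
objectClass: groupOfNames
cn: admin
member: cn=admins,ou=Groups,dc=myorg,dc=net

dn: cn=read,cn=ActiveMQ.Advisory.$,ou=Topics,{BASE}
objectClass: groupOfNames
cn: read
member: cn=admins,ou=Groups,dc=myorg,dc=net
member: cn=users,ou=Groups,dc=myorg,dc=net

dn: cn=admin,cn=TEST.FOOBAR,ou=Queues,{BASE}
objectClass: groupOfNames
cn: admin
member: cn=admins,ou=Groups,dc=myorg,dc=net

dn: cn=write,cn=TEST.FOOBAR,ou=Queues,{BASE}
objectClass: groupOfNames
cn: write
member: cn=users,ou=Groups,dc=myorg,dc=net
"""

# Only entries of the form cn=<perm>,cn=<destination>,ou=Queues|Topics,<BASE> carry ACL data.
ACL_DN = re.compile(
    r"^cn=(?P<perm>admin|read|write),cn=(?P<dest>[^,]+),ou=(?P<kind>Queues|Topics),"
    + re.escape(BASE) + r"$", re.IGNORECASE)


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}. No base64 values, no line folding."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def build_acl(entries):
    """kind ('queues'/'topics') -> destination pattern -> permission -> set of role DNs."""
    acl = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for dn, attrs in entries.items():
        m = ACL_DN.match(dn)
        if m:
            acl[m["kind"].lower()][m["dest"]][m["perm"].lower()].update(attrs["member"])
    return acl


def roles_of(entries, user_dn):
    """Role groups are the groupOfNames entries that list the user as a member."""
    return {dn for dn, attrs in entries.items() if user_dn in attrs.get("member", [])}


def matches(pattern, name):
    """Dot-separated destination match. Assumption: '$' is 'one or more further segments'
    (ActiveMQ's '>'), '*' is exactly one segment; other segments compare exactly."""
    p, n = pattern.split("."), name.split(".")
    for i, seg in enumerate(p):
        if seg == "$":
            return len(n) > i
        if i >= len(n) or (seg != "*" and seg != n[i]):
            return False
    return len(p) == len(n)


def is_authorized(acl, entries, user_dn, kind, dest, perm):
    """True when the user holds a role that some matching ACL entry grants `perm` to."""
    user_roles = roles_of(entries, user_dn)
    return any(matches(pattern, dest) and user_roles & perms[perm]
               for pattern, perms in acl[kind].items())


def explain(acl, entries, user_dn, kind, dest, perm):
    """Diagnostic for 'not authorized' errors: (pattern, roles granted perm, roles user holds)."""
    user_roles = roles_of(entries, user_dn)
    return [(pattern, sorted(perms[perm]), sorted(user_roles & perms[perm]))
            for pattern, perms in acl[kind].items() if matches(pattern, dest)]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    acl = build_acl(entries)
    me = "uid=activemq,ou=People,dc=myorg,dc=net"
    print(is_authorized(acl, entries, me, "topics", "ActiveMQ.Advisory.Connection", "admin"))
    print(explain(acl, entries, "uid=alice,ou=People,dc=myorg,dc=net",
                  "topics", "ActiveMQ.Advisory.Connection", "admin"))
```

Running it prints `True` for the activemq user creating the advisory topic, and for alice a single matching pattern `ActiveMQ.Advisory.$` that grants admin only to `cn=admins`, with an empty list of roles she holds. An empty third element in `explain()` output while the directory seemingly says the user is an admin points at the membership chain (user to role group to permission group) rather than at the broker config; no matching patterns at all points at the search base or the destination naming.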
