ActiveMQ 5.15.3 Active Directory (LDAP) integration


ActiveMQ 5.15.3 Active Directory (LDAP) integration

mtod
Hi,

I'm trying to get ActiveMQ to use Active Directory to authenticate our
client service accounts.

*The issue:*
What I get is it will find that service account but will not authenticate. I
first thought it was a bad password but we validated that is not the case.

*My environment:*
A local Windows 10 desktop running ActiveMQ 5.15.3. I have used this test bed
hundreds of times, so I know it's not the issue.
The client is a local test app I have used in the past; the AD server is over
VPN.

*Error Message:*
jvm 1    |  WARN | Failed to add Connection id=ID:1T9M5Q2-50257-1534966215221-25:1, clientId=Client1 due to {}
jvm 1    | java.lang.SecurityException: User name [svc_xxxxx] or password is invalid.
jvm 1    |      at org.apache.activemq.security.JaasAuthenticationBroker.authenticate(JaasAuthenticationBroker.java:97)[activemq-broker-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.security.JaasAuthenticationBroker.addConnection(JaasAuthenticationBroker.java:68)[activemq-broker-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:843)[activemq-broker-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:77)[activemq-broker-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)[activemq-client-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:330)[activemq-broker-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:194)[activemq-broker-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)[activemq-client-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:125)[activemq-client-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:301)[activemq-client-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)[activemq-client-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)[activemq-client-5.15.3.jar:5.15.3]
jvm 1    |      at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)[activemq-client-5.15.3.jar:5.15.3]
jvm 1    |      at java.lang.Thread.run(Unknown Source)[:1.8.0_181]

*My ActiveMQ Setup:*
    <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="${activemq.data}">

        <plugins>
            <jaasAuthenticationPlugin configuration="LDAPLogin" />
        </plugins>

    </broker>

LDAPLogin {
  org.apache.activemq.jaas.LDAPLoginModule required
     debug=true
     initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
     connectionURL="ldap://abc.local:389"
     connectionUsername="CN=ABC Service Account,OU=Service Accounts,DC=abc,DC=local"
     connectionPassword="XXXXXXXX"
     connectionProtocol=s
     authentication=simple
     userBase="OU=Service Accounts,DC=abc,DC=local"
     userSearchMatching="(sAMAccountName={0})"
     userSearchSubtree=true
     ;
};

Note: I have tried:
        userSearchMatching="(sAMAccountName={0})"
        userSearchMatching="(cn={0})"
        userSearchMatching="(cn={1})"

No luck

Thanks for helping.

Mike


--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html


Re: ActiveMQ 5.15.3 Active Directory (LDAP) integration

mtod
Update:

I have the same error when hitting Apache DS locally.

Re: ActiveMQ 5.15.3 Active Directory (LDAP) integration

mtod
Can anyone help me?


Re: ActiveMQ 5.15.3 Active Directory (LDAP) integration

Tim Bain
Mike,

Most questions relating to Active Directory (including a few from you over
the years, if I'm not mistaken) go unanswered on this list, even ones that
sound easy, which makes me think that the people monitoring the list don't
know/use AD. (That describes me.)

With that said, it seems like attaching a debugger with the ActiveMQ source
code and stepping through the calls that are failing would pretty quickly
indicate what's wrong, so that's my advice to you.

Tim

On Tue, Sep 4, 2018, 1:07 PM mtod <[hidden email]> wrote:

> Can anyone help me?

Re: ActiveMQ 5.15.3 Active Directory (LDAP) integration

mtod
Hi Tim,

I think this is more of an LDAP question than an AD one.

Good point. I will have to set up a debugging session to see if I can resolve
it.

Thanks for the help

Mike


Re: ActiveMQ 5.15.3 Active Directory (LDAP) integration

mtod
I found the issue: I was missing the "userRoleName=dummyUserRoleName"
key/value in the login.config.

It was throwing an exception when hitting

<http://activemq.2283324.n4.nabble.com/file/t374899/Capture1.png>

The error was a password error, not a missing-config error, so I was going in
the wrong direction.

Thanks for the help.

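The two login.config entries below, and the checker that reads them, are an added example for this thread (not code from the original posts or from the ActiveMQ project). POSTED_CONFIG is the entry from the first post; FIXED_CONFIG is the same entry with the fix the last post found (userRoleName present, kept as the thread's own dummyUserRoleName value) plus an ldaps:// URL and a roleBase/roleName/roleSearchMatching group lookup, which are assumptions about a typical AD layout, not settings the thread confirms. parse_jaas_entry, check_ldap_login and audit are names invented for this example. The point of the checker is the lesson of the thread: the broker reports a configuration gap in the login module as "User name or password is invalid", so the cheap move is to validate the JAAS entry before chasing passwords.

```python
import re

# Constructed input: the entry from the original post (password redacted as the
# poster redacted it), the shape that produced the misleading error.
POSTED_CONFIG = """
LDAPLogin {
  org.apache.activemq.jaas.LDAPLoginModule required
     debug=true
     initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
     connectionURL="ldap://abc.local:389"
     connectionUsername="CN=ABC Service Account,OU=Service Accounts,DC=abc,DC=local"
     connectionPassword="XXXXXXXX"
     connectionProtocol=s
     authentication=simple
     userBase="OU=Service Accounts,DC=abc,DC=local"
     userSearchMatching="(sAMAccountName={0})"
     userSearchSubtree=true
     ;
};
"""

# Constructed: the same entry with the thread's fix (userRoleName) applied, plus
# LDAPS and a group lookup. The ldaps:// URL and the role* values are
# assumptions about a typical AD layout, not settings the thread confirms.
FIXED_CONFIG = """
LDAPLogin {
  org.apache.activemq.jaas.LDAPLoginModule required
     debug=true
     initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
     connectionURL="ldaps://abc.local:636"
     connectionUsername="CN=ABC Service Account,OU=Service Accounts,DC=abc,DC=local"
     connectionPassword="XXXXXXXX"
     connectionProtocol=s
     authentication=simple
     userBase="OU=Service Accounts,DC=abc,DC=local"
     userSearchMatching="(sAMAccountName={0})"
     userSearchSubtree=true
     userRoleName=dummyUserRoleName
     roleBase="OU=Groups,DC=abc,DC=local"
     roleName=cn
     roleSearchMatching="(member={0})"
     roleSearchSubtree=true
     ;
};
"""

# One JAAS entry: name { module-class control-flag option=value ... ; };
ENTRY_RE = re.compile(
    r'(\w+)\s*\{\s*([\w.]+)\s+(required|requisite|sufficient|optional)\b(.*?);\s*\}\s*;',
    re.S)
# option=value, where value is either double-quoted (may contain spaces) or bare.
OPTION_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|\S+)')


def parse_jaas_entry(text):
    """Parse the first entry of a JAAS login.config.

    Returns (entry_name, module_class, control_flag, options). Strips the
    /* */ comments and line-leading // comments the JAAS format allows
    (inline // is left alone so ldap:// URLs survive); single-quoted values
    and multiple entries are not handled.
    """
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'^\s*//[^\n]*', '', text, flags=re.M)
    m = ENTRY_RE.search(text)
    if not m:
        raise ValueError("no JAAS login entry found")
    name, module, flag, body = m.groups()
    options = {}
    for key, value in OPTION_RE.findall(body):
        if value.startswith('"'):
            value = value[1:-1]
        options[key] = value
    return name, module, flag, options


def check_ldap_login(options):
    """Return a list of findings for an LDAPLoginModule option set; [] is clean."""
    findings = []
    # The thread's root cause: without userRoleName the 5.15.3 module throws
    # and JaasAuthenticationBroker reports it as a bad username/password.
    if "userRoleName" not in options:
        findings.append("userRoleName missing: the module fails before the bind "
                        "and the broker logs 'User name or password is invalid'")
    for key in ("connectionURL", "userBase", "userSearchMatching"):
        if key not in options:
            findings.append(key + " missing")
    # userSearchMatching has one placeholder, {0} = login name; {1} belongs to
    # roleSearchMatching ({0} = user DN, {1} = login name), which is why the
    # (cn={1}) variant tried in the first post could never match.
    if "{0}" not in options.get("userSearchMatching", "{0}"):
        findings.append("userSearchMatching has no {0}: the filter never "
                        "contains the login name")
    role_filter = options.get("roleSearchMatching")
    if role_filter is not None and "{0}" not in role_filter and "{1}" not in role_filter:
        findings.append("roleSearchMatching has no {0}/{1}: every user gets the same groups")
    if options.get("connectionURL", "").startswith("ldap://"):
        findings.append("connectionURL is plaintext ldap://: the service-account bind "
                        "and every client password cross the wire unencrypted")
    return findings


def audit(config_text):
    """Parse a login.config text and return the findings for its first entry."""
    _, module, _, options = parse_jaas_entry(config_text)
    if module != "org.apache.activemq.jaas.LDAPLoginModule":
        return [module + " is not LDAPLoginModule; these checks do not apply"]
    return check_ldap_login(options)


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = audit(cfg)
        print(label + ":", "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the posted entry it reports the missing userRoleName and the plaintext ldap:// URL; the fixed entry comes back clean. Two things the checker cannot see are worth doing by hand: confirm the broker's JVM trusts the domain controller's certificate once you move to ldaps://, and keep login.config readable only by the broker's service account, since connectionPassword is a plaintext bind credential for the directory.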

Re: ActiveMQ 5.15.3 Active Directory (LDAP) integration

Tim Bain
I'm glad to hear you solved the problem, and thanks for posting the
solution in case someone else hits this.

Tim

On Mon, Sep 10, 2018, 5:10 PM mtod <[hidden email]> wrote:

> I found the issue I was missing the "userRoleName=dummyUserRoleName"
> key/value in the login.config
>
> It was throwing an exception when hitting
>
> <http://activemq.2283324.n4.nabble.com/file/t374899/Capture1.png>
>
> The error was a password error not a missing config error so I was going in
> the wrong direction.
>
> Thanks for the help.