[Artemis] How to authenticate against LDAP with local authorization? [Solved]


Benjamin Buehlmann
I successfully configured the integration of ActiveMQ Artemis 2.4 with an
ActiveDirectory used just for authentication of the users. Integration is
done over JAAS with the
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.

Now I would like to restrict access to the queues for the users looked up in
the AD. But there will be no groups in the AD we can use for authorization
and changes in the AD are not possible.

What is the simplest way in ActiveMQ Artemis to protect queues for a list of
users?

In Wildfly / EAP 7 we use as a workaround a local mapping file that maps
users looked up in the AD to local roles.



--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
Re: [Artemis] How to authenticate against LDAP with local authorization?

Justin Bertram
I don't think Artemis supports the functionality you're looking for.  Roles
come from whatever JAAS login module you're using.  There's no way to lump
users into an arbitrary role.

You can arbitrarily map one role to another using the <role-mapping>
in <security-settings>, but that doesn't sound like what you're looking for.


Justin

On Wed, Nov 8, 2017 at 4:08 AM, ben <[hidden email]> wrote:

> I successfully configured the integration of ActiveMQ Artemis 2.4 with an
> ActiveDirectory used just for authentication of the users. Integration is
> done over JAAS with the
> org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.
>
> Now I would like to restrict access to the queues for the users looked up
> in
> the AD. But there will be no groups in the AD we can use for authorization
> and changes in the AD are not possible.
>
> What is the simplest way in ActiveMQ Artemis to protect queues for a list
> uf
> users?
>
> In Wildfly / EAP 7 we use as a workaround a local mapping file that defines
> a mapping between users looked up in the AD to local roles.
>
>
>
> --
> Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-
> f2341805.html
>
Reply | Threaded
Open this post in threaded view
|

Re: [Artemis] Howto authenticate against LDAP with a local authorization?

Benjamin Buehlmann
Thank you Justin for the quick response.

I found an even easier way to achieve the same result: I changed the configuration of the LDAPLoginModule as follows:

activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
      debug=true
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connectionURL="ldap://ldap-server:389"
      // service account the broker binds with to search for the user entry
      connectionUsername="CN=user,OU=Service-Accounts,OU=foo,DC=bar,DC=corp,DC=test"
      connectionPassword=pass
      connectionProtocol=s
      authentication=simple
      // where user entries live; {0} is replaced by the login name at runtime
      userBase="OU=foo,DC=bar,DC=corp,DC=test"
      userSearchMatching="(CN={0})"
      userSearchSubtree=true
      // take the role name from the CN attribute of the user's own entry,
      // i.e. map the username as role (no roleBase/roleSearchMatching group lookup)
      userRoleName=CN;
};

With the attribute userRoleName=CN I map the username of the authenticated user as the role name.  Against this role name I will secure my destinations.
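The broker.xml side of this setup, as an added example that is not from the posts above or from the Artemis project. It combines the two ideas in the thread: with userRoleName=CN each authenticated user carries a role equal to their own CN, and the <role-mapping> element Justin mentioned turns a handful of those per-user roles into one local role that a security-setting can reference, which is what gives you "a list of users" without touching the directory. The address orders.queue, the CNs jdoe and asmith, and the local role order-consumers are assumptions for illustration.

```xml
<!-- broker.xml fragment (added example; address, CNs and role name are assumptions) -->
<security-settings>

   <!-- Each user logs in with a single role named after their CN (userRoleName=CN in login.config).
        Map the CNs that should have access onto one local role so permissions need not list every CN.
        The "from" value must equal the CN exactly as the directory returns it. -->
   <role-mapping from="jdoe"   to="order-consumers"/>
   <role-mapping from="asmith" to="order-consumers"/>

   <!-- Only the mapped local role may produce on, consume from and browse this address,
        and create/delete the queues bound to it. Users whose CN was not mapped have no
        matching role here and are denied. -->
   <security-setting match="orders.queue">
      <permission type="send"                  roles="order-consumers"/>
      <permission type="consume"               roles="order-consumers"/>
      <permission type="browse"                roles="order-consumers"/>
      <permission type="createDurableQueue"    roles="order-consumers"/>
      <permission type="deleteDurableQueue"    roles="order-consumers"/>
      <permission type="createNonDurableQueue" roles="order-consumers"/>
      <permission type="deleteNonDurableQueue" roles="order-consumers"/>
   </security-setting>

   <!-- Management operations stay with the broker's local operator role (assumed "amq" here),
        which the LDAP module never hands out, so directory users cannot manage the broker. -->
   <security-setting match="activemq.management#">
      <permission type="manage" roles="amq"/>
   </security-setting>

</security-settings>
```

Two things to check before relying on this. First, the roles attribute is a comma-separated list, so a CN that itself contains a comma (a display-name style CN such as "Buehlmann, Benjamin") cannot be listed in roles directly; route such users through a role-mapping entry, whose from attribute is a single value, and reference only the mapped local role in permissions. Second, because the role name now comes straight from the directory, any entry whose CN happens to equal a role name used in broker.xml (for example the operator role) would be granted that role's permissions on login; keep local role names distinct from anything that could plausibly be a CN in the userBase subtree, and review the catch-all security-setting the stock broker.xml ships with so that it only names such local roles.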