LDAP authorization with multiple LDAP servers

LDAP authorization with multiple LDAP servers

Weil, Janus
Dear ActiveMQ people,


we have a neatly working setup of several ActiveMQ 5 brokers which rely on an LDAP server for authorization.


The configuration in activemq.xml looks roughly like this (some parts omitted):


        <plugins>
            <jaasAuthenticationPlugin configuration="LdapConfiguration" />
            <authorizationPlugin>
                <map>
                    <cachedLDAPAuthorizationMap
                        connectionURL="ldap://my.ldap.server:389"
                        connectionUsername="..."
                        connectionPassword="..."
                        queueSearchBase="..."
                        topicSearchBase="..."
                        tempSearchBase="..."
                        refreshInterval="300000"
                        legacyGroupMapping="false"
                        groupObjectClass="groupOfNames"
                        permissionGroupMemberAttribute="member"
                        userObjectClass="person"
                        userNameAttribute="uid"
                    />
                </map>
            </authorizationPlugin>
        </plugins>



Now we plan to add some redundancy / high-availability for the LDAP part by using two or more mirrored LDAP servers. My simple question is: Does ActiveMQ have support for working with multiple LDAP servers?


The documentation at https://activemq.apache.org/cached-ldap-authorization-module does not give any hint on whether the connectionURL can specify multiple servers.


However I found another reference to the JAAS LDAP Login Module at https://access.redhat.com/documentation/en-us/red_hat_jboss_a-mq/6.3/html/security_guide/esbsecurecontainer#JAASAuth-LDAPLoginModule, which seems to indicate that connection.url may specify multiple URLs as a space-separated list.


Can I expect that to work also in the ActiveMQ context?


Best regards,

Janus


DFS Deutsche Flugsicherung GmbH
Am DFS-Campus
D - 63225 Langen

Tel.: +49-(0)6103-707-0

Sitz der Gesellschaft: Langen/Hessen
Zustaendiges Registergericht: AG Offenbach am Main, HRB 34977
Vorsitzende des Aufsichtsrats: Dr. Martina Hinricher
Geschaeftsfuehrer: Prof. Klaus-Dieter Scheurle (Vors.), Robert Schickling, Dr. Michael Hann

Internet: http://www.dfs.de
Public-Key der DFS: http://www.dfs.de/dfs/public_key.asc


Re: LDAP authorization with multiple LDAP servers

jbertram
Under the covers the cachedLDAPAuthorizationMap uses
com.sun.jndi.ldap.LdapCtxFactory for connectivity with LDAP [1].  The
Oracle documentation states [2], "Instead of just one URL, you can also
supply a space-separated list of URLs. In this case, the LDAP provider will
attempt to use each URL in turn until it is able to create a successful
connection." It then provides a simple example [3]:

  // Specify list of space-separated URLs
  env.put(Context.PROVIDER_URL,
      "ldap://notthere:389/o=JNDITutorial " +
      "ldap://localhost:389/o=JNDITutorial " +
      "ldap://remotehost/o=JNDITutorial " +
      "ldap://thirdhost:389/o=JNDITutorial");


Justin

[1]
https://github.com/apache/activemq/blob/master/activemq-broker/src/main/java/org/apache/activemq/security/SimpleCachedLDAPAuthorizationMap.java#L64
[2] https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html
[3]
https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/src/MultiUrls.java

On Fri, Nov 22, 2019 at 10:26 AM Weil, Janus <[hidden email]> wrote:
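A small check that follows from Justin's answer, as an added example that is not part of the thread or of the ActiveMQ code base: since the JNDI provider hands the bind credentials (connectionUsername/connectionPassword) to whichever entry in the space-separated list answers first, every entry should carry the same transport security, and the order of the list is the failover order. The script below parses the cachedLDAPAuthorizationMap connectionURL out of an activemq.xml, splits it the way the JNDI provider does, flags plain ldap:// or mixed-scheme lists, and mimics the "try each URL in turn" semantics with an injected connect function so it runs offline. The activemq.xml fragment and the host names in it are constructed for the example; the "StartTLS" remark in the finding text is an assumption about the deployment, not something the thread states.

```python
"""Lint the connectionURL of an ActiveMQ cachedLDAPAuthorizationMap.

Added example for this thread; it is not ActiveMQ project code. It assumes
only what Justin quoted from the JNDI docs: the attribute is a space-separated
list of LDAP URLs, tried in order until one connects. The activemq.xml below
is constructed for the example, and the host names are placeholders.
"""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed sample: the config from the thread extended to two mirrored
# servers. The second entry is deliberately plain ldap:// to trip the check.
SAMPLE_ACTIVEMQ_XML = """\
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker1">
  <plugins>
    <jaasAuthenticationPlugin configuration="LdapConfiguration" />
    <authorizationPlugin>
      <map>
        <cachedLDAPAuthorizationMap
            connectionURL="ldaps://ldap1.example.internal:636 ldap://ldap2.example.internal:389"
            connectionUsername="cn=activemq,ou=svc,dc=example,dc=internal"
            connectionPassword="..."
            refreshInterval="300000" />
      </map>
    </authorizationPlugin>
  </plugins>
</broker>
"""


def split_provider_urls(value):
    """Split the attribute the way the JNDI LDAP provider does: on whitespace."""
    return value.split()


def find_connection_urls(xml_text):
    """Return every connectionURL attribute of a cachedLDAPAuthorizationMap.

    Matching is on the local tag name, so both the ActiveMQ default namespace
    and a namespace-less fragment like the one posted in the thread work.
    """
    root = ET.fromstring(xml_text)
    urls = []
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]
        if local_name == "cachedLDAPAuthorizationMap" and "connectionURL" in el.attrib:
            urls.append(el.attrib["connectionURL"])
    return urls


def lint_urls(urls):
    """Return findings for a failover list; an empty list means it is acceptable.

    The bind password (connectionPassword) goes to whichever entry answers
    first, so every entry must carry the same transport security.
    """
    if not urls:
        return ["connectionURL is empty"]
    findings = []
    schemes = set()
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps"):
            findings.append(f"{url}: unsupported scheme {parts.scheme!r}")
            continue
        if not parts.hostname:
            findings.append(f"{url}: missing host")
        schemes.add(parts.scheme)
        if parts.scheme == "ldap":
            # Assumption: no StartTLS is negotiated by the client.
            findings.append(f"{url}: plain ldap:// sends the simple bind in cleartext "
                            "unless StartTLS is negotiated")
    if len(schemes) > 1:
        findings.append("mixed ldap:// and ldaps:// entries: failover to the plain "
                        "entry silently downgrades transport security")
    if len(set(urls)) != len(urls):
        findings.append("duplicate entries: a repeated URL adds no redundancy")
    return findings


def first_reachable(urls, connect):
    """Mimic the JNDI provider's failover: try each URL in order.

    `connect` is injected (a real client would open the LDAP connection here)
    so the ordering semantics can be exercised offline. Returns the URL that
    connected and the errors of the entries skipped before it.
    """
    skipped = {}
    for url in urls:
        try:
            connect(url)
            return url, skipped
        except OSError as exc:
            skipped[url] = str(exc)
    raise ConnectionError(f"no LDAP server reachable: {skipped}")


if __name__ == "__main__":
    for value in find_connection_urls(SAMPLE_ACTIVEMQ_XML):
        for finding in lint_urls(split_provider_urls(value)) or ["ok"]:
            print(finding)
```

Run against the sample it reports the plain-ldap entry and the mixed-scheme list; once both mirrors are written as ldaps:// on 636 (with the broker trusting the CA that issued their certificates) it reports nothing. The primary should be listed first, since the provider stops at the first entry that connects.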
Re: LDAP authorization with multiple LDAP servers

Weil, Janus
Dear Justin,


thanks a lot for your reply (and please keep me in CC, since I'm not subscribed to the ActiveMQ mailing list).


By now I have tried to use a space-separated list of URLs and indeed it seems to work. Very nice!


I guess it would be good to mention this in the documentation, wouldn't it? Am I right in assuming that a documentation patch should target the following file?


https://github.com/apache/activemq-website/blob/master/src/cached-ldap-authorization-module.md


Cheers,

Janus




________________________________
From: Weil, Janus
Sent: Friday, November 22, 2019 5:21 PM
To: [hidden email]
Subject: LDAP authorization with multiple LDAP servers