To fix this I made some changes in the LDAPLoginModule. The problem appears to lie in the getRoles method. I based my changes on the code that finds the topic and queue objects in the LDAPAuthorizationMap and the code that finds the user in LDAPLoginModule. Here is the diff:
@@ -49,6 +49,8 @@
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
+import org.apache.activemq.jaas.GroupPrincipal;
+import org.apache.activemq.jaas.UserPrincipal;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -234,7 +236,7 @@
 // check the credentials by binding to server
 if (bindUser(context, dn, password)) {
 // if authenticated add more roles
- roles = getRoles(context, dn, username, roles);
+ roles = getRoles(context, dn, username, roles,entryName.toString());
 for (int i = 0; i < roles.size(); i++) {
 groups.add(new GroupPrincipal(roles.get(i)));
 }
@@ -253,7 +255,7 @@
 return true;
 }
- protected ArrayList<String> getRoles(DirContext context, String dn, String username, ArrayList<String> currentRoles) throws NamingException {
+ protected ArrayList<String> getRoles(DirContext context, String dn, String username, ArrayList<String> currentRoles, String userObject) throws NamingException {
 ArrayList<String> list = currentRoles;
 if (list == null) {
 list = new ArrayList<String>();
@@ -261,9 +263,12 @@
 if (roleName == null || "".equals(roleName)) {
 return list;
 }
+ /*
 String filter = roleSearchMatchingFormat.format(new String[] { doRFC2254Encoding(dn), username });
+ */
+ String filter = roleSearchMatchingFormat.format(null);
 SearchControls constraints = new SearchControls();
 if (roleSearchSubtreeBool) {
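Review bot: The comparison key handed to getRoles in the `@@ -234` hunk is `entryName.toString()`, while the full user DN `dn` that was just used for the bind is available on the same line. If entryName is the name of the user entry relative to userBase (which is what a JNDI SearchResult's getName() returns for the user search), it is a bare RDN such as `uid=alice`, and it will never equal the full DNs that a group's membership attribute normally holds, so the login succeeds with no roles at all. Unless the directory stores relative names in that attribute, pass the DN instead: `roles = getRoles(context, dn, username, roles, dn);`. The enclosing method and the definition of entryName lie outside the hunk, so this is inferred from the variable's name and should be confirmed against the surrounding code.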
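Review bot: `roleSearchMatchingFormat.format(null)` in the `@@ -261` hunk no longer substitutes the user DN and name into the role filter, so any `roleSearchMatching` value that still uses `{0}` or `{1}` (the contract the original line was written for) now produces a filter containing the literal placeholder text and silently matches nothing; it only works here because the accompanying config sets `roleSearchMatching="(cn=*)"`. That also changes every login from a server-side membership query into a client-side scan of every entry under roleBase together with its full membership attribute, which is a cost and a behaviour change callers of this module should see documented. Delete the superseded `String filter` line rather than leaving it inside `/* */`, and state the new contract on the surviving line: `// roleSearchMatching only selects candidate groups; membership is decided client-side from the roleName attribute`. getRoles continues past the end of this hunk.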
@@ -271,14 +276,29 @@
 } else {
 constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
 }
+ constraints.setReturningAttributes(new String[] {roleName});
+
 NamingEnumeration results = context.search(roleBase, filter, constraints);
 while (results.hasMore()) {
 SearchResult result = (SearchResult)results.next();
+ String currentRoleName = result.getName();
 Attributes attrs = result.getAttributes();
+ Attribute attr = attrs.get(roleName);
+ NamingEnumeration e = attr.getAll();
+ while (e.hasMore()) {
+ String value = (String)e.next();
+ if(value.equals(userObject))
+ {
+ list.add(currentRoleName);
+ }
+ }
+ /*
 if (attrs == null) {
 continue;
 }
+
 list = addAttributeValues(roleName, attrs, list);
+ */
 }
 return list;
Here is the config I'm using: LoginLdapConfiguration { org.acme.activemq.security.LDAPLoginModule required <---- This is just because I implemented the fix as a plugin debug=true initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory connectionURL="ldap://127.0.0.1:10389" connectionUsername="cn=mqbroker,ou=Services,dc=example,dc=com" connectionPassword=password connectionProtocol=s authentication=simple userBase="ou=User,ou=ActiveMQ,ou=systems,dc=example,dc=com" userRoleName=test userSearchMatching="(uid={0})" userSearchSubtree=true roleBase="ou=Group,ou=ActiveMQ,ou=systems,dc=example,dc=com" roleName=member roleSearchMatching="(cn=*)" roleSearchSubtree=true ; }; -- View this message in context: http://www.nabble.com/LDAPAuthoizationMap-permissions-tp18659415p19186803.html Sent from the ActiveMQ - User mailing list archive at Nabble.com.
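Review bot: `attrs.get(roleName)` returns null for a group entry that carries no membership attribute (an empty group), so `attr.getAll()` on the next line throws a NullPointerException and aborts the whole login; the `if (attrs == null) continue;` guard this hunk comments out was the only null handling, and `attrs` itself is now dereferenced before it. `value.equals(userObject)` also compares DN strings byte-for-byte, whereas LDAP matches DNs case-insensitively and ignores spacing around RDN separators, so a value stored as `CN=Alice,OU=User,...` would not match; `javax.naming.ldap.LdapName` equality handles that, and the unchecked `(String)` cast should be an instanceof test. `result.getName()` is the name relative to roleBase, i.e. an RDN such as `cn=admins`, so the GroupPrincipal names will carry the `cn=` prefix — confirm that is what the authorization map expects. Neither `results` nor `e` is closed, and the `/* … */` block holding the old addAttributeValues path should be removed rather than kept. getRoles begins outside this hunk.
```java
LdapName userName = new LdapName(userObject); // DN-aware comparison, hoisted out of the loop
while (results.hasMore()) {
    SearchResult result = (SearchResult)results.next();
    String currentRoleName = result.getName();
    Attributes attrs = result.getAttributes();
    Attribute attr = attrs == null ? null : attrs.get(roleName);
    if (attr == null) {
        continue; // group without a membership attribute (e.g. empty group)
    }
    NamingEnumeration e = attr.getAll();
    try {
        while (e.hasMore()) {
            Object value = e.next();
            if (value instanceof String && userName.equals(new LdapName((String) value))) {
                list.add(currentRoleName);
                break; // one match is enough for this group
            }
        }
    } finally {
        e.close();
    }
// … unchanged: end of results loop, return list …
```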