Hi,

This might help:

http://tmielke.blogspot.com/2011/12/activemq-ldap-based-authentication-and.html

Also, you can consider using the new CachedLDAPAuthorizationModule:

http://activemq.apache.org/cached-ldap-authorization-module.html

Regards
--
Dejan Bosanac
Senior Software Engineer | FuseSource Corp.
dej...@fusesource.com | fusesource.com
skype: dejan.bosanac | twitter: @dejanb
blog: http://www.nighttale.net
ActiveMQ in Action: http://www.manning.com/snyder/


On Mon, Jun 18, 2012 at 11:55 PM, Christopher Wood
<christopher_w...@pobox.com> wrote:
> What gives the "system" user permission to create 
> topic://ActiveMQ.Advisory.Connection? Without this ActiveMQ will not start. 
> (Working with 5.5.1 since 5.6.0 is a jump requiring further testing.)
>
> I'm getting this error (all pasted text munged slightly to obfuscate things):
>
> 2012-06-18 17:35:46,941 | DEBUG | Error occured while processing sync 
> command: ConnectionInfo {commandId = 1, responseRequired = true, connectionId 
> = ID:upuppet-01.lab.me.ca-56804-1340055346339-2:1, clientId = 
> ID:upuppet.me-56804-1340055346339-3:1, userName = system, password = *****, 
> brokerPath = null, brokerMasterConnector = false, manageable = true, 
> clientMaster = true, faultTolerant = false}, exception: 
> java.lang.SecurityException: User system is not authorized to create: 
> topic://ActiveMQ.Advisory.Connection | 
> org.apache.activemq.broker.TransportConnection.Service | ActiveMQ Transport: 
> tcp:///127.0.0.1:50328
>
> The system user is in the admin and users groups.
>
> This is my plugin config:
>
>
> <authorizationPlugin>
>  <map>
>    <bean xmlns="http://www.springframework.org/schema/beans" id="lDAPAuthorizationMap"
>          class="org.apache.activemq.security.LDAPAuthorizationMap">
>      <property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
>      <property name="connectionURL" value="ldap://ldap.me:389"/>
>      <property name="authentication" value="simple"/>
>      <property name="connectionUsername" value="cn=mqbroker,ou=services,o=me"/>
>      <property name="connectionPassword" value="me"/>
>      <property name="connectionProtocol" value="s"/>
>      <property name="topicSearchMatchingFormat" value="cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=systems,o=me"/>
>      <property name="topicSearchSubtreeBool" value="true"/>
>      <property name="queueSearchMatchingFormat" value="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,o=me"/>
>      <property name="queueSearchSubtreeBool" value="true"/>
>      <property name="adminBase" value="(cn=admin)"/>
>      <property name="adminAttribute" value="member"/>
>      <!-- <property name="adminAttributePrefix" value="cn="/> -->
>      <property name="readBase" value="(cn=read)"/>
>      <property name="readAttribute" value="member"/>
>      <!-- <property name="readAttributePrefix" value="cn="/>  -->
>      <property name="writeBase" value="(cn=write)"/>
>      <property name="writeAttribute" value="member"/>
>      <!-- <property name="writeAttributePrefix" value="cn="/>  -->
>    </bean>
>  </map>
> </authorizationPlugin>
>
>
> These are the advisory topic configs I have right now (I thought .> meant 
> access to the namespace?):
>
>
> # ActiveMQ.Advisory.>, topic, destination, activemq, systems, me
> dn: cn=ActiveMQ.Advisory.>,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: ActiveMQ.Advisory.>
> description: user access to advisory topics
> objectClass: applicationProcess
>
> # read, ActiveMQ.Advisory.>, topic, destination, activemq, systems, me
> dn: cn=read,cn=ActiveMQ.Advisory.>,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: read
> member: cn=users
> objectClass: groupOfNames
>
> # write, ActiveMQ.Advisory.>, topic, destination, activemq, systems, me
> dn: cn=write,cn=ActiveMQ.Advisory.>,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: write
> member: cn=users
> objectClass: groupOfNames
>
> # admin, ActiveMQ.Advisory.>, topic, destination, activemq, systems, me
> dn: cn=admin,cn=ActiveMQ.Advisory.>,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: admin
> member: cn=users
> objectClass: groupOfNames
>
> # ActiveMQ.Advisory.Connection, topic, destination, activemq, systems, me
> dn: cn=ActiveMQ.Advisory.Connection,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: ActiveMQ.Advisory.Connection
> description: user access to advisory topics
> objectClass: applicationProcess
>
> # read, ActiveMQ.Advisory.Connection, topic, destination, activemq, systems, me
> dn: cn=read,cn=ActiveMQ.Advisory.Connection,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: read
> member: cn=admin
> objectClass: groupOfNames
>
> # write, ActiveMQ.Advisory.Connection, topic, destination, activemq, systems, me
> dn: cn=write,cn=ActiveMQ.Advisory.Connection,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: write
> member: cn=admin
> objectClass: groupOfNames
>
> # admin, ActiveMQ.Advisory.Connection, topic, destination, activemq, systems, me
> dn: cn=admin,cn=ActiveMQ.Advisory.Connection,ou=topic,ou=destination,ou=activemq,ou=systems,o=me
> cn: admin
> member: cn=admin
> objectClass: groupOfNames
>
>
