It certainly makes sense to reconnect if there's a problem.

Will 5.7.0 also keep the current authorization cache if there's an ldap issue? 
In a production scenario it's probably okay to keep functioning if the ldap 
server goes away for a while.

Thank you for the pointer, very much appreciated.

On Fri, Jun 22, 2012 at 10:12:29AM +0200, Dejan Bosanac wrote:
> Hi,
> 
> there are some improvements in that area on the trunk (and will be
> available in the next fuse release). Please take a look at
> 
> https://issues.apache.org/jira/browse/AMQ-3845
> 
> 
> Regards
> --
> Dejan Bosanac
> Senior Software Engineer | FuseSource Corp.
> dej...@fusesource.com | fusesource.com
> skype: dejan.bosanac | twitter: @dejanb
> blog: http://www.nighttale.net
> ActiveMQ in Action: http://www.manning.com/snyder/
> 
> 
> On Thu, Jun 21, 2012 at 6:56 PM, Christopher Wood
> <christopher_w...@pobox.com> wrote:
> > I upgraded our lab ActiveMQ to 5.6.0 and am using the cached ldap auth 
> > module. I appear to be having a problem where at times ActiveMQ loses its 
> > authorization data cache and does not refresh this from ldap. Is there any 
> > way of forcing a retry if it has a connection issue, or otherwise further 
> > diagnosing what is happening?
> >
> > Details:
> >
> > Three times now (solved by an ActiveMQ restart) I have started seeing these 
> > errors in the log (but for all queues that they are trying to access):
> >
> > 2012-06-21 11:57:31,538 | DEBUG | Error occured while processing sync 
> > command: ConsumerInfo {commandId = 28936, responseRequired = true, 
> > consumerId = ID:myhost-53793-1340295272790-0:6:-1:1, destination = 
> > ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic, prefetchSize = 0, 
> > maximumPendingMessageLimit = 0, browser = false, dispatchAsync = false, 
> > selector = null, subscriptionName = null, noLocal = true, exclusive = 
> > false, retroactive = false, priority = 0, brokerPath = null, 
> > optimizedAcknowledge = false, noRangeAcks = false, additionalPredicate = 
> > null}, exception: java.lang.SecurityException: User vm5a is not authorized 
> > to read from: ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic | 
> > org.apache.activemq.broker.TransportConnection.Service | ActiveMQ 
> > Transport: tcp:///10.201.147.250:51236
> > java.lang.SecurityException: User vm5a is not authorized to read from: 
> > ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic
> >
> > Per our developers, they are seeing:
> >
> > 12:16:53,926  WARN DefaultMessageListenerContainer:822 - Setup of JMS 
> > message listener invoker failed for destination 'queue://vm5.queuename' - 
> > trying to recover. Cause: User vm5a is not authorized to read from: 
> > ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic
> >
> > I ran some tcpdumps. While this is in the logs, I do not see any ldap 
> > searches attempting to update the authorization info. Just after a restart, 
> > I do see intermittent searches for the entries under 
> > ou=destination,ou=activemq,ou=systems,o=me.
> >
> > My plugin info:
> >
> > <authorizationPlugin>
> >  <map>
> >    <cachedLDAPAuthorizationMap
> >         connectionURL="ldap://ldap-lab.me:389"
> >         connectionUsername="cn=mqbroker,ou=services,o=me"
> >         connectionPassword="password"
> >         baseDn="ou=systems,o=me"
> >         refreshInterval="5000"
> >     />
> >  </map>
> > </authorizationPlugin>
> 
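
The log symptom from the original report, turned into a monitoring check (an added example, not code from this thread or from ActiveMQ): it flags clusters of "is not authorized" denials in broker log lines of the format quoted above, which is the moment to check whether the LDAP refresh searches are still happening. The window, threshold, sample lines and the user vm6b are assumptions constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Denial message in the broker log format quoted in the thread (one record per line).
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \| .*?"
    r"User (?P<user>\S+) is not authorized to (?P<op>[a-z ]+): (?P<dest>[^|]+?) \|"
)

# Constructed sample log: one isolated denial, then a cluster like the one reported.
_REC = ("{ts} | DEBUG | Error occured while processing sync command: ConsumerInfo {{}}, "
        "exception: java.lang.SecurityException: User {user} is not authorized to read from: "
        "ActiveMQ.Advisory.TempQueue,ActiveMQ.Advisory.TempTopic | "
        "org.apache.activemq.broker.TransportConnection.Service | ActiveMQ Transport")
SAMPLE_LOG = [
    _REC.format(ts="2012-06-21 09:00:00,100", user="vm5a"),
    "2012-06-21 09:00:05,000 | INFO | Connector openwire Started | constructed line",
    _REC.format(ts="2012-06-21 11:57:31,538", user="vm5a"),
    _REC.format(ts="2012-06-21 11:57:40,002", user="vm6b"),  # vm6b is a made-up user
    _REC.format(ts="2012-06-21 11:58:02,917", user="vm5a"),
]

def find_denial_bursts(lines, window=timedelta(minutes=5), threshold=3):
    """Return one dict per run of >= threshold denials inside a sliding window.

    Assumes the lines are in chronological order, as in a broker log file.
    """
    recent, bursts, in_burst = deque(), [], False
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        recent.append((ts, m["user"]))
        while ts - recent[0][0] > window:   # drop denials older than the window
            recent.popleft()
        if len(recent) < threshold:
            in_burst = False
            continue
        if not in_burst:                    # burst starts at the oldest denial still kept
            bursts.append({"start": recent[0][0], "users": set()})
            in_burst = True
        bursts[-1]["end"] = ts
        bursts[-1]["users"].update(user for _, user in recent)
    return bursts

if __name__ == "__main__":
    for b in find_denial_bursts(SAMPLE_LOG):
        print(b["start"], "->", b["end"], sorted(b["users"]))
```
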
