Under the covers the cachedLDAPAuthorizationMap uses
com.sun.jndi.ldap.LdapCtxFactory for connectivity with LDAP [1]. The
Oracle documentation states [2], "Instead of just one URL, you can also
supply a space-separated list of URLs. In this case, the LDAP provider will
attempt to use each URL in turn until it is able to create a successful
connection." It then provides a simple example [3]:
    // Specify list of space-separated URLs
    env.put(Context.PROVIDER_URL,
            "ldap://notthere:389/o=JNDITutorial " +
            "ldap://localhost:389/o=JNDITutorial " +
            "ldap://remotehost/o=JNDITutorial " +
            "ldap://thirdhost:389/o=JNDITutorial");
Justin
[1] https://github.com/apache/activemq/blob/master/activemq-broker/src/main/java/org/apache/activemq/security/SimpleCachedLDAPAuthorizationMap.java#L64
[2] https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html
[3] https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/src/MultiUrls.java
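One operational consequence of that failover behaviour is that a dead first server is silently skipped, so nobody notices it until the remaining mirrors fail too. The following is an added example (not code from the thread or from ActiveMQ) that binds to each URL of such a space-separated list on its own, using the same JNDI factory and properties the authorization map uses; the hostnames, the ldaps scheme and the environment variable names are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Probes every server of a space-separated LDAP URL list individually.
 * JNDI only ever reports the list as a whole, so this is how an operator
 * sees which mirror is actually down before relying on the failover.
 */
public class LdapMirrorCheck {

    // Same list format that cachedLDAPAuthorizationMap hands to JNDI.
    // Hostnames are assumptions, not servers from the thread.
    static final String CONNECTION_URL =
        "ldaps://ldap1.example.org:636 ldaps://ldap2.example.org:636";

    /** Binds to a single URL; returns null on success, else the error text. */
    static String probe(String url, String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);             // one URL, so no failover here
        if (bindDn != null && password != null) {       // otherwise an anonymous bind
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, bindDn);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        env.put("com.sun.jndi.ldap.connect.timeout", "3000"); // milliseconds, fail fast
        env.put("com.sun.jndi.ldap.read.timeout", "3000");
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
            return null;
        } catch (NamingException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Credentials come from the environment so they never sit in the source.
        String bindDn = System.getenv("LDAP_BIND_DN");
        String password = System.getenv("LDAP_BIND_PW");
        String[] urls = CONNECTION_URL.trim().split("\\s+");
        int reachable = 0;
        for (String url : urls) {
            String err = probe(url, bindDn, password);
            System.out.println(url + " -> " + (err == null ? "OK" : "FAILED (" + err + ")"));
            if (err == null) reachable++;
        }
        // Non-zero exit lets a cron job or monitoring check flag a dead mirror.
        System.exit(reachable == urls.length ? 0 : 1);
    }
}
```

The probe uses ldaps:// because a simple bind over plain ldap:// on port 389, as in the quoted configuration, sends the connectionPassword in the clear; the same space-separated list, ldaps included, can be used verbatim as the connectionURL value.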
On Fri, Nov 22, 2019 at 10:26 AM Weil, Janus <[email protected]> wrote:
> Dear ActiveMQ people,
>
> we have a neatly working setup of several ActiveMQ 5 brokers which rely on
> an LDAP server for authorization.
>
> The configuration in activemq.xml looks roughly like this (some parts
> omitted):
>
> <plugins>
>   <jaasAuthenticationPlugin configuration="LdapConfiguration" />
>   <authorizationPlugin>
>     <map>
>       <cachedLDAPAuthorizationMap
>         connectionURL="ldap://my.ldap.server:389"
>         connectionUsername="..."
>         connectionPassword="..."
>         queueSearchBase="..."
>         topicSearchBase="..."
>         tempSearchBase="..."
>         refreshInterval="300000"
>         legacyGroupMapping="false"
>         groupObjectClass="groupOfNames"
>         permissionGroupMemberAttribute="member"
>         userObjectClass="person"
>         userNameAttribute="uid"
>       />
>     </map>
>   </authorizationPlugin>
> </plugins>
>
> Now we plan to add some redundancy / high availability for the LDAP part
> by using two or more mirrored LDAP servers. My simple question is: does
> ActiveMQ have support for working with multiple LDAP servers?
>
> The documentation at
> https://activemq.apache.org/cached-ldap-authorization-module does not
> give any hint on whether the connectionURL can specify multiple servers.
>
> However, I found another reference to the JAAS LDAP Login Module at
> https://access.redhat.com/documentation/en-us/red_hat_jboss_a-mq/6.3/html/security_guide/esbsecurecontainer#JAASAuth-LDAPLoginModule,
> which seems to indicate that connection.url may specify multiple URLs as a
> space-separated list.
>
> Can I expect that to work also in the ActiveMQ context?
>
> Best regards,
>
> Janus
>
> DFS Deutsche Flugsicherung GmbH
> Am DFS-Campus
> D - 63225 Langen
>
> Tel.: +49-(0)6103-707-0
>
> Registered office: Langen/Hessen
> Responsible register court: AG Offenbach am Main, HRB 34977
> Chair of the Supervisory Board: Dr. Martina Hinricher
> Managing Directors: Prof. Klaus-Dieter Scheurle (Chair), Robert Schickling,
> Dr. Michael Hann
>
> Internet: http://www.dfs.de
> DFS public key: http://www.dfs.de/dfs/public_key.asc