Dear Justin,

thanks a lot for your reply (and please keep me in CC, since I'm not subscribed 
to the ActiveMQ mailing list).


By now I have tried to use a space-separated list of URLs and indeed it seems 
to work. Very nice!


I guess it would be good to mention this in the documentation, wouldn't it? Am 
I right in assuming that a documentation patch should target the following file?


https://github.com/apache/activemq-website/blob/master/src/cached-ldap-authorization-module.md


Cheers,

Janus




Justin Bertram <[email protected]> wrote:

> Under the covers the cachedLDAPAuthorizationMap uses
> com.sun.jndi.ldap.LdapCtxFactory for connectivity with LDAP [1].  The
> Oracle documentation states [2], "Instead of just one URL, you can also
> supply a space-separated list of URLs. In this case, the LDAP provider will
> attempt to use each URL in turn until it is able to create a successful
> connection." It then provides a simple example [3]:
>
>   // Specify list of space-separated URLs
>   env.put(Context.PROVIDER_URL,
>       "ldap://notthere:389/o=JNDITutorial " +
>       "ldap://localhost:389/o=JNDITutorial " +
>       "ldap://remotehost/o=JNDITutorial " +
>       "ldap://thirdhost:389/o=JNDITutorial");
>
>
> Justin
>
> [1]https://github.com/apache/activemq/blob/master/activemq-broker/src/main/java/org/apache/activemq/security/SimpleCachedLDAPAuthorizationMap.java#L64
> [2] https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html
> [3] https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/src/MultiUrls.java



________________________________
From: Weil, Janus
Sent: Friday, November 22, 2019 5:21 PM
To: [email protected]
Subject: LDAP authorization with multiple LDAP servers


Dear ActiveMQ people,


we have a neatly working setup of several ActiveMQ 5 brokers which rely on an 
LDAP server for authorization.


The configuration in activemq.xml looks roughly like this (some parts omitted):


        <plugins>
            <jaasAuthenticationPlugin configuration="LdapConfiguration" />
            <authorizationPlugin>
                <map>
                    <cachedLDAPAuthorizationMap
                        connectionURL="ldap://my.ldap.server:389"
                        connectionUsername="..."
                        connectionPassword="..."
                        queueSearchBase="..."
                        topicSearchBase="..."
                        tempSearchBase="..."
                        refreshInterval="300000"
                        legacyGroupMapping="false"
                        groupObjectClass="groupOfNames"
                        permissionGroupMemberAttribute="member"
                        userObjectClass="person"
                        userNameAttribute="uid"
                    />
                </map>
            </authorizationPlugin>
        </plugins>



Now we plan to add some redundancy / high-availability for the LDAP part by 
using two or more mirrored LDAP servers. My simple question is: Does ActiveMQ 
have support for working with multiple LDAP servers?


The documentation at 
https://activemq.apache.org/cached-ldap-authorization-module does not give any 
hint on whether the connectionURL can specify multiple servers.


However I found another reference to the JAAS LDAP Login Module at 
https://access.redhat.com/documentation/en-us/red_hat_jboss_a-mq/6.3/html/security_guide/esbsecurecontainer#JAASAuth-LDAPLoginModule 
which seems to indicate that connection.url may specify multiple URLs as a 
space-separated list.


Can I expect that to work also in the ActiveMQ context?


Best regards,

Janus


DFS Deutsche Flugsicherung GmbH
Am DFS-Campus
D - 63225 Langen

Tel.: +49-(0)6103-707-0

Registered office: Langen/Hessen
Competent registry court: AG Offenbach am Main, HRB 34977
Chairwoman of the Supervisory Board: Dr. Martina Hinricher
Managing Directors: Prof. Klaus-Dieter Scheurle (Chairman), Robert Schickling, Dr. 
Michael Hann

Internet: http://www.dfs.de
DFS public key: http://www.dfs.de/dfs/public_key.asc
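The JNDI behaviour Justin describes (a whitespace-separated list in PROVIDER_URL, tried in order until one connects) also applies to the connectionURL attribute of cachedLDAPAuthorizationMap in the activemq.xml above. The following is an added example, not ActiveMQ or JNDI code: a small Python linter that pulls connectionURL out of an activemq.xml fragment, splits it the way JNDI does, flags a single-server (no failover) configuration and any plaintext ldap:// entry that would carry the bind credentials unencrypted, and emulates the try-in-order semantics with an injectable reachability probe. The XML fragment, host names and the `probe` callback are constructed for the example.

```python
"""Lint the space-separated LDAP URL list used by ActiveMQ's cachedLDAPAuthorizationMap.

Added example; the activemq.xml fragment and host names below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed activemq.xml fragment (no XML namespace, unlike a real broker config).
SAMPLE_XML = """<plugins>
  <authorizationPlugin>
    <map>
      <cachedLDAPAuthorizationMap
          connectionURL="ldap://ldap1.example.test:389 ldaps://ldap2.example.test:636"
          connectionUsername="cn=reader,dc=example,dc=test"
          connectionPassword="placeholder-not-a-real-secret"
          refreshInterval="300000" />
    </map>
  </authorizationPlugin>
</plugins>"""


def split_provider_urls(value):
    """JNDI PROVIDER_URL semantics: whitespace-separated, attempted in order."""
    return value.split()


def lint_url(url):
    """Return findings for a single LDAP URL (empty list means no concern)."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        findings.append(f"{url}: unsupported scheme '{parts.scheme}'")
        return findings
    if not parts.hostname:
        findings.append(f"{url}: missing host")
    if parts.scheme == "ldap":
        # The bind DN and password are sent on this connection; without TLS
        # they cross the network in the clear.
        findings.append(f"{url}: plaintext ldap://, bind credentials are not protected")
    return findings


def lint_connection_url(value):
    """Lint one connectionURL attribute; returns (urls_in_order, findings)."""
    urls = split_provider_urls(value)
    findings = []
    if len(urls) < 2:
        findings.append("only one LDAP server configured; no failover")
    for url in urls:
        findings.extend(lint_url(url))
    return urls, findings


def lint_activemq_xml(text):
    """Map each cachedLDAPAuthorizationMap connectionURL to its lint result."""
    root = ET.fromstring(text)
    results = {}
    for elem in root.iter():
        # Match on the local name so a namespaced activemq.xml works too.
        if elem.tag.rsplit("}", 1)[-1] == "cachedLDAPAuthorizationMap":
            value = elem.get("connectionURL", "")
            results[value] = lint_connection_url(value)
    return results


def first_reachable(urls, probe):
    """Emulate JNDI's failover: return the first URL for which probe(url) is True,
    or None when every server is down. probe is injected so this runs offline."""
    for url in urls:
        if probe(url):
            return url
    return None


if __name__ == "__main__":
    for value, (urls, findings) in lint_activemq_xml(SAMPLE_XML).items():
        print("connectionURL:", value)
        print("  tried in order:", urls)
        for finding in findings:
            print("  finding:", finding)
        # Constructed probe: pretend only the ldaps:// host is up.
        print("  would connect to:", first_reachable(urls, lambda u: u.startswith("ldaps://")))
```

Running it against the constructed fragment reports that the first entry is plaintext ldap:// and shows that, with the first host unreachable, JNDI would fall through to the ldaps:// host. Note that ordering matters: because the list is tried front to back, the preferred (and TLS-protected) server should be listed first.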

