Cannot connect to DLQ when users/roles are defined in an LDA
osganian May 23, 2005 2:28 PM
I'm having trouble connecting to the default DLQ when my users and roles are defined in an LDAP server. What am I missing here?
In my LDAP server I have the following guest user and role (the unencrypted password value is 'guest'):
# Temporary guest role and user.
dn: cn=guest,ou=Roles,o=myorg,dc=mycompany,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: guest
uniqueMember: uid=guest,ou=People,o=myorg,dc=mycompany,dc=com
# Guest user account.
dn: uid=guest,ou=People,o=myorg,dc=mycompany,dc=com
objectClass: top
objectClass: uidObject
objectClass: person
objectClass: inetOrgPerson
objectClass: simpleSecurityObject
objectClass: organizationalPerson
cn: Joe Guest
description: The JMS guest account
mail: guest@mycompany.com
sn: Guest
title: No Title Specified
uid: guest
userPassword: CE4DQ6BIb/BVMN9scFyLtA==
If I get an exception in my MDB, I get the error when trying to connect to the DLQ:
2005-05-23 13:37:49,054 WARN [org.jboss.ejb.plugins.jms.DLQHandler] Message resent too many times; sending it to DLQ; message id=DUDE-11168698631352
2005-05-23 13:37:49,094 ERROR [org.jboss.ejb.plugins.jms.DLQHandler] Could not send message to Dead Letter Queue
javax.jms.JMSSecurityException: Connection not authorized to addMessages to destination: DLQ
    at org.jboss.mq.security.ServerSecurityInterceptor.addMessage(ServerSecurityInterceptor.java:152)
    at org.jboss.mq.server.TracingInterceptor.addMessage(TracingInterceptor.java:270)
    at org.jboss.mq.server.JMSServerInvoker.addMessage(JMSServerInvoker.java:136)
    at org.jboss.mq.il.uil2.ServerSocketManagerHandler.handleMsg(ServerSocketManagerHandler.java:86)
    at org.jboss.mq.il.uil2.SocketManager$ReadTask.handleMsg(SocketManager.java:358)
    at org.jboss.mq.il.uil2.msgs.BaseMsg.run(BaseMsg.java:377)
    at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:748)
    at java.lang.Thread.run(Thread.java:534)
Here's my login-conf.xml file:
<policy>
  <application-policy name="other">
    <authentication>
      <login-module flag="requisite" code="org.jboss.security.auth.spi.LdapLoginModule">
        <!-- Standard LDAP Options -->
        <module-option name="java.naming.factory.initial">
          com.sun.jndi.ldap.LdapCtxFactory
        </module-option>
        <module-option name="java.naming.provider.url">
          ldap://${ldap.host}:${ldap.port}/
        </module-option>
        <module-option name="java.naming.security.authentication">
          simple
        </module-option>
        <!-- JBoss's LDAP Options -->
        <module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix">
          ,ou=People,o=myorg,dc=mycompany,dc=com
        </module-option>
        <module-option name="rolesCtxDN">
          ou=Roles,o=myorg,dc=mycompany,dc=com
        </module-option>
        <module-option name="uidAttributeID">uniqueMember</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="matchOnUserDN">true</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="hashAlgorithm">MD5</module-option>
        <module-option name="hashEncoding">base64</module-option>
        <module-option name="unauthenticatedIdentity">
          guest
        </module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
Here's my SecurityManager mbean (the default one supplied by JBoss) which defines the role required to connect to the DLQ:
<mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
  <attribute name="DefaultSecurityConfig">
    <security>
      <role name="guest" read="true" write="true" create="true"/>
    </security>
  </attribute>
  <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>
  <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
</mbean>
It should be connecting to the DLQ as the unauthenticatedIdentity (which should be guest) but it's failing. Does anybody have any ideas?
Authorization for all my durable topics has no problem connecting to my LDAP db and authenticating.
Thanks!
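
Added example, not part of the original post and not JBoss code: an offline check that the LDIF and module options posted above are mutually consistent, which helps separate a directory-data problem from a login-module or security-domain problem. It assumes a simplified model of the role lookup (user DN built as principalDNPrefix + name + principalDNSuffix, roles taken from entries under rolesCtxDN whose uidAttributeID value matches that DN); the function names are hypothetical.

```python
import base64
import hashlib

# Constructed from the LDIF in the post (attributes not used here are omitted).
LDIF = """\
dn: cn=guest,ou=Roles,o=myorg,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: guest
uniqueMember: uid=guest,ou=People,o=myorg,dc=mycompany,dc=com

dn: uid=guest,ou=People,o=myorg,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: guest
userPassword: CE4DQ6BIb/BVMN9scFyLtA==
"""
# Module options from the post, with surrounding whitespace trimmed (assumption).
OPTS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=People,o=myorg,dc=mycompany,dc=com",
    "rolesCtxDN": "ou=Roles,o=myorg,dc=mycompany,dc=com",
    "uidAttributeID": "uniqueMember", "roleAttributeID": "cn",
    "matchOnUserDN": True, "hashAlgorithm": "MD5",
}

def parse_ldif(text):
    """Parse blank-line-separated LDIF entries into dicts of lower-cased attribute -> values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry.setdefault(key.lower(), []).append(value)
        entries.append(entry)
    return entries

def user_dn(username):
    """Build the bind DN the way the prefix/suffix options describe."""
    return OPTS["principalDNPrefix"] + username + OPTS["principalDNSuffix"]

def roles_for(username, entries):
    """Role names of entries under rolesCtxDN whose member attribute matches the user."""
    match = user_dn(username) if OPTS["matchOnUserDN"] else username
    roles = []
    for e in entries:
        under_ctx = e["dn"][0].lower().endswith("," + OPTS["rolesCtxDN"].lower())
        if under_ctx and match in e.get(OPTS["uidAttributeID"].lower(), []):
            roles += e.get(OPTS["roleAttributeID"].lower(), [])
    return roles

def hashed(password):
    """Digest the password with hashAlgorithm and base64-encode it (hashEncoding)."""
    digest = hashlib.new(OPTS["hashAlgorithm"].lower(), password.encode()).digest()
    return base64.b64encode(digest).decode()
```

Under this model the posted data maps user guest to role guest, and the stored userPassword equals the base64 MD5 of 'guest', so the directory entries agree with the options as written.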