1 Reply Latest reply on May 23, 2005 3:42 PM by osganian

    Cannot connect to DLQ when users/roles are defined in an LDA

    osganian

      I'm having trouble connecting to the default DLQ when my users and roles are defined in an LDAP server. What am I missing here?

      In my LDAP server I have the following guest user and role (the unencrypted password value is 'guest'):

      # Temporary guest role and user.
      dn: cn=guest,ou=Roles,o=myorg,dc=mycompany,dc=com
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: guest
      uniqueMember: uid=guest,ou=People,o=myorg,dc=mycompany,dc=com

      # Guest user account.
      dn: uid=guest,ou=People,o=myorg,dc=mycompany,dc=com
      objectClass: top
      objectClass: uidObject
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: simpleSecurityObject
      objectClass: organizationalPerson
      cn: Joe Guest
      description: The JMS guest account
      mail: guest@mycompany.com
      sn: Guest
      title: No Title Specified
      uid: guest
      userPassword: CE4DQ6BIb/BVMN9scFyLtA==

      If I get an exception in my MDB, I get the error when trying to connect to the DLQ:

      2005-05-23 13:37:49,054 WARN [org.jboss.ejb.plugins.jms.DLQHandler] Message resent too many times; sending it to DLQ; message id=DUDE-11168698631352
      2005-05-23 13:37:49,094 ERROR [org.jboss.ejb.plugins.jms.DLQHandler] Could not send message to Dead Letter Queue
      javax.jms.JMSSecurityException: Connection not authorized to addMessages to destination: DLQ
       at org.jboss.mq.security.ServerSecurityInterceptor.addMessage(ServerSecurityInterceptor.java:152)
       at org.jboss.mq.server.TracingInterceptor.addMessage(TracingInterceptor.java:270)
       at org.jboss.mq.server.JMSServerInvoker.addMessage(JMSServerInvoker.java:136)
       at org.jboss.mq.il.uil2.ServerSocketManagerHandler.handleMsg(ServerSocketManagerHandler.java:86)
       at org.jboss.mq.il.uil2.SocketManager$ReadTask.handleMsg(SocketManager.java:358)
       at org.jboss.mq.il.uil2.msgs.BaseMsg.run(BaseMsg.java:377)
       at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:748)
       at java.lang.Thread.run(Thread.java:534)

      Here's my login-conf.xml file:

      <policy>
        <application-policy name="other">
          <authentication>
            <login-module flag="requisite"
                          code="org.jboss.security.auth.spi.LdapLoginModule">
              <!-- Standard LDAP Options -->
              <module-option name="java.naming.factory.initial">
                com.sun.jndi.ldap.LdapCtxFactory
              </module-option>
              <module-option name="java.naming.provider.url">
                ldap://${ldap.host}:${ldap.port}/
              </module-option>
              <module-option name="java.naming.security.authentication">
                simple
              </module-option>
              <!-- JBoss's LDAP Options -->
              <module-option name="principalDNPrefix">uid=</module-option>
              <module-option name="principalDNSuffix">
                ,ou=People,o=myorg,dc=mycompany,dc=com
              </module-option>
              <module-option name="rolesCtxDN">
                ou=Roles,o=myorg,dc=mycompany,dc=com
              </module-option>
              <module-option name="uidAttributeID">uniqueMember</module-option>
              <module-option name="roleAttributeID">cn</module-option>
              <module-option name="matchOnUserDN">true</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
              <module-option name="hashAlgorithm">MD5</module-option>
              <module-option name="hashEncoding">base64</module-option>
              <module-option name="unauthenticatedIdentity">
                guest
              </module-option>
            </login-module>
          </authentication>
        </application-policy>
      </policy>


      Here's my SecurityManager mbean (the default one supplied by JBoss) which defines the role required to connect to the DLQ:

      <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
        <attribute name="DefaultSecurityConfig">
          <security>
            <role name="guest" read="true" write="true" create="true"/>
          </security>
        </attribute>
        <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>
        <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
      </mbean>


      It should be connecting to the DLQ as the unauthenticatedIdentity (which should be guest) but it's failing. Does anybody have any ideas?

      Authorization for all my durable topics has no problem connecting to my LDAP db and authenticating.

      Thanks!
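The following is an added illustration, not code from the post or from JBoss: a small Python model of what the LdapLoginModule options above describe, so the LDIF entries and the module-options can be checked against each other offline. It builds the user DN from principalDNPrefix/principalDNSuffix, hashes a candidate password the way hashAlgorithm=MD5 and hashEncoding=base64 describe, compares it with the stored userPassword, and collects role names from entries under rolesCtxDN whose uniqueMember lists the full user DN (matchOnUserDN=true). The LDIF is the post's guest role and user trimmed to the attributes used; the tiny LDIF parser, the option dict and the function names are constructed for this example and are not the real module's API.

```python
"""Added example (not from the forum post or JBoss): a minimal model of how the
LdapLoginModule options shown above resolve a user DN, verify a hashed
password and collect roles from an LDIF directory."""
import base64
import hashlib
import hmac

# Constructed LDIF mirroring the post's entries (one role, one user).
LDIF = """\
dn: cn=guest,ou=Roles,o=myorg,dc=mycompany,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: guest
uniqueMember: uid=guest,ou=People,o=myorg,dc=mycompany,dc=com

dn: uid=guest,ou=People,o=myorg,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: guest
userPassword: CE4DQ6BIb/BVMN9scFyLtA==
"""

# The module-options from the post's login config, as a plain dict (assumed shape).
OPTIONS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=People,o=myorg,dc=mycompany,dc=com",
    "rolesCtxDN": "ou=Roles,o=myorg,dc=mycompany,dc=com",
    "uidAttributeID": "uniqueMember",
    "roleAttributeID": "cn",
    "matchOnUserDN": "true",
    "hashAlgorithm": "MD5",
    "hashEncoding": "base64",
}


def parse_ldif(text):
    """Parse simple LDIF into {dn: {attr: [values]}}.
    Handles 'attr: value' lines only (no line folding, no 'attr::' base64 values)."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:            # a blank line ends the current entry
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def hash_password(password, options):
    """Digest a clear-text password as hashAlgorithm/hashEncoding describe (MD5 + base64 here)."""
    digest = hashlib.new(options["hashAlgorithm"].lower(), password.encode("utf-8")).digest()
    if options["hashEncoding"].lower() == "base64":
        return base64.b64encode(digest).decode("ascii")
    return digest.hex()         # assumption: anything else is treated as hex


def user_dn(username, options):
    """principalDNPrefix + username + principalDNSuffix, as the post's config builds it."""
    return options["principalDNPrefix"] + username + options["principalDNSuffix"]


def authenticate(directory, username, password, options):
    """True when the stored userPassword equals the hashed candidate (constant-time compare)."""
    entry = directory.get(user_dn(username, options))
    if entry is None or "userPassword" not in entry:
        return False
    return hmac.compare_digest(hash_password(password, options), entry["userPassword"][0])


def roles_for(directory, username, options):
    """Role names from entries under rolesCtxDN whose uidAttributeID lists the user:
    the full user DN when matchOnUserDN is true, otherwise the bare username."""
    member = user_dn(username, options) if options["matchOnUserDN"] == "true" else username
    suffix = "," + options["rolesCtxDN"]
    roles = set()
    for dn, attrs in directory.items():
        if dn.endswith(suffix) and member in attrs.get(options["uidAttributeID"], []):
            roles.update(attrs.get(options["roleAttributeID"], []))
    return roles


if __name__ == "__main__":
    directory = parse_ldif(LDIF)
    print(hash_password("guest", OPTIONS))                     # CE4DQ6BIb/BVMN9scFyLtA==
    print(authenticate(directory, "guest", "guest", OPTIONS))  # True
    print(roles_for(directory, "guest", OPTIONS))              # {'guest'}
```

Running it confirms that the stored value in the post is exactly base64(MD5("guest")) and that, with the DN suffix and rolesCtxDN given, the guest user resolves to the single role "guest". Two points worth keeping in mind when reading such a config: the module options only describe the format the directory already stores, so a stray space in a multi-line option value such as principalDNSuffix silently changes the DN being looked up, and an unsalted MD5 digest lets identical passwords be spotted and guessed offline cheaply, so a salted scheme on the directory side (with the module options adjusted to match) is the stronger choice.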

        • 1. Re: Cannot connect to DLQ when users/roles are defined in an
          osganian

          Turning tracing on and switching the unauthenticatedIdentity from guest to another user in the system I see this:

          ...
          2005-05-23 15:27:21,467 TRACE [org.jboss.mq.security.SecurityManager] Checking authorize on subjectInfo: SubjectInfo {subject=Subject:
           Principal: myuser
           Principal: Roles(members:MySubscriber,MyDLQ,guest)
          ;principal=myuser;roles=Roles(members:MySubscriber,MyDLQ,guest) for rolePrincipals [MyPublisher, MySubscriber]
          2005-05-23 15:27:21,467 WARN [org.jboss.ejb.plugins.jms.DLQHandler] Message resent too many times; sending it to DLQ; message id=DUDE-11168764331452
          2005-05-23 15:27:21,477 TRACE [org.jboss.mq.security.SecurityManager] Checking authorize on subjectInfo: SubjectInfo {subject=Subject:
           Principal: myuser
           Principal: Roles(members)
          ;principal=null;roles=Roles(members) for rolePrincipals [guest]
          2005-05-23 15:27:21,497 ERROR [org.jboss.ejb.plugins.jms.DLQHandler] Could not send message to Dead Letter Queue
          javax.jms.JMSSecurityException: Connection not authorized to addMessages to destination: DLQ
           at org.jboss.mq.security.ServerSecurityInterceptor.addMessage(ServerSecurityInterceptor.java:152)
           at org.jboss.mq.server.TracingInterceptor.addMessage(TracingInterceptor.java:270)
           at org.jboss.mq.server.JMSServerInvoker.addMessage(JMSServerInvoker.java:136)
           at org.jboss.mq.il.uil2.ServerSocketManagerHandler.handleMsg(ServerSocketManagerHandler.java:86)
           at org.jboss.mq.il.uil2.SocketManager$ReadTask.handleMsg(SocketManager.java:358)
           at org.jboss.mq.il.uil2.msgs.BaseMsg.run(BaseMsg.java:377)
           at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:748)
           at java.lang.Thread.run(Thread.java:534)
          ...

          So you can see that JBoss calls the SecurityManager twice for myuser: the first time it says that myuser is a member of 3 roles (MySubscriber, MyDLQ, guest); the second time (10 ms later) myuser is a member of no roles (?), and then it fails with the above error.

          What is going on here??? I'm sure there has to be a JBoss expert out there who might know what's going on here.

          Thanks for any help.
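As an added example, not part of the thread and not JBoss code, here is a small parser for the "Checking authorize on subjectInfo" TRACE records quoted in the reply. It pulls the principal, the roles the subject holds and the rolePrincipals the destination requires out of each record, then reports whether the subject holds any of the required roles. The any-one-of-the-required-roles rule is an assumption chosen because it agrees with the trace: the first check (roles MySubscriber, MyDLQ, guest against [MyPublisher, MySubscriber]) passes and the second (no roles against [guest]) is followed by the JMSSecurityException. The log text is the reply's own trace, embedded as a constant; the function names and record layout are constructed.

```python
"""Added example (not from the forum thread or JBoss): parse SecurityManager
TRACE records and report which authorization checks could succeed."""
import re

# The two TRACE records and the WARN line between them, as quoted in the reply.
TRACE = """\
2005-05-23 15:27:21,467 TRACE [org.jboss.mq.security.SecurityManager] Checking authorize on subjectInfo: SubjectInfo {subject=Subject:
 Principal: myuser
 Principal: Roles(members:MySubscriber,MyDLQ,guest)
;principal=myuser;roles=Roles(members:MySubscriber,MyDLQ,guest) for rolePrincipals [MyPublisher, MySubscriber]
2005-05-23 15:27:21,467 WARN [org.jboss.ejb.plugins.jms.DLQHandler] Message resent too many times; sending it to DLQ; message id=DUDE-11168764331452
2005-05-23 15:27:21,477 TRACE [org.jboss.mq.security.SecurityManager] Checking authorize on subjectInfo: SubjectInfo {subject=Subject:
 Principal: myuser
 Principal: Roles(members)
;principal=null;roles=Roles(members) for rolePrincipals [guest]
"""

# One record spans several lines: from the timestamped TRACE line down to
# ";principal=...;roles=Roles(members...) for rolePrincipals [...]".
CHECK_RE = re.compile(
    r"^(?P<ts>\S+ \S+) TRACE \[org\.jboss\.mq\.security\.SecurityManager\] Checking authorize"
    r".*?;principal=(?P<principal>[^;]*);roles=Roles\(members(?::(?P<roles>[^)]*))?\)"
    r" for rolePrincipals \[(?P<required>[^\]]*)\]",
    re.MULTILINE | re.DOTALL,
)


def _split(csv):
    return {item.strip() for item in csv.split(",") if item.strip()}


def parse_authorize_checks(log_text):
    """Return one dict per TRACE record: timestamp, principal (None for 'null'),
    roles held, roles required, and whether any required role is held."""
    checks = []
    for m in CHECK_RE.finditer(log_text):
        roles = _split(m.group("roles") or "")
        required = _split(m.group("required"))
        principal = None if m.group("principal") == "null" else m.group("principal")
        checks.append({
            "timestamp": m.group("ts"),
            "principal": principal,
            "roles": roles,
            "required": required,
            "granted": bool(roles & required),   # assumed rule: any required role suffices
        })
    return checks


def explain(check):
    """One-line verdict for a parsed check, naming what is missing when it fails."""
    if check["granted"]:
        return f"{check['timestamp']}: allowed, holds {sorted(check['roles'] & check['required'])}"
    held = sorted(check["roles"]) or "no roles"
    return (f"{check['timestamp']}: denied, principal={check['principal']}, "
            f"holds {held}, needs one of {sorted(check['required'])}")


if __name__ == "__main__":
    for check in parse_authorize_checks(TRACE):
        print(explain(check))
```

Run against the reply's trace this prints one allowed line for the first check and a denied line for the second, where the principal is null and the held role set is empty while the DLQ requires "guest". That matches what the reply observes: the failure is not a wrong role name on the DLQ but a subject that carries no roles at all when the second check runs, which is the detail to look at in the login-module configuration before touching the SecurityManager's role list.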