1 Reply Latest reply on Feb 13, 2012 12:20 PM by ned233

AS7.1 ActiveDirectory security on JMS, problem looking up roles

ned233 Feb 10, 2012 4:48 PM

JBoss distribution: as of 2/10/2012

I have been trying to get Active Directory integrated as a login-module to secure my JMS queues. Here is what I have configured so far:

1. Created a login-module:

<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">

<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

<module-option name="java.naming.provider.url" value="ldap://mycompany.com:389/"/>

<module-option name="java.naming.security.authentication" value="simple"/>

<module-option name="allowEmptyPasswords" value="false"/>

<module-option name="baseCtxDN" value="DC=mycompany,DC=com"/>

<module-option name="baseFilter" value="(sAMAccountName={0})"/>

<module-option name="uidAttributeID" value="sAMAccountName"/>

<module-option name="rolesCtxDN" value="DC=mycompany,DC=com"/>

<module-option name="roleAttributeIsDN" value="true"/>

<module-option name="roleAttributeID" value="memberOf"/>

<module-option name="roleNameAttributeID" value="name"/>

</login-module>

2. Secure the queue

<security-setting match="jms.queue.testQueue">

</security-setting>

When I run my test, I create my ConnectionFactory like this:

ConnectionFactory conn = factory.createConnection("testuser@mycompany.com", "password");

I have confirmed that the user actually gets authenticated, because if I pass an invalid password, I get an error back stating that the password is invalid (and the "badPwdCount" goes up by 1). When I enter the correct password, though, I get the following error:

javax.jms.JMSSecurityException: User: testuser@mycompany.com doesn't have permission='SEND' on address jms.queue.testQueue

at org.hornetq.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:286)

at org.hornetq.core.client.impl.ClientProducerImpl.doSend(ClientProducerImpl.java:287)

at org.hornetq.core.client.impl.ClientProducerImpl.send(ClientProducerImpl.java:142)

at org.hornetq.jms.client.HornetQMessageProducer.doSend(HornetQMessageProducer.java:451)

at org.hornetq.jms.client.HornetQMessageProducer.send(HornetQMessageProducer.java:199)

This leads me to believe that I have not configured my login-module correctly, so that it is not finding the user's roles. Here is how things appear in AD:

1. Lookup the user account under DC=mycompany,DC=com

User has a memberOf attribute that consists of several DN's (which is why I set roleAttributeIsDN to "true"). Here is the role that I am going after:

CN=My_Role,OU=Sharepoint,OU=Groups,DC=mycompany,DC=com

2. Lookup this role entry

When I go to this role in my AD Browser utility, I see a "name" attribute belonging to the record and its value is "My_Role" (which is why I set roleNameAttributeID to "name").

Is there something I am missing?

Thanks,

1. Re: AS7.1 ActiveDirectory security on JMS, problem looking up roles

ned233 Feb 13, 2012 12:20 PM (in response to ned233)

I thought I would answer my own question, in case anyone else has this problem. For some reason, it didn't like it when I authenticated like this:

      ConnectionFactory conn = factory.createConnection("testuser@mycompany.com", "password");

So instead, I authenticated like this:

      ConnectionFactory conn = factory.createConnection("testuser", "password");

And then I had to add the following module-option to my login-module:

      <module-option name="principalDNSuffix" value="@mycompany.com"/>

I am not sure why this is necessary, but it worked!
Actions