0 Replies Latest reply on Dec 17, 2010 6:11 AM by massios

    Switching messaging to ldap

    massios
      Hello,

      We are trying to switch jboss messaging to use ldap as a user source on a JBoss 5.1 GA.

      In the file

      \server\nodeX\deploy\messaging\messaging-jboss-beans.xml

      There is a part that defines the application-policy, and the default is to take the users from the database:

      <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
           <authentication>
                <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                     <module-option name="unauthenticatedIdentity">guest</module-option>
                     <module-option name="dsJndiName">java:/DefaultDS</module-option>
                     <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
                     <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
                </login-module>
           </authentication>
      </application-policy>

      We have tried switching this part of the xml to take the users from the ldap, like this:

      <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
           <authentication>
                <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                     <module-option name="unauthenticatedIdentity">guest</module-option>
                     <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                     <module-option name="java.naming.provider.url">ldap://OUR_LDAP_SERVER_NAME/</module-option>
                     <module-option name="java.naming.security.authentication">simple</module-option>
                     <!-- Rebind as a user with search privileges for the role queries cn=Root,dc=jboss,dc=org -->
                     <module-option name="java.naming.security.principal">CN=OUR_LDAP_BIND_NAME,CN=Users,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
                     <module-option name="java.naming.security.credentials">OUR_LDAP_BIND_PASSWORD</module-option>
                     <!-- was uid= but we are using CN= -->
                     <module-option name="principalDNPrefix">CN=</module-option>
                     <module-option name="principalDNSuffix">,OU=jbossUsers,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
                     <module-option name="rolesCtxDN">OU=jbossRoles,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
                     <module-option name="uidAttributeID">member</module-option>
                     <module-option name="matchOnUserDN">true</module-option>
                     <module-option name="roleAttributeID">cn</module-option>
                     <module-option name="roleAttributeIsDN">false</module-option>
                     <module-option name="searchTimeLimit">5000</module-option>
                     <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
                </login-module>
           </authentication>
      </application-policy>

      The ldap configuration we are trying works for other application-policies we have defined in the login-config.xml of the server, so we think that the ldap config is ok. We had to define an unauthenticated identity for the messaging (which we do not normally define) with user name guest; otherwise all sorts of things fail when the server boots.

      Question number 1.

      - Why do we need the unauthenticated identity?

      Question number 2.

      - The user guest is already defined on our ldap (windows active directory) with a different password. It is not username guest, password guest.

        Could this be a source of problems?

      Question number 3.

      - In the default database that comes with jboss messaging there is a bunch of users and roles defined on the tables JBM_USER, JBM_ROLE.

        Which of these users and roles are necessary for jboss messaging to work?

      Question number 4.

      - After making this change on the xml, and defining our users on the active directory / ldap, the messaging does not seem to be working, saying that "ouruser is not authenticated". Has anyone tried to switch jboss messaging from database to ldap?

      Thanks in advance,

      Nikos
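Added example (not part of the post above and not JBoss's own code): a small Python model of what the LdapLoginModule options in the policy do, so a policy can be checked before it is deployed. It parses the application-policy, reports option values that carry leading or trailing whitespace (the original policy has several multi-line values; whether the container trims them is not something this thread establishes, so the checker only reports them and the safe habit is to keep each value on one line), builds the bind DN from principalDNPrefix and principalDNSuffix, builds the role search filter that matchOnUserDN=true implies, and resolves roles against a constructed in-memory directory that stands in for Active Directory. The directory entries, the user password and the behaviour model itself (prefix + name + suffix bind DN, a (uidAttributeID=userDN) search under rolesCtxDN, unauthenticatedIdentity used only when no credentials are supplied) are my assumptions about the module's documented behaviour, not something verified against a particular JBoss build.

```python
"""Model of LdapLoginModule option handling (added example, not JBoss code)."""
import xml.etree.ElementTree as ET

NS = "{urn:jboss:security-beans:1.0}"

# Constructed policy mirroring the post, including one multi-line option value.
POLICY_XML = """<application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <module-option name="java.naming.provider.url">
          ldap://OUR_LDAP_SERVER_NAME/
      </module-option>
      <module-option name="principalDNPrefix">CN=</module-option>
      <module-option name="principalDNSuffix">,OU=jbossUsers,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
      <module-option name="rolesCtxDN">OU=jbossRoles,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeID">cn</module-option>
    </login-module>
  </authentication>
</application-policy>"""

# Constructed directory: group entries under rolesCtxDN keyed by DN, plus the
# password the "bind" step checks. A real deployment talks to the LDAP server.
DIRECTORY = {
    "CN=Publisher,OU=jbossRoles,DC=OUR_LDAP_SERVER_NAME,DC=local": {
        "cn": ["Publisher"],
        "member": ["CN=ouruser,OU=jbossUsers,DC=OUR_LDAP_SERVER_NAME,DC=local"],
    },
    "CN=Guests,OU=jbossRoles,DC=OUR_LDAP_SERVER_NAME,DC=local": {
        "cn": ["guest"],
        "member": ["CN=guest,OU=jbossUsers,DC=OUR_LDAP_SERVER_NAME,DC=local"],
    },
}
PASSWORDS = {"CN=ouruser,OU=jbossUsers,DC=OUR_LDAP_SERVER_NAME,DC=local": "example-only"}


def parse_options(xml_text):
    """Return {option name: raw text} for the first login-module in the policy."""
    root = ET.fromstring(xml_text)
    module = root.find(f"{NS}authentication/{NS}login-module")
    return {o.get("name"): (o.text or "") for o in module.findall(f"{NS}module-option")}


OPTIONS = parse_options(POLICY_XML)


def padded_options(options):
    """Option names whose value carries leading/trailing whitespace or newlines."""
    return sorted(n for n, v in options.items() if v != v.strip())


def user_dn(options, username):
    """Bind DN the module builds: principalDNPrefix + username + principalDNSuffix."""
    return options["principalDNPrefix"].strip() + username + options["principalDNSuffix"].strip()


def _match_value(options, username):
    """matchOnUserDN=true matches the full user DN in the role search, else the bare name."""
    if options.get("matchOnUserDN", "false").strip().lower() == "true":
        return user_dn(options, username)
    return username


def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot change the structure of the filter."""
    for ch, code in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, code)
    return value


def role_filter(options, username):
    """Search filter issued under rolesCtxDN: (uidAttributeID=<match value>)."""
    return f"({options['uidAttributeID'].strip()}={escape_filter_value(_match_value(options, username))})"


def resolve_roles(options, username, directory):
    """Emulate the role search: entries below rolesCtxDN whose uidAttributeID holds
    the match value contribute their roleAttributeID values as roles."""
    ctx = options["rolesCtxDN"].strip().lower()
    needle = _match_value(options, username).lower()
    uid_attr = options["uidAttributeID"].strip()
    role_attr = options["roleAttributeID"].strip()
    roles = []
    for dn, attrs in directory.items():
        if dn.lower().endswith("," + ctx) and needle in (v.lower() for v in attrs.get(uid_attr, [])):
            roles.extend(attrs.get(role_attr, []))
    return sorted(roles)


def login(options, username, password, directory, passwords):
    """Login decision: no credentials -> unauthenticatedIdentity with no roles;
    otherwise a simple bind as the derived DN, then the role lookup."""
    if username is None:
        unauth = options.get("unauthenticatedIdentity")
        if unauth is None:
            raise PermissionError("no credentials and no unauthenticatedIdentity configured")
        return unauth.strip(), []
    dn = user_dn(options, username)
    if passwords.get(dn) != password:  # stands in for the LDAP simple bind
        raise PermissionError(f"{username} is not authenticated")
    return username, resolve_roles(options, username, directory)


if __name__ == "__main__":
    print("padded option values:", padded_options(OPTIONS))
    print("bind DN:", user_dn(OPTIONS, "ouruser"))
    print("role filter:", role_filter(OPTIONS, "ouruser"))
    print(login(OPTIONS, "ouruser", "example-only", DIRECTORY, PASSWORDS))
    print(login(OPTIONS, None, None, DIRECTORY, PASSWORDS))
```

The two strings worth taking to a real directory are the bind DN and the role filter: bind as the user DN to confirm the prefix/suffix really lands in OU=jbossUsers, and search rolesCtxDN with the filter, bound as the service account, to confirm the group's member attribute lists the user's full DN (which is what matchOnUserDN=true requires). A "not authenticated" result corresponds to the bind step here, before any role lookup happens.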