13 Replies Latest reply on Aug 30, 2017 11:05 AM by John Smith

    AMQ 7.0.1 with LDAP for authentication and authorization.

    John Smith Newbie

      Hello,

      I am working with AMQ 7 to configure with LDAP for

      According to AMQ 7 document I have set "security-setting" in broker.xml and updated the "login.config" with proper LDAP properties.

      For authorization I have to add "security-setting-plugin".

      But I am not sure in which configuration file I have to add it.

      Thanks,

      John

        • 1. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
          Justin Bertram Master

          The <security-setting-plugin> element is defined in <security-settings> in broker.xml.

          • 2. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
            John Smith Newbie

            Thanks for your response, Justin.

            I have tried the following block inside <security-settings> as well as inside <security-setting>, but got an error (Invalid configuration) when starting the instance in both cases, and the start failed.

            <security-setting-plugin class-name="org.apache.activemq.artemis.core.server.impl.LegacyLDAPSecuritySettingPlugin">
                <setting name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                <setting name="connectionURL" value="ldap://198.198.1.3:636"/>
                <setting name="connectionUsername" value="uid=admin,ou=fun,ou=quality,o=orange,c=us"/>
                <setting name="connectionPassword" value="******"/>
                <setting name="connectionProtocol" value="s"/>
                <setting name="authentication" value="simple"/>
            </security-setting-plugin>

            Thanks,

            John

            • 3. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
              Justin Bertram Master

              Can you provide the log where you saw the failure?

              • 4. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
                John Smith Newbie

                I got the error from a custom log.

                I have altered the bin/artemis-service script at "${ARTEMIS_INSTANCE}/bin/artemis" and forwarded error and output to a text file.

                In that file, I got this error.

                • 5. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
                  John Smith Newbie

                  Here is a more detailed log.

                  16:39:36,375 ERROR [org.apache.activemq.artemis.core.client] AMQ214019: Invalid configuration: org.xml.sax.SAXParseException; cvc-complex-type.2.4.a: Invalid content was found starting with element 'security-setting-plugin'. One of '{"urn:activemq:core":security-setting}' is expected.
                          at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203) [rt.jar:1.8.0_91]
                          at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:134) [rt.jar:1.8.0_91]
                          at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:396) [rt.jar:1.8.0_91]
                          at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:327) [rt.jar:1.8.0_91]
                          at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:284) [rt.jar:1.8.0_91]
                          at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:452) [rt.jar:1.8.0_91]
                          at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3230) [rt.jar:1.8.0_91]
                          at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:1790) [rt.jar:1.8.0_91]
                          at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:740) [rt.jar:1.8.0_91]
                          at com.sun.org.apache.xerces.internal.jaxp.validation.DOMValidatorHelper.beginNode(DOMValidatorHelper.java:277) [rt.jar:1.8.0_91]
                          at com.sun.org.apache.xerces.internal.jaxp.validation.DOMValidatorHelper.validate(DOMValidatorHelper.java:244) [rt.jar:1.8.0_91]
                          at com.sun.org.apache.xerces.internal.jaxp.validation.DOMValidatorHelper.validate(DOMValidatorHelper.java:190) [rt.jar:1.8.0_91]
                          at com.sun.org.apache.xerces.internal.jaxp.validation.ValidatorImpl.validate(ValidatorImpl.java:109) [rt.jar:1.8.0_91]
                          at javax.xml.validation.Validator.validate(Validator.java:124) [rt.jar:1.8.0_91]
                          at org.apache.activemq.artemis.utils.XMLUtil.validate(XMLUtil.java:330) [artemis-core-client-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
                          at org.apache.activemq.artemis.core.config.FileDeploymentManager.readConfiguration(FileDeploymentManager.java:85) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
                          at org.apache.activemq.artemis.cli.commands.Configurable.getFileConfiguration(Configurable.java:93) [artemis-cli-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
                          at org.apache.activemq.artemis.cli.commands.Run.execute(Run.java:64) [artemis-cli-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
                          at org.apache.activemq.artemis.cli.Artemis.internalExecute(Artemis.java:148) [artemis-cli-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
                          at org.apache.activemq.artemis.cli.Artemis.execute(Artemis.java:95) [artemis-cli-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
                          at org.apache.activemq.artemis.cli.Artemis.execute(Artemis.java:122) [artemis-cli-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
                          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_91]
                          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_91]
                          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_91]
                          at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_91]
                          at org.apache.activemq.artemis.boot.Artemis.execute(Artemis.java:129) [artemis-boot.jar:2.0.0.amq-700008-redhat-2]
                          at org.apache.activemq.artemis.boot.Artemis.main(Artemis.java:49) [artemis-boot.jar:2.0.0.amq-700008-redhat-2]

                  • 6. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
                    Justin Bertram Master

                    My guess is that you're attempting to define both <security-setting> elements along with your <security-setting-plugin> element inside <security-settings> which isn't allowed.  You can either have 1 or more <security-setting> elements or a single <security-setting-plugin>.
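An added example, not from the thread or the AMQ project: a pre-start check for the rule stated above, run over a broker.xml string before the broker's own schema validation rejects it. The two fragments are constructed (the mixed layout from post #2 and a plugin-only layout), and the permission-type list is the one that appears in the `<security-setting>` later in the thread.

```python
import xml.etree.ElementTree as ET

CORE = "urn:activemq:core"   # the namespace named in the schema error in post #5
NS = {"c": CORE}
# the ten permission types that appear in John's <security-setting> (post #9)
PERMISSION_TYPES = {
    "createDurableQueue", "deleteDurableQueue", "createNonDurableQueue",
    "deleteNonDurableQueue", "send", "consume", "browse", "manage",
    "createAddress", "deleteAddress",
}

def check_security_settings(broker_xml: str) -> list:
    """Return the problems found in <security-settings>; an empty list means it is OK."""
    root = ET.fromstring(broker_xml)
    problems = []
    for block in root.iter(f"{{{CORE}}}security-settings"):
        settings = block.findall("c:security-setting", NS)
        plugins = block.findall("c:security-setting-plugin", NS)
        if settings and plugins:   # the layout that produced the SAXParseException
            problems.append("mixes <security-setting> with <security-setting-plugin>")
        if len(plugins) > 1:
            problems.append("more than one <security-setting-plugin>")
        for s in settings:
            match = s.get("match")
            if not match:
                problems.append("<security-setting> without a match attribute")
            for p in s.findall("c:permission", NS):
                if p.get("type") not in PERMISSION_TYPES:
                    problems.append(f"unknown permission type {p.get('type')!r} in match {match!r}")
                if not p.get("roles"):
                    problems.append(f"permission {p.get('type')!r} in match {match!r} grants no roles")
    return problems

# Constructed fragments: the mixed layout from post #2 and a plugin-only layout.
MIXED = f"""<core xmlns="{CORE}">
  <security-settings>
    <security-setting match="#">
      <permission type="send" roles="EMP-Cloud-Admin"/>
    </security-setting>
    <security-setting-plugin class-name="org.apache.activemq.artemis.core.server.impl.LegacyLDAPSecuritySettingPlugin">
      <setting name="connectionProtocol" value="s"/>
    </security-setting-plugin>
  </security-settings>
</core>"""
PLUGIN_ONLY = f"""<core xmlns="{CORE}"><security-settings>
  <security-setting-plugin class-name="org.apache.activemq.artemis.core.server.impl.LegacyLDAPSecuritySettingPlugin"/>
</security-settings></core>"""

if __name__ == "__main__":
    print(check_security_settings(MIXED))        # ['mixes <security-setting> with <security-setting-plugin>']
    print(check_security_settings(PLUGIN_ONLY))  # []
```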

                    • 7. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
                      John Smith Newbie

                      Justin,

                      You are correct. I kept both "<security-setting>" and  "<security-setting-plugin>" inside "<security-settings>".

                      I have followed this doc: Using AMQ Broker - Red Hat Customer Portal

                      There are two sections in the LDAP part.

                      10.2.1. Using LDAP for Authentication

                      10.2.2. Configure LDAP Authorization

                      My confusion is whether I need to follow one or both of them for LDAP authentication and authorization?

                      Thanks,

                      John

                      • 8. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
                        Justin Bertram Master

                        My confusion is whether I need to follow one or both of them for LDAP authentication and authorization?

                        What you follow depends on what you want.  What you want isn't clear to me, so I'll explain the purpose of both.

                        Sections 10.2.1 and 10.2.2 have slightly misleading titles.

                        Section 10.2.1 is titled "Using LDAP for Authentication" but in reality the configuration there is used for both credential validation (i.e. authentication) and user role retrieval/mapping (which is part of authorization) via LDAP.  Using the configuration from 10.2.1, once the user is authenticated (by looking up the credentials in LDAP) and attempts to perform a particular action (e.g. send a message to an address) that user's role information will be retrieved (also from LDAP).  Then the broker will look at the user's role information and compare it to the settings in <security-settings> to determine whether or not the user has permission to perform the action.

                        Section 10.2.2 is titled "Configure LDAP Authorization" and it can be used essentially to load <security-setting> values from LDAP.  If you don't have this information in LDAP then you can just configure the settings in the XML (as they are by default).

                        Does that make sense?

                        • 9. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
                          John Smith Newbie

                          Sorry for this late reply.

                          Justin, your clarification is crystal clear to me now.

                          For my case, the "<security-setting>" parameters are not stored in LDAP, so I am ignoring section 10.2.2 and I have added my security settings manually.

                          I am trying to login to the AMQ web-based console using my LDAP credential. I am getting "Failed to login, Forbidden".

                          After checking the log, I see the role is being fetched properly from the LDAP server, but I am not able to login.

                          I have followed section 4.2.1 and set the following.

                          In broker.xml

                          <security-setting match="#">
                              <permission type="createDurableQueue" roles="EMP-Cloud-Admin"/>
                              <permission type="deleteDurableQueue" roles="EMP-Cloud-Admin"/>
                              <permission type="createNonDurableQueue" roles="EMP-Cloud-Admin"/>
                              <permission type="deleteNonDurableQueue" roles="EMP-Cloud-Admin"/>
                              <permission type="send" roles="EMP-Cloud-Admin"/>
                              <permission type="consume" roles="EMP-Cloud-Admin"/>
                              <permission type="browse" roles="EMP-Cloud-Admin"/>
                              <permission type="manage" roles="EMP-Cloud-Admin"/>
                              <permission type="createAddress" roles="EMP-Cloud-Admin"/>
                              <permission type="deleteAddress" roles="EMP-Cloud-Admin"/>
                          </security-setting>

                          In login.config

                          activemq {
                            org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
                               debug=true
                               initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
                               connectionURL="ldap://xyz.net:389"
                               connectionUsername="uid=pcloud_uid,ou=userids,ou=applications,o=xyz,c=us"
                               connectionPassword=*********
                               connectionProtocol=s
                               authentication=simple
                               userBase="ou=internal,o=xyz,c=us"
                               userSearchMatching="(uid={0})"
                               userSearchSubtree=true
                               roleBase="cn=EMP-Cloud-Admin,ou=groups,o=xyz,c=us"
                               roleName=cn
                               roleSearchMatching="(uniqueMember={0})"
                               roleSearchSubtree=true
                               ;
                          };

                          In artemis-roles.properties

                          EMP-Cloud-Admin = admin

                          In artemis.log

                          Following is the log I got after trying to login to the admin console (http://host:8161/hawtio/login).

                          09:55:47,259 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Create the LDAP initial context.
                          09:55:47,293 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get the user DN.
                          09:55:47,294 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user in LDAP with
                          09:55:47,294 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   base DN: ou=internal,o=xyz,c=us
                          09:55:47,294 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   filter: (uid=jsxxxx)
                          09:55:47,306 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] LDAP returned a relative name: ritsid=*******
                          09:55:47,306 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Using DN [ritsid=*******,ou=internal,o=xyz,c=us] for binding.
                          09:55:47,306 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Binding the user.
                          09:55:47,341 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] User ritsid=xxxxxxx,ou=internal,o=xyz,c=us successfully bound.
                          09:55:47,341 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Get user roles.
                          09:55:47,342 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Looking for the user roles in LDAP with
                          09:55:47,342 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   base DN: cn=EMP-Cloud-Admin,ou=groups,o=xyz,c=us
                          09:55:47,342 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule]   filter: (uniqueMember=ritsid=xxxxxx,ou=internal,o=xyz,c=us)
                          09:55:47,359 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Roles [EMP-Cloud-Admin] for user jsxxxx

                          Thanks.

                          John

                          • 10. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
                            Justin Bertram Master

                            The stuff defined in <security-settings> (whether it's individual <security-setting> elements or a <security-setting-plugin>) applies to what messaging clients can do on the broker.  The AMQ web console is not really a messaging client, per se.  It's a different animal.

                            Security for the web console is configured in <AMQ7_INSTANCE>/etc/artemis.profile.  The configuration you specifically care about is the "hawtio.role" system property that's passed to the broker when it starts.  By default this is "amq" which means that only users in the amq role are allowed to log in to the web console.  If you want users in the "EMP-Cloud-Admin" role to be able to log into the web console then you should change the "hawtio.role" accordingly.

                            One other thing... You mentioned your configuration of artemis-roles.properties.  Since your login.config is configured exclusively for LDAP then this file isn't actually used for anything.  You can safely delete it.  The artemis-roles.properties file is typically used when the PropertiesLoginModule is configured.
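An added example, not from the thread or the AMQ project, that puts posts #8 and #10 into code: the broker's permission decision (the roles the LDAPLoginModule returned, checked against the most specific matching `<security-setting>` for the address) alongside the separate hawtio.role gate for the web console. The wildcard syntax is the Artemis address syntax ('.', '*', '#'); the specificity ordering is my approximation of the broker's, and the settings and roles are constructed.

```python
def wildcard_match(pattern: str, address: str) -> bool:
    """Artemis address wildcards: '.' separates words, '*' is one word, '#' is zero or more."""
    return _match(pattern.split("."), address.split("."))

def _match(pat, words):
    if not pat:
        return not words
    head, rest = pat[0], pat[1:]
    if head == "#":                      # try consuming zero, one, ... all remaining words
        return any(_match(rest, words[i:]) for i in range(len(words) + 1))
    if words and head in ("*", words[0]):
        return _match(rest, words[1:])
    return False

def _specificity(pattern: str):
    # approximates the broker's ordering: fewer '#', then fewer '*', then the longer pattern
    return (pattern.count("#"), pattern.count("*"), -len(pattern))

def most_specific_setting(settings: dict, address: str):
    """Only the most specific matching <security-setting> is consulted; others are not merged in."""
    hits = [m for m in settings if wildcard_match(m, address)]
    return min(hits, key=_specificity) if hits else None

def is_allowed(settings: dict, address: str, permission: str, user_roles) -> bool:
    """settings: {match: {permission type: {role, ...}}}, i.e. <security-settings> as a dict."""
    match = most_specific_setting(settings, address)
    if match is None:
        return False                     # nothing matches, so nothing is granted
    return bool(settings[match].get(permission, set()) & set(user_roles))

def can_login_console(user_roles, hawtio_role: str = "amq") -> bool:
    """The web console is gated by the hawtio.role property (default "amq"), not by security-settings."""
    return hawtio_role in set(user_roles)

# Constructed settings: John's catch-all match from post #9 plus a narrower match for one address.
SETTINGS = {
    "#": {"send": {"EMP-Cloud-Admin"}, "consume": {"EMP-Cloud-Admin"}, "manage": {"EMP-Cloud-Admin"}},
    "orders.*": {"send": {"order-producer"}, "consume": {"order-consumer"}},
}
LDAP_ROLES = ["EMP-Cloud-Admin"]   # the roles the LDAPLoginModule debug log reports for jsxxxx

if __name__ == "__main__":
    print(is_allowed(SETTINGS, "reports.daily", "send", LDAP_ROLES))      # True, via '#'
    print(is_allowed(SETTINGS, "orders.eu", "send", LDAP_ROLES))          # False, 'orders.*' wins
    print(can_login_console(LDAP_ROLES))                                  # False with the default "amq"
    print(can_login_console(LDAP_ROLES, hawtio_role="EMP-Cloud-Admin"))   # True
```

The second call shows the gotcha behind "Forbidden"-style surprises on the messaging side: the narrower match replaces the catch-all rather than adding to it, so a role granted under "#" has nothing on "orders.eu" unless the narrower setting names it too.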

                            • 11. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
                              John Smith Newbie

                              Thanks, Justin.

                              I am able to login after changing role in artemis.profile.

                              You helped me a lot with the AMQ LDAP configuration.

                              I am very close with the LDAP configuration, because I have to make it SSL enabled.

                              I have checked the AMQ document, but I did not find anything detailed about it. Only one hint, "connectionProtocol=s", is there. But for SSL, what should I set for "connectionProtocol=" and how can I pass the public cert, key and CA chain?

                              Thanks,

                              John

                              • 12. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
                                Justin Bertram Master

                                You should set the "connectionProtocol" on the LDAPLoginModule to "ssl".  It's converted to the javax.naming.Context#SECURITY_PROTOCOL property on the InitialContext.  See http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html for more details.

                                • 13. Re: AMQ 7.0.1 with LDAP for authentication and authorization.
                                  John Smith Newbie

                                  Thanks, Justin.

                                  I have successfully configured LDAP over SSL.

                                  Thanks,

                                  John