3 Replies Latest reply on Apr 29, 2005 10:30 AM by osganian

    Problems getting JMS to authenticate using the LDAPLoginModule

    osganian

      I want to move from using the DatabaseServerLoginModule to query the JMS_USERS and JMS_ROLES tables to using the LDAPLoginModule, with all the JMS users and roles defined in my LDAP server. Here is the error I get on startup:

      2005-04-27 10:10:38,443 ERROR [org.jboss.ejb.plugins.jms.DLQHandler] Initialization failed DLQHandler
      javax.jms.JMSSecurityException: User: null is NOT authenticated
       at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:215)
       at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:51)
       at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:781)
       at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:287)
       at org.jboss.mq.il.jvm.JVMServerIL.authenticate(JVMServerIL.java:301)
       at org.jboss.mq.Connection.authenticate(Connection.java:1160)
       at org.jboss.mq.Connection.<init>(Connection.java:255)
       at org.jboss.mq.Connection.<init>(Connection.java:332)
       at org.jboss.mq.SpyConnection.<init>(SpyConnection.java:66)
       at org.jboss.mq.SpyConnectionFactory.createConnection(SpyConnectionFactory.java:87)
       at org.jboss.mq.SpyConnectionFactory.createQueueConnection(SpyConnectionFactory.java:124)
       at org.jboss.ejb.plugins.jms.DLQHandler.createService(DLQHandler.java:157)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalCreate(ServiceMBeanSupport.java:237)
       at org.jboss.system.ServiceMBeanSupport.create(ServiceMBeanSupport.java:164)
       at org.jboss.ejb.plugins.jms.JMSContainerInvoker.innerCreate(JMSContainerInvoker.java:542)
       at org.jboss.ejb.plugins.jms.JMSContainerInvoker.startService(JMSContainerInvoker.java:764)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:271)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:221)
      


      I didn't touch my SecurityManager mbean definition:

       <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
         <attribute name="DefaultSecurityConfig">
           <security>
             <role name="guest" read="true" write="true" create="true"/>
           </security>
         </attribute>
         <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>
         <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
       </mbean>
      


      And my login-config.xml file looks like:

       <application-policy name="other">
         <authentication>
           <login-module flag="requisite"
                         code="org.jboss.security.auth.spi.LdapLoginModule">
             <!-- Standard LDAP Options -->
             <module-option name="java.naming.factory.initial">
               com.sun.jndi.ldap.LdapCtxFactory
             </module-option>
             <module-option name="java.naming.provider.url">
               ldap://${ldap.host}:${ldap.port}/
             </module-option>
             <module-option name="java.naming.security.authentication">
               simple
             </module-option>
             ...
           </login-module>
         </authentication>
       </application-policy>
      


      In my LDAP server I have a guest user in the guest role defined (among other users and roles).

      Does anybody have any clue what I am doing wrong? All other services are authenticating fine against the LDAP server (JMX Admin, different web site users, etc.).

      Thanks for any help.
      Mike

        • 1. Re: Problems getting JMS to authenticate using the LDAPLoginModule
          osganian

          Does anybody know if this can be done?

          I'm looking around and it looks like I would need a LDAPStateManager that would know how to retrieve the information contained in the JMS_USERS, JMS_ROLES, and JMS_SUBSCRIPTIONS tables (when comparing to the JDBCStateManager).

          Is that true? It would be nice to have all users/roles/passwords in one location (LDAP makes sense for this) and not scattered all around (LDAP, JMS DB tables, jbossmq-state.xml, etc).

          Thanks for any help.

          • 2. Re: Problems getting JMS to authenticate using the LDAPLoginModule
            osganian

            Ok, I've gotten further but not quite far enough. I was populating users in an LDIF and I didn't have the format correct for specifying encrypted, base64-encoded passwords. Changed it to:

            userPassword: blahblahblah
            


            Where "blahblahblah" is an encrypted, base64-encoded password. All documentation I saw always specified it as:

            userPassword: {MD5}blahblahblah
            


            Anyway, now it looks like my users are being authenticated correctly against the LDAP server but now I get this error:

            2005-04-29 09:07:27,508 WARN [org.jboss.ejb.plugins.jms.JMSContainerInvoker] JMS provider failure detected:
            javax.jms.JMSSecurityException: Connection not authorized to do durable subscription on topic: myTopic
             at org.jboss.mq.security.ServerSecurityInterceptor.subscribe(ServerSecurityInterceptor.java:135)
             at org.jboss.mq.server.TracingInterceptor.subscribe(TracingInterceptor.java:816)
             at org.jboss.mq.server.JMSServerInvoker.subscribe(JMSServerInvoker.java:297)
             at org.jboss.mq.il.jvm.JVMServerIL.subscribe(JVMServerIL.java:314)
             at org.jboss.mq.Connection.addConsumer(Connection.java:863)
             at org.jboss.mq.SpyConnectionConsumer.<init>(SpyConnectionConsumer.java:95)
             at org.jboss.mq.SpyConnection.createDurableConnectionConsumer(SpyConnection.java:154)
             at org.jboss.ejb.plugins.jms.JMSContainerInvoker.innerCreate(JMSContainerInvoker.java:672)
             at org.jboss.ejb.plugins.jms.JMSContainerInvoker.startService(JMSContainerInvoker.java:764)
             at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:271)
             at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:221)
            


            Since my JMS user is in my LDAP server, where do I specify JMS subscription information? Currently there are only 2 StateManagers (JDBCStateManager and DynamicStateManager). Both state managers handle logins, passwords, client ids, and subscriptions. I don't want to specify user logins/passwords/client ids in 2 places, just in LDAP. Currently I still have my StateManager MBean (which the SecurityManager, DestinationManager, etc. depend on) pointed to a JDBCStateManager, which has queries that hit up against the JMS_USERS (empty since the info is in LDAP), JMS_ROLES (empty since the info is in LDAP), and JMS_SUBSCRIPTIONS tables.

            Anyone run across this and have any ideas? There's got to be a way to do this...

            Thanks.
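
The `{MD5}base64` form that post #2 found in the documentation is the RFC 2307 convention for `userPassword`: the hashing scheme is named in braces, followed by the base64 of the raw digest (for `{SSHA}`, digest plus salt). A value with no `{SCHEME}` prefix has no scheme at all under RFC 2307, so a server following it compares the bind password against that value as cleartext; what any particular directory server does with a bare base64 string is server-specific. The following is an added example written for this thread, not JBoss or directory-server code. It assumes the directory server is the component that checks the simple bind the LdapLoginModule performs, uses only Python's standard library, and goes a little beyond the post by covering `{SHA}` and salted `{SSHA}` as well as `{MD5}`. The DN suffix in the sample LDIF is a placeholder, not the poster's directory layout.

```python
"""Generate and verify LDAP userPassword values in the RFC 2307 "{SCHEME}base64" form.

Added example for this thread, not JBoss or directory-server code. Assumes the
directory server (not the LdapLoginModule, which only performs a simple bind) is
the component that compares a bind password against the stored userPassword.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Unsalted schemes map directly onto a hashlib constructor. {SSHA} is salted SHA-1:
# the salt is appended to the raw digest before base64 encoding, so a verifier must
# split the decoded bytes back into digest (20 bytes) and salt (the remainder).
_UNSALTED = {"MD5": hashlib.md5, "SHA": hashlib.sha1}
_SHA1_LEN = hashlib.sha1().digest_size  # 20


def make_userpassword(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Return a value suitable for an LDIF line such as 'userPassword: {SHA}...'."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        raw = hashlib.sha1(pw + salt).digest() + salt
    elif scheme in _UNSALTED:
        raw = _UNSALTED[scheme](pw).digest()
    else:
        raise ValueError("unsupported scheme: " + scheme)
    return "{" + scheme + "}" + base64.b64encode(raw).decode("ascii")


def split_userpassword(stored: str) -> Tuple[Optional[str], bytes]:
    """Split '{SCHEME}base64' into (scheme, decoded bytes).

    A value without a '{SCHEME}' prefix (the form the poster ended up with) is
    returned as (None, value bytes): RFC 2307 gives such a value no scheme, so a
    server following it treats it as the cleartext password.
    """
    if stored.startswith("{") and "}" in stored:
        scheme, _, b64 = stored[1:].partition("}")
        try:
            return scheme.upper(), base64.b64decode(b64)
        except binascii.Error:
            return scheme.upper(), b""  # malformed payload: will never verify
    return None, stored.encode("utf-8")


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value."""
    scheme, raw = split_userpassword(stored)
    pw = password.encode("utf-8")
    if scheme is None:
        # Unprefixed value: compared as cleartext, in constant time.
        return hmac.compare_digest(pw, raw)
    if scheme == "SSHA":
        digest, salt = raw[:_SHA1_LEN], raw[_SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme in _UNSALTED:
        return hmac.compare_digest(_UNSALTED[scheme](pw).digest(), raw)
    return False  # unknown scheme: refuse rather than guess


def ldif_entry(uid: str, password: str, scheme: str = "SSHA") -> str:
    """Constructed sample LDIF for one user; the DN suffix is a placeholder."""
    return "\n".join([
        f"dn: uid={uid},ou=people,dc=example,dc=com",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"cn: {uid}",
        f"sn: {uid}",
        f"userPassword: {make_userpassword(password, scheme)}",
    ])


if __name__ == "__main__":
    print(ldif_entry("guest", "guest", "MD5"))
    print(verify_userpassword("guest", make_userpassword("guest", "SSHA")))
```

Prefer `{SSHA}` over `{MD5}` or `{SHA}` when you control the server's password policy: the per-entry salt stops a single precomputed table from covering every user in the directory.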

            • 3. Re: Problems getting JMS to authenticate using the LDAPLoginModule
              osganian

              Seems like I'm picking this apart. Ok, got it to start up without any errors. Had a misprint in a jboss-service.xml file. However, there is still a problem. Since I'm using the JDBCStateManager, when I try to actually use the topic I get the following error:

              Cannot get a client ID; - nested throwable: (org.jboss.mq.SpyJMSException: Error retrieving preconfigured user dataloader; - nested throwable: (java.sql.SQLException: Table 'mydata.jms_users' doesn't exist))

              org.jboss.mq.SpyJMSException: Cannot get a client ID; - nested throwable: (org.jboss.mq.SpyJMSException: Error retrieving preconfigured user dataloader; - nested throwable: (java.sql.SQLException: Table 'mydata.jms_users' doesn't exist))
               at org.jboss.mq.Connection.askForAnID(Connection.java:1143)
               at org.jboss.mq.Connection.<init>(Connection.java:258)
               at org.jboss.mq.SpyConnection.<init>(SpyConnection.java:55)
               at org.jboss.mq.SpyConnectionFactory.createConnection(SpyConnectionFactory.java:108)
               at org.jboss.mq.SpyConnectionFactory.createTopicConnection(SpyConnectionFactory.java:141)
               at com.bunkersys.exchange.load.DataLoaderTest.setUp(DataLoaderTest.java:63)

              Caused by: org.jboss.mq.SpyJMSException: Error retrieving preconfigured user myuser; - nested throwable: (java.sql.SQLException: Table 'mydata.jms_users' doesn't exist)
               at org.jboss.mq.sm.jdbc.JDBCStateManager.getPreconfClientId(JDBCStateManager.java:365)
               at org.jboss.mq.sm.AbstractStateManager.checkUser(AbstractStateManager.java:234)
               at org.jboss.mq.server.JMSDestinationManager.checkUser(JMSDestinationManager.java:758)
               at org.jboss.mq.server.JMSServerInterceptorSupport.checkUser(JMSServerInterceptorSupport.java:274)
               at org.jboss.mq.server.TracingInterceptor.checkUser(TracingInterceptor.java:741)
               at org.jboss.mq.server.JMSServerInvoker.checkUser(JMSServerInvoker.java:274)
               at org.jboss.mq.il.uil2.ServerSocketManagerHandler.handleMsg(ServerSocketManagerHandler.java:182)
               at org.jboss.mq.il.uil2.SocketManager$ReadTask.handleMsg(SocketManager.java:358)
               at org.jboss.mq.il.uil2.msgs.BaseMsg.run(BaseMsg.java:377)
               at


              This makes sense, since I don't want to duplicate my user and role information in the database when I already have it in LDAP. So this begs the question: should there be an LDAPStateManager? All documentation I read says you can do this; see the JBoss document from Chapter 6 - Security Manager below:

              "You may be uncomfortable having to maintain your authentication and authorization information in an XML file. You can use any standard security store such as a database or LDAP server by simply updating the JAAS login-config.xml to provide the same username to password and user to role mappings as the DynamicStateManager . For example, to use a JDBC database, the following sample database tables and login-config.xml entry would work."

              Or do I just need to create a JMS_USERS and JMS_ROLES table with nothing in it?

              Thanks,
              Mike