I looked at that tutorial already. And you're right, works fine with Apache Directory, but I have to use Active Directory. I just created a plugin that inherited LDAPAuthorizationMap and changed the one method preventing what was currently there from working.
Chris

On Fri, Feb 3, 2012 at 2:48 AM, Torsten Mielke <tors...@fusesource.com> wrote:

> > Has anyone been able to use the LDAPAuthorizationMap successfully with
> > Active Directory?
>
> Not with ActiveDirectory but when following the LDAP tutorial of the
> ActiveMQ Security Guide from FuseSource, the LDAPAuthorizationMap works
> fine against Apache Directory Server.
> http://fusesource.com/docs/broker/5.5/security/LDAP.html
>
> Perhaps this tutorial can help?
>
> Torsten Mielke
> tors...@fusesource.com
> tmie...@blogspot.com
>
> On Feb 2, 2012, at 10:13 PM, Chris Robison wrote:
>
> > Has anyone been able to use the LDAPAuthorizationMap successfully with
> > Active Directory? In my investigation, I don't think it will ever work in
> > its current state. When looking at the code, it is making the assumption
> > that the value of the member attribute (or whatever attribute you are
> > using) is always going to be in the form "{0}={1}" (a RDN). But, according
> > to the OpenLDAP spec, the member attribute value is a distinguished name.
> > That means values are a comma delimited list of RDNs. So, for example I
> > have AD groups that represent MQ roles. Here's one I use:
> > "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The LDAPAuthorizationMap
> > considers the name of the role
> > "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". Is this by design? I
> > would be happy to submit a patch to change this behavior. Thoughts?
> >
> > Chris Robison
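
The mismatch discussed in this thread, as an added example that is neither ActiveMQ's code nor Chris's plugin: a `member` value parsed with the RDN pattern "{0}={1}" versus parsed as a distinguished name with the JDK's `javax.naming.ldap.LdapName`. A role name that still carries the rest of the DN will not match the role names written in the broker's authorization entries, so it is worth checking what name the parser actually yields. The class and method names are hypothetical, and the second and third sample values are constructed.

```java
import java.text.MessageFormat;
import java.text.ParseException;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class MemberDnRoleName {

    // RDN-style parse: {0} stops at the first '=', {1} takes the rest of the string,
    // so a full DN leaves the parent RDNs glued onto the role name.
    static String roleFromRdnPattern(String memberValue) throws ParseException {
        Object[] parts = new MessageFormat("{0}={1}").parse(memberValue);
        return (String) parts[1];
    }

    // DN-aware parse: the role name is the value of the leftmost (most specific) RDN.
    static String roleFromDn(String memberValue) throws InvalidNameException {
        LdapName dn = new LdapName(memberValue);
        if (dn.isEmpty()) {
            throw new InvalidNameException("empty member value");
        }
        // LdapName numbers RDNs from right to left, so the leftmost RDN is the last index.
        Rdn leaf = dn.getRdn(dn.size() - 1);
        // getValue() returns the unescaped attribute value (e.g. "\," becomes ",").
        return String.valueOf(leaf.getValue());
    }

    public static void main(String[] args) throws Exception {
        String[] samples = {
            "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp", // group DN quoted in the thread
            "CN=MQ\\,Admins,OU=Groups,DC=cdr,DC=corp",         // constructed: escaped comma in the CN
            "cn=users"                                          // constructed: bare RDN, both parsers agree
        };
        for (String member : samples) {
            System.out.printf("%s%n  RDN pattern -> [%s]%n  DN parse    -> [%s]%n",
                    member, roleFromRdnPattern(member), roleFromDn(member));
        }
    }
}
```

Splitting the value on commas by hand would mishandle the escaped-comma case, which is why the sketch relies on `LdapName` for the DN syntax.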