Hi Jason-

I think you may have a logical problem with your desired setup.

How do you plan to provide a list of groups or roles for users to map for 
authorization if you do not want to use the out-of-the-box LDAP for 
authorization? 

Usually, the out-of-the-box ActiveMQ LDAP config supplies groups that map to 
roles in order to use authorizationMap. Otherwise, you would need some sort of 
custom JAAS LoginModule or setup.

You could try to use a UserPrincipal class as the groupClass to 
authorizationPlugin and specify usernames instead of groups or roles, but you’d 
need to test that on your own as that is not a standard configuration.

          <authorizationMap groupClass="org.apache.activemq.jaas.UserPrincipal">

Matt Pavlovich
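To make the UserPrincipal idea concrete, here is a full `<plugins>` block as it would look with that change, as an added example that is not from the original thread and that Matt flags as a non-standard configuration to be tested by the reader. It assumes the `ldap` JAAS realm and the `queue_1` queue from Jason's config; `ldap_user` is taken from his entry, while `mq_admin` and `alice` are placeholder usernames constructed for the example.

```xml
<plugins>
    <!-- Authentication stays with the JAAS "ldap" realm from login.config -->
    <jaasAuthenticationPlugin configuration="ldap"/>
    <runtimeConfigurationPlugin checkPeriod="10000"/>
    <statisticsBrokerPlugin/>

    <authorizationPlugin>
        <map>
            <!-- groupClass tells the map which principal type to compare against
                 the names in read/write/admin. With UserPrincipal (instead of the
                 default GroupPrincipal) every name below must be a login username,
                 so no LDAP group or role lookup is involved in authorization. -->
            <authorizationMap groupClass="org.apache.activemq.jaas.UserPrincipal">
                <authorizationEntries>
                    <!-- placeholder usernames: ldap_user (from the thread), alice, mq_admin -->
                    <authorizationEntry queue="queue_1"
                                        read="ldap_user,alice"
                                        write="ldap_user"
                                        admin="mq_admin"/>
                    <!-- clients need admin on their temp destinations to create them -->
                    <authorizationEntry tempDestination="true"
                                        read="ldap_user,alice,mq_admin"
                                        write="ldap_user,alice,mq_admin"
                                        admin="ldap_user,alice,mq_admin"/>
                </authorizationEntries>
            </authorizationMap>
        </map>
    </authorizationPlugin>
</plugins>
```

Two things to check when trying this: the original `admin="ActiveMQ_Admins"` value no longer refers to an LDAP group, so it must be replaced by the username of whoever should administer the queue, and the comma-separated lists grow with every user, which is the trade-off of authorizing per user rather than per group.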

> On Sep 26, 2024, at 11:17 AM, Jason Jackson 
> <jason.jack...@itechag.com.INVALID> wrote:
> 
> I read through the link and several other Apache ideas and none of these 
> appear to address the issue.
> 
> I am using JAAS LDAP Authentication and that works, once the user is 
> authenticated using the JAAS Plug in their authorizations are then 
> set/provided via the following:
> 
> <plugins>
>     <jaasAuthenticationPlugin configuration="ldap"/>
>     <runtimeConfigurationPlugin checkPeriod="10000"/>
>     <statisticsBrokerPlugin/>
>     <authorizationPlugin>
>         <map>
>             <authorizationMap>
>                 <authorizationEntries>
>                     <authorizationEntry queue="queue_1" read="ldap_user" write="ldap_user" admin="ActiveMQ_Admins"/>
>                 </authorizationEntries>
>             </authorizationMap>
>         </map>
>     </authorizationPlugin>
> </plugins>
> 
> I do not want to use LDAP for my authorizations, just my authentication.  I 
> am not able to find anything in the links that discussed JAAS Authentication 
> LDAP caching or adjusting objectClass=* option.
> 
> 
> Jason
> 
> ________________________________
> From: Matt Pavlovich <mattr...@gmail.com>
> Sent: Wednesday, September 25, 2024 6:06 PM
> To: users@activemq.apache.org <users@activemq.apache.org>
> Subject: Re: ActiveMQ LDAP Query objectClass Issue
> 
> 
> Also— this document shows how to limit the queries and get rid of 
> objectClass=* style queries:
> 
> https://activemq.apache.org/components/classic/documentation/security
> 
> Thanks,
> Matt Pavlovich
> 
>> On Sep 25, 2024, at 5:01 PM, Matt Pavlovich <mattr...@gmail.com> wrote:
>> 
>> Hi Jason-
>> 
>> Sounds like you have some misconfiguration — either clients are connecting 
>> and sending one-message-per-connection, and/or you should add LDAP 
>> Connection Pooling settings.
>> 
>> Thanks,
>> Matt Pavlovich
>> 
>>> On Sep 25, 2024, at 3:45 PM, Jason Jackson 
>>> <jason.jack...@itechag.com.INVALID> wrote:
>>> 
>>> I have ActiveMQ classic configured to use LDAP for permissions and 
>>> authorizations.
>>> 
>>> Our LDAP server is being flooded with numerous LDAP queries and it is 
>>> consuming all of the resources.
>>> 
>>> I have added the following entries to my login.config file and none of 
>>> these appear to have helped
>>> 
>>> storePass="true"
>>> tryFirstPass="true"
>>> cachDurationMillis="1000000"
>>> 
>>> userObjectClass="inetOrgPerson"
>>> roleObjectClass="groupOfUniqueNames"
>>> 
>>> With all of the entries/settings our LDAP logs are showing a ton of entries 
>>> with the following search string
>>> 
>>> objectClass=*
>>> 
>>> Does anyone have any suggestions of a setting that should be implemented to 
>>> prevent the numerous calls being made to LDAP?
>>> 
>>> 
>>> Jason
>>> 