greenapple wrote:
Say a new application yyy requested to use JMS.
My job as a JMS admin is to create the queues needed (on the fly), add users and groups (on the fly) and grant permissions to certain users and groups to read/write/both/etc (also on the fly).
By on the fly, I mean: without having to restart ActiveMQ. TIBCO EMS for example had some user interface to do this.
I'm in the middle of an ActiveMQ 5.1 rollout using LDAP configuration for this very reason
(I will be contributing some patches so apologies if the following instructions won't work out of the box)...
There are several components required for an LDAP solution:
1. An LDAP server (there are several Open Source options - we're using OpenLDAP)
2. An LDAP GUI client - you don't want to be editing/importing LDIF files all the time or mucking about with the command line - we've got phpldapadmin.
Once these are installed you need to perform a base set-up on LDAP:
1. Create the structure for ActiveMQ in your LDAP server (sample LDIF file attached)
2. Create a 'bind user' for ActiveMQ to log on to the LDAP server (included in LDIF)
To configure ActiveMQ (assuming you don't need networked brokers):
1. Configure the JAAS LDAPLoginModule and the LDAPAuthorizationMap in activemq.xml:
<plugins>
  <!-- use JAAS to authenticate, using the login.config file on the classpath to configure JAAS -->
  <jaasAuthenticationPlugin configuration="LdapConfiguration" />
  <!-- let's configure a destination-based role/group authorization mechanism -->
  <authorizationPlugin>
    <map>
      <bean xmlns="http://www.springframework.org/schema/beans" id="lDAPAuthorizationMap" class="org.apache.activemq.security.LDAPAuthorizationMap">
        <property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
        <property name="connectionURL" value="ldap://ldap.acme.com:389"/>
        <property name="authentication" value="simple"/>
        <property name="connectionUsername" value="cn=mqbroker,ou=Services,dc=acme,dc=com"/>
        <property name="connectionPassword" value="password"/>
        <property name="connectionProtocol" value="s"/>
        <property name="topicSearchMatching" value="cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=com"/>
        <property name="topicSearchSubtreeBool" value="true"/>
        <property name="queueSearchMatching" value="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=com"/>
        <property name="queueSearchSubtreeBool" value="true"/>
        <property name="adminBase" value="(cn=admin)"/>
        <property name="adminAttribute" value="member"/>
        <property name="adminAttributePrefix" value="cn="/>
        <property name="readBase" value="(cn=read)"/>
        <property name="readAttribute" value="member"/>
        <property name="readAttributePrefix" value="cn="/>
        <property name="writeBase" value="(cn=write)"/>
        <property name="writeAttribute" value="member"/>
        <property name="writeAttributePrefix" value="cn="/>
      </bean>
    </map>
  </authorizationPlugin>
</plugins>
2. Configure the JAAS login.config (I haven't de-duplicated the config yet):
LdapConfiguration {
  org.apache.activemq.jaas.LDAPLoginModule required
    debug=true
    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connectionURL="ldap://ldap.acme.com:389"
    connectionUsername="cn=mqbroker,ou=Services,dc=acme,dc=com"
    connectionPassword=password
    connectionProtocol=s
    authentication=simple
    userBase="ou=User,ou=ActiveMQ,ou=systems,dc=acme,dc=com"
    userRoleName=dummyUserRoleName
    userSearchMatching="(uid={0})"
    userSearchSubtree=false
    roleBase="ou=Group,ou=ActiveMQ,ou=systems,dc=acme,dc=com"
    roleName=cn
    roleSearchMatching="(member:=uid={1})"
    roleSearchSubtree=true
    ;
};
3. Fire it up...
You can then perform your runtime tasks using the LDAP admin tool.
Hope this helps,
Robin
sample.ldif
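As an added example (not code from Robin's post or from ActiveMQ itself), the following Python resolves the effective queue permissions that the activemq.xml and login.config above imply, given an LDIF export of the tree: it joins the user's groups (roleBase, roleName=cn, roleSearchMatching) against the read/write/admin entries under the queue (queueSearchMatching, readBase/writeBase/adminBase, the member attribute and the cn= prefix). The directory layout, the queue name yyy and the user and group names are constructed assumptions modelled on the search bases in the config, since sample.ldif is not reproduced here.

```python
BASE = "ou=ActiveMQ,ou=systems,dc=acme,dc=com"
QUEUE_BASE = "ou=Queue,ou=Destination," + BASE   # suffix of queueSearchMatching
ROLE_BASE = "ou=Group," + BASE                    # roleBase in login.config

# Constructed sample directory for this added example (assumed layout; the post's
# sample.ldif is not reproduced here).
SAMPLE_LDIF = f"""dn: cn=read,cn=yyy,{QUEUE_BASE}
member: cn=yyy-consumers,{ROLE_BASE}

dn: cn=write,cn=yyy,{QUEUE_BASE}
member: cn=mq-admins,{ROLE_BASE}

dn: cn=admin,cn=yyy,{QUEUE_BASE}
member: cn=mq-admins,{ROLE_BASE}

dn: cn=yyy-consumers,{ROLE_BASE}
cn: yyy-consumers
member: uid=alice,ou=User,{BASE}

dn: cn=mq-admins,{ROLE_BASE}
cn: mq-admins
member: uid=robin,ou=User,{BASE}
"""

def parse_ldif(text):
    """Minimal LDIF reader: dn -> {attr: [values]}; no continuation lines or base64."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "dn":
            current = entries.setdefault(value.strip(), {})
        elif sep and current is not None:
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def user_roles(entries, uid):
    """login.config: roleBase=ou=Group, roleName=cn, roleSearchMatching=(member:=uid={1})."""
    def is_member(value):  # the filter is read as 'a member value whose first RDN is uid=<user>'
        return value == f"uid={uid}" or value.startswith(f"uid={uid},")
    return {cn for dn, attrs in entries.items() if dn.endswith("," + ROLE_BASE)
            and any(map(is_member, attrs.get("member", []))) for cn in attrs.get("cn", [])}

def queue_roles(entries, queue, op):
    """LDAPAuthorizationMap: <op>Base=(cn=<op>) under cn={0},ou=Queue,...; member's first RDN = role."""
    acl = entries.get(f"cn={op},cn={queue},{QUEUE_BASE}", {})
    return {m[3:].split(",", 1)[0] for m in acl.get("member", []) if m.startswith("cn=")}

def can(entries, uid, queue, op):
    return bool(user_roles(entries, uid) & queue_roles(entries, queue, op))
```

Run against a real `ldapsearch -LLL` export of the ou=ActiveMQ subtree, this gives a quick offline review of who can read, write or administer a destination after on-the-fly changes, without touching the broker.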