<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="http://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
Switching messaging to ldap
</h3>
<span style="margin-bottom: 10px;">
created by <a href="http://community.jboss.org/people/massios">Nikos Massios</a> in <i>JBoss Messaging</i> - <a href="http://community.jboss.org/message/576600#576600">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><pre><span style="font-family: arial,helvetica,sans-serif;">Hello,<br/><br/>We are trying to switch jboss messaging to use ldap as a user source on a JBoss 5.1 GA.<br/><br/>in the file</span><br/>\server\nodeX\deploy\messaging\messaging-jboss-beans.xml<br/><span style="font-family: arial,helvetica,sans-serif;"><br/>There is a part that defines the application-policy and the default is to take the users from the data base</span><br/><br/></pre><pre class="jive-pre"><code class="jive-code jive-xml"><span class="jive-xml-tag"><application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging"></span>
     <span class="jive-xml-tag"><authentication></span>
          <span class="jive-xml-tag"><login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required"></span>
               <span class="jive-xml-tag"><module-option name="unauthenticatedIdentity"></span>guest<span class="jive-xml-tag"></module-option></span>
               <span class="jive-xml-tag"><module-option name="dsJndiName"></span>java:/DefaultDS<span class="jive-xml-tag"></module-option></span>
               <span class="jive-xml-tag"><module-option name="principalsQuery"></span>SELECT PASSWD FROM JBM_USER WHERE USER_ID=?<span class="jive-xml-tag"></module-option></span>
               <span class="jive-xml-tag"><module-option name="rolesQuery"></span>SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?<span class="jive-xml-tag"></module-option></span>
          <span class="jive-xml-tag"></login-module></span>
     <span class="jive-xml-tag"></authentication></span>
<span class="jive-xml-tag"></application-policy></span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>We have tried switching this part of the xml to take the users from the ldap like in here.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-xml"><span class="jive-xml-tag"><application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging"></span>
        <span class="jive-xml-tag"><authentication></span>
            <span class="jive-xml-tag"><login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                          flag="required"></span>
          <span class="jive-xml-tag"><module-option name="unauthenticatedIdentity"></span>guest<span class="jive-xml-tag"></module-option></span>
                <span class="jive-xml-tag"><module-option name="java.naming.factory.initial"></span>
                    com.sun.jndi.ldap.LdapCtxFactory
                    <span class="jive-xml-tag"></module-option></span>
                <span class="jive-xml-tag"><module-option name="java.naming.provider.url"></span>
                    ldap://OUR_LDAP_SERVER_NAME/
                <span class="jive-xml-tag"></module-option></span>
                <span class="jive-xml-tag"><module-option name="java.naming.security.authentication"></span>
                    simple
                <span class="jive-xml-tag"></module-option></span>
                <span class="jive-xml-comment"><!-- Rebind as a user with search priviledges for the role queries cn=Root,dc=jboss,dc=org-->
                <span class="jive-xml-tag"><module-option name="java.naming.security.principal"></span>CN=OUR_LDAP_BIND_NAME,CN=Users,DC=OUR_LDAP_SERVER_NAME,DC=local<span class="jive-xml-tag"></module-option></span>                   
                <span class="jive-xml-tag"><module-option name="java.naming.security.credentials"></span>OUR_LDAP_BIND_PASSWORD<span class="jive-xml-tag"></module-option></span>                   
             <!-- was uid= but we are using CN= --></span>
                <span class="jive-xml-tag"><module-option name="principalDNPrefix"></span>CN=<span class="jive-xml-tag"></module-option></span>                   
                <span class="jive-xml-tag"><module-option name="principalDNSuffix"></span>,OU=jbossUsers,DC=OUR_LDAP_SERVER_NAME,DC=local<span class="jive-xml-tag"></module-option></span>
                <span class="jive-xml-tag"><module-option name="rolesCtxDN"></span>OU=jbossRoles,DC=OUR_LDAP_SERVER_NAME,DC=local<span class="jive-xml-tag"></module-option></span>
                <span class="jive-xml-tag"><module-option name="uidAttributeID"></span>member<span class="jive-xml-tag"></module-option></span>
                <span class="jive-xml-tag"><module-option name="matchOnUserDN"></span>true<span class="jive-xml-tag"></module-option></span>
                <span class="jive-xml-tag"><module-option name="roleAttributeID"></span>cn<span class="jive-xml-tag"></module-option></span>
                <span class="jive-xml-tag"><module-option name="roleAttributeIsDN"></span>false<span class="jive-xml-tag"></module-option></span>
                <span class="jive-xml-tag"><module-option name="searchTimeLimit"></span>5000<span class="jive-xml-tag"></module-option></span>
                <span class="jive-xml-tag"><module-option name="searchScope"></span>ONELEVEL_SCOPE<span class="jive-xml-tag"></module-option></span>
            <span class="jive-xml-tag"></login-module></span>
        <span class="jive-xml-tag"></authentication></span>
<span class="jive-xml-tag"></application-policy></span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The ldap configuration we are trying works for other appliction-policies we have defined in the login_config.xml of the server so we think that the ldap config is ok. We had to define an unauthenticated identity for the messaging, that we do not normally define, with user name guest, otherwise all sort of things fail when the server boots.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Question number 1.</p><p>- Why do we need the unauthenticated identity?</p><p>Question number 2.</p><p>- The user guest is already defined on our ldap (windows active directory) with a different password. It is not username guest password guest.</p><p>   Could this be a source of problems?</p><p>Question number 3.</p><p>- In the default database that comes with jboss messaging there is a bunch of users and roles defined on the tables JBM_USER, JBM_ROLE.</p><p>  Which of these users and roles are necessary for jboss messaging to work?</p><p>Question number 4</p><p> - After making this change on the xml, and defining our users on the active directory / ldap the messaging seems not to be working. Saying that</p><p>"ouruser is not authenticated". Has anyone tried to switch from database to ldap jboss messaging?</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Thanks in advance,</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Nikos</p></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Reply to this message by <a href="http://community.jboss.org/message/576600#576600">going to Community</a></p>
<p style="margin: 0;">Start a new discussion in JBoss Messaging at <a href="http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2042">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>