Nikos Massios [http://community.jboss.org/people/massios] created the discussion
"Switching messaging to ldap"
To view the discussion, visit:
http://community.jboss.org/message/576600#576600
--------------------------------------------------------------
Hello,
We are trying to switch JBoss Messaging to use LDAP as a user source on a JBoss 5.1 GA.
In the file
\server\nodeX\deploy\messaging\messaging-jboss-beans.xml
there is a part that defines the application-policy; the default is to take the users
from the database:
<application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="dsJndiName">java:/DefaultDS</module-option>
            <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
            <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
        </login-module>
    </authentication>
</application-policy>
We have tried switching this part of the XML to take the users from the LDAP, like
here:
<application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://OUR_LDAP_SERVER_NAME/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <!-- Rebind as a user with search privileges for the role queries
                 cn=Root,dc=jboss,dc=org -->
            <module-option name="java.naming.security.principal">CN=OUR_LDAP_BIND_NAME,CN=Users,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
            <module-option name="java.naming.security.credentials">OUR_LDAP_BIND_PASSWORD</module-option>
            <!-- was uid= but we are using CN= -->
            <module-option name="principalDNPrefix">CN=</module-option>
            <module-option name="principalDNSuffix">,OU=jbossUsers,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
            <module-option name="rolesCtxDN">OU=jbossRoles,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
            <module-option name="uidAttributeID">member</module-option>
            <module-option name="matchOnUserDN">true</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="searchTimeLimit">5000</module-option>
            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        </login-module>
    </authentication>
</application-policy>
The LDAP configuration we are trying works for other application-policies we have defined
in the login_config.xml of the server, so we think that the LDAP config is OK. We had to
define an unauthenticated identity for the messaging, which we do not normally define, with
user name guest; otherwise all sorts of things fail when the server boots.
Question number 1.
- Why do we need the unauthenticated identity?
Question number 2.
- The user guest is already defined on our LDAP (Windows Active Directory) with a
different password. It is not username guest, password guest.
Could this be a source of problems?
Question number 3.
- In the default database that comes with JBoss Messaging there is a bunch of users and
roles defined in the tables JBM_USER and JBM_ROLE.
Which of these users and roles are necessary for JBoss Messaging to work?
Question number 4.
- After making this change in the XML, and defining our users in the Active Directory /
LDAP, the messaging seems not to be working. It says
"ouruser is not authenticated". Has anyone tried to switch JBoss Messaging from database
to LDAP?
Thanks in advance,
Nikos
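As an added example (not from the post, nor JBoss code), the Python script below reads the LdapLoginModule block above and shows what the module will do with a login for "ouruser", based on the documented option semantics (assumed here): bind with principalDNPrefix + username + principalDNSuffix, then, because matchOnUserDN is true, search rolesCtxDN for (uidAttributeID=userDN). It also lists the settings a reviewer would raise before this descriptor goes to production; the XML is a trimmed copy of the post's configuration with its placeholders kept.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the LdapLoginModule block from the post (placeholders kept).
POLICY_XML = """<application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
 <authentication>
  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
   <module-option name="unauthenticatedIdentity">guest</module-option>
   <module-option name="java.naming.provider.url">ldap://OUR_LDAP_SERVER_NAME/</module-option>
   <module-option name="java.naming.security.credentials">OUR_LDAP_BIND_PASSWORD</module-option>
   <module-option name="principalDNPrefix">CN=</module-option>
   <module-option name="principalDNSuffix">,OU=jbossUsers,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
   <module-option name="rolesCtxDN">OU=jbossRoles,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
   <module-option name="uidAttributeID">member</module-option>
   <module-option name="matchOnUserDN">true</module-option>
   <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
  </login-module>
 </authentication>
</application-policy>"""

def _local(tag):
    # ElementTree prefixes namespaced tags with "{uri}"; keep only the local name.
    return tag.rsplit("}", 1)[-1]

def load_options(xml_text):
    """Return the module-option name -> value map of the LdapLoginModule."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "login-module" and el.get("code", "").endswith(".LdapLoginModule"):
            return {o.get("name"): (o.text or "").strip() for o in el if _local(o.tag) == "module-option"}
    raise ValueError("no LdapLoginModule in policy")

def user_dn(opts, username):
    """DN the module binds with: principalDNPrefix + username + principalDNSuffix."""
    return opts.get("principalDNPrefix", "") + username + opts.get("principalDNSuffix", "")

def role_search(opts, username):
    """(base DN, filter, scope) of the role query. With matchOnUserDN=true the full
    user DN is matched against uidAttributeID (documented semantics, assumed here)."""
    match_dn = opts.get("matchOnUserDN", "false").lower() == "true"
    value = user_dn(opts, username) if match_dn else username
    filt = "(%s=%s)" % (opts.get("uidAttributeID", "uid"), value)
    return opts["rolesCtxDN"], filt, opts.get("searchScope", "SUBTREE_SCOPE")

def weak_settings(opts):
    """Findings a reviewer would raise about this descriptor."""
    findings = []
    url = opts.get("java.naming.provider.url", "")
    if url.startswith("ldap://") and opts.get("java.naming.security.protocol") != "ssl":
        findings.append("simple bind over plain ldap:// sends every password in clear text")
    if opts.get("java.naming.security.credentials"):
        findings.append("service-account password is stored in clear text in the descriptor")
    if opts.get("unauthenticatedIdentity"):
        findings.append("callers with no credentials are mapped to " + opts["unauthenticatedIdentity"])
    return findings
```

Running `role_search(load_options(POLICY_XML), "ouruser")` shows exactly which entry under OU=jbossRoles must carry a `member` value equal to the user's full DN for a role to be found, which is the first thing to compare against the directory when a user is reported as not authenticated.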