[jboss-user] [JBoss Messaging] - Switching messaging to ldap

Nikos Massios do-not-reply at jboss.com
Fri Dec 17 06:12:18 EST 2010


Nikos Massios [http://community.jboss.org/people/massios] created the discussion

"Switching messaging to ldap"

To view the discussion, visit: http://community.jboss.org/message/576600#576600

--------------------------------------------------------------
Hello,

We are trying to switch jboss messaging to use ldap as a user source on a JBoss 5.1 GA.

In the file
\server\nodeX\deploy\messaging\messaging-jboss-beans.xml

there is a part that defines the application-policy, and the default is to take the users from the database:


<application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
     <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
               <module-option name="unauthenticatedIdentity">guest</module-option>
               <module-option name="dsJndiName">java:/DefaultDS</module-option>
               <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
               <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
          </login-module>
     </authentication>
</application-policy>

We have tried switching this part of the XML to take the users from LDAP, as shown here:

<application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://OUR_LDAP_SERVER_NAME/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <!-- Rebind as a user with search privileges for the role queries, e.g. cn=Root,dc=jboss,dc=org -->
            <module-option name="java.naming.security.principal">CN=OUR_LDAP_BIND_NAME,CN=Users,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
            <module-option name="java.naming.security.credentials">OUR_LDAP_BIND_PASSWORD</module-option>
            <!-- was uid= but we are using CN= -->
            <module-option name="principalDNPrefix">CN=</module-option>
            <module-option name="principalDNSuffix">,OU=jbossUsers,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
            <module-option name="rolesCtxDN">OU=jbossRoles,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
            <module-option name="uidAttributeID">member</module-option>
            <module-option name="matchOnUserDN">true</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="searchTimeLimit">5000</module-option>
            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        </login-module>
    </authentication>
</application-policy>

The LDAP configuration we are trying works for other application-policies we have defined in the login-config.xml of the server, so we think that the LDAP config is OK. We had to define an unauthenticated identity for the messaging, which we do not normally define, with user name guest; otherwise all sorts of things fail when the server boots.

Question number 1.
- Why do we need the unauthenticated identity?

Question number 2.
- The user guest is already defined on our LDAP (Windows Active Directory) with a different password. It is not username guest / password guest. Could this be a source of problems?

Question number 3.
- In the default database that comes with JBoss Messaging there is a bunch of users and roles defined in the tables JBM_USER and JBM_ROLE. Which of these users and roles are necessary for JBoss Messaging to work?

Question number 4.
- After making this change in the XML and defining our users in Active Directory / LDAP, messaging seems not to be working, saying "ouruser is not authenticated". Has anyone tried switching JBoss Messaging from database to LDAP?

Thanks in advance,

Nikos
--------------------------------------------------------------
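An added example, not part of the post and not JBoss code: it parses an application-policy like the LDAP one above, shows the DN that LdapLoginModule builds from principalDNPrefix + username + principalDNSuffix (the entry that must exist in the directory for the user bind to succeed), and lists the settings a reviewer would flag. SAMPLE_POLICY is a constructed copy of the poster's placeholders; the audit rules are assumptions of this example.

```python
# Added example (not from the original post or from JBoss).
import xml.etree.ElementTree as ET

NS = {"sb": "urn:jboss:security-beans:1.0"}

# Constructed sample mirroring the poster's LDAP policy (placeholders kept).
SAMPLE_POLICY = """<application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <module-option name="java.naming.provider.url">ldap://OUR_LDAP_SERVER_NAME/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="java.naming.security.credentials">OUR_LDAP_BIND_PASSWORD</module-option>
      <module-option name="principalDNPrefix">CN=</module-option>
      <module-option name="principalDNSuffix">,OU=jbossUsers,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
      <module-option name="rolesCtxDN">OU=jbossRoles,DC=OUR_LDAP_SERVER_NAME,DC=local</module-option>
    </login-module>
  </authentication>
</application-policy>"""


def module_options(policy_xml):
    """Return {option name: stripped value} for the first login-module."""
    root = ET.fromstring(policy_xml)
    lm = root.find("sb:authentication/sb:login-module", NS)
    return {o.get("name"): (o.text or "").strip() for o in lm.findall("sb:module-option", NS)}


def user_dn(opts, username):
    """DN that LdapLoginModule binds with: principalDNPrefix + username + principalDNSuffix."""
    return f"{opts.get('principalDNPrefix', '')}{username}{opts.get('principalDNSuffix', '')}"


def audit(opts):
    """Findings a defender would raise on this policy (rules are this example's own)."""
    findings = []
    url = opts.get("java.naming.provider.url", "")
    if url.startswith("ldap://") and opts.get("java.naming.security.authentication") == "simple":
        findings.append("simple bind over plain ldap:// sends passwords in cleartext")
    if "java.naming.security.credentials" in opts:
        findings.append("LDAP bind password stored in cleartext in the deployment descriptor")
    if opts.get("unauthenticatedIdentity"):
        findings.append(f"unauthenticated callers are mapped to '{opts['unauthenticatedIdentity']}'")
    return findings


if __name__ == "__main__":
    opts = module_options(SAMPLE_POLICY)
    print("user DN:", user_dn(opts, "ouruser"))
    for f in audit(opts):
        print("finding:", f)
```

If the printed DN does not match the entry actually present in the directory, the "not authenticated" failure from question 4 is expected, since the module binds with exactly that DN.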