ActiveMQ / AMQ-3770

Generalize LDAP group processing / LDAP group expansion

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1
    • Fix Version/s: 5.7.0
    • Component/s: Broker
    • Labels:
      None
    • Patch Info:
      Patch Available

      Description

      One of the issues with the way that LDAP integration is implemented in ActiveMQ is that it is making some serious assumptions based on how the examples are for Apache Directory. These assumptions prevent other LDAP implementations from functioning correctly (e.g., Active Directory). I've gone in and replaced all of the String.split stuff with LdapName. LdapName is Java's implementation of RFC 2253 for names in LDAP. All current test cases still work, while allowing other LDAP implementations to work.

      I've also implemented group expansion for the LDAPLoginModule. For example, group A is a member of groups B and C. User X is a member of group A, which should mean user X is also a member of groups B and C by virtue of being in group A. This allows for a hierarchy of roles making role management much easier in my opinion.

      1. LDAPUpdatesAndTest1.patch
        36 kB
        Chris Robison
      2. LDAPAuthorizationMap.java
        18 kB
        Chris Robison
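
The two changes described above, shown as an added example (this is not the attached patch or ActiveMQ's code): parsing group DNs with LdapName instead of String.split, and expanding nested group membership. The class name, the in-memory MEMBER_OF map standing in for directory lookups, the sample DNs and the membership cycle are all constructed for illustration.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class GroupExpansionExample {
    // Constructed sample directory: group DN -> groups it is a direct member of.
    static final Map<LdapName, List<LdapName>> MEMBER_OF = new HashMap<>();

    static LdapName dn(String s) {
        try {
            return new LdapName(s);
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException("not an RFC 2253 name: " + s, e);
        }
    }

    // Role name = value of the leftmost RDN; LdapName indexes RDNs right to left.
    static String roleOf(LdapName group) {
        return group.getRdn(group.size() - 1).getValue().toString();
    }

    // Transitive closure of group membership; the seen set stops membership cycles.
    static Set<String> expand(Collection<LdapName> direct) {
        Set<LdapName> seen = new LinkedHashSet<>(direct);
        Deque<LdapName> todo = new ArrayDeque<>(direct);
        while (!todo.isEmpty()) {
            for (LdapName parent : MEMBER_OF.getOrDefault(todo.poll(), List.of())) {
                if (seen.add(parent)) todo.add(parent);
            }
        }
        Set<String> roles = new LinkedHashSet<>();
        for (LdapName g : seen) roles.add(roleOf(g));
        return roles;
    }

    public static void main(String[] args) {
        String a = "CN=A,OU=Groups,DC=example,DC=com";
        String b = "CN=B,OU=Groups,DC=example,DC=com";
        String c = "CN=Ops\\, EU,OU=Groups,DC=example,DC=com"; // escaped comma inside the RDN value
        MEMBER_OF.put(dn(a), List.of(dn(b), dn(c)));
        MEMBER_OF.put(dn(c), List.of(dn(a))); // constructed cycle: C is also a member of A

        // Naive parsing cuts the role name at the escaped comma.
        System.out.println("split:    " + c.split(",")[0].split("=")[1]);
        // LdapName unescapes the value and returns the full role name.
        System.out.println("LdapName: " + roleOf(dn(c)));
        // User X is a direct member of A only; expansion adds the roles inherited through A.
        System.out.println("roles:    " + expand(List.of(dn(a))));
    }
}
```

A role name truncated by naive parsing will not match the entries in the broker's authorization map, so the difference between the first two lines of output is the authorization-relevant part.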

          Activity

          Chris Robison created issue -
          Chris Robison added a comment -
          • Patching including updates to LDAP integration everywhere except LDAPAuthorizationMap. Also includes group expansion with test case.
          • Updated LDAPAuthorizationMap to generalize LDAP name processing
          Chris Robison made changes -
          Field Original Value New Value
          Attachment LDAPUpdatesAndTest1.patch [ 12518389 ]
          Attachment LDAPAuthorizationMap.java [ 12518390 ]
          David Valeri made changes -
          Link This issue is related to AMQ-3791 [ AMQ-3791 ]
          Dejan Bosanac made changes -
          Assignee Dejan Bosanac [ dejanb ]
          Dejan Bosanac added a comment -

          group expansion is committed with svn revision 1347649. I believe that String split problem was addressed with AMQ-3791. Please test it out and reopen if I missed anything.

          Dejan Bosanac made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Fix Version/s 5.7.0 [ 12321258 ]
          Resolution Fixed [ 1 ]

            People

            • Assignee: Dejan Bosanac
            • Reporter: Chris Robison
            • Votes: 0
            • Watchers: 1