Affects Version/s: 4.3.1-fuse-01-09
Fix Version/s: 4.3.1-fuse-xx-00
I've run into an additional issue when testing the fix for MB-851. MB-851 corrected several issues with activemq and LDAP authorization. Once this patch was made available, I tried to set it up as an embedded broker in Servicemix, 4.3.1-09 with the following results:
Once the work-around for ESB-1434 was applied to use the Felix framework instead of Equinox, I was able to successfully authorize a request through a "Spring" configured broker. Unfortunately, when using a blueprint configured broker, my request fails with "User jdoe is not authorized to create: topic://ActiveMQ.Advisory.Connection". This was the exact issue that MB-851 was to fix. Upon further analysis, I can see that the spring configured broker has additional requests in the LDAP log:
The configurations are identical and they both reference a jaas configuration from ./deploy. There's a bug somewhere.
- Updating the ./etc/activemq-broker.xml to use LDAP authorization (see attached blueprint_activemq_broker.xml) results in an authorization error on an ActiveMQ topic
- Creating a new spring based configuration using activemq-create and then adding same LDAP configurations, works. (with workaround for
1. Open LDAP comes pre-installed on MAC:
A. As root user, copy /private/var/db/openldap/openldap-data/DB_CONFIG.example to /private/var/db/openldap/openldap-data/DB_CONFIG. I didn't make any changes.
B. Put attached slapd.conf based on slapd.conf.default in /private/etc/openldap
C. Start the server: nohup /usr/libexec/slapd -d 255 &
D. Add entries: ldapadd -x -D"cn=admin,dc=fusesource,dc=com" -W -f patched.ldif (attached)
The password is "sunflower"
Initial Servicemix Set-up
1. Update Servicemix 4.3.1-09 to use the patched version of activemq (
A. Edit the system/org/apache/servicemix/apache-servicemix/4.3.1-fuse-01-09/apache-servicemix-4.3.1-fuse-01-09-activemq-features.xml :
2. Change Framework to felix in ./etc/config.properties (per
B. Start Servicemix, make sure activemq core file is correct and there is only one
[ 45] [Active ] [Created ] [ ] [ 60] activemq-core (5.4.2.fuse-03-00-SNAPSHOT)
Blueprint Use Case
1. Deploy jaas configuration, attached ldap_amq_module.xml
2. Stop current, default activemq-broker.xml.
3. Replace the existing ./etc/activemq-broker.xml with the attached blueprint_activemq-broker.xml. The only change here is to remove connection pooling stuff and add the authentication and authorization. I removed the first part as the log fills up with the authorization errors based on the connection. It's easier to see it once with a producer (in my opinion).
4. Update and restart the broker.
5. Using the ProducerTool shipped with activemq, run the demo "ant producer -Durl=tcp://0.0.0.0:61616 -Dmax=1"
Spring Use case
1. Install activemq-spring if need be
2. Copy the attached LdapSpringBroker-broker.xml to ./deploy directory
3. Using the ProducerTool shipped with activemq, run the demo:
"ant producer -Durl=tcp://0.0.0.0:61617 -Dmax=1"
(Note slight IP change at end, 7 instead of 6).
Message successfully put on queue.
I do have problems with my blueprint broker going into a GracePeriod:
To get around this I have to shut down and/or blow away the data directory. I haven't been able to nail this down, although various experiments in a non-patched version without LDAP seem to be fine.
I think I have everything. I unzipped a fresh install of servicemix while I was doing this. If there are any problems setting it up, please let me know.