So I finally have this working. The source code is for now available in the fon project (ssh://firstname.lastname@example.org/fon.git) in the fon-activemq module.
I spoke with Rob about this and the idea is that we should keep this closed source (for now) as an enterprise feature. This all can be discussed further of course.
As for the functionality of the plugin, it implements both pull and push of changes (as I discovered in the process of developing it, OpenLDAP, which AFAIK the customer is using, does not support the "persistent search" option, so we need to pull for changes).
Attached you can find 4 files that represent the LDIF and broker configuration for both ApacheDS (supports push) and OpenLDAP (does not). The ApacheDS configuration is used in tests, and if you install it on some other port, you should change the connection URI in the XML config (take the OpenLDAP XML for example). The OpenLDAP example is done using the server set up according to Susan's description in
You can also notice that there is a smaller number of configuration params. You can only set the LDAP connection settings and the baseDn where the ActiveMQ entries should be. I think this is the right approach, as it eliminates most of the complexity of configuring the plugin.
One note about the LDIF format. It is very similar to the one used by the current plugin. The only important thing is that the '>' character is replaced with '$' for "any descendant", as some LDAP servers do not support '>' in a DN.
The main parameter that determines whether we use push or pull for updates is "refreshInterval". If it's not set (or set to -1), it means that we will try to use the LDAP server's "persistent search" feature and will expect changes to be pushed to us. If you try this with a server that doesn't support it, you'll see an exception like "Operation not supported" on broker startup and no changes will be pushed.
If you set "refreshInterval" to some meaningful value (in ms), on every authorization request we will check whether we need to update our in-memory cache. This should all work fine as well and not impact the performance of the broker.
Also, I needed to add one improvement to the broker core in order for the pull option to work fine, so at the moment you'll need to use either the Apache 5.6-SNAPSHOT or 5.5-fuse-SNAPSHOT version of the broker for this to work properly. This improvement can easily be merged into any version we need it in.
To test this all out:
It'd be great if you could test this all out and see if it is fitting customer's requirements.
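The push/pull behaviour described above (refreshInterval unset or -1 means "rely on persistent search", a positive value in ms means "re-check the in-memory cache on every authorization request") is easy to get subtly wrong, so here is an added, self-contained illustration of that decision logic. It is not the fon-activemq plugin's code and does not use its API: the `AuthorizationCache` class, its `fetch`/`subscribe` callbacks and the destination-to-roles map are all hypothetical stand-ins for the LDAP lookups, with a fake clock so the refresh timing can be exercised offline. It also shows the failure mode from the mail: a server without persistent search raises on subscribe, and in push mode the cache then silently keeps serving the initial load.

```python
import time
from typing import Callable, Dict, Optional, Set

# Hypothetical shape of the data loaded from LDAP: destination -> allowed roles.
AuthzMap = Dict[str, Set[str]]


class AuthorizationCache:
    """In-memory authorization cache with the refreshInterval semantics from the mail.

    refresh_interval_ms < 0 or None -> push mode: expect the LDAP server to push
        changes (persistent search); the cache only changes via apply_push().
    refresh_interval_ms > 0         -> pull mode: on every authorization request,
        reload from LDAP if at least that many ms passed since the last load.
    """

    def __init__(self, fetch: Callable[[], AuthzMap],
                 refresh_interval_ms: Optional[int] = -1,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch            # stand-in for the LDAP search under baseDn
        self._interval = refresh_interval_ms
        self._clock = clock            # seconds; injectable for testing
        self._entries: AuthzMap = {}
        self._last_load: Optional[float] = None
        self.reload_count = 0          # how often we went to LDAP (for inspection)

    @property
    def push_mode(self) -> bool:
        return self._interval is None or self._interval < 0

    def _reload(self) -> None:
        self._entries = self._fetch()
        self._last_load = self._clock()
        self.reload_count += 1

    def _maybe_refresh(self) -> None:
        # First request always loads; afterwards only pull mode re-checks the age.
        if self._last_load is None:
            self._reload()
            return
        if self.push_mode:
            return
        elapsed_ms = (self._clock() - self._last_load) * 1000.0
        if elapsed_ms >= self._interval:
            self._reload()

    def apply_push(self, entries: AuthzMap) -> None:
        # Called by the persistent-search listener when the server pushes a change.
        self._entries = entries
        self._last_load = self._clock()
        self.reload_count += 1

    def start(self, subscribe: Callable[[Callable[[AuthzMap], None]], None]) -> bool:
        """Initial load plus, in push mode, an attempt to register for server pushes.

        Returns True only if push delivery is active. A server without persistent
        search (the OpenLDAP case in the mail) raises here; we keep the initial
        load, which is exactly the 'no changes will be pushed' situation.
        """
        self._reload()
        if not self.push_mode:
            return False
        try:
            subscribe(self.apply_push)
            return True
        except NotImplementedError as exc:
            print(f"persistent search unavailable, cache will not refresh: {exc}")
            return False

    def is_authorized(self, destination: str, role: str) -> bool:
        self._maybe_refresh()
        return role in self._entries.get(destination, set())


if __name__ == "__main__":
    # Constructed sample: a pull-mode cache whose second LDAP load adds a role.
    loads = {"n": 0}

    def fake_fetch() -> AuthzMap:
        loads["n"] += 1
        return {"FOO": {"admins"}} if loads["n"] == 1 else {"FOO": {"admins", "users"}}

    now = [0.0]
    cache = AuthorizationCache(fake_fetch, refresh_interval_ms=1000, clock=lambda: now[0])
    print(cache.is_authorized("FOO", "users"))   # False: first load has only admins
    now[0] = 1.0                                  # 1000 ms later -> reload on next request
    print(cache.is_authorized("FOO", "users"))   # True
```

The useful check in practice is the return value of `start()`: if you run in push mode against a server that rejects persistent search, nothing later in the broker will tell you the cache is frozen, so either log that outcome loudly or fall back to a pull interval.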