I'm trying to add an LDAP sign-in feature to an ActiveMQ Artemis instance. I've set my login.config like this:
activemq {
    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
        debug=true
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL="ldap://office.company.com:389"
        connectionUsername="cn=ldap.user,ou=technical,ou=city,dc=office,dc=company,dc=com"
        connectionPassword="password"
        connectionProtocol=s
        connectionTimeout="5000"
        authentication=simple
        userBase="ou=department,ou=city,dc=office,dc=company,dc=com"
        userSearchMatching="(sAMAccountName={0})"
        userSearchSubtree=true
        readTimeout="5000"
        roleBase="ou=department,ou=city,dc=office,dc=company,dc=com"
        roleName="cn"
        roleSearchMatching="(&(objectClass=group)(cn=R&D-Dev)(member:1.2.840.113556.1.4.1941:=cn={0}))"
        roleSearchSubtree=true;
    org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule optional
        reload=true
        org.apache.activemq.jaas.properties.user="artemis-users.properties"
        org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};
Then I changed the default value in artemis.profile from HAWTIO_ROLE='amq' to HAWTIO_ROLE='*'.
This configuration allows me to log in with the LDAP account, but wherever I check I'm receiving an error like this:
ERROR: User not authorized to access attribute: AddressLimitPercent (class java.lang.SecurityException)
My LDAP tree looks like this:
dc=com
└── dc=company
    └── dc=office
        ├── ou=city
        │   ├── ou=technical
        │   │   └── cn=ldap.user
        │   └── ou=department
        │       ├── sAMAccountName=name.lastname
        │       └── cn=R&D-Dev
I've tried mapping my LDAP role to the internal amq role in artemis-roles.properties:
amq = R&D-Dev
My management.xml file looks like this:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
~ Licensed to the Apache Software Foundation (ASF) under one or more
~ contributor license agreements. See the NOTICE file distributed with
~ this work for additional information regarding copyright ownership.
~ The ASF licenses this file to You under the Apache License, Version 2.0
~ (the "License"); you may not use this file except in compliance with
~ the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<management-context xmlns="http://activemq.apache.org/schema">
   <!--<connector connector-port="1099"/>-->
   <authorisation>
      <allowlist>
         <entry domain="hawtio"/>
      </allowlist>
      <default-access>
         <!--
         The "default-access" settings apply to every MBean not explicitly configured
         in the "allowlist" or "role-access" sections
         -->
         <!-- allow read-only access by default -->
         <access method="list*" roles="*"/>
         <access method="get*" roles="*"/>
         <access method="is*" roles="*"/>
         <access method="set*" roles="*"/>
         <access method="*" roles="*"/>
         <access method="browse*" roles="*"/>
         <access method="count*" roles="*"/>
         <!-- don't allow write or other operations by default -->
         <!--access method="set*" roles="amq"/-->
         <!--access method="*" roles="amq"/-->
      </default-access>
      <role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="list*" roles="*"/>
            <access method="get*" roles="*"/>
            <access method="is*" roles="*"/>
            <access method="set*" roles="*"/>
            <!-- Note count and browse are need to access the browse tab in the console -->
            <access method="browse*" roles="*"/>
            <access method="count*" roles="*"/>
            <access method="*" roles="*"/>
         </match>
         <!--example of how to configure a specific object -->
         <!--
         <match domain="org.apache.activemq.artemis" key="subcomponent=queues">
            <access method="list*" roles="view,update,amq"/>
            <access method="get*" roles="view,update,amq"/>
            <access method="is*" roles="view,update,amq"/>
            <access method="set*" roles="update,amq"/>
            <access method="*" roles="amq"/>
         </match>
         -->
      </role-access>
   </authorisation>
</management-context>
I also checked the connection to the REST API with this command:
curl -k -H "Origin: https://activemq.dev.company.com" -u test:password https://activemq.dev.company.com/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active
Result for default account:
{"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1724063227,"status":200}
Result for LDAP account:
{"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception : User not authorized to access attribute: Active","status":403}
I also tried to map my LDAP role to the internal amq role in broker.xml, but it does not seem to work at all:
<security-settings>
   <security-setting match="#">
      <permission type="createNonDurableQueue" roles="*"/>
      <permission type="deleteNonDurableQueue" roles="*"/>
      <permission type="createDurableQueue" roles="*"/>
      <permission type="deleteDurableQueue" roles="*"/>
      <permission type="createAddress" roles="*"/>
      <permission type="deleteAddress" roles="*"/>
      <permission type="consume" roles="*"/>
      <permission type="browse" roles="*"/>
      <permission type="send" roles="*"/>
      <!-- we need this otherwise ./artemis data imp wouldn't work -->
      <permission type="manage" roles="*"/>
   </security-setting>
   <!-- '&' must be written as &amp; or the file is not well-formed XML -->
   <role-mapping from="cn=R&amp;D-Dev,ou=department,ou=city,dc=office,dc=company,dc=com" to="amq"/>
</security-settings>
I double-checked, then enabled DEBUG mode via log4j2.properties. It turned out that the user is receiving his role from the LDAP service as expected:
2024-08-19 09:42:48,432 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Roles [R&D-Dev] for user name.lastname
How may I grant access to my LDAP user?
I realised that in management.xml the roles provided in <access method/> are supposed to be provided WITHOUT spaces and escaped for XML format. This example resolved my issue:
<access method="list*" roles="amq,r&amp;d-dev"/>
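A small offline checker for the two findings above (no whitespace inside the roles list, and the ampersand written as &amp;), added here as an example; it is not code from the post or from the Artemis project. It runs a constructed management.xml fragment and a constructed log line in the shape of the LDAPLoginModule DEBUG output through a simplified model of role-access: role names are compared exactly and case-sensitively, "*" in roles is treated as a literal name rather than a wildcard, the key attribute of <match> is ignored, and a call is permitted when any <access> whose method pattern matches names one of the user's roles. Those are assumptions made for the demonstration, not Artemis's documented semantics; the domain name and the broker MBean method names used are taken from the post.

```python
"""Offline checker for ActiveMQ Artemis management.xml role-access entries.

Added example; not code from the original post or from the Artemis project.
Assumptions: role names are compared exactly (case-sensitive, no trimming),
a request is permitted when any <access> whose method pattern matches grants
one of the user's roles, the optional key attribute of <match> is ignored,
and a roles value of "*" is a literal role name, not a wildcard.
"""
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

NS = {"a": "http://activemq.apache.org/schema"}

# Constructed log line in the shape of the LDAPLoginModule DEBUG line from the post.
SAMPLE_LOG = ("2024-08-19 09:42:48,432 DEBUG "
              "[org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] "
              "Roles [R&D-Dev] for user name.lastname")

# Constructed fragment: '&' is escaped as &amp; and the roles list has no spaces.
GOOD_XML = """<management-context xmlns="http://activemq.apache.org/schema">
  <authorisation>
    <role-access>
      <match domain="org.apache.activemq.artemis">
        <access method="list*" roles="amq,R&amp;D-Dev"/>
        <access method="get*" roles="amq,R&amp;D-Dev"/>
        <access method="is*" roles="amq,R&amp;D-Dev"/>
        <access method="set*" roles="amq"/>
        <access method="*" roles="amq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>"""

# The two mistakes the post warns about: a space after the comma, and a raw '&'.
SPACED_XML = GOOD_XML.replace("amq,R&amp;D-Dev", "amq, R&amp;D-Dev")
UNESCAPED_XML = GOOD_XML.replace("R&amp;D-Dev", "R&D-Dev")


def roles_from_log(line):
    """Return (user, set_of_roles) from an LDAPLoginModule 'Roles [...] for user ...' line."""
    m = re.search(r"Roles \[([^\]]*)\] for user (\S+)", line)
    if m is None:
        raise ValueError("not an LDAPLoginModule roles line")
    # Java List.toString() separates elements with ", ", so trimming is correct here.
    roles = {r.strip() for r in m.group(1).split(",") if r.strip()}
    return m.group(2), roles


def well_formed(xml_text):
    """False when the fragment is not XML at all, e.g. an unescaped '&' in roles."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True


def access_entries(xml_text, domain=None):
    """Yield (method_pattern, [roles]) for every <access> under a <match> of the domain.

    Roles are split on ',' only, with no trimming, so a stray space survives
    and can be detected.
    """
    root = ET.fromstring(xml_text)
    for match in root.iterfind(".//a:role-access/a:match", NS):
        if domain is not None and match.get("domain") != domain:
            continue
        for acc in match.iterfind("a:access", NS):
            yield acc.get("method"), acc.get("roles", "").split(",")


def lint_roles(xml_text):
    """List (method, role) pairs whose role carries leading/trailing whitespace."""
    return [(method, role)
            for method, roles in access_entries(xml_text)
            for role in roles if role != role.strip()]


def permitted(xml_text, domain, method, user_roles):
    """True if some matching <access> entry names one of the user's roles exactly."""
    granted = set()
    for pattern, roles in access_entries(xml_text, domain):
        if fnmatchcase(method, pattern):
            granted.update(roles)
    return bool(granted & set(user_roles))


if __name__ == "__main__":
    user, roles = roles_from_log(SAMPLE_LOG)
    domain = "org.apache.activemq.artemis"
    for label, xml_text in (("good", GOOD_XML), ("spaced", SPACED_XML),
                            ("unescaped", UNESCAPED_XML)):
        if not well_formed(xml_text):
            print(f"{label}: not well-formed XML")
            continue
        print(f"{label}: user={user} lint={lint_roles(xml_text)} "
              f"getActive={permitted(xml_text, domain, 'getActive', roles)} "
              f"setX={permitted(xml_text, domain, 'setX', roles)}")
```

Run it as a script: the "good" fragment grants getActive to the LDAP user and denies setX, the "spaced" fragment denies getActive because the parsed role is " R&D-Dev" rather than "R&D-Dev", and the "unescaped" fragment is rejected by the XML parser before any role is even looked at. Pointing lint_roles and well_formed at a real management.xml is a cheap pre-deployment check for exactly the mistake that produced the 403 in the post.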