Tags: ldap, activemq-artemis, jaas

ActiveMQ Artemis JAAS LDAP - logged-in user has no access to anything


I'm trying to add an LDAP sign-in feature to an ActiveMQ Artemis instance.

I've set my login.config like this:

activemq {
    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
    debug=true
    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connectionURL="ldap://office.company.com:389"
    connectionUsername="cn=ldap.user,ou=technical,ou=city,dc=office,dc=company,dc=com"
    connectionPassword="password"
    connectionProtocol=s
    connectionTimeout="5000"
    authentication=simple
    userBase="ou=department,ou=city,dc=office,dc=company,dc=com"
    userSearchMatching="(sAMAccountName={0})"
    userSearchSubtree=true
    readTimeout="5000"
    roleBase="ou=department,ou=city,dc=office,dc=company,dc=com"
    roleName="cn"
    roleSearchMatching="(&(objectClass=group)(cn=R&D-Dev)(member:1.2.840.113556.1.4.1941:=cn={0}))"
    roleSearchSubtree=true;

    org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule optional
    reload=true
    org.apache.activemq.jaas.properties.user="artemis-users.properties"
    org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};

Then I changed the default value in artemis.profile from HAWTIO_ROLE='amq' to HAWTIO_ROLE='*'.

This configuration allows me to log in with the LDAP account but wherever I check I'm receiving an error like this:

 ERROR: User not authorized to access attribute: AddressLimitPercent (class java.lang.SecurityException)

My LDAP tree looks like this:

dc=com
└── dc=company
    └── dc=office
        ├── ou=city
        │   ├── ou=technical
        │   │   └── cn=ldap.user
        │   └── ou=department
        │       ├── sAMAccountName=name.lastname
        │       └── cn=R&D-Dev

I've tried mapping my LDAP role to internal amq role in artemis-roles.properties:

amq = R&D-Dev


My management.xml file looks like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
    ~ Licensed to the Apache Software Foundation (ASF) under one or more
    ~ contributor license agreements. See the NOTICE file distributed with
    ~ this work for additional information regarding copyright ownership.
    ~ The ASF licenses this file to You under the Apache License, Version 2.0
    ~ (the "License"); you may not use this file except in compliance with
    ~ the License. You may obtain a copy of the License at
    ~
    ~     http://www.apache.org/licenses/LICENSE-2.0
    ~
    ~ Unless required by applicable law or agreed to in writing, software
    ~ distributed under the License is distributed on an "AS IS" BASIS,
    ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    ~ See the License for the specific language governing permissions and
    ~ limitations under the License.
    -->
<management-context xmlns="http://activemq.apache.org/schema">
    <!--<connector connector-port="1099"/>-->
    <authorisation>
        <allowlist>
        <entry domain="hawtio"/>
        </allowlist>
        <default-access>
        <!--
        The "default-access" settings apply to every MBean not explicitly configured
        in the "allowlist" or "role-access" sections
        -->

        <!-- allow read-only access by default -->
        <access method="list*" roles="*"/>
        <access method="get*" roles="*"/>
        <access method="is*" roles="*"/>
        <access method="set*" roles="*"/>
        <access method="*" roles="*"/>
        <access method="browse*" roles="*"/>
        <access method="count*" roles="*"/>

        <!-- don't allow write or other operations by default -->
        <!--access method="set*" roles="amq"/-->
        <!--access method="*" roles="amq"/-->
        </default-access>
        <role-access>
        <match domain="org.apache.activemq.artemis">
            <access method="list*" roles="*"/>
            <access method="get*" roles="*"/>
            <access method="is*" roles="*"/>
            <access method="set*" roles="*"/>
            <!-- Note count and browse are need to access the browse tab in the console -->
            <access method="browse*" roles="*"/>
            <access method="count*" roles="*"/>
            <access method="*" roles="*"/>
        </match>
        <!--example of how to configure a specific object -->
        <!--
        <match domain="org.apache.activemq.artemis" key="subcomponent=queues">
            <access method="list*" roles="view,update,amq"/>
            <access method="get*" roles="view,update,amq"/>
            <access method="is*" roles="view,update,amq"/>
            <access method="set*" roles="update,amq"/>
            <access method="*" roles="amq"/>
        </match>
        -->
        </role-access>
    </authorisation>
</management-context>

I also checked the connection to the REST API with this command:

curl -k -H "Origin: https://activemq.dev.company.com" -u test:password https://activemq.dev.company.com/console/jolokia/read/org.apache.activemq.artemis:broker=\"0.0.0.0\"/Active

Result for default account:

{"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"value":true,"timestamp":1724063227,"status":200}

Result for LDAP account:

{"request":{"mbean":"org.apache.activemq.artemis:broker=\"0.0.0.0\"","attribute":"Active","type":"read"},"error_type":"java.lang.Exception","error":"java.lang.Exception : User not authorized to access attribute: Active","status":403}

I also tried to map my LDAP role to the internal amq role in broker.xml, but it does not seem to work at all:

          <security-settings>
            <security-setting match="#">
                <permission type="createNonDurableQueue" roles="*"/>
                <permission type="deleteNonDurableQueue" roles="*"/>
                <permission type="createDurableQueue" roles="*"/>
                <permission type="deleteDurableQueue" roles="*"/>
                <permission type="createAddress" roles="*"/>
                <permission type="deleteAddress" roles="*"/>
                <permission type="consume" roles="*"/>
                <permission type="browse" roles="*"/>
                <permission type="send" roles="*"/>
                <!-- we need this otherwise ./artemis data imp wouldn't work -->
                <permission type="manage" roles="*"/>
            </security-setting>
            <role-mapping from="cn=R&amp;D-Dev,ou=department,ou=city,dc=office,dc=company,dc=com" to="amq"/>
          </security-settings>

I performed a double check, then enabled DEBUG mode via 'log4j2.properties'. It turned out that the user is receiving his role from the LDAP service as expected:

2024-08-19 09:42:48,432 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Roles [R&D-Dev] for user name.lastname

How may I grant access to my LDAP user?


Solution

  • I realised that in management.xml the roles provided in <access method/> are supposed to be provided WITHOUT spaces and escaped for the XML format. This example resolved my issue:

            <access method="list*" roles="amq,r&amp;d-dev"/>
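As an added example (not part of the question or the accepted answer, and not Artemis project code), the script below checks a management.xml the way the fix above implies: it takes the role names exactly as the LDAPLoginModule DEBUG line reports them, splits every roles attribute on "," without trimming (an assumption that matches why "amq, r&amp;d-dev" failed and "amq,r&amp;d-dev" worked), flags tokens with surrounding whitespace, shows that a bare "&" in an attribute is rejected by any XML parser while "&amp;" becomes "&", and renders a correctly escaped attribute value. The role comparison is case-insensitive only because the accepted fix wrote r&amp;d-dev for a role logged as R&D-Dev; confirm that against your broker version with the curl check from the question. A lone "*" is reported separately rather than treated as a grant, since the question shows the LDAP user was still denied with it. The log line and the management.xml fragment are constructed samples, and the role, domain and user names are taken from the question.

```python
"""Lint the roles attributes in an Artemis management.xml against the roles an
LDAP user actually receives. Added example; assumptions are marked inline."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://activemq.apache.org/schema}"

# Constructed sample of the LDAPLoginModule DEBUG line format shown in the question.
SAMPLE_DEBUG_LINE = (
    "2024-08-19 09:42:48,432 DEBUG "
    "[org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] "
    "Roles [R&D-Dev] for user name.lastname"
)

# Constructed sample management.xml: one broken entry (space after the comma),
# one correct entry, one bare "*", and one entry that omits the LDAP role.
SAMPLE_MANAGEMENT_XML = """
<management-context xmlns="http://activemq.apache.org/schema">
  <authorisation>
    <allowlist>
      <entry domain="hawtio"/>
    </allowlist>
    <default-access>
      <access method="list*" roles="amq"/>
      <access method="get*" roles="amq"/>
    </default-access>
    <role-access>
      <match domain="org.apache.activemq.artemis">
        <access method="list*" roles="amq, r&amp;d-dev"/>
        <access method="get*" roles="amq,r&amp;d-dev"/>
        <access method="is*" roles="*"/>
        <access method="set*" roles="amq"/>
      </match>
    </role-access>
  </authorisation>
</management-context>
"""

_ROLES_RE = re.compile(r"Roles \[(?P<roles>[^\]]*)\] for user (?P<user>\S+)")


def roles_from_debug_line(line):
    """Return (user, roles) from an LDAPLoginModule 'Roles [...] for user ...' line."""
    m = _ROLES_RE.search(line)
    if m is None:
        raise ValueError("not an LDAPLoginModule roles line: %r" % line)
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return m.group("user"), roles


def split_roles_attr(value):
    # Assumption: the broker splits on ',' and does not trim, which is why the
    # accepted fix removes the space after the comma.
    return value.split(",")


def build_roles_attr(roles):
    """Render a roles attribute value: comma-separated, no spaces, XML-escaped."""
    return ",".join(escape(r) for r in roles)  # 'r&d-dev' -> 'r&amp;d-dev'


def parses_as_xml(text):
    """True if the fragment is well-formed; a bare '&' inside an attribute is not."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def lint_management_xml(xml_text, ldap_roles):
    """One finding per <access> entry: scope, method, raw roles, status, problems."""
    auth = ET.fromstring(xml_text).find(NS + "authorisation")
    if auth is None:
        return []
    # Assumption: case-insensitive comparison, mirroring the accepted fix
    # (config says r&d-dev, the LDAP log says R&D-Dev). Verify on your broker.
    wanted = {r.lower() for r in ldap_roles}
    scopes = []
    default = auth.find(NS + "default-access")
    if default is not None:
        scopes.append(("default-access", default))
    role_access = auth.find(NS + "role-access")
    if role_access is not None:
        for match in role_access.findall(NS + "match"):
            label = "match domain=%s" % match.get("domain")
            if match.get("key"):
                label += " key=%s" % match.get("key")
            scopes.append((label, match))
    findings = []
    for label, scope in scopes:
        for access in scope.findall(NS + "access"):
            raw = access.get("roles", "")
            tokens = split_roles_attr(raw)  # the parser has already turned &amp; into &
            problems = []
            for t in tokens:
                if t == "" or t.isspace():
                    problems.append("empty role token in %r" % raw)
                elif t != t.strip():
                    problems.append("whitespace around role %r; it will not match" % t)
            if any(t.lower() in wanted for t in tokens):  # untrimmed tokens, see above
                status = "granted"
            elif "*" in tokens:
                status = "wildcard"  # not a role name; the question shows it did not admit the LDAP user
            else:
                status = "denied"
            findings.append({"scope": label, "method": access.get("method"),
                             "roles": raw, "status": status, "problems": problems})
    return findings


if __name__ == "__main__":
    user, roles = roles_from_debug_line(SAMPLE_DEBUG_LINE)
    print("user=%s ldap roles=%s" % (user, roles))
    for f in lint_management_xml(SAMPLE_MANAGEMENT_XML, roles):
        print("%-42s %-6s roles=%-16r %-8s %s" % (f["scope"], f["method"], f["roles"],
                                                 f["status"], "; ".join(f["problems"])))
    print('fixed attribute: roles="%s"' % build_roles_attr(["amq"] + roles))
```

Run it against your own management.xml by replacing the sample constants with the file contents and the DEBUG line from artemis.log; every entry reported as "denied" for a method the console needs (list*, get*, is*, browse*, count* for the browse tab) is one the LDAP user will get a 403 on, and build_roles_attr gives the exact attribute value to paste in.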