Question

努力使ActiveMQ Web控制台使用LDAP并针对Active Directory进行身份验证。启动MQ时没有错误，出现用户名/密码登录框提示，但在插入正确的凭据时不会继续。

版本 5.15.6

login.config

amqLdapLoginModule {
   org.eclipse.jetty.jaas.spi.LdapLoginModule required
   debug="true"
   contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
   hostname="ad-server1.domain.com"
   port="389"
   bindDn="CN=readonly-user,OU=Accounts,DC=domain,DC=com"
   bindPassword="readonly-user-password"
   authenticationMethod="simple"
   forceBindingLogin="false"
   userBaseDn="CN=users,DC=domain,DC=com"
   userRdnAttribute="uid"
   userIdAttribute="uid"
   userPasswordAttribute="userPassword"
   userObjectClass="inetOrgPerson"
   roleBaseDn="CN=groups,DC=domain,dc=com"
   roleNameAttribute="cn"
   roleMemberAttribute="uniqueMember"
   roleObjectClass="groupOfUniqueNames";
   };

jetty.xml

    <bean id="ldapLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
        <property name="name" value="LdapRealm" />
        <property name="loginModuleName" value="amqLdapLoginModule" />
        <property name="roleClassNames" value="org.eclipse.jetty.jaas.JAASRole" />
        <property name="identityService" ref="identityService" />
    </bean>
    <bean id="identityService" class="org.eclipse.jetty.security.DefaultIdentityService"/>

    <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
        <property name="name" value="BASIC" />
        <property name="roles" value="admins-group" />
        <!-- set authenticate=false to disable login -->
        <property name="authenticate" value="true" />
    </bean>
    <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
        <property name="name" value="BASIC" />
        <property name="roles" value="admins-group" />
         <!-- set authenticate=false to disable login -->
        <property name="authenticate" value="true" />
    </bean>


    <bean id="securityHandlerLdap" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
        <property name="loginService" ref="ldapLoginService" />
        <property name="identityService" ref="identityService" />
        <property name="realmName" value="LdapRealm" />
        <property name="authenticator">
            <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
        </property>
        <property name="constraintMappings">
            <list>
                <ref bean="adminSecurityConstraintMapping" />
                <ref bean="securityConstraintMapping" />
            </list>
        </property>
        <property name="handler" ref="secHandlerCollection" />
    </bean>

    <bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
    </bean>

Answer 1

按照http://bacedifo.blogspot.com/2013/06/securing-activemq-580-web-console-using.html中的指南进行操作，并使用ldaptive ldap java库，并对配置进行了一些调整，我设法使其在我们的AD环境中正常工作。

将ldaptive- {版本号} .jar和jetty-jass- {版本号} .jar复制到/ activemq / lib目录。

login.conf

activemq {
    org.ldaptive.jaas.LdapLoginModule required
        debug=true
        storePass="true"
        ldapUrl="ldap://ldap-server1.domainname.com:389 ldap://ldap-server2.domainname.com:389"
        connectionStrategy="ACTIVE_PASSIVE"
        bindDn="CN=ldap-readaccount,OU=Read Accounts,DC=domainname,DC=com"
        baseDn="OU=accounts,DC=domainname,DC=com"
        bindCredential="ldapuser-password"
        useStartTLS="false"
        userFilter="(sAMAccountName={user})";

    org.ldaptive.jaas.LdapRoleAuthorizationModule required
        useFirstPass="true"
        ldapUrl="ldap://ldap-server1.domainname.com:389 ldap://ldap-server2.domainname.com:389"
        connectionStrategy="ACTIVE_PASSIVE"
        bindDn="CN=ldap-readaccount,OU=Read Accounts,DC=domainname,DC=com"
        baseDn="OU=groups,DC=domainname,DC=com"
        bindCredential="ldapuser-password"
        roleFilter="(&(cn=webconsoleadmins)(member={user}))"
        useStartTLS="false"
        defaultRole="admins"
        roleAttribute="cn";

};

jetty.xml

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

<bean id="securityLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
    <property name="name" value="LdapRealm" />
    <property name="loginModuleName" value="activemq" />
    <property name="roleClassNames" value="org.ldaptive.jaas.LdapRole" />
    <property name="identityService" ref="identityService" />
</bean>
<bean id="identityService" class="org.eclipse.jetty.security.DefaultIdentityService"/>


<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="admins,webconsoleadmins" />
    <!-- set authenticate=false to disable login -->
    <property name="authenticate" value="true" />
</bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="admins,webconsoleadmins" />
     <!-- set authenticate=false to disable login -->
    <property name="authenticate" value="true" />
</bean>

...

<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
    <property name="loginService" ref="securityLoginService" />
    <property name="identityService" ref="identityService" />
    <property name="authenticator">
        <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
    </property>
    <property name="constraintMappings">
        <list>
            <ref bean="adminSecurityConstraintMapping" />
            <ref bean="securityConstraintMapping" />
        </list>
    </property>
    <property name="handler" ref="secHandlerCollection" />
</bean>

使用LDAP Active Directory身份验证的ActiveMQ Web控制台

1 个答案: