Need Help With LDAP Group Configuration
Now, I have successfully configured LDAP user authentication.
But however I tried, the group configuration always failed.
I read the administration document over and over again and tried many, many ways, but it still doesn't work, so I am posting here for help.
Successful user config file:
imq.instanceconfig.version=300
imq.user_repository.ldap.password=secret
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.base=ou\=imqusers,o\=IMQ,dc\=unimas,dc\=com
imq.service.activelist=jms,admin,httpjms
imq.user_repository.ldap.principal=cn\=Manager,dc\=unimas,dc\=com
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.gidattr=cn
imq.user_repository.ldap.server=192.168.0.68\:389
imq.authentication.type=basic
What I added for the group:
imq.user_repository.ldap.grpsearch=true
imq.user_repository.ldap.memattr=member
imq.user_repository.ldap.grpbase=cn\=group1,ou\=imqgroups,o\=Groups,dc\=unimas, dc\=com
imq.user_repository.ldap.gidattr=cn
Result:
If config.properties combines the user attributes and the group attributes, the connection can be set up, but it seems to only check for users (users outside the group can log in too).
When I deleted the user attributes, I couldn't get any connection.
So, could somebody help me? Thanks.
By JSmarter at 2007-11-25 20:36:59

# 1
Hi,
Curious - which LDAP server are you using? Which version of MQ are you using?
Did you create new group names or did you stick to group names that MQ already used (in the default file-based user repository) - 'admin' and 'user'? These would be the groups you created under:
cn\=group1,ou\=imqgroups,o\=Groups, dc\=unimas,dc\=com
Also, since you created new groups, you might want to read up on how to modify the accesscontrol.properties file:
http://docs.sun.com/source/819-0066/security.html#wp47944
Of interest is this entry from the above page:
-
The default ACL properties file gives all users access
to NORMAL connection services and gives users in the
group admin access to ADMIN connection services:
connection.NORMAL.allow.user=*
connection.ADMIN.allow.group=admin
If you are using a file-based user repository, the default
group admin is created by imqusermgr. If you are using
an LDAP user repository, you can do one of the following
to use the default ACL properties file:
* Define a group called admin in the LDAP directory.
* Replace the name admin in the ACL properties file with
the names of one or more groups that are defined in
the LDAP directory.
-
The default entries in the accesscontrol.properties file basically allow any user in the repository to log in, but only users in group 'admin' to do admin stuff.
If you created a group called 'mygroup', you might want to create the following entry (or modify existing entries) to restrict the ability to create normal JMS (i.e. not admin) connections to users in 'mygroup' only:
connection.NORMAL.allow.group=mygroup
Hope this helps,
-isa
http://www.sun.com/software/products/message_queue/index.xml
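The following is an added example, not code from the original thread or from the MQ product. It models the two pieces discussed above: the group search driven by imq.user_repository.ldap.grpbase / memattr / gidattr, and the connection.<SERVICE>.allow.user / allow.group rules in accesscontrol.properties. The directory contents, user names and the group container DN (ou=imqgroups,o=Groups,dc=unimas,dc=com) are constructed for illustration; the ACL semantics are a simplified reading of the reply (allow rules only, no deny rules or precedence), and the group search is assumed to cover the whole subtree under grpbase. Nothing here contacts a real LDAP server.

```python
"""Stand-in model for MQ LDAP group lookup plus accesscontrol.properties checks.

Constructed example: an in-memory directory and two small property files.
The rule semantics are an assumption, not the product's actual implementation.
"""
from typing import Dict, List, Set

# Constructed stand-in for the LDAP directory: DN -> attributes (hypothetical data).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=alice,ou=imqusers,o=IMQ,dc=unimas,dc=com": {"cn": ["alice"]},
    "cn=bob,ou=imqusers,o=IMQ,dc=unimas,dc=com": {"cn": ["bob"]},
    "cn=admin,ou=imqgroups,o=Groups,dc=unimas,dc=com": {
        "cn": ["admin"],
        "member": ["cn=alice,ou=imqusers,o=IMQ,dc=unimas,dc=com"],
    },
    "cn=mygroup,ou=imqgroups,o=Groups,dc=unimas,dc=com": {
        "cn": ["mygroup"],
        "member": ["cn=alice,ou=imqusers,o=IMQ,dc=unimas,dc=com",
                   "cn=bob,ou=imqusers,o=IMQ,dc=unimas,dc=com"],
    },
}

# Constructed property files (assumed values; grpbase is the group container here).
LDAP_PROPS = r"""imq.user_repository.ldap.grpsearch=true
imq.user_repository.ldap.memattr=member
imq.user_repository.ldap.grpbase=ou\=imqgroups,o\=Groups,dc\=unimas,dc\=com
imq.user_repository.ldap.gidattr=cn
"""
DEFAULT_ACL = """connection.NORMAL.allow.user=*
connection.ADMIN.allow.group=admin
"""
RESTRICTED_ACL = """connection.NORMAL.allow.group=mygroup
connection.ADMIN.allow.group=admin
"""


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: trim whitespace around RDN separators, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def load_properties(text: str) -> Dict[str, str]:
    """Minimal key=value reader; backslash escapes such as \\= and \\: are removed."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\", "")
    return props


def groups_for_user(props: Dict[str, str], directory: Dict[str, Dict[str, List[str]]],
                    user_dn: str) -> Set[str]:
    """Emulate grpsearch: entries under grpbase whose memattr lists the user's DN
    contribute their gidattr values. Subtree scope is an assumption of this model."""
    if props.get("imq.user_repository.ldap.grpsearch", "false").lower() != "true":
        return set()
    grpbase = norm_dn(props["imq.user_repository.ldap.grpbase"])
    memattr = props["imq.user_repository.ldap.memattr"]
    gidattr = props["imq.user_repository.ldap.gidattr"]
    user = norm_dn(user_dn)
    groups: Set[str] = set()
    for dn, attrs in directory.items():
        ndn = norm_dn(dn)
        if ndn != grpbase and not ndn.endswith("," + grpbase):
            continue  # outside the configured search base
        if any(norm_dn(m) == user for m in attrs.get(memattr, [])):
            groups.update(attrs.get(gidattr, []))
    return groups


def is_allowed(acl: Dict[str, str], service: str, user: str, groups: Set[str]) -> bool:
    """Simplified accesscontrol.properties check: allowed if the user (or '*') is in
    connection.<service>.allow.user, or any group is in connection.<service>.allow.group."""
    users = {u.strip() for u in acl.get(f"connection.{service}.allow.user", "").split(",") if u.strip()}
    grps = {g.strip() for g in acl.get(f"connection.{service}.allow.group", "").split(",") if g.strip()}
    return "*" in users or user in users or bool(groups & grps)


def decide(acl_text: str, ldap_text: str, user: str, user_dn: str, service: str) -> bool:
    """Resolve the user's groups from the directory, then apply the ACL for one service."""
    groups = groups_for_user(load_properties(ldap_text), DIRECTORY, user_dn)
    return is_allowed(load_properties(acl_text), service, user, groups)


if __name__ == "__main__":
    for name in ("alice", "bob"):
        dn = f"cn={name},ou=imqusers,o=IMQ,dc=unimas,dc=com"
        for acl_name, acl in (("default", DEFAULT_ACL), ("restricted", RESTRICTED_ACL)):
            for svc in ("NORMAL", "ADMIN"):
                print(name, acl_name, svc, decide(acl, LDAP_PROPS, name, dn, svc))
```

With the default ACL every directory user gets a NORMAL connection and only members of 'admin' get ADMIN; with connection.NORMAL.allow.group=mygroup, a user who is not in 'mygroup' is refused. The DN normalisation is a deliberate choice: a member value and a configured base that differ only in spacing around commas should still compare equal, which is one thing worth checking when a group search returns nothing.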