https://issues.apache.org/jira/browse/AMQ-3791 - CachedLDAPAuthorizationMap improvements

git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@1347580 13f79535-47bb-0310-9956-ffa450edef68

activemq-core/src/test/java/org/apache/activemq/security/AbstractCachedLDAPAuthorizationMapLegacyTest.java

@@ -0,0 +1,358 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.command.ActiveMQQueue;
+import org.apache.activemq.command.ActiveMQTopic;
+import org.apache.activemq.jaas.GroupPrincipal;
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.shared.ldap.model.ldif.LdifEntry;
+import org.apache.directory.shared.ldap.model.ldif.LdifReader;
+import org.apache.directory.shared.ldap.model.message.ModifyRequest;
+import org.apache.directory.shared.ldap.model.message.ModifyRequestImpl;
+import org.apache.directory.shared.ldap.model.name.Dn;
+import org.apache.directory.shared.ldap.model.name.Rdn;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+
+import javax.naming.Context;
+import javax.naming.NameClassPair;
+import javax.naming.NamingEnumeration;
+import javax.naming.directory.DirContext;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+public abstract class AbstractCachedLDAPAuthorizationMapLegacyTest extends AbstractLdapTestUnit {
+
+    static final GroupPrincipal GUESTS = new GroupPrincipal("guests");
+    static final GroupPrincipal USERS = new GroupPrincipal("users");
+    static final GroupPrincipal ADMINS = new GroupPrincipal("admins");
+    
+    protected LdapConnection connection;
+    protected CachedLDAPAuthorizationMap map;
+    
+    @Before
+    public void setup() throws Exception {
+        connection = getLdapConnection();
+        map = createMap();
+    }
+    
+    @After
+    public void cleanup() throws Exception {
+        if (connection != null) {
+            try {
+                connection.close();
+            } catch (IOException e) {
+                // Ignore
+            }
+        }
+        
+        if (map != null) {
+            map.destroy();
+        }
+    }
+
+    @Test
+    public void testQuery() throws Exception {
+        map.query();
+        Set<?> readACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + readACLs, 2, readACLs.size());
+        assertTrue("Contains admin group", readACLs.contains(ADMINS));
+        assertTrue("Contains users group", readACLs.contains(USERS));
+
+        Set<?> failedACLs = map.getReadACLs(new ActiveMQQueue("FAILED"));
+        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+    }
+    
+    @Test
+    public void testSynchronousUpdate() throws Exception {
+        map.setRefreshInterval(1);
+        map.query();
+        Set<?> readACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + readACLs, 2, readACLs.size());
+        assertTrue("Contains admin group", readACLs.contains(ADMINS));
+        assertTrue("Contains users group", readACLs.contains(USERS));
+
+        Set<?> failedACLs = map.getReadACLs(new ActiveMQQueue("FAILED"));
+        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+        
+        LdifReader reader = new LdifReader(getRemoveLdif());
+
+        for (LdifEntry entry : reader) {
+            connection.delete(entry.getDn());
+        }
+        
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+        
+        assertNull(map.getTempDestinationReadACLs());
+        assertNull(map.getTempDestinationWriteACLs());
+        assertNull(map.getTempDestinationAdminACLs());
+    }
+
+    @Test
+    public void testWildcards() throws Exception {
+        map.query();
+        Set<?> fooACLs = map.getReadACLs(new ActiveMQQueue("FOO.1"));
+        assertEquals("set size: " + fooACLs, 2, fooACLs.size());
+        assertTrue("Contains admin group", fooACLs.contains(ADMINS));
+        assertTrue("Contains users group", fooACLs.contains(USERS));
+
+        Set<?> barACLs = map.getReadACLs(new ActiveMQQueue("BAR.2"));
+        assertEquals("set size: " + barACLs, 2, barACLs.size());
+        assertTrue("Contains admin group", barACLs.contains(ADMINS));
+        assertTrue("Contains users group", barACLs.contains(USERS));
+    }
+
+    @Test
+    public void testAdvisory() throws Exception {
+        map.query();
+        Set<?> readACLs = map.getReadACLs(new ActiveMQTopic("ActiveMQ.Advisory.Connection"));
+        assertEquals("set size: " + readACLs, 2, readACLs.size());
+        assertTrue("Contains admin group", readACLs.contains(ADMINS));
+        assertTrue("Contains users group", readACLs.contains(USERS));
+    }
+
+    @Test
+    public void testTemporary() throws Exception {
+        map.query();
+        
+        Thread.sleep(1000);
+        Set<?> readACLs = map.getTempDestinationReadACLs();
+        assertEquals("set size: " + readACLs, 2, readACLs.size());
+        assertTrue("Contains admin group", readACLs.contains(ADMINS));
+        assertTrue("Contains users group", readACLs.contains(USERS));
+    }
+
+    @Test
+    public void testAdd() throws Exception {
+        map.query();
+
+        Set<?> failedACLs = map.getReadACLs(new ActiveMQQueue("FAILED"));
+        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+
+        LdifReader reader = new LdifReader(getAddLdif());
+
+        for (LdifEntry entry : reader) {
+            connection.add(entry.getEntry());
+        }
+
+        Thread.sleep(2000);
+
+        failedACLs = map.getReadACLs(new ActiveMQQueue("FAILED"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+    }
+
+    @Test
+    public void testRemove() throws Exception {
+        map.query();
+
+        Set<?> failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+
+        LdifReader reader = new LdifReader(getRemoveLdif());
+
+        for (LdifEntry entry : reader) {
+            connection.delete(entry.getDn());
+        }
+
+        Thread.sleep(2000);
+
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+        
+        assertTrue(map.getTempDestinationReadACLs() == null || map.getTempDestinationReadACLs().isEmpty());
+        assertTrue(map.getTempDestinationWriteACLs() == null || map.getTempDestinationWriteACLs().isEmpty());
+        assertTrue(map.getTempDestinationAdminACLs() == null || map.getTempDestinationAdminACLs().isEmpty());
+    }
+    
+    @Test
+    public void testRenameDestination() throws Exception {
+        map.query();
+
+        // Test for a destination rename
+        Set<?> failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+
+        connection.rename(new Dn("cn=TEST.FOO," + getQueueBaseDn()),
+                new Rdn("cn=TEST.BAR"));
+
+        Thread.sleep(2000);
+
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+
+
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.BAR"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+    }
+    
+    @Test
+    public void testRenamePermission() throws Exception {
+        map.query();
+        
+        // Test for a permission rename
+        connection.delete(new Dn("cn=Read,cn=TEST.FOO," + getQueueBaseDn()));
+        
+        Thread.sleep(2000);
+        
+        Set<?> failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+        
+        failedACLs = map.getWriteACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+        
+        connection.rename(new Dn("cn=Write,cn=TEST.FOO," + getQueueBaseDn()),
+                new Rdn("cn=Read"));
+        
+        Thread.sleep(2000);
+        
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+        
+        failedACLs = map.getWriteACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+    }
+
+    @Test
+    public void testChange() throws Exception {
+        map.query();
+
+        // Change permission entry
+        Set<?> failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+
+        Dn dn = new Dn("cn=read,cn=TEST.FOO," + getQueueBaseDn());
+
+        ModifyRequest request = new ModifyRequestImpl();
+        request.setName(dn);
+        setupModifyRequest(request);
+
+        connection.modify(request);
+
+        Thread.sleep(2000);
+
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 1, failedACLs.size());
+        
+        // Change destination entry
+        request = new ModifyRequestImpl();
+        request.setName(new Dn("cn=TEST.FOO," + getQueueBaseDn()));
+        request.add("description", "This is a description!  In fact, it is a very good description.");
+        
+        connection.modify(request);
+
+        Thread.sleep(2000);
+        
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 1, failedACLs.size());
+    }
+    
+    protected CachedLDAPAuthorizationMap createMap() {
+        return new CachedLDAPAuthorizationMap();
+    }
+    
+    protected abstract InputStream getAddLdif();
+    
+    protected abstract InputStream getRemoveLdif();
+    
+    protected void setupModifyRequest(ModifyRequest request) {
+        request.remove("member", "cn=users");
+    }
+    
+    protected abstract String getQueueBaseDn();
+    
+    protected abstract LdapConnection getLdapConnection() throws Exception;
+    
+    public static void cleanAndLoad(String deleteFromDn, String ldifResourcePath,
+            String ldapHost, int ldapPort, String ldapUser, String ldapPass,
+            DirContext context) throws Exception {
+        // Cleanup everything used for testing.
+        List<String> dns = new LinkedList<String>();
+        dns.add(deleteFromDn);
+        
+        while (!dns.isEmpty()) {
+            String name = dns.get(dns.size() - 1);
+            Context currentContext = (Context) context.lookup(name);
+            NamingEnumeration<NameClassPair> namingEnum = currentContext.list("");
+            
+            if (namingEnum.hasMore()) {
+                while (namingEnum.hasMore()) {
+                    dns.add(namingEnum.next().getNameInNamespace());
+                }
+            } else {
+                context.unbind(name);
+                dns.remove(dns.size() - 1);
+            }
+        }
+        
+        // A bit of a hacked approach to loading an LDIF into OpenLDAP since there isn't an easy way to do it
+        // otherwise.  This approach invokes the command line tool programmatically but has
+        // to short-circuit the call to System.exit that the command line tool makes when it finishes.
+        // We are assuming that there isn't already a security manager in place.
+        final SecurityManager securityManager = new SecurityManager() {
+
+            public void checkPermission(java.security.Permission permission) {
+                if (permission.getName().contains("exitVM")) {
+                    throw new SecurityException("System.exit calls disabled for the moment.");
+                }
+            }
+        };
+
+        System.setSecurityManager(securityManager);
+
+        
+        File file = new File(AbstractCachedLDAPAuthorizationMapLegacyTest.class.getClassLoader().getResource(
+                ldifResourcePath).toURI());
+        
+        Class<?> clazz = Class.forName("LDAPModify");
+        Method mainMethod = clazz.getMethod("main", String[].class);
+        
+        try {
+            mainMethod.invoke(null, new Object[] {
+                    new String[] {
+                            "-v",
+                            "-h", ldapHost,
+                            "-p", String.valueOf(ldapPort),
+                            "-D", ldapUser,
+                            "-w", ldapPass,
+                            "-a",
+                            "-f", file.toString()}});
+        } catch (InvocationTargetException e) {
+            if (!(e.getTargetException() instanceof SecurityException)) {
+                throw e;
+            }
+        }
+
+        System.setSecurityManager(null);
+    }
+}
+
+

activemq-core/src/test/java/org/apache/activemq/security/AbstractCachedLDAPAuthorizationModuleTest.java

@@ -0,0 +1,63 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.command.ActiveMQQueue;
+import org.apache.activemq.jaas.UserPrincipal;
+import org.apache.directory.shared.ldap.model.message.ModifyRequest;
+import org.junit.Test;
+
+import java.util.Set;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+public abstract class AbstractCachedLDAPAuthorizationModuleTest 
+    extends AbstractCachedLDAPAuthorizationMapLegacyTest {
+
+    static final UserPrincipal JDOE = new UserPrincipal("jdoe");
+
+    @Test
+    public void testQuery() throws Exception {
+        map.query();
+        Set<?> readACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOOBAR"));
+        assertEquals("set size: " + readACLs, 3, readACLs.size());
+        assertTrue("Contains admin group", readACLs.contains(ADMINS));
+        assertTrue("Contains users group", readACLs.contains(USERS));
+        assertTrue("Contains jdoe user", readACLs.contains(JDOE));
+
+        Set<?> failedACLs = map.getReadACLs(new ActiveMQQueue("FAILED"));
+        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+        
+        super.testQuery();
+    }
+
+    @Override
+    protected final void setupModifyRequest(ModifyRequest request) {
+        request.remove("member", getMemberAttributeValueForModifyRequest());
+    }
+    
+    protected abstract String getMemberAttributeValueForModifyRequest();
+
+    @Override
+    protected CachedLDAPAuthorizationMap createMap() {
+        CachedLDAPAuthorizationMap map = super.createMap();
+        map.setLegacyGroupMapping(false);
+        return map;
+    }
+}
+

activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPAuthorizationModuleLegacyOpenLDAPTest.java

@@ -0,0 +1,97 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.LdapNetworkConnection;
+import org.apache.directory.shared.ldap.model.exception.LdapException;
+import org.apache.directory.shared.ldap.model.name.Dn;
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+
+/**
+ * Test of the {@link CachedLDAPAuthorizationMap} that tests against a basic OpenLDAP instance.
+ * Disabled by default because it requires external setup to provide the OpenLDAP instance.
+ * 
+ * To enable, you need an OpenLDAP with a minimum of the following in the slapd.conf file: 
+ * 
+ * suffix   "dc=apache,dc=org"
+ * rootdn   "cn=Manager,dc=apache,dc=org"
+ * rootpw   {SSHA}+Rx8kj98q3FlK5rUkT2hAtMP5v2ImQ82
+ * 
+ * If you wish to use different settings or don't use the default port, change the constants 
+ * below for your environment.
+ */
+@Ignore
+public class CachedLDAPAuthorizationModuleLegacyOpenLDAPTest extends
+        AbstractCachedLDAPAuthorizationMapLegacyTest {
+    
+    protected static final String LDAP_USER = "cn=Manager,dc=apache,dc=org";
+    protected static final String LDAP_PASS = "password";
+    protected static final String LDAP_HOST = "localhost";
+    protected static final int LDAP_PORT = 389;
+    
+    @Before
+    @Override
+    public void setup() throws Exception {
+        
+        super.setup();
+        
+        cleanAndLoad("dc=apache,dc=org", "org/apache/activemq/security/activemq-openldap-legacy.ldif",
+                LDAP_HOST, LDAP_PORT, LDAP_USER, LDAP_PASS, map.open());
+    }
+    
+    @Test
+    public void testRenameDestination() throws Exception {
+        // Subtree rename not implemented by OpenLDAP.
+    }
+    
+    protected CachedLDAPAuthorizationMap createMap() {
+        CachedLDAPAuthorizationMap newMap = super.createMap();
+        newMap.setConnectionURL("ldap://" + LDAP_HOST + ":" + String.valueOf(LDAP_PORT));
+        newMap.setConnectionUsername(LDAP_USER);
+        newMap.setConnectionPassword(LDAP_PASS);
+        // Persistent search is not supported in OpenLDAP
+        newMap.setRefreshInterval(10);
+        newMap.setQueueSearchBase("ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org");
+        newMap.setTopicSearchBase("ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org");
+        newMap.setTempSearchBase("ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org");
+        return newMap;
+    }
+    
+    protected InputStream getAddLdif() {
+        return getClass().getClassLoader().getResourceAsStream("org/apache/activemq/security/activemq-openldap-legacy-add.ldif");
+    }
+    
+    protected InputStream getRemoveLdif() {
+        return getClass().getClassLoader().getResourceAsStream("org/apache/activemq/security/activemq-openldap-legacy-delete.ldif");
+    }
+    
+    protected String getQueueBaseDn() {
+        return "ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org";
+    }
+    
+    protected LdapConnection getLdapConnection() throws LdapException, IOException {
+        LdapConnection connection = new LdapNetworkConnection(LDAP_HOST, LDAP_PORT);
+        connection.bind(new Dn(LDAP_USER), LDAP_PASS);
+        return connection;
+    }
+}

activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPAuthorizationModuleLegacyTest.java

@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.LdapNetworkConnection;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifFiles;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.shared.ldap.model.exception.LdapException;
+import org.apache.directory.shared.ldap.model.name.Dn;
+import org.junit.runner.RunWith;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+
+@RunWith( FrameworkRunner.class )
+@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")})
+@ApplyLdifFiles(
+        "org/apache/activemq/security/activemq-apacheds-legacy.ldif"
+)
+public class CachedLDAPAuthorizationModuleLegacyTest extends AbstractCachedLDAPAuthorizationMapLegacyTest {
+
+    @Override
+    protected CachedLDAPAuthorizationMap createMap() {
+        CachedLDAPAuthorizationMap map = super.createMap();
+        map.setConnectionURL("ldap://localhost:" + getLdapServer().getPort());
+        return map;
+    }
+    
+    protected InputStream getAddLdif() {
+        return getClass().getClassLoader().getResourceAsStream("org/apache/activemq/security/activemq-apacheds-legacy-add.ldif");
+    }
+    
+    protected InputStream getRemoveLdif() {
+        return getClass().getClassLoader().getResourceAsStream("org/apache/activemq/security/activemq-apacheds-legacy-delete.ldif");
+    }
+    
+    protected String getQueueBaseDn() {
+        return "ou=Queue,ou=Destination,ou=ActiveMQ,ou=system";
+    }
+    
+    protected LdapConnection getLdapConnection() throws LdapException, IOException {
+        LdapConnection connection = new LdapNetworkConnection("localhost", getLdapServer().getPort());
+        connection.bind(new Dn("uid=admin,ou=system"), "secret");
+        return connection;
+    }
+}
+

activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPAuthorizationModuleOpenLDAPTest.java

@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.LdapNetworkConnection;
+import org.apache.directory.shared.ldap.model.exception.LdapException;
+import org.apache.directory.shared.ldap.model.name.Dn;
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+/**
+ * Test of the {@link CachedLDAPAuthorizationMap} that tests against a basic OpenLDAP instance.
+ * Disabled by default because it requires external setup to provide the OpenLDAP instance.
+ * 
+ * To enable, you need an OpenLDAP with a minimum of the following in the slapd.conf file: 
+ * 
+ * suffix   "dc=apache,dc=org"
+ * rootdn   "cn=Manager,dc=apache,dc=org"
+ * rootpw   {SSHA}+Rx8kj98q3FlK5rUkT2hAtMP5v2ImQ82
+ * 
+ * If you wish to use different settings or don't use the default port, change the constants 
+ * below for your environment.
+ */
+@Ignore
+public class CachedLDAPAuthorizationModuleOpenLDAPTest extends AbstractCachedLDAPAuthorizationModuleTest {
+
+    protected static final String LDAP_USER = "cn=Manager,dc=apache,dc=org";
+    protected static final String LDAP_PASS = "password";
+    protected static final String LDAP_HOST = "localhost";
+    protected static final int LDAP_PORT = 389;
+    
+    @Before
+    @Override
+    public void setup() throws Exception {
+        
+        super.setup();
+        
+        cleanAndLoad("dc=apache,dc=org", "org/apache/activemq/security/activemq-openldap.ldif",
+                LDAP_HOST, LDAP_PORT, LDAP_USER, LDAP_PASS, map.open());
+    }
+    
+    @Test
+    public void testRenameDestination() throws Exception {
+        // Subtree rename not implemented by OpenLDAP.
+    }
+    
+    @Override
+    protected CachedLDAPAuthorizationMap createMap() {
+        CachedLDAPAuthorizationMap newMap = super.createMap();
+        newMap.setConnectionURL("ldap://" + LDAP_HOST + ":" + String.valueOf(LDAP_PORT));
+        newMap.setConnectionUsername(LDAP_USER);
+        newMap.setConnectionPassword(LDAP_PASS);
+        // Persistent search is not supported in OpenLDAP
+        newMap.setRefreshInterval(10);
+        newMap.setQueueSearchBase("ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org");
+        newMap.setTopicSearchBase("ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org");
+        newMap.setTempSearchBase("ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org");
+        return newMap;
+    }
+    
+    @Override
+    protected InputStream getAddLdif() {
+        return getClass().getClassLoader().getResourceAsStream("org/apache/activemq/security/activemq-openldap-add.ldif");
+    }
+    
+    @Override
+    protected InputStream getRemoveLdif() {
+        return getClass().getClassLoader().getResourceAsStream("org/apache/activemq/security/activemq-openldap-delete.ldif");
+    }
+    
+    @Override
+    protected String getMemberAttributeValueForModifyRequest() {
+        return "cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org";
+    }
+    
+    @Override
+    protected String getQueueBaseDn() {
+        return "ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org";
+    }
+    
+    @Override
+    protected LdapConnection getLdapConnection() throws LdapException, IOException {
+        LdapConnection connection = new LdapNetworkConnection(LDAP_HOST, LDAP_PORT);
+        connection.bind(new Dn(LDAP_USER), LDAP_PASS);
+        return connection;
+    }
+}

activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPAuthorizationModuleTest.java

@@ -16,34 +16,16 @@
  */
 package org.apache.activemq.security;
 
-import org.apache.activemq.command.ActiveMQQueue;
-import org.apache.activemq.command.ActiveMQTopic;
-import org.apache.activemq.jaas.GroupPrincipal;
 import org.apache.directory.ldap.client.api.LdapConnection;
-import org.apache.directory.ldap.client.api.message.BindResponse;
-import org.apache.directory.ldap.client.api.message.ModifyDnResponse;
-import org.apache.directory.ldap.client.api.message.ModifyRequest;
+import org.apache.directory.ldap.client.api.LdapNetworkConnection;
 import org.apache.directory.server.annotations.CreateLdapServer;
 import org.apache.directory.server.annotations.CreateTransport;
 import org.apache.directory.server.core.annotations.ApplyLdifFiles;
-import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
 import org.apache.directory.server.core.integ.FrameworkRunner;
-import org.apache.directory.shared.ldap.ldif.LdifEntry;
-import org.apache.directory.shared.ldap.ldif.LdifReader;
-import org.apache.directory.shared.ldap.message.ResultCodeEnum;
-import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.name.RDN;
-import org.junit.Test;
+import org.apache.directory.shared.ldap.model.name.Dn;
 import org.junit.runner.RunWith;
 
-import java.util.List;
-import java.util.Set;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertNotNull;
-
-
+import java.io.InputStream;
 
 
 @RunWith( FrameworkRunner.class )
@@ -51,184 +33,39 @@ import static org.junit.Assert.assertNotNull;
 @ApplyLdifFiles(
         "org/apache/activemq/security/activemq-apacheds.ldif"
 )
-public class CachedLDAPAuthorizationModuleTest extends AbstractLdapTestUnit {
+public class CachedLDAPAuthorizationModuleTest extends AbstractCachedLDAPAuthorizationModuleTest {
 
-    static final GroupPrincipal GUESTS = new GroupPrincipal("guests");
-    static final GroupPrincipal USERS = new GroupPrincipal("users");
-    static final GroupPrincipal ADMINS = new GroupPrincipal("admins");
-
-    @Test
-    public void testQuery() throws Exception {
-        CachedLDAPAuthorizationMap map = new CachedLDAPAuthorizationMap();
-        map.query();
-        Set readACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
-        assertEquals("set size: " + readACLs, 2, readACLs.size());
-        assertTrue("Contains admin group", readACLs.contains(ADMINS));
-        assertTrue("Contains users group", readACLs.contains(USERS));
-
-        Set failedACLs = map.getReadACLs(new ActiveMQQueue("FAILED"));
-        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+    @Override
+    protected CachedLDAPAuthorizationMap createMap() {
+        CachedLDAPAuthorizationMap map = super.createMap();
+        map.setConnectionURL("ldap://localhost:" + getLdapServer().getPort());
+        return map;
     }
     
-
-    @Test
-    public void testWildcards() throws Exception {
-        CachedLDAPAuthorizationMap map1 = new CachedLDAPAuthorizationMap();
-        map1.query();
-        Set fooACLs = map1.getReadACLs(new ActiveMQQueue("FOO.1"));
-        assertEquals("set size: " + fooACLs, 2, fooACLs.size());
-        assertTrue("Contains admin group", fooACLs.contains(ADMINS));
-        assertTrue("Contains users group", fooACLs.contains(USERS));
-
-        CachedLDAPAuthorizationMap map2 = new CachedLDAPAuthorizationMap();
-        map2.query();
-        Set barACLs = map2.getReadACLs(new ActiveMQQueue("BAR.2"));
-        assertEquals("set size: " + barACLs, 2, barACLs.size());
-        assertTrue("Contains admin group", barACLs.contains(ADMINS));
-        assertTrue("Contains users group", barACLs.contains(USERS));
+    @Override
+    protected InputStream getAddLdif() {
+        return getClass().getClassLoader().getResourceAsStream("org/apache/activemq/security/activemq-apacheds-add.ldif");
     }
 
-    @Test
-    public void testAdvisory() throws Exception {
-        CachedLDAPAuthorizationMap map = new CachedLDAPAuthorizationMap();
-        map.query();
-        Set readACLs = map.getReadACLs(new ActiveMQTopic("ActiveMQ.Advisory.Connection"));
-        assertEquals("set size: " + readACLs, 2, readACLs.size());
-        assertTrue("Contains admin group", readACLs.contains(ADMINS));
-        assertTrue("Contains users group", readACLs.contains(USERS));
+    @Override
+    protected InputStream getRemoveLdif() {
+        return getClass().getClassLoader().getResourceAsStream("org/apache/activemq/security/activemq-apacheds-delete.ldif");
     }
 
-    @Test
-    public void testTemporary() throws Exception {
-        CachedLDAPAuthorizationMap map = new CachedLDAPAuthorizationMap();
-        map.query();
-        Thread.sleep(1000);
-        Set readACLs = map.getTempDestinationReadACLs();
-        assertEquals("set size: " + readACLs, 2, readACLs.size());
-        assertTrue("Contains admin group", readACLs.contains(ADMINS));
-        assertTrue("Contains users group", readACLs.contains(USERS));
+    @Override
+    protected String getMemberAttributeValueForModifyRequest() {
+        return "cn=users,ou=Group,ou=ActiveMQ,ou=system";
     }
 
-    @Test
-    public void testAdd() throws Exception {
-        CachedLDAPAuthorizationMap map = new CachedLDAPAuthorizationMap();
-        map.query();
-
-        Set failedACLs = map.getReadACLs(new ActiveMQQueue("FAILED"));
-        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
-
-        LdapConnection connection = new LdapConnection( "localhost", 1024 );
-        BindResponse bindResponse = connection.bind("uid=admin,ou=system", "secret");
-        assertNotNull(bindResponse);
-        assertEquals(ResultCodeEnum.SUCCESS, bindResponse.getLdapResult().getResultCode());
-        assertTrue(connection.isAuthenticated());
-
-
-        LdifReader reader = new LdifReader(getClass().getClassLoader().getResourceAsStream("org/apache/activemq/security/add.ldif"));
-
-        List<LdifEntry> entries = service.getTestEntries();
-        for (LdifEntry entry : reader) {
-            connection.add(entry.getEntry());
-
-        }
-
-        Thread.sleep(2000);
-
-        failedACLs = map.getReadACLs(new ActiveMQQueue("FAILED"));
-        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
-
-        connection.close();
-
-
-    }
-
-    @Test
-    public void testRemove() throws Exception {
-        CachedLDAPAuthorizationMap map = new CachedLDAPAuthorizationMap();
-        map.query();
-
-        Set failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
-        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
-
-        LdapConnection connection = new LdapConnection( "localhost", 1024 );
-        BindResponse bindResponse = connection.bind("uid=admin,ou=system", "secret");
-        assertNotNull(bindResponse);
-        assertEquals(ResultCodeEnum.SUCCESS, bindResponse.getLdapResult().getResultCode());
-        assertTrue(connection.isAuthenticated());
-
-
-        LdifReader reader = new LdifReader(getClass().getClassLoader().getResourceAsStream("org/apache/activemq/security/delete.ldif"));
-
-        List<LdifEntry> entries = service.getTestEntries();
-        for (LdifEntry entry : reader) {
-            connection.delete(entry.getDn());
-        }
-
-        Thread.sleep(2000);
-
-        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
-        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
-
-        connection.close();
-    }
-
-    @Test
-    public void testRename() throws Exception {
-        CachedLDAPAuthorizationMap map = new CachedLDAPAuthorizationMap();
-        map.query();
-
-        Set failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
-        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
-
-        LdapConnection connection = new LdapConnection( "localhost", 1024 );
-        BindResponse bindResponse = connection.bind("uid=admin,ou=system", "secret");
-        assertNotNull(bindResponse);
-        assertEquals(ResultCodeEnum.SUCCESS, bindResponse.getLdapResult().getResultCode());
-        assertTrue(connection.isAuthenticated());
-
-        ModifyDnResponse resp = connection.rename(new DN("cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"),
-                new RDN("cn=TEST.BAR"));
-
-        Thread.sleep(2000);
-
-        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
-        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
-
-
-        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.BAR"));
-        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
-
-        connection.close();
-    }
-
-    @Test
-    public void testChange() throws Exception {
-        CachedLDAPAuthorizationMap map = new CachedLDAPAuthorizationMap();
-        map.query();
-
-        Set failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
-        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
-
-        LdapConnection connection = new LdapConnection( "localhost", 1024 );
-        BindResponse bindResponse = connection.bind("uid=admin,ou=system", "secret");
-        assertNotNull(bindResponse);
-        assertEquals(ResultCodeEnum.SUCCESS, bindResponse.getLdapResult().getResultCode());
-        assertTrue(connection.isAuthenticated());
-
-        DN dn = new DN("cn=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system");
-
-        ModifyRequest request = new ModifyRequest(dn);
-        request.remove("member", "cn=users");
-
-        connection.modify(request);
-
-        Thread.sleep(2000);
-
-        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
-        assertEquals("set size: " + failedACLs, 1, failedACLs.size());
-
-        connection.close();
+    protected String getQueueBaseDn() {
+        return "ou=Queue,ou=Destination,ou=ActiveMQ,ou=system";
     }
 
+    @Override
+    protected LdapConnection getLdapConnection() throws Exception {
+        LdapConnection connection = new LdapNetworkConnection("localhost", getLdapServer().getPort());
+        connection.bind(new Dn("uid=admin,ou=system"), "secret");
+        return connection;
+    }    
 }
 

activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPSecurityLegacyTest.java

@@ -0,0 +1,131 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.ActiveMQConnectionFactory;
+import org.apache.activemq.broker.BrokerFactory;
+import org.apache.activemq.broker.BrokerService;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifFiles;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.ldap.LdapServer;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import javax.jms.*;
+
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.fail;
+
+
+@RunWith( FrameworkRunner.class )
+@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")})
+@ApplyLdifFiles(
+        "org/apache/activemq/security/activemq-apacheds-legacy.ldif"
+)
+public class CachedLDAPSecurityLegacyTest extends AbstractLdapTestUnit {
+
+    public BrokerService broker;
+
+    public static LdapServer ldapServer;
+
+    @Before
+    public void setup() throws Exception {
+        System.setProperty("ldapPort", String.valueOf(getLdapServer().getPort()));
+        
+        broker = BrokerFactory.createBroker("xbean:org/apache/activemq/security/activemq-apacheds-legacy.xml");
+        broker.start();
+        broker.waitUntilStarted();
+    }
+
+    @After
+    public void shutdown() throws Exception {
+        broker.stop();
+        broker.waitUntilStopped();
+    }
+
+    @Test
+    public void testSendReceive() throws Exception {
+        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("vm://localhost");
+        Connection conn = factory.createQueueConnection("jdoe", "sunflower");
+        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        conn.start();
+        Queue queue = sess.createQueue("TEST.FOO");
+
+        MessageProducer producer = sess.createProducer(queue);
+        MessageConsumer consumer = sess.createConsumer(queue);
+
+        producer.send(sess.createTextMessage("test"));
+        Message msg = consumer.receive(1000);
+        assertNotNull(msg);
+    }
+
+    @Test
+    public void testSendDenied() throws Exception {
+        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("vm://localhost");
+        Connection conn = factory.createQueueConnection("jdoe", "sunflower");
+        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        conn.start();
+        Queue queue = sess.createQueue("ADMIN.FOO");
+
+        MessageProducer producer = sess.createProducer(queue);
+        try {
+            producer.send(sess.createTextMessage("test"));
+            fail("expect auth exception");
+        } catch (JMSException expected) {
+        }
+    }
+
+    @Test
+    public void testCompositeSendDenied() throws Exception {
+        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("vm://localhost");
+        Connection conn = factory.createQueueConnection("jdoe", "sunflower");
+        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        conn.start();
+        Queue queue = sess.createQueue("TEST.FOO,ADMIN.FOO");
+
+        MessageProducer producer = sess.createProducer(queue);
+        try {
+            producer.send(sess.createTextMessage("test"));
+            fail("expect auth exception");
+        } catch (JMSException expected) {
+        }
+    }
+
+    @Test
+    public void testTempDestinations() throws Exception {
+        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("vm://localhost");
+        Connection conn = factory.createQueueConnection("jdoe", "sunflower");
+        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        conn.start();
+        Queue queue = sess.createTemporaryQueue();
+
+        MessageProducer producer = sess.createProducer(queue);
+        MessageConsumer consumer = sess.createConsumer(queue);
+
+        producer.send(sess.createTextMessage("test"));
+        Message msg = consumer.receive(1000);
+        assertNotNull(msg);
+    }
+
+}
+
+

activemq-core/src/test/java/org/apache/activemq/security/CachedLDAPSecurityTest.java

@@ -16,115 +16,30 @@
  */
 package org.apache.activemq.security;
 
-import org.apache.activemq.ActiveMQConnectionFactory;
 import org.apache.activemq.broker.BrokerFactory;
-import org.apache.activemq.broker.BrokerService;
 import org.apache.directory.server.annotations.CreateLdapServer;
 import org.apache.directory.server.annotations.CreateTransport;
 import org.apache.directory.server.core.annotations.ApplyLdifFiles;
-import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
 import org.apache.directory.server.core.integ.FrameworkRunner;
-import org.apache.directory.server.ldap.LdapServer;
-import org.junit.After;
 import org.junit.Before;
-import org.junit.Test;
 import org.junit.runner.RunWith;
 
-import javax.jms.*;
-
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.fail;
-
-
 @RunWith( FrameworkRunner.class )
 @CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")})
 @ApplyLdifFiles(
         "org/apache/activemq/security/activemq-apacheds.ldif"
 )
-public class CachedLDAPSecurityTest extends AbstractLdapTestUnit {
-
-    public BrokerService broker;
-
-    public static LdapServer ldapServer;
+public class CachedLDAPSecurityTest extends CachedLDAPSecurityLegacyTest {
 
     @Before
+    @Override
     public void setup() throws Exception {
+        System.setProperty("ldapPort", String.valueOf(getLdapServer().getPort()));
+        
         broker = BrokerFactory.createBroker("xbean:org/apache/activemq/security/activemq-apacheds.xml");
         broker.start();
         broker.waitUntilStarted();
-       //System.in.read();
-    }
-
-    @After
-    public void shutdown() throws Exception {
-        broker.stop();
-        broker.waitUntilStopped();
-    }
-
-    @Test
-    public void testSendReceive() throws Exception {
-        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
-        Connection conn = factory.createQueueConnection("jdoe", "sunflower");
-        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
-        conn.start();
-        Queue queue = sess.createQueue("TEST.FOO");
-
-        MessageProducer producer = sess.createProducer(queue);
-        MessageConsumer consumer = sess.createConsumer(queue);
-
-        producer.send(sess.createTextMessage("test"));
-        Message msg = consumer.receive(1000);
-        assertNotNull(msg);
-    }
-
-    @Test
-    public void testSendDenied() throws Exception {
-        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
-        Connection conn = factory.createQueueConnection("jdoe", "sunflower");
-        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
-        conn.start();
-        Queue queue = sess.createQueue("ADMIN.FOO");
-
-        MessageProducer producer = sess.createProducer(queue);
-        try {
-            producer.send(sess.createTextMessage("test"));
-            fail("expect auth exception");
-        } catch (JMSException expected) {
     }
 }
 
-    @Test
-    public void testCompositeSendDenied() throws Exception {
-        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
-        Connection conn = factory.createQueueConnection("jdoe", "sunflower");
-        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
-        conn.start();
-        Queue queue = sess.createQueue("TEST.FOO,ADMIN.FOO");
-
-        MessageProducer producer = sess.createProducer(queue);
-        try {
-            producer.send(sess.createTextMessage("test"));
-            fail("expect auth exception");
-        } catch (JMSException expected) {
-        }
-    }
-
-    @Test
-    public void testTempDestinations() throws Exception {
-        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
-        Connection conn = factory.createQueueConnection("jdoe", "sunflower");
-        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
-        conn.start();
-        Queue queue = sess.createTemporaryQueue();
-
-        MessageProducer producer = sess.createProducer(queue);
-        MessageConsumer consumer = sess.createConsumer(queue);
-
-        producer.send(sess.createTextMessage("test"));
-        Message msg = consumer.receive(1000);
-        assertNotNull(msg);
-    }
-
-}
-
 

activemq-core/src/test/java/org/apache/activemq/security/LDAPAuthorizationMapTest.java

@@ -65,7 +65,7 @@ public class LDAPAuthorizationMapTest extends AbstractLdapTestUnit {
     @Before
     public void setup() throws Exception {
         authMap = new LDAPAuthorizationMap();
-        authMap.setConnectionURL("ldap://localhost:1024");
+        authMap.setConnectionURL("ldap://localhost:" + getLdapServer().getPort());
         authMap.setTopicSearchMatchingFormat(new MessageFormat("uid={0},ou=topics,ou=destinations,o=ActiveMQ,ou=system"));
         authMap.setQueueSearchMatchingFormat(new MessageFormat("uid={0},ou=queues,ou=destinations,o=ActiveMQ,ou=system"));
         authMap.setAdvisorySearchBase("uid=ActiveMQ.Advisory,ou=topics,ou=destinations,o=ActiveMQ,ou=system");

activemq-core/src/test/java/org/apache/activemq/security/LDAPSecurityTest.java

@@ -50,6 +50,8 @@ public class LDAPSecurityTest extends AbstractLdapTestUnit {
 
     @Before
     public void setup() throws Exception {
+        System.setProperty("ldapPort", String.valueOf(getLdapServer().getPort()));
+        
         broker = BrokerFactory.createBroker("xbean:org/apache/activemq/security/activemq-ldap.xml");
         broker.start();
         broker.waitUntilStarted();

activemq-core/src/test/resources/org/apache/activemq/security/activemq-apacheds-add.ldif

@@ -0,0 +1,47 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+
+## FAILED
+
+dn: cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: FAILED
+description: New queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: cn=admin,cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=read,cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system

activemq-core/src/test/resources/org/apache/activemq/security/activemq-apacheds-delete.ldif

@@ -0,0 +1,40 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+dn: cn=admin,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+ 
+
+dn: cn=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: cn=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: cn=read,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: cn=write,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: cn=admin,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+

activemq-core/src/test/resources/org/apache/activemq/security/activemq-apacheds-legacy-delete.ldif

@@ -15,9 +15,6 @@
 ## limitations under the License.
 ## ---------------------------------------------------------------------------
 
-dn: cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
-changetype: delete
-
 dn: cn=admin,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
 changetype: delete
 
@@ -26,3 +23,16 @@ changetype: delete
 
 dn: cn=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
 changetype: delete
+
+dn: cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: cn=read,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: cn=write,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: cn=admin,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+

activemq-core/src/test/resources/org/apache/activemq/security/activemq-apacheds-legacy.ldif

@@ -0,0 +1,264 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+
+##########################
+## Define basic objects ##
+##########################
+
+dn: ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: ActiveMQ
+
+dn: ou=Services,ou=system
+ou: Services
+objectClass: organizationalUnit
+objectClass: top
+
+dn: cn=mqbroker,ou=Services,ou=system
+cn: mqbroker
+objectClass: organizationalRole
+objectClass: top
+objectClass: simpleSecurityObject
+userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
+description: Bind user for MQ broker
+
+
+###################
+## Define groups ##
+###################
+
+
+dn: ou=Group,ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: Group
+
+dn: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+cn: admins
+member: uid=admin
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=users,ou=Group,ou=ActiveMQ,ou=system
+cn: users
+member: uid=jdoe
+objectClass: groupOfNames
+objectClass: top
+
+
+##################
+## Define users ##
+##################
+
+
+dn: ou=User,ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: User
+
+dn: uid=admin,ou=User,ou=ActiveMQ,ou=system
+uid: admin
+userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
+objectClass: account
+objectClass: simpleSecurityObject
+objectClass: top
+
+
+dn: uid=jdoe,ou=User,ou=ActiveMQ,ou=system
+uid: jdoe
+userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
+objectclass: inetOrgPerson
+objectclass: organizationalPerson
+objectclass: person
+objectclass: top
+cn: Jane Doe
+sn: Doe
+
+
+#########################
+## Define destinations ##
+#########################
+
+dn: ou=Destination,ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: Destination
+
+dn: ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: Topic
+
+dn: ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: Queue
+
+## TEST.FOO
+
+dn: cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: TEST.FOO
+description: A queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: cn=admin,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=users
+member: cn=admins
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users
+member: cn=admins
+
+
+## FOO.>
+
+dn: cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: FOO.$
+description: A queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: cn=admin,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=read,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=users
+member: cn=admins
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users
+member: cn=admins
+
+
+## BAR.*
+
+dn: cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: BAR.*
+description: A queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: cn=admin,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=read,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=users
+member: cn=admins
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users
+member: cn=admins
+
+#######################
+## Define advisories ##
+#######################
+
+dn: cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
+cn: ActiveMQ.Advisory.$
+objectClass: applicationProcess
+objectClass: top
+description: Advisory topics
+
+dn: cn=read,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=admin,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+######################
+## Define temporary ##
+######################
+
+dn: ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: Temp
+
+dn: cn=read,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=admin,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top

activemq-core/src/test/resources/org/apache/activemq/security/activemq-apacheds-legacy.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<!-- START SNIPPET: xbean -->
+<beans
+  xmlns="http://www.springframework.org/schema/beans"
+  xmlns:amq="http://activemq.apache.org/schema/core"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+
+  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+  <broker useJmx="false"  xmlns="http://activemq.apache.org/schema/core" persistent="false">
+
+      <plugins>
+		<simpleAuthenticationPlugin>
+			<users>
+				<authenticationUser username="jdoe" password="sunflower"
+					groups="users"/>
+				<authenticationUser username="admin" password="sunflower"
+					groups="admin"/>
+			</users>
+		</simpleAuthenticationPlugin>
+
+          <authorizationPlugin>
+              <map>
+                <cachedLDAPAuthorizationMap connectionURL="ldap://localhost:${ldapPort}"/>
+              </map>
+          </authorizationPlugin>
+      </plugins>
+  </broker>
+
+</beans>
+<!-- END SNIPPET: xbean -->

activemq-core/src/test/resources/org/apache/activemq/security/activemq-apacheds.ldif

@@ -20,12 +20,6 @@
 ## Define basic objects ##
 ##########################
 
-# Uncomment if adding to open ldap
-# dn: ou=system
-# objectclass: organizationalUnit
-# objectclass: top
-# ou: system
-
 dn: ou=ActiveMQ,ou=system
 objectClass: organizationalUnit
 objectClass: top
@@ -57,13 +51,13 @@ ou: Group
 
 dn: cn=admins,ou=Group,ou=ActiveMQ,ou=system
 cn: admins
-member: uid=admin
+member: uid=admin,ou=User,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=users,ou=Group,ou=ActiveMQ,ou=system
 cn: users
-member: uid=jdoe
+member: uid=jdoe,ou=User,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
@@ -127,15 +121,15 @@ objectClass: top
 dn: cn=admin,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
 cn: admin
 description: Admin privilege group, members are roles
-member: cn=admins
-member: cn=users
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
 cn: read
-member: cn=users
-member: cn=admins
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
@@ -143,9 +137,41 @@ dn: cn=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
 cn: write
 objectClass: groupOfNames
 objectClass: top
-member: cn=users
-member: cn=admins
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
 
+## TEST.FOOBAR
+
+dn: cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: TEST.BAR
+description: A queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: cn=admin,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=read,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: uid=jdoe,ou=User,ou=ActiveMQ,ou=system
+member: cn=notthere,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: uid=jdoe,ou=User,ou=ActiveMQ,ou=system
 
 ## FOO.>
 
@@ -158,15 +184,15 @@ objectClass: top
 dn: cn=admin,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
 cn: admin
 description: Admin privilege group, members are roles
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=read,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
 cn: read
-member: cn=users
-member: cn=admins
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
@@ -174,9 +200,8 @@ dn: cn=write,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
 cn: write
 objectClass: groupOfNames
 objectClass: top
-member: cn=users
-member: cn=admins
-
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
 
 ## BAR.*
 
@@ -189,15 +214,15 @@ objectClass: top
 dn: cn=admin,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
 cn: admin
 description: Admin privilege group, members are roles
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=read,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
 cn: read
-member: cn=users
-member: cn=admins
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
@@ -205,8 +230,8 @@ dn: cn=write,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
 cn: write
 objectClass: groupOfNames
 objectClass: top
-member: cn=users
-member: cn=admins
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
 
 #######################
 ## Define advisories ##
@@ -220,22 +245,22 @@ description: Advisory topics
 
 dn: cn=read,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
 cn: read
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=write,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
 cn: write
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=admin,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
 cn: admin
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
@@ -250,21 +275,21 @@ ou: Temp
 
 dn: cn=read,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
 cn: read
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=write,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
 cn: write
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=admin,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
 cn: admin
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
 objectClass: groupOfNames
 objectClass: top

activemq-core/src/test/resources/org/apache/activemq/security/activemq-apacheds.xml

@@ -39,16 +39,10 @@
 
           <authorizationPlugin>
               <map>
-                    <cachedLDAPAuthorizationMap/>
+                <cachedLDAPAuthorizationMap legacyGroupMapping="false" connectionURL="ldap://localhost:${ldapPort}"/>
               </map>
           </authorizationPlugin>
       </plugins>
-
-
-    <transportConnectors>
-      <transportConnector uri="tcp://localhost:61616"/>
-    </transportConnectors>
-
   </broker>
 
 </beans>

activemq-core/src/test/resources/org/apache/activemq/security/activemq-ldap.xml

@@ -46,7 +46,7 @@
                   <bean id="lDAPAuthorizationMap" class="org.apache.activemq.security.LDAPAuthorizationMap"
                         xmlns="http://www.springframework.org/schema/beans">
                       <property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
-                      <property name="connectionURL" value="ldap://localhost:1024"/>
+                      <property name="connectionURL" value="ldap://localhost:${ldapPort}"/>
                       <property name="authentication" value="simple"/>
                       <property name="connectionUsername" value="uid=admin,ou=system"/>
                       <property name="connectionPassword" value="secret"/>

activemq-core/src/test/resources/org/apache/activemq/security/activemq-openldap-add.ldif

@@ -0,0 +1,47 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+
+## FAILED
+
+dn: cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: FAILED
+description: New queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: cn=admin,cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=read,cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: read
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org

activemq-core/src/test/resources/org/apache/activemq/security/activemq-openldap-delete.ldif

@@ -0,0 +1,38 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+dn: cn=admin,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+
+dn: cn=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+
+dn: cn=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+
+dn: cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+
+dn: cn=read,ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+
+dn: cn=write,ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+
+dn: cn=admin,ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+

activemq-core/src/test/resources/org/apache/activemq/security/activemq-openldap-legacy-add.ldif

@@ -0,0 +1,47 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+
+## FAILED
+
+dn: cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: FAILED
+description: New queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: cn=admin,cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=read,cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: read
+member: cn=users
+member: cn=admins
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users
+member: cn=admins

activemq-core/src/test/resources/org/apache/activemq/security/activemq-openldap-legacy-delete.ldif

@@ -0,0 +1,38 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+dn: cn=admin,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+
+dn: cn=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+
+dn: cn=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+
+dn: cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+
+dn: cn=read,ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+
+dn: cn=write,ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+
+dn: cn=admin,ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+changetype: delete
+

activemq-core/src/test/resources/org/apache/activemq/security/activemq-openldap-legacy.ldif

@@ -0,0 +1,281 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+
+##########################
+## Define basic objects ##
+##########################
+
+dn: dc=apache,dc=org
+objectClass: dcObject
+objectClass: organization
+dc: apache
+o: Apache
+
+dn: dc=activemq,dc=apache,dc=org
+objectClass: dcObject
+objectClass: container
+objectClass: top
+cn: activemq
+dc: activemq
+
+dn: ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: ActiveMQ
+
+dn: ou=Services,dc=activemq,dc=apache,dc=org
+ou: Services
+objectClass: organizationalUnit
+objectClass: top
+
+dn: cn=mqbroker,ou=Services,dc=activemq,dc=apache,dc=org
+cn: mqbroker
+objectClass: organizationalRole
+objectClass: top
+objectClass: simpleSecurityObject
+userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
+description: Bind user for MQ broker
+
+
+###################
+## Define groups ##
+###################
+
+
+dn: ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: Group
+
+dn: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: admins
+member: uid=admin
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: users
+member: uid=jdoe
+objectClass: groupOfNames
+objectClass: top
+
+
+##################
+## Define users ##
+##################
+
+
+dn: ou=User,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: User
+
+dn: uid=admin,ou=User,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+uid: admin
+userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
+objectclass: uidObject
+objectclass: organizationalPerson
+objectclass: person
+objectclass: top
+cn: Admin
+sn: Admin
+
+
+dn: uid=jdoe,ou=User,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+uid: jdoe
+userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
+objectclass: uidObject
+objectclass: organizationalPerson
+objectclass: person
+objectclass: top
+cn: Jane Doe
+sn: Doe
+
+
+#########################
+## Define destinations ##
+#########################
+
+dn: ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: Destination
+
+dn: ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: Topic
+
+dn: ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: Queue
+
+## TEST.FOO
+
+dn: cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: TEST.FOO
+description: A queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: cn=admin,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: read
+member: cn=users
+member: cn=admins
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users
+member: cn=admins
+
+
+## FOO.>
+
+dn: cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: FOO.$
+description: A queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: cn=admin,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=read,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: read
+member: cn=users
+member: cn=admins
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users
+member: cn=admins
+
+
+## BAR.*
+
+dn: cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: BAR.*
+description: A queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: cn=admin,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=read,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: read
+member: cn=users
+member: cn=admins
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users
+member: cn=admins
+
+#######################
+## Define advisories ##
+#######################
+
+dn: cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: ActiveMQ.Advisory.$
+objectClass: applicationProcess
+objectClass: top
+description: Advisory topics
+
+dn: cn=read,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: read
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: write
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=admin,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: admin
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+######################
+## Define temporary ##
+######################
+
+dn: ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+objectClass: organizationalUnit
+objectClass: top
+ou: Temp
+
+dn: cn=read,ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: read
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: write
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=admin,ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: admin
+member: cn=admins
+member: cn=users
+objectClass: groupOfNames
+objectClass: top
+

activemq-core/src/test/resources/org/apache/activemq/security/activemq-openldap.ldif

@@ -20,11 +20,18 @@
 ## Define basic objects ##
 ##########################
 
-# Uncomment if adding to open ldap
+dn: dc=apache,dc=org
+objectClass: dcObject
+objectClass: organization
+dc: apache
+o: Apache
+
 dn: dc=activemq,dc=apache,dc=org
-dc: activemq
-objectClass: domain
+objectClass: dcObject
+objectClass: container
 objectClass: top
+cn: activemq
+dc: activemq
 
 dn: ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: organizationalUnit
@@ -81,15 +88,18 @@ ou: User
 dn: uid=admin,ou=User,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 uid: admin
 userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
-objectClass: account
-objectClass: simpleSecurityObject
-objectClass: top
+objectclass: uidObject
+objectclass: organizationalPerson
+objectclass: person
+objectclass: top
+cn: Admin
+sn: Admin
 
 
 dn: uid=jdoe,ou=User,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 uid: jdoe
 userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
-objectclass: inetOrgPerson
+objectclass: uidObject
 objectclass: organizationalPerson
 objectclass: person
 objectclass: top
@@ -127,15 +137,15 @@ objectClass: top
 dn: cn=admin,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 cn: admin
 description: Admin privilege group, members are roles
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 cn: read
-member: cn=users
-member: cn=admins
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: groupOfNames
 objectClass: top
 
@@ -143,9 +153,41 @@ dn: cn=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apac
 cn: write
 objectClass: groupOfNames
 objectClass: top
-member: cn=users
-member: cn=admins
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 
+## TEST.FOOBAR
+
+dn: cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: TEST.BAR
+description: A queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: cn=admin,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=read,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: read
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: uid=jdoe,ou=User,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=notthere,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=write,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: uid=jdoe,ou=User,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 
 ## FOO.>
 
@@ -158,15 +200,15 @@ objectClass: top
 dn: cn=admin,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 cn: admin
 description: Admin privilege group, members are roles
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=read,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 cn: read
-member: cn=users
-member: cn=admins
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: groupOfNames
 objectClass: top
 
@@ -174,9 +216,8 @@ dn: cn=write,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,
 cn: write
 objectClass: groupOfNames
 objectClass: top
-member: cn=users
-member: cn=admins
-
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 
 ## BAR.*
 
@@ -189,15 +230,15 @@ objectClass: top
 dn: cn=admin,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 cn: admin
 description: Admin privilege group, members are roles
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=read,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 cn: read
-member: cn=users
-member: cn=admins
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: groupOfNames
 objectClass: top
 
@@ -205,8 +246,8 @@ dn: cn=write,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,
 cn: write
 objectClass: groupOfNames
 objectClass: top
-member: cn=users
-member: cn=admins
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 
 #######################
 ## Define advisories ##
@@ -220,22 +261,22 @@ description: Advisory topics
 
 dn: cn=read,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 cn: read
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=write,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 cn: write
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=admin,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 cn: admin
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: groupOfNames
 objectClass: top
 
@@ -250,21 +291,22 @@ ou: Temp
 
 dn: cn=read,ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 cn: read
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=write,ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 cn: write
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: groupOfNames
 objectClass: top
 
 dn: cn=admin,ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 cn: admin
-member: cn=admins
-member: cn=users
+member: cn=admins,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
+member: cn=users,ou=Group,ou=ActiveMQ,dc=activemq,dc=apache,dc=org
 objectClass: groupOfNames
 objectClass: top
+

activemq-core/src/test/resources/org/apache/activemq/security/activemq-openldap.xml

@@ -41,11 +41,10 @@
               <map>
                   <cachedLDAPAuthorizationMap
                       connectionURL="ldap://localhost:389"
-                      connectionUsername="cn=admin,dc=activemq,dc=apache,dc=org"
+                      connectionUsername="cn=mqbroker,ou=Services,dc=activemq,dc=apache,dc=org"
                       connectionPassword="sunflower"
                       baseDn="dc=activemq,dc=apache,dc=org"
-                      refreshInterval="300000"
-                   />
+                      refreshInterval="300000" />
               </map>
           </authorizationPlugin>
       </plugins>

pom.xml

@@ -60,7 +60,7 @@
     <commons-pool-version>1.5.6</commons-pool-version>
     <commons-primitives-version>1.0</commons-primitives-version>
     <commons-net-version>2.2</commons-net-version>
-    <directory-version>1.5.7</directory-version>
+    <directory-version>2.0.0-M6</directory-version>
     <fusemq-leveldb-version>1.2</fusemq-leveldb-version>
     <geronimo-version>1.0</geronimo-version>
     <howl-version>0.1.8</howl-version>