I am at a customer who needs this to be added as a feature... They do not want to have individual queue/topic entries for authorization, which is very inconvenient.
In any case, I am still trying to get past MB-851 & DEV-3028
Instead of modifying the existing LDAP authorization plugin we should create a new one that will basically work the same way as the default authorization module works at the moment. It will load all information from the LDAP at startup and refresh that data at timely intervals (configurable). In this way we would have the best of both worlds:
We could call the new module "cachedLDAPAuthorizationMap" or something similar.
I spoke with Rob about this and the idea is that we should keep this closed source (for now) as an enterprise feature. This all can be discussed further of course.
As for the functionality of the plugin, it implements both pull and push changes (as I discovered in the process of developing it, OpenLdap, which AFAIK the customer is using, does not support the "persistent search" option, so we need to pull for changes).
Attached you can find 4 files that represent the ldif and broker configuration for both ApacheDS (supports push) and OpenLdap (does not). The ApacheDS configuration is used in tests, and if you install it on some other port you should change the connection uri in the xml config (take the openldap xml as an example). The OpenLdap example is done using the server set up according to Susan's description in MB-851.
You can also notice that there is a smaller number of configuration params. You can only set the ldap connection stuff and the baseDn where ActiveMQ entries should be. I think this is the right approach as it eliminates most of the complexity of configuring the plugin.
One note about the ldif format. It is very similar to the one that is used by the current plugin. The only important thing is that the '>' character is replaced with '$' for "any descendant", as some LDAP servers do not support '>' in a dn.
The main parameter that determines whether we use push or pull for updates is "refreshInterval". If it's not set (or set to -1), it means that we will try to use the LDAP server's "persistent search" feature and will expect changes to be pushed to us. If you try this with a server that doesn't support it, you'll see an exception like "Operation not supported" on broker startup and no changes will be pushed.
If you set "refreshInterval" to some meaningful value (in ms), on every authorization request we will check if we need to update our in-memory cache. This should all work fine as well and not impact the performance of the broker.
Also, I needed to add one improvement to the broker core in order for the pull option to work fine, so at the moment you'll need to use either the apache 5.6-SNAPSHOT or 5.5-fuse-SNAPSHOT version of the broker for this to work properly. This improvement can be easily merged into any version we need it in.
To test this all out:
It'd be great if you could test this all out and see if it is fitting customer's requirements.
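As an added illustration (not one of the four attached files), this is how the two update modes described above map onto the broker xml: the element and attribute names are those of the released ActiveMQ cachedLDAPAuthorizationMap, and the connection URLs, credentials and search-base DNs are assumed sample values to be replaced with the ones from the attached ldif.

```xml
<!-- Push variant (ApacheDS, supports persistent search).
     No refreshInterval: the module registers a persistent search at startup
     and relies on the server to push every change to the in-memory cache. -->
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <plugins>
      <authorizationPlugin>
        <map>
          <cachedLDAPAuthorizationMap
              connectionURL="ldap://localhost:10389"
              connectionUsername="uid=admin,ou=system"
              connectionPassword="secret"
              queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"
              topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"
              tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=system"/>
        </map>
      </authorizationPlugin>
    </plugins>
  </broker>
</beans>
```

For OpenLdap, which has no persistent search, the same `<map>` element additionally needs `refreshInterval="30000"` (pull every 30 s on the next authorization request); leaving it out against such a server produces the "Operation not supported" exception at startup and a cache that is never updated, so a permission revoked in LDAP keeps being honoured by the broker until it restarts.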
Documentation is now available at http://activemq.apache.org/cached-ldap-authorization-module.html