We use an administrator user who belongs to the admin group to "import" messages. This admin group:

CN=amq,ou=Groups,dc=cloud,dc=mycompany,dc=ie

is part of all the other groups present in LDAP, and these same groups are used to manage queue permissions.

We noticed that our admin user:

uid=socsec_rwa,ou=People,dc=cloud,dc=mycompany,dc=ie

does not have the required permissions when performing the "import". The admin user must be explicitly listed in the queue permissions. A group inside another group (group nesting) does not work with the AMQ import tool, even though it works correctly through the Hawtio console.

This means there is a group nesting issue, which was not present in 7.12.2.

For instance:

dn:  cn=admin,cn=socsec.$,ou=Queue,oc=Destination,oc=ActiveMQ
uniqueMember: cn=R-socsec-a,ou=Groups,dc=cloud,dc=mycompany,dc=ie
cn: admin
objectClass: top
objectClass: groupOfUniqueNames
...

dn: cn=R-socsec-a,ou=Groups,dc=cloud,dc=mycompany,dc=ie
uniqueMember: CN=amq,ou=Groups,dc=cloud,dc=mycompany,dc=ie
uniqueMember: uid=socsec_rwa,ou=People,dc=cloud,dc=mycompany,dc=ie
cn: R-socsec-a
objectClass: top
objectClass: groupOfUniqueNames
...

The queue starting with "socsec." has given "admin" permission to the group "R-socsec-a". And the group "R-socsec-a" has a nested group "amq" as a member.

In theory, a user belongs to the "amq" group should have "admin" permission on the destination "socsec.$", for instance "socsec.001", since it is a group nesting because the group "amq" is a member of another group "R-socsec-a".

However, this group nesting does not work anymore from 7.12.5.

In order to make it to work, the administrator user has to be explicitly added to the "R-socsec-a" group individually. Please see above sample uniqueMember of "uid=socsec_rwa,ou=People,dc=cloud,dc=mycompany,dc=ie".