
LDAP Authorization Plug-In

Overview

Using the LDAP authorization plug-in, you can configure a broker to retrieve its authorization data from an X.500 directory server.

Configuring the LDAP authorization plug-in

To configure the LDAP authorization plug-in, add the authorizationPlugin element to the list of plug-ins in the broker configuration, as shown in Example 22.

Example 22. LDAP Authorization Plug-In Configuration

<beans ...>
  <broker ...>
    ...
    <plugins>
      ...
      <authorizationPlugin>
        <map>
          <bean id="lDAPAuthorizationMap" class="org.apache.activemq.security.LDAPAuthorizationMap"
                xmlns="http://www.springframework.org/schema/beans">
            <property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <property name="connectionURL" value="ldap://localhost:10389"/>
            <property name="authentication" value="simple"/>
            <property name="connectionUsername" value="uid=admin,ou=system"/>
            <property name="connectionPassword" value="secret"/>
            <property name="connectionProtocol" value=""/>
            <property name="topicSearchMatchingFormat"
                      value="cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
            <property name="topicSearchSubtreeBool" value="true"/>
            <property name="queueSearchMatchingFormat"
                      value="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"/>
            <property name="queueSearchSubtreeBool" value="true"/>
            <property name="advisorySearchBase"
                      value="cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
            <property name="tempSearchBase"
                      value="cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
            <property name="adminBase" value="(cn=admin)"/>
            <property name="adminAttribute" value="member"/>
            <property name="readBase" value="(cn=read)"/>
            <property name="readAttribute" value="member"/>
            <property name="writeBase" value="(cn=write)"/>
            <property name="writeAttribute" value="member"/>
          </bean>
        </map>
      </authorizationPlugin>
    </plugins>
    ...
  </broker>
</beans>

LDAP authorization plug-in properties

The LDAP authorization plug-in supports the following properties:

  • initialContextFactory (mandatory): must always be set to com.sun.jndi.ldap.LdapCtxFactory.

  • connectionURL (mandatory): specifies the location of the directory server using an LDAP URL, ldap://Host:Port. You can optionally qualify this URL by adding a forward slash, /, followed by the DN of a particular node in the directory tree. For example, ldap://ldapserver:10389/ou=system.

  • authentication (mandatory): specifies the authentication method used when binding to the LDAP server. Can take either of the values simple (username and password) or none (anonymous).

    Note: Simple Authentication and Security Layer (SASL) authentication is currently not supported.

  • connectionUsername (optional): the DN of the user that opens the connection to the directory server. For example, uid=admin,ou=system.

    Directory servers generally require clients to present username/password credentials in order to open a connection.

  • connectionPassword (optional): the password that matches the DN from connectionUsername. In the directory server's DIT, the password is normally stored as the userPassword attribute of the corresponding directory entry.

  • connectionProtocol (mandatory): currently, the only supported value is a blank string. In future, this option will allow you to select the Secure Socket Layer (SSL) for the connection to the directory server.

    Note: This option must be set explicitly to an empty string, because it has no default value.

  • topicSearchMatchingFormat (optional): specifies the DN of the node whose children provide the permissions for the current topic. Before being passed to the LDAP search operation, the string value you provide here is subjected to string substitution, as implemented by the java.text.MessageFormat class. Essentially, this means that the special string {0} is substituted by the name of the current topic.

    For example, if this property is set to cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=system and the current topic is TEST.FOO, the DN becomes cn=TEST.FOO,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system.

  • topicSearchSubtreeBool (optional): specifies the search depth for permission entries (admin, read or write entries), relative to the node specified by topicSearchMatchingFormat. This option takes a boolean value, as follows:

    • false (default): try to match one of the child entries of the topicSearchMatchingFormat node (maps to javax.naming.directory.SearchControls.ONELEVEL_SCOPE).

    • true: try to match any entry belonging to the subtree of the topicSearchMatchingFormat node (maps to javax.naming.directory.SearchControls.SUBTREE_SCOPE).

  • queueSearchMatchingFormat (optional): specifies the DN of the node whose children provide the permissions for the current queue. The special string {0} is substituted by the name of the current queue.

    For example, if this property is set to cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system and the current queue is TEST.FOO, the DN becomes cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system.

  • queueSearchSubtreeBool (optional): specifies the search depth for permission entries (admin, read or write entries), relative to the node specified by queueSearchMatchingFormat. This option takes a boolean value, as follows:

    • false (default): try to match one of the child entries of the queueSearchMatchingFormat node (maps to javax.naming.directory.SearchControls.ONELEVEL_SCOPE).

    • true: try to match any entry belonging to the subtree of the queueSearchMatchingFormat node (maps to javax.naming.directory.SearchControls.SUBTREE_SCOPE).

  • advisorySearchBase (optional): specifies the DN of the node whose children provide the permissions for all advisory topics. In this case the DN is a literal value (that is, no string substitution is performed on the property value).

    For example, a typical value of this property is cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system.

  • tempSearchBase (optional): specifies the DN of the node whose children provide the permissions for all temporary queues and topics (apart from advisory topics). In this case the DN is a literal value (that is, no string substitution is performed on the property value).

    For example, a typical value of this property is cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system.

  • adminBase (optional): specifies an LDAP search filter, which is used when looking up the admin permissions for any kind of queue or topic. The search filter attempts to match one of the children (or descendants, if SUBTREE_SCOPE is enabled) of the queue or topic node.

    For example, if this property is set to (cn=admin), it will match any child whose cn attribute is set to admin.

  • adminAttribute (optional): specifies an attribute of the node matched by adminBase, whose value is the DN of a role/group that has admin permissions.

    For example, consider a cn=admin node that is a child of the node cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system, and suppose that the cn=admin node carries member attributes whose values are the DNs of the cn=admins and cn=users groups. If you now set the adminAttribute property to member, the authorization plug-in grants admin privileges over the TEST.FOO queue to the cn=admins group and the cn=users group.

  • readBase (optional): specifies an LDAP search filter, which is used when looking up the read permissions for any kind of queue or topic. The search filter attempts to match one of the children (or descendants, if SUBTREE_SCOPE is enabled) of the queue or topic node.

    For example, if this property is set to (cn=read), it will match any child whose cn attribute is set to read.

  • readAttribute (optional): specifies an attribute of the node matched by readBase, whose value is the DN of a role/group that has read permissions.

  • writeBase (optional): specifies an LDAP search filter, which is used when looking up the write permissions for any kind of queue or topic. The search filter attempts to match one of the children (or descendants, if SUBTREE_SCOPE is enabled) of the queue or topic node.

    For example, if this property is set to (cn=write), it will match any child whose cn attribute is set to write.

  • writeAttribute (optional): specifies an attribute of the node matched by writeBase, whose value is the DN of a role/group that has write permissions.
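The lookup that these properties describe, modelled in Python as an added example (this is not ActiveMQ's own code): the Example 22 properties are applied to a constructed in-memory directory in which the group DNs (cn=admins, cn=users under ou=Group) and the nested cn=write entry are made up to show how the {0} substitution, the search filter and the ONELEVEL/SUBTREE scope combine.

```python
# Added example (not ActiveMQ code): a model of how LDAPAuthorizationMap resolves
# a destination's permissions from the Example 22 properties (textual DN matching only).
ONELEVEL_SCOPE, SUBTREE_SCOPE = 1, 2  # as in javax.naming.directory.SearchControls

CONFIG = {  # the lookup-related properties from Example 22
    "queueSearchMatchingFormat": "cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system",
    "topicSearchMatchingFormat": "cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=system",
    "advisorySearchBase": "cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system",
    "tempSearchBase": "cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system",
    "adminBase": "(cn=admin)", "adminAttribute": "member",
    "readBase": "(cn=read)", "readAttribute": "member",
    "writeBase": "(cn=write)", "writeAttribute": "member",
}
Q = "cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"
ADMINS, USERS = "cn=admins,ou=Group,ou=ActiveMQ,ou=system", "cn=users,ou=Group,ou=ActiveMQ,ou=system"  # constructed
DIRECTORY = {  # constructed sample entries: DN -> attributes
    Q: {"cn": ["TEST.FOO"]},
    "cn=admin," + Q: {"cn": ["admin"], "member": [ADMINS, USERS]},
    "cn=read," + Q: {"cn": ["read"], "member": [USERS]},
    "cn=write,ou=extra," + Q: {"cn": ["write"], "member": [USERS]},  # two levels below Q
}

def parse_filter(expr):
    """Split a simple equality filter such as '(cn=admin)' into (attribute, value)."""
    attr, value = expr.strip("()").split("=", 1)
    return attr, value

def search(base, attr, value, scope):
    """Entries below `base` whose `attr` holds `value`, honouring ONELEVEL/SUBTREE scope."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue
        levels_below = dn[: -len(base) - 1].count(",") + 1  # RDNs between entry and base
        in_scope = scope == SUBTREE_SCOPE or levels_below == 1  # ONELEVEL: direct children only
        if in_scope and value in attrs.get(attr, []):
            hits.append(attrs)
    return hits

def authorized_groups(destination, kind, op, subtree=True):
    """Group DNs granted `op` (admin/read/write) on a queue, topic, advisory or temp destination."""
    if kind in ("advisory", "temp"):
        base = CONFIG[kind + "SearchBase"]  # literal DN: no substitution
    else:  # str.replace stands in for java.text.MessageFormat's {0} substitution
        base = CONFIG[kind + "SearchMatchingFormat"].replace("{0}", destination)
    attr, value = parse_filter(CONFIG[op + "Base"])
    groups = set()
    for entry in search(base, attr, value, SUBTREE_SCOPE if subtree else ONELEVEL_SCOPE):
        groups.update(entry.get(CONFIG[op + "Attribute"], []))
    return groups
```

With the sample directory, write permission on TEST.FOO is only found when queueSearchSubtreeBool is true, because the cn=write entry sits two levels below the queue node.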
