Tutorial: Add Authorization Entries

Overview

Before enabling LDAP authorization in the broker, you need to create a suitable tree of entries in the directory server to represent permissions. You need to create the following kinds of entry:

Queue entries

For each queue in your application, you need to create an entry that specifies the admin, read, and write permissions.

Topic entries

For each topic in your application, you need to create an entry that specifies the admin, read, and write permissions.

Advisory topics entry

A single advisory topics entry contains the admin, read, and write permissions that apply to all advisory topics.

Temporary queues entry

A single temporary queues entry contains the admin, read, and write permissions that apply to all temporary queues.

Alternative approach

As an alternative to creating the authorization entries manually, as described here, you could create the entries by importing an LDIF file—for details, see Appendix B.

Steps to add authorization entries

Perform the following steps to add authorization entries to the directory server:

  1. The next few steps describe how to create the ou=Destination, ou=Queue, and ou=Topic nodes.

    Right-click on the ou=ActiveMQ node and select New|New Entry. The New Entry wizard appears.

  2. In the Entry Creation Method pane, select the Create entry from scratch radiobutton. Click Next.

  3. In the Object Classes pane, select organizationalUnit from the list of Available object classes on the left and then click Add to populate the list of Selected object classes. Click Next.

  4. In the Distinguished Name pane, complete the RDN field, putting ou in front and Destination after the equals sign. Click Next and then click Finish.

  5. In a similar manner as described in steps 1 to 4, by right-clicking on the ou=Destination node and invoking the New Entry wizard, create the following organizationalUnit nodes as children of the ou=Destination node:

    ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
    ou=Topic,ou=Destination,ou=ActiveMQ,ou=system

    In the LDAP Browser window, you should now see the following tree:

    Figure 15. DIT after Creating Destination, Queue, and Topic Nodes

    DIT after Creating Destination, Queue, and Topic Nodes

  6. The next few steps describe how to create the cn=TEST.FOO,ou=Queue,ou=Destination, cn=ActiveMQ.Advisory,ou=Topic,ou=Destination, and cn=ActiveMQ.Temp,ou=Topic,ou=Destination nodes.

    Right-click on the ou=Queue node and select New|New Entry. The New Entry wizard appears.

  7. In the Entry Creation Method pane, select the Create entry from scratch radiobutton. Click Next.

  8. In the Object Classes pane, select applicationProcess from the list of Available object classes on the left and then click Add to populate the list of Selected object classes. Click Next.

  9. In the Distinguished Name pane, complete the RDN field, putting cn in front and TEST.FOO after the equals sign. Click Next and then click Finish.

  10. In a similar manner as described in steps 6 to 9, by right-clicking on the ou=Topic node and invoking the New Entry wizard, create the following applicationProcess nodes as children of the ou=Topic node:

    cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
    cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system

    In the LDAP Browser window, you should now see the following tree:

    Figure 16. DIT after Creating Children of Queue and Topic Nodes

    DIT after Creating Children of Queue and Topic Nodes

  11. The next few steps describe how to create nodes that represent admin, read, and write permissions for the queues and topics.

    Right-click on the cn=TEST.FOO node and select New|New Entry. The New Entry wizard appears.

  12. In the Entry Creation Method pane, select the Create entry from scratch radiobutton. Click Next.

  13. In the Object Classes pane, select groupOfNames from the list of Available object classes on the left and then click Add to populate the list of Selected object classes. Click Next.

  14. In the Distinguished Name pane, complete the RDN field, putting cn in front and admin after the equals sign. Click Next.

  15. You are now prompted to provide a value for the mandatory member attribute, through the DN Editor dialog. In the text field, enter the last part of the DN for the admins group, cn=admins. Click OK.

  16. Add another member attribute in the Attributes pane. Right-click inside the list of attributes and select New Attribute. The New Attribute wizard appears.

  17. In the Attribute type field, enter member (if you want to use the drop-down list, you must first uncheck the Hide existing attributes option). Click Finish.

  18. The DN Editor dialog opens. In the text field, enter the last part of the DN for the users group, cn=users. Click OK.

    Figure 17. Attributes of the cn=admin Permission Node

    Attributes of the cn=admin Permission Node

  19. Click Finish, to close the New Entry wizard.

  20. In a similar manner as described in steps 11 to 19, by right-clicking on the cn=TEST.FOO node and invoking the New Entry wizard, create the following groupOfNames nodes as children of the cn=TEST.FOO node:

    cn=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
    cn=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system

    The new cn=read node and the new cn=write node should include both of the members, cn=admins and cn=users.

  21. Copy the cn=admin, cn=read, and cn=write permission nodes and paste them as children of the cn=ActiveMQ.Advisory node, as follows.

    Using a combination of mouse and keyboard, select the three nodes, cn=admin, cn=read, and cn=write, and type Ctrl-C to copy them. Select the cn=ActiveMQ.Advisory node and type Ctrl-V to paste the copied nodes as children.

  22. Similarly, copy the cn=admin, cn=read, and cn=write permission nodes and paste them as children of the cn=ActiveMQ.Temp node.

  23. In the LDAP Browser window, you should now see the following tree:

    Figure 18. DIT after Creating Children of Queue and Topic Nodes

    DIT after Creating Children of Queue and Topic Nodes
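The tree built by hand in the steps above can also be generated and checked as LDIF, which is what the Appendix B import loads. The following script is an added example, not code from the Red Hat or ActiveMQ documentation. It uses only the Python standard library, mirrors the entries created above (the three organizationalUnit nodes, the three applicationProcess destination nodes, and an admin, read, and write groupOfNames under each), and takes the member values exactly as the DN Editor steps enter them, cn=admins and cn=users. The check_tree function is a hypothetical helper: it confirms that every destination has all three permission nodes with at least one member and that each entry appears after its parent, so the file can be loaded top to bottom.

```python
"""Generate and verify the ActiveMQ LDAP authorization tree as LDIF.

Added example; not part of the tutorial. Entry layout follows the steps
above; check_tree is a hypothetical helper written for this example.
"""

BASE = "ou=ActiveMQ,ou=system"
PERMISSIONS = ("admin", "read", "write")
# Member values as typed into the DN Editor in the tutorial (RDN only).
ROLE_MEMBERS = ("cn=admins", "cn=users")
# (container, destination name) pairs created in the steps above.
DESTINATIONS = [
    ("Queue", "TEST.FOO"),
    ("Topic", "ActiveMQ.Advisory"),
    ("Topic", "ActiveMQ.Temp"),
]


def ou_entry(ou, parent):
    """organizationalUnit node, e.g. ou=Destination,ou=ActiveMQ,ou=system."""
    return {"dn": f"ou={ou},{parent}",
            "objectClass": ["top", "organizationalUnit"], "ou": [ou]}


def destination_entry(kind, name):
    """applicationProcess node for one queue or topic."""
    return {"dn": f"cn={name},ou={kind},ou=Destination,{BASE}",
            "objectClass": ["top", "applicationProcess"], "cn": [name]}


def permission_entry(kind, name, perm, members):
    """groupOfNames node holding the roles granted one permission."""
    return {"dn": f"cn={perm},cn={name},ou={kind},ou=Destination,{BASE}",
            "objectClass": ["top", "groupOfNames"], "cn": [perm],
            "member": list(members)}


def build_entries(destinations=DESTINATIONS, members=ROLE_MEMBERS):
    """Entries in load order: parents always precede their children."""
    entries = [ou_entry("Destination", BASE),
               ou_entry("Queue", f"ou=Destination,{BASE}"),
               ou_entry("Topic", f"ou=Destination,{BASE}")]
    for kind, name in destinations:
        entries.append(destination_entry(kind, name))
        for perm in PERMISSIONS:
            entries.append(permission_entry(kind, name, perm, members))
    return entries


def to_ldif(entries):
    """Serialise entries as plain LDIF (no base64 or line folding needed)."""
    blocks = []
    for entry in entries:
        lines = [f"dn: {entry['dn']}"]
        for attr, values in entry.items():
            if attr != "dn":
                lines.extend(f"{attr}: {v}" for v in values)
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def parse_ldif(text):
    """Minimal parser for the LDIF emitted by to_ldif (one record per block)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "dn":
                entry["dn"] = value
            else:
                entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries


def check_tree(entries):
    """Return a list of problems; an empty list means the tree is complete.

    Checks that entries are in loadable order and that every destination
    node has admin, read and write groupOfNames children with members.
    """
    by_dn = {e["dn"]: e for e in entries}
    problems, seen = [], set()
    for entry in entries:
        parent = entry["dn"].split(",", 1)[1]
        if parent != BASE and parent not in seen:
            problems.append(f"{entry['dn']} listed before its parent {parent}")
        seen.add(entry["dn"])
        if "applicationProcess" not in entry.get("objectClass", []):
            continue
        for perm in PERMISSIONS:
            dn = f"cn={perm},{entry['dn']}"
            group = by_dn.get(dn)
            if group is None:
                problems.append(f"missing {dn}")
            elif "groupOfNames" not in group.get("objectClass", []):
                problems.append(f"{dn} is not a groupOfNames")
            elif not group.get("member"):
                problems.append(f"{dn} has no member")
    return problems


if __name__ == "__main__":
    ldif = to_ldif(build_entries())
    print(ldif)
    print("problems:", check_tree(parse_ldif(ldif)) or "none")
```

The printed LDIF can be loaded with Apache Directory Studio's LDIF import or with `ldapmodify -a -f`, bound as the directory administrator. Note what the tutorial tree grants: cn=users gets admin, read, and write on TEST.FOO, on all advisory topics, and on all temporary queues, which is convenient for a walkthrough but broader than a production broker should allow; run check_tree after trimming members so that no destination is accidentally left without a permission node.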
