4.2. Enabling LDAP Authentication
Overview
Red Hat JBoss A-MQ supplies a JAAS login module that enables it to use LDAP to authenticate users. The JBoss A-MQ JAAS LDAP login module is implemented by the
org.apache.karaf.jaas.modules.ldap.LDAPLoginModule
class. It is preloaded in the container, so you do not need to install it's bundle.
Procedure
To enable JBoss A-MQ to use LDAP for user authentication you need to create a JAAS realm that includes the JBoss A-MQ LDAP login module. As shown in Example 4.6, “Red Hat JBoss A-MQ LDAP JAAS Login Module”, this is done by adding a
jaas:module
element to the realm and setting its className
attribute to org.apache.karaf.jaas.modules.ldap.LDAPLoginModule
.
Example 4.6. Red Hat JBoss A-MQ LDAP JAAS Login Module
<jaas:config ... > <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required"> ... </jaas:module> </jaas:config>
You will also need to provide values for the properties described in Table 4.2, “Properties for the Red Hat JBoss A-MQ LDAP Login Module”.
LDAP properties
Table 4.2, “Properties for the Red Hat JBoss A-MQ LDAP Login Module” describes the properties used to configure the Red Hat JBoss A-MQ JAAS LDAP login module.
All of the properties are mandatory except the SSL properties.
Example
Example 4.7, “Configuring a JAAS Realm that Uses LDAP Authentication” defines a JASS realm that uses the LDAP server located at ldap://localhost:10389.
Example 4.7. Configuring a JAAS Realm that Uses LDAP Authentication
<?xml version="1.0" encoding="UTF-8"?> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0" xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"> <jaas:config name="karaf" rank="1"> <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="sufficient"> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory connection.username=uid=admin,ou=system connection.password=secret connection.protocol= connection.url = ldaps://localhost:10636 user.base.dn = ou=users,ou=system user.filter = (uid=%u) user.search.subtree = true role.base.dn = ou=roles,ou=system,dc=fusesource role.filter = (uid=%u) role.name.attribute = cn role.search.subtree = true authentication = simple ssl.protocol=TLSv1 ssl.truststore=truststore ssl.algorithm=PKIX </jaas:module> ... </jaas:config> </blueprint>
Important
You must set
ssl.protocol
to TLSv1
, in order to protect against the Poodle vulnerability (CVE-2014-3566)