8.7. Enable LDAP Authorization in the Broker
Overview
This section explains how to enable LDAP authorization in the broker, so that the broker obtains its authorization data from the directory server.
Compatibility with Apache Karaf principals
To avoid unnecessary duplication of user data, this LDAP authorization example reuses the user and role data already created for the Apache Karaf JAAS authentication plug-in (as described in Section 8.3, “Add User Entries to the Directory Server”). This affects the broker's LDAP authorization plug-in configuration, as follows:
- When you create authorization entries in the LDAP server (as described in Section 8.6, “Add Authorization Entries”), you must specify the full DN of the roles that are being authorized. This enables you to specify roles from any location in the LDAP tree (previously, the LDAP authorization plug-in could read roles only from a fixed location under the
ou=ActiveMQ,ou=system
node). - To enable the use of full DNs when specifying roles, you must set the
legacyGroupMapping
property tofalse
in the LDAP authorization plug-in (the default istrue
). - Because the Apache Karaf roles are a different type than the roles natively supported by the LDAP authorization plug-in, you must also specify the type of the Karaf roles, by setting the
groupClass
property.
Enable broker LDAP authorization in a standalone OSGi container
Perform the following steps to enable broker LDAP authorization in a standalone OSGi container:
- Shut down the JBoss A-MQ container, if it is currently running. In the console window, enter the following command:
JBossA-MQ:karaf@root> shutdown -f
- Add the LDAP authorization plug-in to the broker configuration. Open the broker configuration file,
InstallDir/etc/activemq.xml
, with a text editor and add theauthorizationPlugin
element, as follows:<beans ...> <broker ...> ... <plugins> ... <authorizationPlugin> <map> <cachedLDAPAuthorizationMap connectionURL="ldap://localhost:10389" connectionUsername="uid=admin,ou=system" connectionPassword="secret" queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=system" topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=system" tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=system" refreshInterval="300000" legacyGroupMapping="false" groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal" /> </map> </authorizationPlugin> </plugins> ... </broker> </beans>
- Ensure that the X.500 directory server is running. If necessary, manually restart the X.500 directory server—see Section 8.2, “Set-up a Directory Server and Browser”. If the server is not running, all broker connections will fail.
- Restart the JBoss A-MQ container. Open a new command prompt and start the broker by entering the following command:
amq
Enable broker LDAP authorization in a Fabric
Perform the following steps to enable broker LDAP authorization in a fabric:
- Create a new version of the Fabric profile data, by entering the following console command:
JBossFuse:karaf@root> version-create Created version: 1.2 as copy of: 1.1
Where we have assumed that the current version is1.1
.NoteIn effect, this command creates a new branch named1.2
in the Git repository underlying the ZooKeeper registry. - Edit the
broker.xml
resource in version1.2
of themq-base
profile, as follows:JBossFuse:karaf@root> profile-edit --resource broker.xml mq-base 1.2
The built-in profile editor opens automatically, which you can use to edit the contents of thebroker.xml
resource. - Add the LDAP authorization plug-in to the broker configuration,
broker.xml
. Using the editor that opened in the previous step, add theauthorizationPlugin
element, as follows:<beans ...> <broker ...> ... <plugins> ... <authorizationPlugin> <map> <cachedLDAPAuthorizationMap connectionURL="ldap://localhost:10389" connectionUsername="uid=admin,ou=system" connectionPassword="secret" queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=system" topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=system" tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=system" refreshInterval="300000" legacyGroupMapping="false" groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal" /> </map> </authorizationPlugin> </plugins> ... </broker> </beans>
Save and close thebroker.xml
resource by typing Ctrl-S and Ctrl-X. - Ensure that the X.500 directory server is running. If necessary, manually restart the X.500 directory server—see Section 8.2, “Set-up a Directory Server and Browser”. If the server is not running, all broker connections will fail.
- The broker LDAP authorization is not activated, until you upgrade a container to use the new version,
1.2
, of themq-base
profile. For example, to activate broker LDAP authorization on theroot
container, enter the following console command (assuming a broker profile is already deployed on theroot
container):JBossFuse:karaf@root> container-upgrade 1.2 root
Install the Apache ActiveMQ kit
For testing purposes, it is useful to install the Apache ActiveMQ example producer and consumer clients. These example clients are not provided directly in the JBoss A-MQ package. But you can obtain the sample clients by installing the Apache ActiveMQ kit,
apache-activemq-5.9.0.redhat-610379-bin.zip
, provided in the extras/
directory of the JBoss A-MQ installation.
Install the Apache ActiveMQ kit as follows:
- Find the Apache ActiveMQ kit at the following location:
InstallDir/extras/apache-activemq-5.9.0.redhat-610379-bin.zip
- Using a suitable archive utility on your platform, unzip the
apache-activemq-5.9.0.redhat-610379-bin.zip
file and extract it to a convenient location,ActiveMQInstallDir
.
Test the new configuration
To test the new configuration, run the example consumer and producer clients as follows:
- Run the consumer client with the
jdoe
user credentials. Open a new command prompt, change directory toActiveMQInstallDir/examples/openwire/swissarmy
, and enter the following Ant command:ant consumer -Durl=tcp://localhost:61616 -Dmax=100 -Duser=jdoe -Dpassword=secret
- Run the producer client with the
jdoe
user credentials. Open a new command prompt, change directory toActiveMQInstallDir/examples/openwire/swissarmy
, and enter the following Ant command:ant producer -Durl=tcp://localhost:61616 -Dmax=100 -Duser=jdoe -Dpassword=secret
- Run a negative test, to demonstrate that unauthorized users are blocked from accessing the broker queues.Run the consumer client with the
janedoe
user credentials. Open a new command prompt, change directory toActiveMQInstallDir/examples/openwire/swissarmy
, and enter the following Ant command:ant consumer -Durl=tcp://localhost:61616 -Dmax=100 -Duser=janedoe -Dpassword=secret
This time, the consumer client fails, becausejanedoe
does not belong to theadmin
group.