8.3. LDAP Authorization Plug-In


Overview

Using the LDAP authorization plug-in, you can configure a broker to retrieve its authorization data from an X.500 directory server. This plug-in does not support caching and contacts the LDAP server every time an authorization needs to be checked.

Configuring the LDAP authorization plug-in

To configure the LDAP authorization plug-in, add the authorizationPlugin element to the list of plug-ins in the broker configuration and configure it to use the LDAPAuthorizationMap authorization map, as shown in Example 8.4, “LDAP Authorization Plug-In Configuration”.

Example 8.4. LDAP Authorization Plug-In Configuration

<beans ... >
  <broker ... >
    ...
    <plugins>
      ...
      <authorizationPlugin>
        <map>
          <bean id="lDAPAuthorizationMap" class="org.apache.activemq.security.LDAPAuthorizationMap"
                xmlns="http://www.springframework.org/schema/beans">
            <property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <property name="connectionURL" value="ldap://localhost:10389"/>
            <property name="authentication" value="simple"/>
            <property name="connectionUsername" value="uid=admin,ou=system"/>
            <property name="connectionPassword" value="secret"/>
            <property name="connectionProtocol" value=""/>
            <property name="topicSearchMatchingFormat"
                      value="cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
            <property name="topicSearchSubtreeBool" value="true"/>
            <property name="queueSearchMatchingFormat"
                      value="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"/>
            <property name="queueSearchSubtreeBool" value="true"/>
            <property name="advisorySearchBase"
                      value="cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
            <property name="tempSearchBase"
                      value="cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
            <property name="adminBase" value="(cn=admin)"/>
            <property name="adminAttribute" value="member"/>
            <property name="readBase" value="(cn=read)"/>
            <property name="readAttribute" value="member"/>
            <property name="writeBase" value="(cn=write)"/>
            <property name="writeAttribute" value="member"/>
          </bean>
        </map>
      </authorizationPlugin>
    </plugins>
    ...
  </broker>
</beans>

LDAP authorization plug-in properties

The LDAP authorization plug-in supports the following properties:
initialContextFactory
Must always be set to com.sun.jndi.ldap.LdapCtxFactory.
connectionURL
Specify the location of the directory server using an ldap URL, ldap://Host:Port. You can optionally qualify this URL, by adding a forward slash, /, followed by the DN of a particular node in the directory tree. For example, ldap://ldapserver:10389/ou=system.
authentication
Specifies the authentication method used when binding to the LDAP server. Can take either of the values, simple (username and password) or none (anonymous).
Note
Simple Authentication and Security Layer (SASL) authentication is currently not supported.
connectionUsername
The DN of the user that opens the connection to the directory server. For example, uid=admin,ou=system.
connectionPassword
The password that matches the DN from connectionUsername. In the directory server, in the DIT, the password is normally stored as a userPassword attribute in the corresponding directory entry.
connectionProtocol
Currently, the only supported value is a blank string. In future, this option will allow you to select the Secure Socket Layer (SSL) for the connection to the directory server.
Note
This option must be set explicitly to an empty string, because it has no default value.
topicSearchMatchingFormat
Specifies the DN of the node whose children provide the permissions for the current topic. Before passing to the LDAP search operation, the string value you provide here is subjected to string substitution, as implemented by the java.text.MessageFormat class. Essentially, this means that the special string, {0}, is substituted by the name of the current topic.
For example, if this property is set to cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=system and the current topic is TEST.FOO, the DN becomes cn=TEST.FOO,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system.
topicSearchSubtreeBool
Specify the search depth for permission entries (admin, read or write entries), relative to the node specified by topicSearchMatchingFormat. This option can take boolean values, as follows:
  • false(default) try to match one of the child entries of the topicSearchMatchingFormat node (maps to javax.naming.directory.SearchControls.ONELEVEL_SCOPE).
  • true—try to match any entry belonging to the subtree of the topicSearchMatchingFormat node (maps to javax.naming.directory.SearchControls.SUBTREE_SCOPE).
queueSearchMatchingFormat
Specifies the DN of the node whose children provide the permissions for the current queue. The special string, {0}, is substituted by the name of the current queue.
For example, if this property is set to cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system and the current queue is TEST.FOO, the DN becomes cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system.
queueSearchSubtreeBool
Specify the search depth for permission entries (admin, read or write entries), relative to the node specified by topicSearchMatchingFormat. This option can take boolean values, as follows:
  • false(default) try to match one of the child entries of the topicSearchMatchingFormat node (maps to javax.naming.directory.SearchControls.ONELEVEL_SCOPE).
  • true—try to match any entry belonging to the subtree of the topicSearchMatchingFormat node (maps to javax.naming.directory.SearchControls.SUBTREE_SCOPE).
advisorySearchBase
Specifies the DN of the node whose children provide the permissions for all advisory topics. In this case the DN is a literal value (that is, no string substitution is performed on the property value).
For example, a typical value of this property is cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system.
tempSearchBase
Specifies the DN of the node whose children provide the permissions for all temporary queues and topics (apart from advisory topics). In this case the DN is a literal value (that is, no string substitution is performed on the property value).
For example, a typical value of this property is cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system.
adminBase
Specifies an LDAP search filter, which is used when looking up the admin permissions for any kind of queue or topic. The search filter attempts to match one of the children (or descendants, if SUBTREE_SCOPE is enabled) of the queue or topic node.
For example, if this property is set to (cn=admin), it will match any child whose cn attribute is set to admin.
adminAttribute
Specifies an attribute of the node matched by adminBase, whose value is the DN of a role/group that has admin permissions.
For example, consider a cn=admin node that is a child of the node, cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system, as shown:
The cn=admin node might typically have some attributes, as follows:
If you now set the adminAttribute property to member, the authorization plug-in grants admin privileges over the TEST.FOO queue to the cn=admins group and the cn=users group.
readBase
Specifies an LDAP search filter, which is used when looking up the read permissions for any kind of queue or topic. The search filter attempts to match one of the children (or descendants, if SUBTREE_SCOPE is enabled) of the queue or topic node.
For example, if this property is set to (cn=read), it will match any child whose cn attribute is set to read.
readAttribute
Specifies an attribute of the node matched by readBase, whose value is the DN of a role/group that has read permissions.
writeBase
Specifies an LDAP search filter, which is used when looking up the write permissions for any kind of queue or topic. The search filter attempts to match one of the children (or descendants, if SUBTREE_SCOPE is enabled) of the queue or topic node.
For example, if this property is set to (cn=write), it will match any child whose cn attribute is set to write.
writeAttribute
Specifies an attribute of the node matched by writeBase, whose value is the DN of a role/group that has write permissions.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.