8.3. LDAP Authorization Plug-In
Overview
Using the LDAP authorization plug-in, you can configure a broker to retrieve its authorization data from an X.500 directory server. This plug-in does not support caching and contacts the LDAP server every time an authorization needs to be checked.
Configuring the LDAP authorization plug-in
To configure the LDAP authorization plug-in, add the
authorizationPlugin element to the list of plug-ins in the broker configuration and configure it to use the LDAPAuthorizationMap authorization map, as shown in Example 8.4, “LDAP Authorization Plug-In Configuration”.
Example 8.4. LDAP Authorization Plug-In Configuration
<beans ... >
<broker ... >
...
<plugins>
...
<authorizationPlugin>
<map>
<bean id="lDAPAuthorizationMap" class="org.apache.activemq.security.LDAPAuthorizationMap"
xmlns="http://www.springframework.org/schema/beans">
<property name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<property name="connectionURL" value="ldap://localhost:10389"/>
<property name="authentication" value="simple"/>
<property name="connectionUsername" value="uid=admin,ou=system"/>
<property name="connectionPassword" value="secret"/>
<property name="connectionProtocol" value=""/>
<property name="topicSearchMatchingFormat"
value="cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
<property name="topicSearchSubtreeBool" value="true"/>
<property name="queueSearchMatchingFormat"
value="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"/>
<property name="queueSearchSubtreeBool" value="true"/>
<property name="advisorySearchBase"
value="cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
<property name="tempSearchBase"
value="cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
<property name="adminBase" value="(cn=admin)"/>
<property name="adminAttribute" value="member"/>
<property name="readBase" value="(cn=read)"/>
<property name="readAttribute" value="member"/>
<property name="writeBase" value="(cn=write)"/>
<property name="writeAttribute" value="member"/>
</bean>
</map>
</authorizationPlugin>
</plugins>
...
</broker>
</beans>LDAP authorization plug-in properties
The LDAP authorization plug-in supports the following properties:
initialContextFactory- Must always be set to
com.sun.jndi.ldap.LdapCtxFactory. connectionURL- Specify the location of the directory server using an ldap URL,
ldap://Host:Port. You can optionally qualify this URL, by adding a forward slash,/, followed by the DN of a particular node in the directory tree. For example,ldap://ldapserver:10389/ou=system. authentication- Specifies the authentication method used when binding to the LDAP server. Can take either of the values,
simple(username and password) ornone(anonymous).NoteSimple Authentication and Security Layer (SASL) authentication is currently not supported. connectionUsername- The DN of the user that opens the connection to the directory server. For example,
uid=admin,ou=system. connectionPassword- The password that matches the DN from
connectionUsername. In the directory server, in the DIT, the password is normally stored as auserPasswordattribute in the corresponding directory entry. connectionProtocol- Currently, the only supported value is a blank string. In future, this option will allow you to select the Secure Socket Layer (SSL) for the connection to the directory server.NoteThis option must be set explicitly to an empty string, because it has no default value.
topicSearchMatchingFormat- Specifies the DN of the node whose children provide the permissions for the current topic. Before passing to the LDAP search operation, the string value you provide here is subjected to string substitution, as implemented by the
java.text.MessageFormatclass. Essentially, this means that the special string,{0}, is substituted by the name of the current topic.For example, if this property is set tocn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=systemand the current topic isTEST.FOO, the DN becomescn=TEST.FOO,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system. topicSearchSubtreeBool- Specify the search depth for permission entries (admin, read or write entries), relative to the node specified by
topicSearchMatchingFormat. This option can take boolean values, as follows:false—(default) try to match one of the child entries of thetopicSearchMatchingFormatnode (maps tojavax.naming.directory.SearchControls.ONELEVEL_SCOPE).true—try to match any entry belonging to the subtree of thetopicSearchMatchingFormatnode (maps tojavax.naming.directory.SearchControls.SUBTREE_SCOPE).
queueSearchMatchingFormat- Specifies the DN of the node whose children provide the permissions for the current queue. The special string,
{0}, is substituted by the name of the current queue.For example, if this property is set tocn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=systemand the current queue isTEST.FOO, the DN becomescn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system. queueSearchSubtreeBool- Specify the search depth for permission entries (admin, read or write entries), relative to the node specified by
topicSearchMatchingFormat. This option can take boolean values, as follows:false—(default) try to match one of the child entries of thetopicSearchMatchingFormatnode (maps tojavax.naming.directory.SearchControls.ONELEVEL_SCOPE).true—try to match any entry belonging to the subtree of thetopicSearchMatchingFormatnode (maps tojavax.naming.directory.SearchControls.SUBTREE_SCOPE).
advisorySearchBase- Specifies the DN of the node whose children provide the permissions for all advisory topics. In this case the DN is a literal value (that is, no string substitution is performed on the property value).For example, a typical value of this property is
cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system. tempSearchBase- Specifies the DN of the node whose children provide the permissions for all temporary queues and topics (apart from advisory topics). In this case the DN is a literal value (that is, no string substitution is performed on the property value).For example, a typical value of this property is
cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system. adminBase- Specifies an LDAP search filter, which is used when looking up the admin permissions for any kind of queue or topic. The search filter attempts to match one of the children (or descendants, if
SUBTREE_SCOPEis enabled) of the queue or topic node.For example, if this property is set to(cn=admin), it will match any child whosecnattribute is set toadmin. adminAttribute- Specifies an attribute of the node matched by
adminBase, whose value is the DN of a role/group that has admin permissions.For example, consider acn=adminnode that is a child of the node,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system, as shown:
Thecn=adminnode might typically have some attributes, as follows:
If you now set theadminAttributeproperty tomember, the authorization plug-in grants admin privileges over theTEST.FOOqueue to thecn=adminsgroup and thecn=usersgroup. readBase- Specifies an LDAP search filter, which is used when looking up the read permissions for any kind of queue or topic. The search filter attempts to match one of the children (or descendants, if
SUBTREE_SCOPEis enabled) of the queue or topic node.For example, if this property is set to(cn=read), it will match any child whosecnattribute is set toread. readAttribute- Specifies an attribute of the node matched by
readBase, whose value is the DN of a role/group that has read permissions. writeBase- Specifies an LDAP search filter, which is used when looking up the write permissions for any kind of queue or topic. The search filter attempts to match one of the children (or descendants, if
SUBTREE_SCOPEis enabled) of the queue or topic node.For example, if this property is set to(cn=write), it will match any child whosecnattribute is set towrite. writeAttribute- Specifies an attribute of the node matched by
writeBase, whose value is the DN of a role/group that has write permissions.
