9.4. Enable LDAP Authentication in the OSGi Container
Overview
This section explains how to configure an LDAP realm in the OSGi container. The new realm overrides the default karaf realm, so that the container authenticates credentials based on user entries stored in the X.500 directory server.
References
More detailed documentation is available on LDAP authentication, as follows:
- LDAPLoginModule options—are described in detail in Section 2.1.7, “JAAS LDAP Login Module”.
- Configurations for other directory servers—this tutorial covers only 389-DS. For details of how to configure other directory servers, such as Microsoft Active Directory, see the section called “Filter settings for different directory servers”.
Procedure for standalone OSGi container
To enable LDAP authentication in a standalone OSGi container:
- Ensure that the X.500 directory server is running.
- Start Red Hat AMQ by entering the following command in a terminal window:
    ./bin/amq
- Create a file called ldap-module.xml.
- Copy Example 9.1, “JAAS Realm for Standalone” into ldap-module.xml.

Example 9.1. JAAS Realm for Standalone
    <?xml version="1.0" encoding="UTF-8"?>
    <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
               xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
               xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">

      <jaas:config name="karaf" rank="200">
        <jaas:module flags="required"
                     className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule">
          initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
          connection.url=ldap://Hostname:Port
          connection.username=cn=Directory Manager
          connection.password=LDAPPassword
          connection.protocol=
          user.base.dn=ou=People,dc=localdomain
          user.filter=(&amp;(objectClass=inetOrgPerson)(uid=%u))
          user.search.subtree=true
          role.base.dn=ou=Groups,dc=localdomain
          role.name.attribute=cn
          role.filter=(uniquemember=%fqdn)
          role.search.subtree=true
          authentication=simple
        </jaas:module>
      </jaas:config>

    </blueprint>

Because ldap-module.xml is an XML file, the ampersand in the user.filter value must be written as the entity &amp;; a bare & makes the file ill-formed, and the Blueprint fails to load.
You must customize the following settings in the ldap-module.xml file:
- connection.url
  Set this URL to the actual location of your directory server instance. Normally, this URL has the format ldap://Hostname:Port. For example, the default port for the 389 Directory Server is IP port 389.
- connection.username
  Specifies the username that is used to authenticate the connection to the directory server. For 389 Directory Server, the default is usually cn=Directory Manager.
- connection.password
  Specifies the password part of the credentials for connecting to the directory server.
- authentication
  You can specify either of the following alternatives for the authentication protocol:
  simple implies that user credentials are supplied, and you are obliged to set the connection.username and connection.password options in this case.
  none implies that authentication is not performed. There is no need to set the connection.username and connection.password options in this case.

This login module creates a JAAS realm called karaf, which is the same name as the default JAAS realm used by AMQ. By redefining this realm with a rank attribute value greater than 0, it overrides the standard karaf realm, which has the rank 0 (but note that in the context of Fabric, the default karaf realm has a rank of 99, so you need to define a new realm with rank 100 or greater to override the default realm in a fabric). For more details about how to configure AMQ to use LDAP, see Section 2.1.7, “JAAS LDAP Login Module”.

Important: When setting the JAAS properties above, do not enclose the property values in double quotes.

- To deploy the new LDAP module, copy ldap-module.xml into the AMQ deploy/ directory. The LDAP module is automatically activated.

  Note: Subsequently, if you need to undeploy the LDAP module, you can do so by deleting the ldap-module.xml file from the deploy/ directory while the Karaf container is running.
Procedure for a Fabric
To enable LDAP authentication in a Fabric (affecting all of the containers in the current fabric):
- Ensure that the X.500 directory server is running.
- If your local Fabric container is not already running, start it now, by entering the following command in a terminal window:
    ./bin/amq
  Note: If the Fabric container you want to connect to is running on a remote host, you can connect to it using the client command-line utility in the InstallDir/bin directory.
- Create a new version of the Fabric profile data, by entering the following console command:
    JBossFuse:karaf@root> version-create
    Created version: 1.1 as copy of: 1.0
  Note: In effect, this command creates a new branch named 1.1 in the Git repository underlying the ZooKeeper registry.
- Create the new profile resource, ldap-module.xml (a Blueprint configuration file), in version 1.1 of the default profile, as follows:
    JBossFuse:karaf@root> profile-edit --resource ldap-module.xml default 1.1
  The built-in profile editor opens automatically, which you can use to edit the contents of the ldap-module.xml resource.
- Copy Example 9.2, “JAAS Realm for Fabric” into the ldap-module.xml resource, customizing the configuration properties, as necessary.

Example 9.2. JAAS Realm for Fabric
    <?xml version="1.0" encoding="UTF-8"?>
    <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
               xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
               xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
               xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0">

      <command-bundle xmlns="http://karaf.apache.org/xmlns/shell/v1.0.0">
        <command name="jasypt/encrypt">
          <action class="io.fabric8.fabric.jaas.EncryptPasswordCommand" />
        </command>
      </command-bundle>

      <!-- AdminConfig property place holder for the org.apache.karaf.jaas -->
      <cm:property-placeholder persistent-id="io.fabric8.fabric.jaas" update-strategy="reload">
        <cm:default-properties>
          <cm:property name="encryption.name" value="" />
          <cm:property name="encryption.enabled" value="true" />
          <cm:property name="encryption.prefix" value="{CRYPT}" />
          <cm:property name="encryption.suffix" value="{CRYPT}" />
          <cm:property name="encryption.algorithm" value="MD5" />
          <cm:property name="encryption.encoding" value="hexadecimal" />
        </cm:default-properties>
      </cm:property-placeholder>

      <jaas:config name="karaf" rank="200">
        <jaas:module className="io.fabric8.jaas.ZookeeperLoginModule" flags="sufficient">
          path = /fabric/authentication/users
          encryption.name = ${encryption.name}
          encryption.enabled = ${encryption.enabled}
          encryption.prefix = ${encryption.prefix}
          encryption.suffix = ${encryption.suffix}
          encryption.algorithm = ${encryption.algorithm}
          encryption.encoding = ${encryption.encoding}
        </jaas:module>
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="sufficient">
          initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
          connection.url=ldap://Hostname:Port
          connection.username=cn=Directory Manager
          connection.password=LDAPPassword
          connection.protocol=
          user.base.dn=ou=People,dc=localdomain
          user.filter=(&amp;(objectClass=inetOrgPerson)(uid=%u))
          user.search.subtree=true
          role.base.dn=ou=Groups,dc=localdomain
          role.name.attribute=cn
          role.filter=(uniquemember=%fqdn)
          role.search.subtree=true
          authentication=simple
        </jaas:module>
      </jaas:config>

      <!-- The Backing Engine Factory Service for the ZookeeperLoginModule -->
      <service interface="org.apache.karaf.jaas.modules.BackingEngineFactory">
        <bean class="io.fabric8.jaas.ZookeeperBackingEngineFactory" />
      </service>

    </blueprint>
You must customize the following settings in the ldap-module.xml file:
- connection.url
  Set this URL to the actual location of your directory server instance. Normally, this URL has the format ldap://Hostname:Port. You must be sure to use a hostname that is accessible to all of the containers in the fabric (hence, you cannot use localhost as the hostname here). The default port for the 389 Directory Server is IP port 389.
- connection.username
  Specifies the username that is used to authenticate the connection to the directory server. For 389 Directory Server, the default is usually cn=Directory Manager.
- connection.password
  Specifies the password part of the credentials for connecting to the directory server.
- authentication
  You can specify either of the following alternatives for the authentication protocol:
  simple implies that user credentials are supplied, and you are obliged to set the connection.username and connection.password options in this case.
  none implies that authentication is not performed. There is no need to set the connection.username and connection.password options in this case.

This login module creates a JAAS realm called karaf, which is the same name as the default JAAS realm used by Red Hat AMQ. By redefining this realm with a rank of 200, it overrides all of the previously installed karaf realms (in the context of Fabric, you need to override the default ZookeeperLoginModule, which has a rank of 99).

Important: Pay particular attention to the value of the rank to ensure that it is higher than all previously installed karaf realms. If the rank is not sufficiently high, the new realm will not be used by the fabric.

Important: When setting the JAAS properties above, do not enclose the property values in double quotes.

Important: In a Fabric, the Zookeeper login module must be enabled, in addition to the LDAP login module. This is because Fabric uses the Zookeeper login module internally, to support authentication between ensemble servers. With the configuration shown here, Fabric tries to authenticate first of all against the Zookeeper login module and, if that step fails, it tries to authenticate against the LDAP login module.

- Save and close the ldap-module.xml resource by typing Ctrl-S and Ctrl-X.
- Edit the agent properties of version 1.1 of the default profile, adding an instruction to deploy the Blueprint resource file defined in the previous step. Enter the following console command:
    JBossFuse:karaf@root> profile-edit default 1.1
  The built-in profile editor opens automatically. Add the following line to the agent properties:
    bundle.ldap-realm=blueprint:profile:ldap-module.xml
  Save and close the agent properties by typing Ctrl-S and Ctrl-X.
- The new LDAP realm is not activated until you upgrade a container to use the new version, 1.1. To activate LDAP on a single container (for example, on a container called root), enter the following console command:
    JBossFuse:karaf@root> container-upgrade 1.1 root
  To activate LDAP on all containers in the fabric, enter the following console command:
    JBossFuse:karaf@root> container-upgrade --all 1.1
  Important: It is advisable to upgrade just a single container initially, to make sure that everything is working properly. This is particularly important if you have only remote access to the fabric: if you upgrade all of the containers at once, you might not be able to reconnect to the fabric.
- To check that the LDAP realm is activated, enter the following console command:
    JBossFuse:karaf@root> jaas-realms
    Index Realm Module Class
        1 karaf org.apache.karaf.jaas.modules.ldap.LDAPLoginModule
  If the output of this command lists the ZookeeperLoginModule, this means the LDAP realm is not yet activated. It might take a minute or so for activation of the LDAP realm to complete.
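The rules stated for Example 9.1 (standalone) and Example 9.2 (Fabric) can be checked mechanically before ldap-module.xml is deployed, which is cheaper than discovering a rejected realm after a container-upgrade. The following checker is an added example and is not part of the AMQ documentation or product; it assumes the jaas:config is named karaf, as in both examples, and reports violations of the rank, double-quote, authentication=simple, hostname and Zookeeper-module rules described above.

```python
import re
import xml.etree.ElementTree as ET

JAAS_NS = "{http://karaf.apache.org/xmlns/jaas/v1.0.0}"
LDAP_MODULE = "org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
ZK_MODULE = "io.fabric8.jaas.ZookeeperLoginModule"

def parse_realm(xml_text):
    """Return (rank, [(className, flags, {key: value})]) for the jaas:config named karaf."""
    cfg = ET.fromstring(xml_text).find(f"{JAAS_NS}config[@name='karaf']")
    modules = []
    for mod in cfg.findall(f"{JAAS_NS}module"):
        props = {}
        for line in (mod.text or "").splitlines():
            if "=" in line:  # key=value; split on the first '=' only, filters contain '='
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
        modules.append((mod.get("className"), mod.get("flags"), props))
    return int(cfg.get("rank", "0")), modules

def check_ldap_realm(xml_text, fabric=False):
    """Return the rule violations found; an empty list means the realm passes."""
    rank, modules = parse_realm(xml_text)
    problems = []
    min_rank = 100 if fabric else 1  # default karaf realm: rank 0 standalone, 99 in a Fabric
    if rank < min_rank:
        problems.append(f"rank {rank} is too low, need at least {min_rank}")
    props = next((p for cls, _, p in modules if cls == LDAP_MODULE), {})
    for key, value in props.items():
        if value[:1] == '"' or value[-1:] == '"':
            problems.append(f"{key}: do not enclose the value in double quotes")
    if props.get("authentication") == "simple":
        for key in ("connection.username", "connection.password"):
            if not props.get(key):
                problems.append(f"{key} is required when authentication=simple")
    host = re.match(r"ldaps?://([^:/]+):\d+$", props.get("connection.url", ""))
    if host is None:
        problems.append("connection.url must have the form ldap://Hostname:Port")
    elif fabric and host.group(1) in ("localhost", "127.0.0.1"):
        problems.append("connection.url must not be localhost: every container must reach it")
    if fabric and not any(c == ZK_MODULE and f == "sufficient" for c, f, _ in modules):
        problems.append("a Fabric also needs ZookeeperLoginModule with flags=sufficient")
    return problems

def blueprint(rank, ldap_props, extra_modules=""):
    """Minimal ldap-module.xml built from key=value lines (constructed sample, not from the page)."""
    return (f'<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:jaas="{JAAS_NS[1:-1]}">'
            f'<jaas:config name="karaf" rank="{rank}">{extra_modules}<jaas:module flags="required" '
            f'className="{LDAP_MODULE}">{ldap_props}</jaas:module></jaas:config></blueprint>')
```

Run check_ldap_realm on the real file with fabric=True for a Fabric profile resource and fabric=False for a standalone deploy/ file; an empty result means none of the documented rules is violated.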
Test the LDAP authentication
Test the new LDAP realm by connecting to the running container using the AMQ client utility, as follows:
- Open a new command prompt.
- Change directory to the AMQ InstallDir/bin directory.
- Enter the following command to log on to the running container instance using the identity jdoe:
    client -u jdoe -p secret
  You should successfully log into the container's remote console. At the command console, type jaas: followed by the [Tab] key (to activate content completion):
    JBossFuse:jdoe@root> jaas:
    jaas:cancel        jaas:groupadd      jaas:groupcreate   jaas:groupdel
    jaas:grouproleadd  jaas:grouproledel  jaas:groups        jaas:manage
    jaas:pending       jaas:realms        jaas:roleadd       jaas:roledel
    jaas:update        jaas:useradd       jaas:userdel       jaas:users
  You should see that jdoe has access to all of the jaas commands (which is consistent with the Administrator role).
- Log off the remote console by entering the logout command.
- Enter the following command to log on to the running container instance using the identity janedoe:
    client -u janedoe -p secret
  You should successfully log into the container's remote console. At the command console, type jaas: followed by the [Tab] key (to activate content completion):
    JBossFuse:janedoe@root> jaas:
    jaas:cancel        jaas:groupadd      jaas:groupcreate   jaas:groupdel
    jaas:grouproleadd  jaas:grouproledel  jaas:groups        jaas:manage
    jaas:pending       jaas:realms        jaas:roleadd       jaas:roledel
    jaas:useradd       jaas:userdel       jaas:users
  You should see that janedoe has access to almost all of the jaas commands, except for jaas:update (which is consistent with the Deployer role).
- Log off the remote console by entering the logout command.
- Enter the following command to log on to the running container instance using the identity crider:
    client -u crider -p secret
  You should successfully log into the container's remote console. At the command console, type jaas: followed by the [Tab] key (to activate content completion):
    JBossFuse:crider@root> jaas:
    jaas:groupcreate   jaas:groups        jaas:realms
  You should see that crider has access to only three of the jaas commands (which is consistent with the Monitor role).
- Log off the remote console by entering the logout command.
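When one of the logins above fails or yields the wrong set of jaas commands, the usual cause is that user.filter or role.filter does not select the directory entries you expect. The following helper is an added example, not part of the AMQ documentation: it expands the %u and %fqdn placeholders from the filters in Example 9.1 and builds the two ldapsearch commands that reproduce the realm's user lookup and role lookup, so you can run them against the directory with the same bind credentials the realm uses. The directory host, the bind DN and the DN of jdoe are assumed values, and the RFC 4515 escaping is this example's own safeguard so that a login name containing filter metacharacters cannot change the shape of the query.

```python
import shlex

# Lookup settings from Example 9.1 on this page. role.name.attribute=cn means the cn of
# each matching group becomes a JAAS role (Administrator, Deployer or Monitor in the tests).
USER_BASE_DN = "ou=People,dc=localdomain"
USER_FILTER = "(&(objectClass=inetOrgPerson)(uid=%u))"
ROLE_BASE_DN = "ou=Groups,dc=localdomain"
ROLE_FILTER = "(uniquemember=%fqdn)"
ROLE_NAME_ATTRIBUTE = "cn"

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def expand_user_filter(username, user_filter=USER_FILTER):
    """Replace %u with the login name: the filter that selects the user's own entry."""
    return user_filter.replace("%u", escape_filter_value(username))

def expand_role_filter(user_dn, role_filter=ROLE_FILTER):
    """Replace %fqdn with the user entry's DN: the filter that selects the user's groups."""
    return role_filter.replace("%fqdn", escape_filter_value(user_dn))

def ldapsearch_commands(url, bind_dn, username, user_dn):
    """Two ldapsearch command lines that reproduce the realm's user and role lookups.

    The first should return exactly one DN (pass it as user_dn to the second); the second
    should return the cn of every group that lists that DN, i.e. the user's roles.
    -s sub corresponds to user.search.subtree=true and role.search.subtree=true.
    """
    common = ["ldapsearch", "-H", url, "-D", bind_dn, "-W", "-s", "sub"]
    user_cmd = common + ["-b", USER_BASE_DN, expand_user_filter(username), "dn"]
    role_cmd = common + ["-b", ROLE_BASE_DN, expand_role_filter(user_dn), ROLE_NAME_ATTRIBUTE]
    return shlex.join(user_cmd), shlex.join(role_cmd)

if __name__ == "__main__":
    # Assumed values: directory host, the bind DN from the example, jdoe's DN under user.base.dn
    for cmd in ldapsearch_commands("ldap://ldap.example.com:389", "cn=Directory Manager",
                                   "jdoe", "uid=jdoe,ou=People,dc=localdomain"):
        print(cmd)
```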