Red Hat AMQ 6
As of February 2025, Red Hat is no longer supporting Red Hat AMQ 6. If you are using AMQ 6, please upgrade: Migrating to AMQ 7.
7.3. LDAP Authorization Plug-In
Overview
				Using the LDAP authorization plug-in, you can configure a broker to retrieve its authorization data from an X.500 directory server. This plug-in does not support caching and contacts the LDAP server every time an authorization needs to be checked.
			
Configuring the LDAP authorization plug-in
				To configure the LDAP authorization plug-in, add the authorizationPlugin element to the list of plug-ins in the broker configuration and configure it to use the LDAPAuthorizationMap authorization map, as shown in Example 7.4, “LDAP Authorization Plug-In Configuration”.
			Example 7.4. LDAP Authorization Plug-In Configuration
LDAP authorization plug-in properties
				The LDAP authorization plug-in supports the following properties:
			
- initialContextFactory
- Must always be set to com.sun.jndi.ldap.LdapCtxFactory.
- connectionURL
- Specify the location of the directory server using an LDAP URL, ldap://Host:Port. You can optionally qualify this URL by adding a forward slash, /, followed by the DN of a particular node in the directory tree. For example, ldap://ldapserver:10389/ou=system.
- authentication
- Specifies the authentication method used when binding to the LDAP server. Can take either of the values simple (username and password) or none (anonymous). Note: Simple Authentication and Security Layer (SASL) authentication is currently not supported.
- connectionUsername
- The DN of the user that opens the connection to the directory server. For example, uid=admin,ou=system.
- connectionPassword
- The password that matches the DN from connectionUsername. In the directory server, in the DIT, the password is normally stored as a userPassword attribute in the corresponding directory entry.
- connectionProtocol
- Currently, the only supported value is a blank string. In future, this option will allow you to select the Secure Socket Layer (SSL) for the connection to the directory server. Note: This option must be set explicitly to an empty string, because it has no default value.
- topicSearchMatchingFormat
- Specifies the DN of the node whose children provide the permissions for the current topic. Before being passed to the LDAP search operation, the string value you provide here is subjected to string substitution, as implemented by the java.text.MessageFormat class. Essentially, this means that the special string {0} is substituted by the name of the current topic. For example, if this property is set to cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=system and the current topic is TEST.FOO, the DN becomes cn=TEST.FOO,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system.
- topicSearchSubtreeBool
- Specify the search depth for permission entries (admin, read or write entries), relative to the node specified by topicSearchMatchingFormat. This option can take boolean values, as follows:
  - false (default): try to match one of the child entries of the topicSearchMatchingFormat node (maps to javax.naming.directory.SearchControls.ONELEVEL_SCOPE).
  - true: try to match any entry belonging to the subtree of the topicSearchMatchingFormat node (maps to javax.naming.directory.SearchControls.SUBTREE_SCOPE).

- queueSearchMatchingFormat
- Specifies the DN of the node whose children provide the permissions for the current queue. The special string {0} is substituted by the name of the current queue. For example, if this property is set to cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system and the current queue is TEST.FOO, the DN becomes cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system.
- queueSearchSubtreeBool
- Specify the search depth for permission entries (admin, read or write entries), relative to the node specified by topicSearchMatchingFormat. This option can take boolean values, as follows:
  - false (default): try to match one of the child entries of the topicSearchMatchingFormat node (maps to javax.naming.directory.SearchControls.ONELEVEL_SCOPE).
  - true: try to match any entry belonging to the subtree of the topicSearchMatchingFormat node (maps to javax.naming.directory.SearchControls.SUBTREE_SCOPE).

- advisorySearchBase
- Specifies the DN of the node whose children provide the permissions for all advisory topics. In this case the DN is a literal value (that is, no string substitution is performed on the property value). For example, a typical value of this property is cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system.
- tempSearchBase
- Specifies the DN of the node whose children provide the permissions for all temporary queues and topics (apart from advisory topics). In this case the DN is a literal value (that is, no string substitution is performed on the property value). For example, a typical value of this property is cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system.
- adminBase
- Specifies an LDAP search filter, which is used when looking up the admin permissions for any kind of queue or topic. The search filter attempts to match one of the children (or descendants, if SUBTREE_SCOPE is enabled) of the queue or topic node. For example, if this property is set to (cn=admin), it will match any child whose cn attribute is set to admin.
- adminAttribute
- Specifies an attribute of the node matched by adminBase, whose value is the DN of a role/group that has admin permissions. For example, consider a cn=admin node that is a child of the node cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system, as shown: The cn=admin node might typically have some attributes, as follows: If you now set the adminAttribute property to member, the authorization plug-in grants admin privileges over the TEST.FOO queue to the cn=admins group and the cn=users group.
- readBase
- Specifies an LDAP search filter, which is used when looking up the read permissions for any kind of queue or topic. The search filter attempts to match one of the children (or descendants, if SUBTREE_SCOPE is enabled) of the queue or topic node. For example, if this property is set to (cn=read), it will match any child whose cn attribute is set to read.
- readAttribute
- Specifies an attribute of the node matched by readBase, whose value is the DN of a role/group that has read permissions.
- writeBase
- Specifies an LDAP search filter, which is used when looking up the write permissions for any kind of queue or topic. The search filter attempts to match one of the children (or descendants, if SUBTREE_SCOPE is enabled) of the queue or topic node. For example, if this property is set to (cn=write), it will match any child whose cn attribute is set to write.
- writeAttribute
- Specifies an attribute of the node matched by writeBase, whose value is the DN of a role/group that has write permissions.

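The permission lookup that the properties above describe, as an added Python model that is not the plug-in's own code: it builds the search base by substituting {0}, applies ONELEVEL versus SUBTREE scope, and maps the admin/read/write filters and attributes to role DNs. The in-memory directory, the configuration values and the group DNs are constructed for the example, and DNs are compared as plain strings without LDAP escaping.

```python
# Offline model of the AMQ 6 LDAP authorization lookup (added example, not the
# plug-in's source). DIRECTORY is a constructed stand-in for the X.500 server.
DIRECTORY = {
    "cn=admin,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system":
        {"cn": "admin", "member": ["cn=admins,ou=Group,ou=ActiveMQ,ou=system"]},
    "cn=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system":
        {"cn": "read", "member": ["cn=users,ou=Group,ou=ActiveMQ,ou=system"]},
    # Two levels below the destination node: only found with SUBTREE_SCOPE.
    "cn=admin,ou=delegated,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system":
        {"cn": "admin", "member": ["cn=contractors,ou=Group,ou=ActiveMQ,ou=system"]},
}

CFG = {  # values taken from the property descriptions above
    "queueSearchMatchingFormat": "cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system",
    "queueSearchSubtreeBool": False,
    "topicSearchMatchingFormat": "cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=system",
    "topicSearchSubtreeBool": False,
    "advisorySearchBase": "cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system",
    "tempSearchBase": "cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system",
    "adminBase": "(cn=admin)", "adminAttribute": "member",
    "readBase": "(cn=read)", "readAttribute": "member",
    "writeBase": "(cn=write)", "writeAttribute": "member",
}

def search(base, cn_filter, subtree):
    """Entries under `base` matching a simple (cn=X) filter. subtree=False emulates
    ONELEVEL_SCOPE (direct children only), True emulates SUBTREE_SCOPE."""
    want = cn_filter[len("(cn="):-1]
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base) or attrs.get("cn") != want:
            continue
        depth = dn[: -len(base) - 1].count(",") + 1  # RDNs between entry and base
        if subtree or depth == 1:
            hits.append(attrs)
    return hits

def roles(name, kind, cfg):
    """Role DNs with admin/read/write on a destination; kind is 'queue', 'topic',
    'advisory' or 'temp'. One-level scope for the literal bases is an assumption."""
    if kind in ("advisory", "temp"):  # literal base, no substitution
        base, subtree = cfg[kind + "SearchBase"], False
    else:  # MessageFormat-style substitution of {0} with the destination name
        base = cfg[kind + "SearchMatchingFormat"].replace("{0}", name)
        subtree = cfg[kind + "SearchSubtreeBool"]
    out = {}
    for perm in ("admin", "read", "write"):
        attr, entries = cfg[perm + "Attribute"], search(base, cfg[perm + "Base"], subtree)
        out[perm] = sorted(r for e in entries for r in e.get(attr, []))
    return out
```

Switching queueSearchSubtreeBool to true makes the nested cn=admin entry under ou=delegated match as well, so any branch delegated beneath a destination node can widen its admin set; that is the scope trade-off to review before enabling SUBTREE_SCOPE.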