Red Hat Summit Red Hat Summitサポートコンソール開発者トライアルの開始お問い合わせ

このコンテンツは選択した言語では利用できません。

8.2. Cached LDAP Authorization Plug-In

Overview
リンクのコピー

Using the cached LDAP authorization plug-in, you can configure a broker to retrieve its authorization data from an X.500 directory server. For better efficiency, this plug-in caches authorization data in the broker and provides support for updating the cached data at regular intervals.

Updating the cache
リンクのコピー

Two alternative mechanisms for updating the authorization cache are supported:
  • Push mechanism—some LDAP directory server implementations support a persistent search feature, which enables applications to receive live updates from the LDAP server (push mechanism). By default, the cached LDAP authorization plug-in attempts to register with the LDAP server to receive these updates.
  • Pull mechanism—if your LDAP directory server does not support live updates, you can configure the cached LDAP authorization plug-in to poll the LDAP server at regular intervals instead (pull mechanism). To enable the pull mechanism, you must set the refreshInterval property on the cached LDAP authorization plug-in.

Sample configuration
リンクのコピー

Example 8.3, “Cached LDAP Authorization Plug-In Configuration” shows an example of how to configure the cached LDAP authorization plug-in. The authorizationPlugin element must be added as a child of the plugins element.

Example 8.3. Cached LDAP Authorization Plug-In Configuration

<beans ... >
  <broker ... >
    ...
    <plugins>
      ...
      <authorizationPlugin>
          <map>
            <cachedLDAPAuthorizationMap
                  legacyGroupMapping="false"
                  connectionURL="ldap://localhost:10389"
                  connectionUsername="uid=admin,ou=system"
                  connectionPassword="secret"
                  queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"
                  topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"
                  tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=system"
                  refreshInterval="20000"
                  />
          </map>
      </authorizationPlugin>
    </plugins>
    ...
  </broker>
</beans>
Copy to Clipboard Toggle word wrap

Configuration properties
リンクのコピー

The cached LDAP authorization plug-in supports the following properties:
adminPermissionGroupSearchFilter
Specifies the filter used to search for admin permission groups. This filter is used when searching under the nodes specified by queueSearchBase, topicSearchBase, or tempSearchBase, to obtain the permission groups for queues, topics, or temporary destinations, respectively.
Default is (cn=Admin).
authentication
The authentication method to use when connecting to the LDAP server.
Default is simple.
connectionPassword
The password that matches the DN from connectionUsername. In the directory server, the password is normally stored as a userPassword attribute in the corresponding directory entry.
Default is secret.
connectionProtocol
The connection protocol to use when connecting to the LDAP server.
Default is s.
connectionURL
Specifies the location of the directory server using an LDAP URL, ldap://Host:Port.
Default is ldap://localhost:1024.
connectionUsername
The DN of the user that opens the connection to the directory server.
Default is uid=admin,ou=system.
groupClass
Type of the class that implements the role principal. For example, in order to reuse roles defined for the Apache Karaf JAAS authentication plug-in, you would need to set this property to org.apache.karaf.jaas.boot.principal.RolePrincipal.
Default is org.apache.activemq.jaas.GroupPrincipal.
groupNameAttribute
Specifies which attribute of a permission group node is interpreted as the group name.
Default is cn.
groupObjectClass
Specifies the object class of the LDAP nodes used to store permission groups. Typical values are groupOfNames or groupOfUniqueNames.
Default is groupOfNames.
legacyGroupMapping
If true, specifies that the role members of a privilege group must be specified using just the Common Name RDN, cn=CNValue, of the role group; or if false, specifies that the role members of a privilege group must be specified using the full Distinguished Name.
Default is true.
permissionGroupMemberAttribute
Specifies which attribute of a permission group node defines a member. For example, if the groupObjectClass is set to groupOfNames, this attribute should usually be set to member. Alternatively, if the groupObjectClass is set to groupOfUniqueNames, this attribute should usually be set to uniquemember.
Default is member.
queueSearchBase
The base DN of queue authorization entries.
Default is ou=Queue,ou=Destination,ou=ActiveMQ,ou=system.
readPermissionGroupSearchFilter
Specifies the filter used to search for read permission groups. This filter is used when searching under the nodes specified by queueSearchBase, topicSearchBase, or tempSearchBase, to obtain the permission groups for queues, topics, or temporary destinations, respectively.
Default is (cn=Read).
refreshDisabled
If true, disables cache refreshing.
Default is false.
refreshInterval
Time interval between refreshes of the cache, expressed in milliseconds (where the cache is refreshed by pulling data from the LDAP server). The special value, -1, disables the pull mechanism for refreshing the cache (but does not affect the push mechanism, if the LDAP server supports it).
Default is -1.
tempSearchBase
The base DN of authorization entries for temporary destinations.
Default is ou=Temp,ou=Destination,ou=ActiveMQ,ou=system.
topicSearchBase
The base DN of topic authorization entries.
Default is ou=Topic,ou=Destination,ou=ActiveMQ,ou=system.
userNameAttribute
Specifies which attribute of a user node is interpreted as the username.
Default is uid.
userObjectClass
Specifies the object class of the LDAP nodes used to store users.
Default is person.
writePermissionGroupSearchFilter
Specifies the filter used to search for write permission groups. This filter is used when searching under the nodes specified by queueSearchBase, topicSearchBase, or tempSearchBase, to obtain the permission groups for queues, topics, or temporary destinations, respectively.
Default is (cn=Write).

Authorization settings for different directory servers
リンクのコピー

The most significant differences between directory servers arise in connection with the object class settings in the cached LDAP authorization plug-in. The precise settings depend ultimately on the organisation of your DIT, but the following table gives an idea of the typical object class settings required for different directory servers:
Expand
Directory ServerObject Class Settings
389-DS
Red Hat DS 
userObjectClass="inetorgperson"
groupObjectClass="groupOfUniqueNames"
permissionGroupMemberAttribute="uniqueMember"
Copy to Clipboard Toggle word wrap
Apache DS 
userObjectClass="person"
groupObjectClass="groupOfNames"
permissionGroupMemberAttribute="member"
Copy to Clipboard Toggle word wrap
トップに戻る
Red Hat logoGithubredditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。 最新の更新を見る.

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

Theme

© 2025 Red Hat