7.2. Cached LDAP Authorization Plug-In
Overview
Using the cached LDAP authorization plug-in, you can configure a broker to retrieve its authorization data from an X.500 directory server. For better efficiency, this plug-in caches authorization data in the broker and provides support for updating the cached data at regular intervals.
Updating the cache
Two alternative mechanisms for updating the authorization cache are supported:
- Push mechanism—some LDAP directory server implementations support a persistent search feature, which enables applications to receive live updates from the LDAP server (push mechanism). By default, the cached LDAP authorization plug-in attempts to register with the LDAP server to receive these updates.
- Pull mechanism—if your LDAP directory server does not support live updates, you can configure the cached LDAP authorization plug-in to poll the LDAP server at regular intervals instead (pull mechanism). To enable the pull mechanism, you must set the refreshInterval property on the cached LDAP authorization plug-in.
Sample configuration
Example 7.3, “Cached LDAP Authorization Plug-In Configuration” shows an example of how to configure the cached LDAP authorization plug-in. The authorizationPlugin element must be added as a child of the plugins element.
Example 7.3. Cached LDAP Authorization Plug-In Configuration
<beans ... >
  <broker ... >
    ...
    <plugins>
      ...
      <authorizationPlugin>
        <map>
          <cachedLDAPAuthorizationMap
              legacyGroupMapping="false"
              connectionURL="ldap://localhost:10389"
              connectionUsername="uid=admin,ou=system"
              connectionPassword="secret"
              queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"
              topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"
              tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=system"
              refreshInterval="20000" />
        </map>
      </authorizationPlugin>
    </plugins>
    ...
  </broker>
</beans>
Configuration properties
The cached LDAP authorization plug-in supports the following properties:
connectionURL
- Specifies the location of the directory server using an LDAP URL, ldap://Host:Port. Default is ldap://localhost:1024.
connectionUsername
- The DN of the user that opens the connection to the directory server. Default is uid=admin,ou=system.
connectionPassword
- The password that matches the DN from connectionUsername. In the directory server, the password is normally stored as a userPassword attribute in the corresponding directory entry. Default is secret.
connectionProtocol
- The connection protocol to use when connecting to the LDAP server. Default is s.
authentication
- The authentication method to use when connecting to the LDAP server. Default is simple.
queueSearchBase
- The base DN of queue authorization entries. Default is ou=Queue,ou=Destination,ou=ActiveMQ,ou=system.
topicSearchBase
- The base DN of topic authorization entries. Default is ou=Topic,ou=Destination,ou=ActiveMQ,ou=system.
tempSearchBase
- The base DN of authorization entries for temporary destinations. Default is ou=Temp,ou=Destination,ou=ActiveMQ,ou=system.
refreshInterval
- Time interval between refreshes of the cache, expressed in milliseconds (where the cache is refreshed by pulling data from the LDAP server). The special value, -1, disables the pull mechanism for refreshing the cache (but does not affect the push mechanism, if the LDAP server supports it). Default is -1.
legacyGroupMapping
- If true, specifies that the role members of a privilege group must be specified using just the Common Name RDN, cn=CNValue, of the role group; or if false, specifies that the role members of a privilege group must be specified using the full Distinguished Name. Default is true.
baseDn
- Base DN of the directory sub-tree that contains data for Apache ActiveMQ. Default is ou=system.
groupClass
- Type of the class that implements the role principal. For example, in order to reuse roles defined for the Apache Karaf JAAS authentication plug-in, you would need to set this property to org.apache.karaf.jaas.boot.principal.RolePrincipal. Default is org.apache.activemq.jaas.GroupPrincipal.
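The following script is an added example, not code from this guide or from Apache ActiveMQ. It reads a broker XML configuration, locates the cachedLDAPAuthorizationMap element, applies the documented defaults from the property table above, and reports the settings a reviewer would want to check before deployment: a plain ldap:// connection URL, the documented default bind password, refreshInterval left at -1 (pull refresh disabled, so the cache only updates if the server supports persistent search), and the member-naming rule implied by legacyGroupMapping. The sample configuration embedded in the script is a constructed, namespace-carrying copy of Example 7.3; the helper names (effective_settings, check_settings, role_member_value) are this example's own.

```python
import xml.etree.ElementTree as ET

# Documented defaults for cachedLDAPAuthorizationMap, taken from the property table.
DEFAULTS = {
    "connectionURL": "ldap://localhost:1024",
    "connectionUsername": "uid=admin,ou=system",
    "connectionPassword": "secret",
    "connectionProtocol": "s",
    "authentication": "simple",
    "queueSearchBase": "ou=Queue,ou=Destination,ou=ActiveMQ,ou=system",
    "topicSearchBase": "ou=Topic,ou=Destination,ou=ActiveMQ,ou=system",
    "tempSearchBase": "ou=Temp,ou=Destination,ou=ActiveMQ,ou=system",
    "refreshInterval": "-1",
    "legacyGroupMapping": "true",
    "baseDn": "ou=system",
    "groupClass": "org.apache.activemq.jaas.GroupPrincipal",
}

# Constructed sample: Example 7.3 with the elided parts filled by a bare Spring beans wrapper.
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker>
    <plugins>
      <authorizationPlugin>
        <map>
          <cachedLDAPAuthorizationMap legacyGroupMapping="false"
              connectionURL="ldap://localhost:10389"
              connectionUsername="uid=admin,ou=system"
              connectionPassword="secret"
              queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"
              topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"
              tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=system"
              refreshInterval="20000" />
        </map>
      </authorizationPlugin>
    </plugins>
  </broker>
</beans>"""


def _local(tag):
    """Strip a {namespace} prefix so element matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def effective_settings(xml_text):
    """Return the plug-in's attributes with the documented defaults filled in."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) == "cachedLDAPAuthorizationMap":
            settings = dict(DEFAULTS)
            settings.update(elem.attrib)  # explicit attributes override defaults
            return settings
    raise ValueError("no cachedLDAPAuthorizationMap element found")


def role_member_value(role_group_dn, legacy_group_mapping):
    """How a privilege group must name a role member under the given legacyGroupMapping."""
    if legacy_group_mapping:
        return role_group_dn.split(",", 1)[0]  # just the cn=CNValue RDN
    return role_group_dn  # full Distinguished Name


def check_settings(settings):
    """Return human-readable findings about the effective plug-in settings."""
    findings = []
    url = settings["connectionURL"]
    if url.lower().startswith("ldap://"):
        findings.append("connectionURL %s is plain ldap://: bind credentials and authorization "
                        "data cross the network unencrypted unless TLS is negotiated" % url)
    if settings["connectionPassword"] == DEFAULTS["connectionPassword"]:
        findings.append("connectionPassword is the documented default value")
    try:
        interval = int(settings["refreshInterval"])
    except ValueError:
        interval = None
        findings.append("refreshInterval %r is not an integer" % settings["refreshInterval"])
    if interval == -1:
        findings.append("refreshInterval is -1: pull refresh disabled, cache updates only "
                        "if the LDAP server supports persistent search (push)")
    elif interval is not None and interval <= 0:
        findings.append("refreshInterval %d is not a usable polling interval" % interval)
    if settings["legacyGroupMapping"].lower() == "true":
        findings.append("legacyGroupMapping=true: role members are matched by cn=CNValue only; "
                        "set it to false to require full DNs")
    return findings


if __name__ == "__main__":
    current = effective_settings(SAMPLE_CONFIG)
    for finding in check_settings(current):
        print("-", finding)
```

Run the script against the embedded sample to see the findings, or replace SAMPLE_CONFIG with the contents of your own activemq.xml; because matching is done on local element names, the Spring and ActiveMQ namespaces in a real file do not need to be declared to the script.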