8.4. Enable LDAP Authentication in the OSGi Container
Overview
In this part of the tutorial you will configure an LDAP realm in the OSGi container. The new realm overrides the default karaf realm, so that the container authenticates credentials based on user entries stored in the X.500 directory server.
Procedure
To enable LDAP authentication:
- Ensure that the X.500 directory server is running.
- Start Red Hat JBoss A-MQ by entering the following command in a terminal window:

  amq

- Create a Blueprint configuration file called ldap-module.xml.
- Copy Example 8.1, “Blueprint JAAS Realm” into ldap-module.xml.

  Example 8.1. Blueprint JAAS Realm

  ```xml
  <?xml version="1.0" encoding="UTF-8"?>
  <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
             xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
             xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
    <jaas:config name="karaf" rank="1">
      <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connection.username=uid=admin,ou=system
        connection.password=secret
        connection.protocol=
        connection.url=ldap://localhost:10389
        user.base.dn=ou=users,ou=system
        user.filter=(uid=%u)
        user.search.subtree=true
        role.base.dn=ou=roles,ou=system
        role.name.attribute=cn
        role.filter=(member=uid=%u)
        role.search.subtree=true
        authentication=simple
      </jaas:module>
    </jaas:config>
  </blueprint>
  ```

  This login module creates a JAAS realm called karaf, which is the same name as the default JAAS realm used by Red Hat JBoss A-MQ. By redefining this realm with a rank attribute value greater than 0, it overrides the standard karaf realm, which has rank 0. For more information on configuring a JAAS realm see Section 2.1.2, “Defining JAAS Realms”. For a detailed description of configuring JBoss A-MQ to use LDAP see Section 2.2, “Enabling LDAP Authentication”.

  Important: When setting the JAAS properties above, do not enclose the property values in double quotes.

  Tip: If you use OpenLDAP, the syntax of the role filter is (member:=uid=%u).

- To deploy the new LDAP module, copy ldap-module.xml into the JBoss A-MQ deploy/ directory. The LDAP module is automatically activated.
- Test the new LDAP realm by connecting to the running container using the Red Hat JBoss A-MQ client utility:
  - Open a new command prompt.
  - Change directory to the JBoss A-MQ InstallDir/bin directory.
  - Enter the following command to log on to the running container instance using the identity janedoe:

    client -u janedoe -p secret

    You should receive the following message:

    Authentication failure

    This fails because janedoe does not have the admin role, which is required for using the remote console.
  - Enter the following command to log on to the running container instance using the identity jdoe:

    client -u jdoe -p secret

    You should successfully log into the container's remote console because jdoe does have the admin role.
  - Log off the remote console by entering the logout command.
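The realm definition above, as an added example that is not from the Red Hat documentation or from Karaf itself: a Python script that parses a Blueprint JAAS realm, checks the two points the text warns about (a rank above 0 so the realm overrides the default karaf realm, and property values not enclosed in double quotes), and renders the user and role filters for a login name the way the %u placeholder is filled in. The embedded XML is a constructed copy of Example 8.1 with connection.password deliberately double-quoted for the check to catch; the RFC 4515 escaping in render_filters is an assumption added here, not a claim about what LDAPLoginModule does.

```python
import xml.etree.ElementTree as ET
JAAS = "{http://karaf.apache.org/xmlns/jaas/v1.0.0}"
# Constructed copy of Example 8.1; connection.password is deliberately double-quoted for the lint to catch.
BLUEPRINT = """<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0">
  <jaas:config name="karaf" rank="1">
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
      connection.url=ldap://localhost:10389
      connection.username=uid=admin,ou=system
      connection.password="secret"
      user.base.dn=ou=users,ou=system
      user.filter=(uid=%u)
      role.base.dn=ou=roles,ou=system
      role.name.attribute=cn
      role.filter=(member=uid=%u)
      authentication=simple
    </jaas:module>
  </jaas:config>
</blueprint>"""
def parse_realm(xml_text):
    """Return (realm name, rank, {property: value}) from a Blueprint jaas:config element."""
    cfg = ET.fromstring(xml_text).find(JAAS + "config")
    props = {}
    for line in cfg.find(JAAS + "module").text.splitlines():
        line = line.strip()
        if line and "=" in line:
            key, value = line.split("=", 1)  # split once: DNs and filters contain '=' themselves
            props[key.strip()] = value.strip()
    return cfg.get("name"), int(cfg.get("rank", "0")), props

def lint_realm(name, rank, props):
    """Report the mistakes the text warns about: rank 0 cannot override the default karaf realm, and values must not be double-quoted."""
    problems = []
    if name == "karaf" and rank <= 0:
        problems.append("rank must be greater than 0 to override the default karaf realm")
    for key, value in props.items():
        if len(value) >= 2 and value[0] == value[-1] == '"':
            problems.append(f"{key}: value is enclosed in double quotes")
    for key in ("user.filter", "role.filter"):
        if "%u" not in props.get(key, ""):
            problems.append(f"{key}: missing the %u login-name placeholder")
    return problems

def render_filters(props, user):
    """Substitute the login name for %u in user.filter and role.filter (assumption added here: RFC 4515 escaping first)."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        user = user.replace(ch, esc)
    return props["user.filter"].replace("%u", user), props["role.filter"].replace("%u", user)
```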