Red Hat AMQ 6
As of February 2025, Red Hat is no longer supporting Red Hat AMQ 6. If you are using AMQ 6, please upgrade: Migrating to AMQ 7.
9.4. Enable LDAP Authentication in the OSGi Container
Overview
This section explains how to configure an LDAP realm in the OSGi container. The new realm overrides the default `karaf` realm, so that the container authenticates credentials based on user entries stored in the X.500 directory server.
References
More detailed documentation is available on LDAP authentication, as follows:

- LDAPLoginModule options: described in detail in Section 2.1.7, “JAAS LDAP Login Module”.
- Configurations for other directory servers: this tutorial covers only 389-DS. For details of how to configure other directory servers, such as Microsoft Active Directory, see the section called “Filter settings for different directory servers”.
Procedure for standalone OSGi container
To enable LDAP authentication in a standalone OSGi container:

- Ensure that the X.500 directory server is running.
- Start Red Hat JBoss A-MQ by entering the following command in a terminal window:

  ```
  ./amq
  ```

- Create a file called `ldap-module.xml`.
- Copy Example 9.1, “JAAS Realm for Standalone” into `ldap-module.xml`. You must customize the following settings in the `ldap-module.xml` file:
  - `connection.url`: Set this URL to the actual location of your directory server instance. Normally, this URL has the format `ldap://Hostname:Port`. For example, the default port for the 389 Directory Server is IP port 389.
  - `connection.username`: Specifies the username that is used to authenticate the connection to the directory server. For 389 Directory Server, the default is usually `cn=Directory Manager`.
  - `connection.password`: Specifies the password part of the credentials for connecting to the directory server.
  - `authentication`: You can specify either of the following alternatives for the authentication protocol:
    - `simple` implies that user credentials are supplied; you are obliged to set the `connection.username` and `connection.password` options in this case.
    - `none` implies that authentication is not performed. There is no need to set the `connection.username` and `connection.password` options in this case.

  This login module creates a JAAS realm called `karaf`, which is the same name as the default JAAS realm used by JBoss A-MQ. By redefining this realm with a `rank` attribute value greater than 0, it overrides the standard `karaf` realm, which has rank 0 (but note that in the context of Fabric, the default `karaf` realm has a rank of 99, so you need to define a new realm with rank 100 or greater to override the default realm in a fabric). For more details about how to configure JBoss A-MQ to use LDAP, see Section 2.1.7, “JAAS LDAP Login Module”.

  Important: When setting the JAAS properties above, do not enclose the property values in double quotes.
- To deploy the new LDAP module, copy `ldap-module.xml` into the JBoss A-MQ `deploy/` directory. The LDAP module is automatically activated.

  Note: Subsequently, if you need to undeploy the LDAP module, you can do so by deleting the `ldap-module.xml` file from the `deploy/` directory while the Karaf container is running.
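The following Python script is an added example; it is not part of the Red Hat documentation or of the A-MQ distribution. It checks the four settings this procedure tells you to customize against the rules stated here (URL form, `simple` requiring a bind username and password, no double quotes around values, and a `rank` above the realm being overridden: 0 for a standalone container, 99 for the Fabric case described in the next procedure) and renders them into a Blueprint `jaas:config` element. The element and attribute names and the Karaf JAAS Blueprint namespace are assumptions drawn from Karaf's JAAS schema as the example's author knows it; the page's Example 9.1 and 9.2 files remain authoritative, and a real `LDAPLoginModule` configuration needs further properties (user and role search settings, see Section 2.1.7) that this check does not cover.

```python
# Added example (not from the Red Hat AMQ documentation): sanity-check the
# ldap-module.xml settings this section tells you to customize, then render
# them into a Blueprint JAAS config. The property names and rank rules are
# taken from the page; the Blueprint/Karaf JAAS element names and namespace
# are assumptions (Example 9.1 / 9.2 in the documentation are authoritative).
from urllib.parse import urlsplit

LDAP_MODULE = "org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"

# Rank of the karaf realm the new one has to beat: 0 for the default realm in a
# standalone container, 99 for the ZookeeperLoginModule realm in a Fabric.
INSTALLED_RANK = {"standalone": 0, "fabric": 99}


def validate_ldap_settings(props, mode="standalone", rank=1):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    installed = INSTALLED_RANK[mode]

    # A rank that does not exceed the existing realm leaves the old realm in force.
    if rank <= installed:
        problems.append(f"rank {rank} must be greater than {installed} ({mode})")

    # Values are written as key=value lines; quotes would become part of the value.
    for key, value in props.items():
        if len(value) >= 2 and value[0] == value[-1] == '"':
            problems.append(f"{key}: do not enclose the value in double quotes")

    url = props.get("connection.url", "")
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        problems.append("connection.url must have the form ldap://Hostname:Port")
    elif mode == "fabric" and parts.hostname in ("localhost", "127.0.0.1"):
        problems.append("connection.url: localhost is not reachable from the "
                        "other containers in a Fabric")

    auth = props.get("authentication", "")
    if auth == "simple":
        # simple bind needs both halves of the directory credentials
        for key in ("connection.username", "connection.password"):
            if not props.get(key):
                problems.append(f"authentication=simple requires {key}")
    elif auth != "none":
        problems.append("authentication must be 'simple' or 'none'")
    return problems


def render_blueprint(props, rank):
    """Render the settings as the Blueprint XML body of ldap-module.xml (schema assumed)."""
    body = "\n".join(f"            {key}={value}" for key, value in props.items())
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"\n'
        '           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0">\n'
        f'    <jaas:config name="karaf" rank="{rank}">\n'
        f'        <jaas:module className="{LDAP_MODULE}" flags="required">\n'
        f"{body}\n"
        '        </jaas:module>\n'
        '    </jaas:config>\n'
        '</blueprint>\n'
    )


# Constructed sample settings (hostname and password are placeholders).
SAMPLE = {
    "connection.url": "ldap://ldap.example.com:389",
    "connection.username": "cn=Directory Manager",
    "connection.password": "directory-manager-password",
    "authentication": "simple",
}

if __name__ == "__main__":
    for mode, rank in (("standalone", 1), ("fabric", 200)):
        print(mode, validate_ldap_settings(SAMPLE, mode, rank) or "OK")
    print(render_blueprint(SAMPLE, 200))
```

Run it with `mode="fabric"` and the rank you intend to use before editing the profile resource; the same rank check is what decides whether the new realm is used at all, which is the failure mode the Fabric procedure warns about.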
Procedure for a Fabric
To enable LDAP authentication in a Fabric (affecting all of the containers in the current fabric):

- Ensure that the X.500 directory server is running.
- If your local Fabric container is not already running, start it now, by entering the following command in a terminal window:

  ```
  ./amq
  ```

  Note: If the Fabric container you want to connect to is running on a remote host, you can connect to it using the `client` command-line utility in the `InstallDir/bin` directory.
- Create a new version of the Fabric profile data, by entering the following console command:

  ```
  JBossFuse:karaf@root> version-create
  Created version: 1.1 as copy of: 1.0
  ```

  Note: In effect, this command creates a new branch named `1.1` in the Git repository underlying the ZooKeeper registry.
- Create the new profile resource, `ldap-module.xml` (a Blueprint configuration file), in version `1.1` of the `default` profile, as follows:

  ```
  JBossFuse:karaf@root> profile-edit --resource ldap-module.xml default 1.1
  ```

  The built-in profile editor opens automatically, which you can use to edit the contents of the `ldap-module.xml` resource.
- Copy Example 9.2, “JAAS Realm for Fabric” into the `ldap-module.xml` resource, customizing the configuration properties as necessary. You must customize the following settings in the `ldap-module.xml` file:
  - `connection.url`: Set this URL to the actual location of your directory server instance. Normally, this URL has the format `ldap://Hostname:Port`. You must be sure to use a hostname that is accessible to all of the containers in the fabric (hence, you cannot use `localhost` as the hostname here). The default port for the 389 Directory Server is IP port 389.
  - `connection.username`: Specifies the username that is used to authenticate the connection to the directory server. For 389 Directory Server, the default is usually `cn=Directory Manager`.
  - `connection.password`: Specifies the password part of the credentials for connecting to the directory server.
  - `authentication`: You can specify either of the following alternatives for the authentication protocol:
    - `simple` implies that user credentials are supplied; you are obliged to set the `connection.username` and `connection.password` options in this case.
    - `none` implies that authentication is not performed. There is no need to set the `connection.username` and `connection.password` options in this case.

  This login module creates a JAAS realm called `karaf`, which is the same name as the default JAAS realm used by Red Hat JBoss A-MQ. By redefining this realm with a `rank` of 200, it overrides all of the previously installed `karaf` realms (in the context of Fabric, you need to override the default `ZookeeperLoginModule`, which has a rank of 99).

  Important: Pay particular attention to the value of the `rank` to ensure that it is higher than all previously installed `karaf` realms. If the `rank` is not sufficiently high, the new realm will not be used by the fabric.

  Important: When setting the JAAS properties above, do not enclose the property values in double quotes.

  Important: In a Fabric, the Zookeeper login module must be enabled, in addition to the LDAP login module. This is because Fabric uses the Zookeeper login module internally, to support authentication between ensemble servers. With the configuration shown here, Fabric tries to authenticate first of all against the Zookeeper login module and, if that step fails, it tries to authenticate against the LDAP login module.
- Save and close the `ldap-module.xml` resource by typing Ctrl-S and Ctrl-X.
- Edit the agent properties of version 1.1 of the `default` profile, adding an instruction to deploy the Blueprint resource file defined in the previous step. Enter the following console command:

  ```
  JBossFuse:karaf@root> profile-edit default 1.1
  ```

  The built-in profile editor opens automatically. Add the following line to the agent properties:

  ```
  bundle.ldap-realm=blueprint:profile:ldap-module.xml
  ```

  Save and close the agent properties by typing Ctrl-S and Ctrl-X.
- The new LDAP realm is not activated until you upgrade a container to use the new version, `1.1`. To activate LDAP on a single container (for example, on a container called `root`), enter the following console command:

  ```
  JBossFuse:karaf@root> container-upgrade 1.1 root
  ```

  To activate LDAP on all containers in the fabric, enter the following console command:

  ```
  JBossFuse:karaf@root> container-upgrade --all 1.1
  ```

  Important: It is advisable to upgrade just a single container initially, to make sure that everything is working properly. This is particularly important if you have only remote access to the fabric: if you upgrade all of the containers at once, you might not be able to reconnect to the fabric.
- To check that the LDAP realm is activated, enter the following console command:

  ```
  JBossFuse:karaf@root> jaas-realms
  Index Realm Module Class
  1     karaf org.apache.karaf.jaas.modules.ldap.LDAPLoginModule
  ```

  If the output of this command lists the `ZookeeperLoginModule`, this means the LDAP realm is not yet activated. It might take a minute or so for activation of the LDAP realm to complete.
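As an added example that is not part of the original page, the following Python routine turns captured `jaas-realms` output into records and applies the check just described: the realm counts as active once the `karaf` realm is served by `LDAPLoginModule`, and as still pending while a `ZookeeperLoginModule` entry is listed, which is when a script should wait and retry rather than proceed to upgrade the remaining containers. The sample outputs are constructed; the `io.fabric8.jaas.ZookeeperLoginModule` class name in the pending sample is an assumption about the Fabric module's fully qualified name, and the check only compares the simple class name.

```python
# Added example (not from the Red Hat AMQ documentation): decide from the text
# printed by the `jaas-realms` console command whether the LDAP realm is in use.

# Constructed sample outputs. The LDAPLoginModule class name is the one shown on
# the page; the package of ZookeeperLoginModule is an assumption.
SAMPLE_ACTIVE = """\
JBossFuse:karaf@root> jaas-realms
Index Realm Module Class
1     karaf org.apache.karaf.jaas.modules.ldap.LDAPLoginModule
"""

SAMPLE_PENDING = """\
JBossFuse:karaf@root> jaas-realms
Index Realm Module Class
1     karaf io.fabric8.jaas.ZookeeperLoginModule
"""


def parse_jaas_realms(output):
    """Return the realm rows as dicts, skipping the echoed prompt and the header."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        # Data rows have exactly three columns and start with a numeric index;
        # the header line has four words and the echoed prompt has two.
        if len(fields) == 3 and fields[0].isdigit():
            rows.append({"index": int(fields[0]),
                         "realm": fields[1],
                         "module": fields[2]})
    return rows


def ldap_realm_status(output, realm="karaf"):
    """'active'  : the named realm is served by LDAPLoginModule
       'pending' : a ZookeeperLoginModule entry is still listed (wait and retry)
       'missing' : the realm is not listed, or uses some other module"""
    modules = {row["module"].rsplit(".", 1)[-1]
               for row in parse_jaas_realms(output)
               if row["realm"] == realm}
    if "ZookeeperLoginModule" in modules:
        return "pending"
    if "LDAPLoginModule" in modules:
        return "active"
    return "missing"


if __name__ == "__main__":
    import sys
    # Pipe the console output in (for example from a client -u ... session
    # transcript); with no piped input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACTIVE
    print(ldap_realm_status(text))
```

A `missing` result after the activation window has passed usually means the `bundle.ldap-realm` line was not added to the agent properties or the container was not upgraded to version `1.1`; a persistent `pending` result points at a `rank` that does not exceed 99.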
Test the LDAP authentication
Test the new LDAP realm by connecting to the running container using the JBoss A-MQ `client` utility, as follows:

- Open a new command prompt.
- Change directory to the JBoss A-MQ `InstallDir/bin` directory.
- Enter the following command to log on to the running container instance using the identity `jdoe`:

  ```
  client -u jdoe -p secret
  ```

  You should successfully log into the container's remote console. At the command console, type `jaas:` followed by the [Tab] key (to activate content completion). You should see that `jdoe` has access to all of the `jaas` commands (which is consistent with the `Administrator` role).
- Log off the remote console by entering the `logout` command.
- Enter the following command to log on to the running container instance using the identity `janedoe`:

  ```
  client -u janedoe -p secret
  ```

  You should successfully log into the container's remote console. At the command console, type `jaas:` followed by the [Tab] key (to activate content completion). You should see that `janedoe` has access to almost all of the `jaas` commands, except for `jaas:update` (which is consistent with the `Deployer` role).
- Log off the remote console by entering the `logout` command.
- Enter the following command to log on to the running container instance using the identity `crider`:

  ```
  client -u crider -p secret
  ```

  You should successfully log into the container's remote console. At the command console, type `jaas:` followed by the [Tab] key (to activate content completion):

  ```
  JBossFuse:janedoe@root> jaas:
  jaas:groupcreate jaas:groups jaas:realms
  ```

  You should see that `crider` has access to only three of the `jaas` commands (which is consistent with the `Monitor` role).
- Log off the remote console by entering the `logout` command.