
8.7. Tutorial: Enable LDAP Authorization in the Broker


Overview

This section explains how to enable LDAP authorization in the broker, so that the broker obtains its authorization data from the directory server.

Compatibility with Apache Karaf principals

In order to avoid unnecessary duplication of user data, this LDAP authorization example reuses the user and role data already created for the Apache Karaf JAAS authentication plug-in (as described in Section 8.3, “Add User Entries to the Directory Server”). This affects the broker's LDAP authorization plug-in configuration, as follows:
  • When you create authorization entries in the LDAP server (as described in Section 8.6, “Tutorial: Add Authorization Entries”), you must specify the full DN of the roles that are being authorized. This enables you to specify roles from any location in the LDAP tree (previously, the LDAP authorization plug-in could only read roles from a fixed location under the ou=ActiveMQ,ou=system node).
  • To enable the use of full DNs when specifying roles, you must set the legacyGroupMapping property to false in the LDAP authorization plug-in (the default is true).
  • Because the Apache Karaf roles are of a different type from the roles natively supported by the LDAP authorization plug-in, you must also specify the type of the Karaf roles, by setting the groupClass property.

Enable LDAP authorization in the broker

Perform the following steps to enable LDAP authorization:
  1. Shut down the JBoss A-MQ container, if it is currently running. In the console window, enter the following command:
    JBossA-MQ:karaf@root> shutdown -f
  2. Add the LDAP authorization plug-in to the broker configuration. Open the broker configuration file, InstallDir/etc/activemq.xml, with a text editor and add the authorizationPlugin element, as follows:
    <beans ...>
      <broker ...>
        ...
        <plugins>
          ...
          <authorizationPlugin>
            <map>
                <cachedLDAPAuthorizationMap
                    connectionURL="ldap://localhost:10389"
                    connectionUsername="uid=admin,ou=system"
                    connectionPassword="secret"
                    queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"
                    topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"
                    tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=system"
                    refreshInterval="300000"
                    legacyGroupMapping="false"
                    groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal"
                />
            </map>
          </authorizationPlugin>
        </plugins>
        ...
      </broker>
    </beans>
  3. Ensure that the X.500 directory server is running. If necessary, manually restart the X.500 directory server—see Section 8.2, “Set-up a Directory Server and Browser”. If the server is not running, all broker connections will fail.
  4. Restart the JBoss A-MQ container. Open a new command prompt and start the broker by entering the following command:
    amq
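The compatibility notes above impose a consistency rule on the cachedLDAPAuthorizationMap settings in step 2: reusing Karaf roles only works when groupClass names the Karaf RolePrincipal and legacyGroupMapping is explicitly false (the plug-in default is true), and the three search bases are expected to sit under ou=ActiveMQ,ou=system. The following is an added example, not part of the Red Hat documentation or the ActiveMQ code base: a small Python check that reads an activemq.xml, finds every cachedLDAPAuthorizationMap element regardless of XML namespace, and reports settings that violate those rules. It also flags a literal bind password in the XML; the assumption that a `${...}` Spring property placeholder counts as externalised is the example's own convention. The two sample configurations embedded in it are constructed for the demonstration.

```python
"""Static consistency check for the LDAP authorization plug-in in activemq.xml.

Added example (not Red Hat or Apache ActiveMQ code). Checks the constraints the
tutorial states for reusing Apache Karaf roles: legacyGroupMapping="false",
groupClass set to the Karaf RolePrincipal, and search bases under
ou=ActiveMQ,ou=system. Also flags a plaintext connectionPassword.
"""
import xml.etree.ElementTree as ET

KARAF_ROLE_CLASS = "org.apache.karaf.jaas.boot.principal.RolePrincipal"
EXPECTED_SUFFIX = "ou=activemq,ou=system"


def _local(tag):
    """Strip the namespace part of an ElementTree tag ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def find_ldap_maps(xml_text):
    """Return the attribute dict of every cachedLDAPAuthorizationMap element,
    whatever XML namespace the broker configuration declares."""
    root = ET.fromstring(xml_text)
    return [dict(el.attrib) for el in root.iter()
            if _local(el.tag) == "cachedLDAPAuthorizationMap"]


def check_ldap_map(attrs):
    """Return a list of findings for one map; an empty list means the settings
    are consistent with reusing Karaf roles via full role DNs."""
    findings = []
    # The plug-in default is true, so a missing attribute counts as true.
    legacy = attrs.get("legacyGroupMapping", "true").strip().lower()
    group_class = attrs.get("groupClass", "")

    if group_class == KARAF_ROLE_CLASS and legacy != "false":
        findings.append("groupClass is the Karaf RolePrincipal but legacyGroupMapping "
                        "is not false: full role DNs will not be honoured")
    if legacy == "false" and not group_class:
        findings.append("legacyGroupMapping=false but groupClass is unset: Karaf "
                        "roles will not match the plug-in's default role type")
    for key in ("queueSearchBase", "topicSearchBase", "tempSearchBase"):
        base = attrs.get(key, "")
        if not base:
            findings.append(f"{key} is missing")
        elif not base.replace(" ", "").lower().endswith(EXPECTED_SUFFIX):
            findings.append(f"{key} is outside {EXPECTED_SUFFIX}: {base}")
    # Assumption of this example: a ${...} placeholder means the secret is
    # externalised; anything else is a literal password in the XML file.
    pw = attrs.get("connectionPassword", "")
    if pw and not pw.startswith("${"):
        findings.append("connectionPassword is a literal in activemq.xml rather than "
                        "an externalised property placeholder")
    return findings


def check_broker_config(xml_text):
    """Run check_ldap_map over every LDAP authorization map in the config."""
    maps = find_ldap_maps(xml_text)
    if not maps:
        return ["no cachedLDAPAuthorizationMap element found"]
    return [f for m in maps for f in check_ldap_map(m)]


# Constructed sample: the tutorial's settings with the password externalised.
GOOD_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core">
    <plugins>
      <authorizationPlugin>
        <map>
          <cachedLDAPAuthorizationMap
              connectionURL="ldap://localhost:10389"
              connectionUsername="uid=admin,ou=system"
              connectionPassword="${ldap.password}"
              queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"
              topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"
              tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=system"
              refreshInterval="300000"
              legacyGroupMapping="false"
              groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal"/>
        </map>
      </authorizationPlugin>
    </plugins>
  </broker>
</beans>
"""

# Constructed sample of a common mistake: groupClass set for Karaf roles but
# legacyGroupMapping left at its default, plus a literal bind password.
BAD_CONFIG = (GOOD_CONFIG
              .replace('legacyGroupMapping="false"', 'legacyGroupMapping="true"')
              .replace('connectionPassword="${ldap.password}"',
                       'connectionPassword="secret"'))

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_broker_config(cfg) or "OK")
```

Run it against a real file with `check_broker_config(open("etc/activemq.xml").read())`; the "good" sample yields no findings, the "bad" one reports the legacyGroupMapping mismatch and the literal password.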

Install the Apache ActiveMQ kit

For testing purposes, it is useful to install the Apache ActiveMQ example producer and consumer clients. These example clients are not provided directly in the JBoss A-MQ package. But you can obtain the sample clients by installing the Apache ActiveMQ kit, apache-activemq-5.8.0.redhat-60024-bin.zip, provided in the extras/ directory of the JBoss A-MQ installation.
Install the Apache ActiveMQ kit as follows:
  1. Find the Apache ActiveMQ kit at the following location:
    InstallDir/extras/apache-activemq-5.8.0.redhat-60024-bin.zip
  2. Using a suitable archive utility on your platform, unzip the apache-activemq-5.8.0.redhat-60024-bin.zip file and extract it to a convenient location, ActiveMQInstallDir.

Test the new configuration

To test the new configuration, run the example consumer and producer clients as follows:
  1. Run the consumer client with the jdoe user credentials. Open a new command prompt, change directory to ActiveMQInstallDir/example, and enter the following Ant command:
    ant consumer -Durl=tcp://localhost:61616 -Dmax=100 -Duser=jdoe -Dpassword=secret
  2. Run the producer client with the jdoe user credentials. Open a new command prompt, change directory to ActiveMQInstallDir/example, and enter the following Ant command:
    ant producer -Durl=tcp://localhost:61616 -Dmax=100 -Duser=jdoe -Dpassword=secret
  3. Run a negative test, to demonstrate that unauthorized users are blocked from accessing the broker queues.
    Run the consumer client with the janedoe user credentials. Open a new command prompt, change directory to ActiveMQInstallDir/example, and enter the following Ant command:
    ant consumer -Durl=tcp://localhost:61616 -Dmax=100 -Duser=janedoe -Dpassword=secret
    This time, the consumer client fails, because janedoe does not belong to the admin group.