이 콘텐츠는 선택한 언어로 제공되지 않습니다.
8.2. Cached LDAP Authorization Plug-In
Overview
Using the cached LDAP authorization plug-in, you can configure a broker to retrieve its authorization data from an X.500 directory server. For better efficiency, this plug-in caches authorization data in the broker and provides support for updating the cached data at regular intervals.
Updating the cache
Two alternative mechanisms for updating the authorization cache are supported:
- Push mechanism—some LDAP directory server implementations support a persistent search feature, which enables applications to receive live updates from the LDAP server (push mechanism). By default, the cached LDAP authorization plug-in attempts to register with the LDAP server to receive these updates.
- Pull mechanism—if your LDAP directory server does not support live updates, you can configure the cached LDAP authorization plug-in to poll the LDAP server at regular intervals instead (pull mechanism). To enable the pull mechanism, you must set the
refreshIntervalproperty on the cached LDAP authorization plug-in.
Sample configuration
Example 8.3, “Cached LDAP Authorization Plug-In Configuration” shows an example of how to configure the cached LDAP authorization plug-in. The
authorizationPlugin element must be added as a child of the plugins element.
Example 8.3. Cached LDAP Authorization Plug-In Configuration
<beans ... >
<broker ... >
...
<plugins>
...
<authorizationPlugin>
<map>
<cachedLDAPAuthorizationMap
legacyGroupMapping="false"
connectionURL="ldap://localhost:10389"
connectionUsername="uid=admin,ou=system"
connectionPassword="secret"
queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"
topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"
tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=system"
refreshInterval="20000"
/>
</map>
</authorizationPlugin>
</plugins>
...
</broker>
</beans>Configuration properties
The cached LDAP authorization plug-in supports the following properties:
adminPermissionGroupSearchFilter- Specifies the filter used to search for admin permission groups. This filter is used when searching under the nodes specified by
queueSearchBase,topicSearchBase, ortempSearchBase, to obtain the permission groups for queues, topics, or temporary destinations, respectively.Default is(cn=Admin). authentication- The authentication method to use when connecting to the LDAP server.Default is
simple. connectionPassword- The password that matches the DN from
connectionUsername. In the directory server, the password is normally stored as auserPasswordattribute in the corresponding directory entry.Default issecret. connectionProtocol- The connection protocol to use when connecting to the LDAP server.Default is
s. connectionURL- Specifies the location of the directory server using an LDAP URL,
ldap://Host:Port.Default isldap://localhost:1024. connectionUsername- The DN of the user that opens the connection to the directory server.Default is
uid=admin,ou=system. groupClass- Type of the class that implements the role principal. For example, in order to reuse roles defined for the Apache Karaf JAAS authentication plug-in, you would need to set this property to
org.apache.karaf.jaas.boot.principal.RolePrincipal.Default isorg.apache.activemq.jaas.GroupPrincipal. groupNameAttribute- Specifies which attribute of a permission group node is interpreted as the group name.Default is
cn. groupObjectClass- Specifies the object class of the LDAP nodes used to store permission groups. Typical values are
groupOfNamesorgroupOfUniqueNames.Default isgroupOfNames. legacyGroupMapping- If
true, specifies that the role members of a privilege group must be specified using just the Common Name RDN,cn=CNValue, of the role group; or iffalse, specifies that the role members of a privilege group must be specified using the full Distinguished Name.Default istrue. permissionGroupMemberAttribute- Specifies which attribute of a permission group node defines a member. For example, if the
groupObjectClassis set togroupOfNames, this attribute should usually be set tomember. Alternatively, if thegroupObjectClassis set togroupOfUniqueNames, this attribute should usually be set touniquemember.Default ismember. queueSearchBase- The base DN of queue authorization entries.Default is
ou=Queue,ou=Destination,ou=ActiveMQ,ou=system. readPermissionGroupSearchFilter- Specifies the filter used to search for read permission groups. This filter is used when searching under the nodes specified by
queueSearchBase,topicSearchBase, ortempSearchBase, to obtain the permission groups for queues, topics, or temporary destinations, respectively.Default is(cn=Read). refreshDisabled- If
true, disables cache refreshing.Default isfalse. refreshInterval- Time interval between refreshes of the cache, expressed in milliseconds (where the cache is refreshed by pulling data from the LDAP server). The special value,
-1, disables the pull mechanism for refreshing the cache (but does not affect the push mechanism, if the LDAP server supports it).Default is-1. tempSearchBase- The base DN of authorization entries for temporary destinations.Default is
ou=Temp,ou=Destination,ou=ActiveMQ,ou=system. topicSearchBase- The base DN of topic authorization entries.Default is
ou=Topic,ou=Destination,ou=ActiveMQ,ou=system. userNameAttribute- Specifies which attribute of a user node is interpreted as the username.Default is
uid. userObjectClass- Specifies the object class of the LDAP nodes used to store users.Default is
person. writePermissionGroupSearchFilter- Specifies the filter used to search for write permission groups. This filter is used when searching under the nodes specified by
queueSearchBase,topicSearchBase, ortempSearchBase, to obtain the permission groups for queues, topics, or temporary destinations, respectively.Default is(cn=Write).
Authorization settings for different directory servers
The most significant differences between directory servers arise in connection with the object class settings in the cached LDAP authorization plug-in. The precise settings depend ultimately on the organisation of your DIT, but the following table gives an idea of the typical object class settings required for different directory servers:
| Directory Server | Object Class Settings |
|---|---|
|
389-DS
Red Hat DS
|
userObjectClass="inetorgperson" groupObjectClass="groupOfUniqueNames" permissionGroupMemberAttribute="uniqueMember" |
|
Apache DS
|
userObjectClass="person" groupObjectClass="groupOfNames" permissionGroupMemberAttribute="member" |
