<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>ActiveMQ</title>
<link rel="icon" type="image/png" href="/assets/img/favicon.png">
<link rel="stylesheet" href="/css/main.css">
<script defer src="https://use.fontawesome.com/releases/v5.0.8/js/all.js" integrity="sha384-SlE991lGASHoBfWbelyBPLsUlwY1GwNDJo3jSJO04KZ33K2bwfV9YBauFfnzvynJ" crossorigin="anonymous"></script>
<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js" integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q" crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script>
</head>
<body>
<div class="content">
<div class="page-title-activemq5">
<div class="container">
<h1>Cached LDAP Authorization Module</h1>
</div>
</div>
<div class="container" >
<div class="row" style="margin-top: 30px">
<div class="col-12 activemq5">
<blockquote>
<p><strong>Available since 5.6</strong></p>
<p>The cached LDAP authorization module is an implementation of the default authorization module that initializes and updates its data from LDAP. It supports all the standard features, such as wildcard policy entries and an entry for temporary destinations.</p>
</blockquote>
<h2 id="initializing">Initializing</h2>
<p>We provide two LDIF files to get you started. The first is for <a href="http://directory.apache.org/">Apache Directory Server</a> (<a href="https://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-apacheds.ldif">ldif</a>), which we use in embedded mode for testing. For an example of how to initialize the embedded ApacheDS with this LDIF file, take a look at <a href="https://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/security/CachedLDAPSecurityTest.java">CachedLDAPSecurityTest</a>.</p>
<p>The other is for <a href="http://www.openldap.org/">OpenLDAP</a> (<a href="https://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-openldap.ldif">ldif</a>).</p>
<p>The provided LDIF files and examples assume that the <code class="highlighter-rouge">dc=activemq,dc=apache,dc=org</code> suffix is used for entries, so a configuration similar to the one shown in the following snippet</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>suffix "dc=activemq,dc=apache,dc=org"
rootdn "cn=admin,dc=activemq,dc=apache,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw {SSHA}lfAYn54xCFghgQv5B2Kqn3d3eLojqxtS
</code></pre></div></div>
<p>should be put into your <code class="highlighter-rouge">slapd.conf</code>.</p>
<p>To initialize your (properly configured) OpenLDAP, run something like the following. Note that <code class="highlighter-rouge">-w</code> places the bind password on the command line, where it ends up in shell history and process listings; <code class="highlighter-rouge">-W</code> prompts for it instead.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ldapadd -x -D "cn=admin,dc=activemq,dc=apache,dc=org" -w sunflower -f activemq-openldap.ldif
</code></pre></div></div>
<h2 id="configuring">Configuring</h2>
<p>Once the entries are in LDAP, you can configure the module to load them from there. The default values are tailored to the embedded Apache DS server, so in that case all you have to do is add the plugin to the broker XML configuration:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;authorizationPlugin&gt;
&lt;map&gt;
&lt;cachedLDAPAuthorizationMap/&gt;
&lt;/map&gt;
&lt;/authorizationPlugin&gt;
</code></pre></div></div>
<p>For the OpenLDAP case, you should define more parameters:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;authorizationPlugin&gt;
&lt;map&gt;
&lt;cachedLDAPAuthorizationMap
connectionURL="ldap://localhost:389"
connectionUsername="cn=admin,dc=activemq,dc=apache,dc=org"
connectionPassword="sunflower"
queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org"
topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org"
tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org"
refreshInterval="300000"
legacyGroupMapping="false"
/&gt;
&lt;/map&gt;
&lt;/authorizationPlugin&gt;
</code></pre></div></div>
<p>Full example configurations for <a href="https://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-apacheds.xml">Apache DS</a> and <a href="https://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-openldap.xml">OpenLDAP</a> are available in the unit tests.</p>
<p>The full list of properties for <code class="highlighter-rouge">cachedLDAPAuthorizationMap</code>:</p>
<table>
<thead>
<tr>
<th>property</th>
<th>default value</th>
<th>description</th>
<th>version</th>
</tr>
</thead>
<tbody>
<tr>
<td>connectionURL</td>
<td>ldap://localhost:1024</td>
<td>LDAP server connection URL</td>
<td> </td>
</tr>
<tr>
<td>connectionUsername</td>
<td>uid=admin,ou=system</td>
<td>DN used to bind to the server</td>
<td> </td>
</tr>
<tr>
<td>connectionPassword</td>
<td>secret</td>
<td>Password used to bind to the server</td>
<td> </td>
</tr>
<tr>
<td>connectionProtocol</td>
<td>s</td>
<td>Connection protocol used when connecting to the server</td>
<td> </td>
</tr>
<tr>
<td>authentication</td>
<td>simple</td>
<td>Authentication method used when connecting to the server</td>
<td> </td>
</tr>
<tr>
<td>queueSearchBase</td>
<td>ou=Queue,ou=Destination,ou=ActiveMQ,ou=system</td>
<td>Base DN of the queue-related entries</td>
<td>5.7 and later</td>
</tr>
<tr>
<td>topicSearchBase</td>
<td>ou=Topic,ou=Destination,ou=ActiveMQ,ou=system</td>
<td>Base DN of the topic-related entries</td>
<td>5.7 and later</td>
</tr>
<tr>
<td>tempSearchBase</td>
<td>ou=Temp,ou=Destination,ou=ActiveMQ,ou=system</td>
<td>Base DN of the temporary-destination entries</td>
<td>5.7 and later</td>
</tr>
<tr>
<td>refreshInterval</td>
<td>-1</td>
<td>Interval (in milliseconds) at which changes are pulled from the server; -1 means pulling is off. See <a href="#updates">Updates</a> for more information.</td>
<td> </td>
</tr>
<tr>
<td>legacyGroupMapping</td>
<td>true</td>
<td>Whether permission group members are configured by CN rather than by full DN</td>
<td>5.7 and later</td>
</tr>
</tbody>
</table>
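<p>The property table above gives the values the module falls back to when an attribute is left out of the broker XML. The following script is an added example and not part of ActiveMQ: it overlays those documented defaults on a <code class="highlighter-rouge">cachedLDAPAuthorizationMap</code> element parsed out of a broker XML document (the OpenLDAP snippet above is embedded as a constructed sample) and reports the settings a reviewer would want to look at: a plain <code class="highlighter-rouge">ldap://</code> URL combined with simple authentication, a bind password left at the documented default, an attribute that is not in the table, and a <code class="highlighter-rouge">refreshInterval</code> that either disables updates entirely or bounds how long a stale permission survives. The finding codes and the <code class="highlighter-rouge">server_supports_persistent_search</code> flag are this example's own conventions.</p>

```python
# Added example, not ActiveMQ project code: lint the cachedLDAPAuthorizationMap
# element of a broker XML file against the defaults documented in the table above.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Defaults as documented for the module (tailored to the embedded Apache DS server).
DEFAULTS = {
    "connectionURL": "ldap://localhost:1024",
    "connectionUsername": "uid=admin,ou=system",
    "connectionPassword": "secret",
    "connectionProtocol": "s",
    "authentication": "simple",
    "queueSearchBase": "ou=Queue,ou=Destination,ou=ActiveMQ,ou=system",
    "topicSearchBase": "ou=Topic,ou=Destination,ou=ActiveMQ,ou=system",
    "tempSearchBase": "ou=Temp,ou=Destination,ou=ActiveMQ,ou=system",
    "refreshInterval": "-1",
    "legacyGroupMapping": "true",
}

# Constructed sample: the OpenLDAP snippet from this page, wrapped in the broker
# element so that it parses like a real broker XML file.
SAMPLE_XML = """<broker xmlns="http://activemq.apache.org/schema/core">
  <plugins>
    <authorizationPlugin>
      <map>
        <cachedLDAPAuthorizationMap
          connectionURL="ldap://localhost:389"
          connectionUsername="cn=admin,dc=activemq,dc=apache,dc=org"
          connectionPassword="sunflower"
          queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org"
          topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org"
          tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org"
          refreshInterval="300000"
          legacyGroupMapping="false"/>
      </map>
    </authorizationPlugin>
  </plugins>
</broker>
"""


def local_name(tag):
    """Strip the XML namespace prefix ("{uri}name" becomes "name")."""
    return tag.rsplit("}", 1)[-1]


def find_maps(xml_text):
    """Return every cachedLDAPAuthorizationMap element in the document."""
    root = ET.fromstring(xml_text)
    return [el for el in root.iter() if local_name(el.tag) == "cachedLDAPAuthorizationMap"]


def effective_settings(element):
    """Documented defaults overlaid with whatever the element sets explicitly."""
    settings = dict(DEFAULTS)
    settings.update(element.attrib)
    return settings


def lint(settings, server_supports_persistent_search):
    """Return (code, message) findings for one map's effective settings."""
    findings = []
    for name in settings:
        if name not in DEFAULTS:
            findings.append(("UNKNOWN_PROPERTY", f"{name} is not a documented property"))
    url = urlparse(settings["connectionURL"])
    if url.scheme == "ldap" and settings["authentication"] == "simple":
        findings.append(("CLEARTEXT_BIND",
                         "simple bind over ldap://: the bind DN and password leave the "
                         "broker unencrypted unless the link is otherwise protected"))
    if settings["connectionPassword"] == DEFAULTS["connectionPassword"]:
        findings.append(("DEFAULT_PASSWORD", "connectionPassword is the documented default"))
    interval = int(settings["refreshInterval"])
    if interval == -1 and not server_supports_persistent_search:
        findings.append(("NO_UPDATES",
                         "refreshInterval=-1 against a server without persistent search: "
                         "permissions are read once at startup and never refreshed"))
    elif interval > 0:
        findings.append(("PULL_DELAY",
                         f"pull updates: a change in LDAP can take up to {interval // 1000}s to apply"))
    return findings


def lint_document(xml_text, server_supports_persistent_search):
    """Lint every map in the document; one findings list per map element."""
    return [lint(effective_settings(el), server_supports_persistent_search)
            for el in find_maps(xml_text)]


if __name__ == "__main__":
    # OpenLDAP does not offer persistent search, so the pull-mode checks apply.
    for findings in lint_document(SAMPLE_XML, server_supports_persistent_search=False):
        for code, message in findings:
            print(f"{code}: {message}")
```

<p>Running it against the constructed sample reports the cleartext simple bind on <code class="highlighter-rouge">ldap://localhost:389</code> and the five-minute window implied by <code class="highlighter-rouge">refreshInterval="300000"</code>; an element with no attributes at all, linted for an OpenLDAP-style server, additionally trips the default-password and never-refreshed findings.</p>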
<h2 id="updates">Updates</h2>
<p>Many LDAP servers support the so-called “persistent search” feature, which allows applications to receive changes from LDAP in a “push” manner. By default this plugin assumes that the LDAP server supports this feature and will register for live updates.</p>
<p>For servers that don’t support this yet (such as OpenLDAP), we provide “pull” updates. In this case you need to set the <code class="highlighter-rouge">refreshInterval</code> property, which defines the plugin's update period (so in this case updates are not applied immediately, but only at the next refresh).</p>
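<p>To make the consequence of pull updates concrete, here is an added Python model that is not ActiveMQ code: an in-memory stand-in for the directory, a cache that re-reads it only once <code class="highlighter-rouge">refreshInterval</code> has elapsed, and ActiveMQ-style destination wildcard matching (<code class="highlighter-rouge">*</code> for one name segment, <code class="highlighter-rouge">&gt;</code> for one or more trailing segments). The destination names and group names are constructed, and the assumption that the groups of all matching wildcard entries are combined is the example's own. Revoking a group's read permission in the directory right after the broker has loaded its map shows that with <code class="highlighter-rouge">refreshInterval="300000"</code> the old permission keeps working for five minutes, while with the default <code class="highlighter-rouge">-1</code> on a server without persistent search it keeps working until the broker is restarted.</p>

```python
# Added example, not ActiveMQ project code: a small model of the "pull" update mode
# described above. It shows how long a permission revoked in LDAP keeps being honoured
# by the broker's cached map when updates are fetched only every refreshInterval.

# Constructed stand-in for the directory: destination pattern -> operation -> groups.
# Patterns use ActiveMQ destination wildcards: '.' separates name segments,
# '*' matches exactly one segment and '>' matches one or more trailing segments.
DIRECTORY = {
    "ORDERS.>": {"read": {"analysts"}, "write": {"order-service"}, "admin": {"admins"}},
    "ORDERS.EU": {"read": {"eu-analysts"}},
}


def matches(pattern, destination):
    """ActiveMQ-style wildcard match of a destination name against a pattern."""
    pat = pattern.split(".")
    dst = destination.split(".")
    for i, seg in enumerate(pat):
        if seg == ">":
            return len(dst) > i          # at least one more segment must follow
        if i >= len(dst):
            return False
        if seg != "*" and seg != dst[i]:
            return False
    return len(pat) == len(dst)


class CachedAuthorizationMap:
    """Snapshot of the directory that is re-read only when the interval has elapsed."""

    def __init__(self, directory, refresh_interval_ms):
        self.directory = directory
        self.refresh_interval_ms = refresh_interval_ms  # -1 means: load once, never pull
        self.loaded_at = None
        self.entries = {}

    def refresh(self, now_ms):
        # Copy the sets so that later changes in the directory do not leak into the cache.
        self.entries = {pat: {op: set(groups) for op, groups in ops.items()}
                        for pat, ops in self.directory.items()}
        self.loaded_at = now_ms

    def maybe_refresh(self, now_ms):
        if self.loaded_at is None:
            self.refresh(now_ms)                     # initial load at startup
        elif self.refresh_interval_ms > 0 and now_ms - self.loaded_at >= self.refresh_interval_ms:
            self.refresh(now_ms)                     # periodic pull

    def allowed(self, groups, destination, operation, now_ms):
        """Assumption of this model: groups of every matching entry are unioned."""
        self.maybe_refresh(now_ms)
        permitted = set()
        for pattern, ops in self.entries.items():
            if matches(pattern, destination):
                permitted |= ops.get(operation, set())
        return bool(permitted & set(groups))


def time_until_revocation_applies(refresh_interval_ms, step_ms=1000, horizon_ms=600_000):
    """Revoke 'analysts' read access on ORDERS.> right after the broker loaded its map.
    Return the first simulated time (ms) at which the cached map denies the access,
    or None if it is still allowed at the end of the horizon."""
    directory = {pat: {op: set(g) for op, g in ops.items()} for pat, ops in DIRECTORY.items()}
    amap = CachedAuthorizationMap(directory, refresh_interval_ms)
    if not amap.allowed(["analysts"], "ORDERS.EU.DE", "read", now_ms=0):
        raise RuntimeError("constructed data should allow this before the revocation")
    directory["ORDERS.>"]["read"].discard("analysts")   # the change happens in LDAP at t=0
    for t in range(step_ms, horizon_ms + step_ms, step_ms):
        if not amap.allowed(["analysts"], "ORDERS.EU.DE", "read", now_ms=t):
            return t
    return None


if __name__ == "__main__":
    print("refreshInterval=300000:", time_until_revocation_applies(300_000), "ms")
    print("refreshInterval=-1:    ", time_until_revocation_applies(-1))
```

<p>The returned value is the upper bound on how long a revoked permission stays effective in pull mode, which is the figure to weigh when choosing <code class="highlighter-rouge">refreshInterval</code>; a value of <code class="highlighter-rouge">None</code> means the cached map never caught up within the ten-minute horizon.</p>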
</div>
</div>
</div>
</div>
<div class="row sitemap">
<div class="col-sm-12">
<div class="container">
<div class="row">
<div class="col-sm-12">
<div class="row">
<div class="col-sm-3">
<div >
<img class="float-left" style="max-height: 100px" src="/assets/img/activemq_logo_white_vertical_small.png"/>
</div>
</div>
<div style="text-align: center; margin-bottom: 0px; margin-top: 30px; font-size: 65%" class="col-sm-6">
<p>Apache ActiveMQ, ActiveMQ, ActiveMQ Artemis, Apache, the Apache feather logo, and the Apache ActiveMQ project logo are trademarks of The Apache Software Foundation. Copyright &copy; 2019, The Apache Software Foundation. Licensed under <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License 2.0</a>.</p>
</div>
<div class="col-sm-3">
<div >
<a href="https://www.apache.org"><img class="float-right" style="margin-top: 10px; max-height: 80px" src="/assets/img/apache-logo-small.png"/></a>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>