9.6. Enable LDAP Authorization in the Broker

Overview

This section explains how to enable LDAP authorization in the broker, so that the broker obtains its authorization data from the directory server.

Compatibility with Apache Karaf principals

To avoid unnecessary duplication of user data, this LDAP authorization example reuses the user and role data already created for the Apache Karaf JAAS authentication plug-in (as described in Section 9.3, “Add User Entries to the Directory Server”). This affects the broker's LDAP authorization plug-in configuration, as follows:
  • When you create authorization entries in the LDAP server (as described in Section 9.5, “Add Broker Authorization Entries”), you must specify the full DN of the roles that are being authorized. This enables you to specify roles from any location in the LDAP tree (previously, the LDAP authorization plug-in could read roles only from a fixed location under the ou=ActiveMQ,ou=system node).
  • To enable the use of full DNs when specifying roles, you must set the legacyGroupMapping property to false in the LDAP authorization plug-in (the default is true).
  • Because the Apache Karaf roles are a different type than the roles natively supported by the LDAP authorization plug-in, you must also specify the type of the Karaf roles, by setting the groupClass property.

Enable broker LDAP authorization in a standalone OSGi container

Perform the following steps to enable broker LDAP authorization in a standalone OSGi container:
  1. Shut down the AMQ container, if it is currently running. In the console window, enter the following command:
    JBossA-MQ:karaf@root> shutdown
  2. Make a backup copy of the broker configuration file, InstallDir/etc/activemq.xml.
  3. Replace the LDAP authorization plug-in in the broker configuration. Open the broker configuration file, InstallDir/etc/activemq.xml, with a text editor and replace the default authorizationMap element by the cachedLDAPAuthorizationMap element, as follows:
    <beans ...>
      <broker ...>
        ...
        <plugins>
          ...
          <!-- Check user credentials and get roles, using JAAS authentication plug-in -->
          <jaasAuthenticationPlugin configuration = "karaf"/>
    
          <!-- Check destination permissions, using authorization plug-in -->
          <authorizationPlugin>
            <map>
              <cachedLDAPAuthorizationMap
                  connectionURL="ldap://Hostname:Port"
                  connectionUsername="cn=Directory Manager"
                  connectionPassword="LDAPPassword"
                  queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,dc=YourDomain"
                  topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,dc=YourDomain"
                  tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,dc=YourDomain"
                  groupObjectClass="groupOfUniqueNames"
                  permissionGroupMemberAttribute="uniquemember"
                  refreshInterval="300000"
                  legacyGroupMapping="false"
                  groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal"
                  />
            </map>
          </authorizationPlugin>
        </plugins>
        ...
      </broker>
    </beans>
    You must customize the following settings in the activemq.xml file:
    connectionURL
    Set this URL to the actual location of your directory server instance. Normally, this URL has the format, ldap://Hostname:Port. For example, the default port for the 389 Directory Server is IP port 389.
    connectionUsername
    Specifies the username that is used to authenticate the connection to the directory server. For 389 Directory Server, the default is usually cn=Directory Manager.
    connectionPassword
    Specifies the password part of the credentials for connecting to the directory server.
    queueSearchBase
    Replace YourDomain with the name of the root node on your directory server.
    topicSearchBase
    Replace YourDomain with the name of the root node on your directory server.
    tempSearchBase
    Replace YourDomain with the name of the root node on your directory server.
    Note
    For more details about the options available on the cachedLDAPAuthorizationMap element, see Section 8.2, “Cached LDAP Authorization Plug-In”.
  4. Ensure that the X.500 directory server is running. If necessary, manually restart the X.500 directory server—see Section 9.2, “Set-up a Directory Server and Console”. If the server is not running, all broker connections will fail.
  5. Restart the AMQ container. Open a new command prompt and start the broker by entering the following command:
    amq

Enable broker LDAP authorization in a Fabric

Perform the following steps to enable broker LDAP authorization in a fabric:
  1. Create a new version of the Fabric profile data, by entering the following console command:
    JBossFuse:karaf@root> version-create
    Created version: 1.2 as copy of: 1.1
    Where we have assumed that the current version is 1.1.
    Note
    In effect, this command creates a new branch named 1.2 in the Git repository underlying the ZooKeeper registry.
  2. Edit the broker.xml resource in version 1.2 of the mq-base profile, as follows:
    JBossFuse:karaf@root> profile-edit --resource broker.xml mq-base 1.2
    The built-in profile editor opens automatically, which you can use to edit the contents of the broker.xml resource.
  3. Add the LDAP authorization plug-in to the broker configuration, broker.xml. Using the editor that opened in the previous step, add the default authorizationPlugin element as a child of the plugins element, as follows:
    <beans ...>
      <broker ...>
        ...
        <plugins>
          ...
          <authorizationPlugin>
            <map>
              <cachedLDAPAuthorizationMap
                  connectionURL="ldap://Hostname:Port"
                  connectionUsername="cn=Directory Manager"
                  connectionPassword="LDAPPassword"
                  queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,dc=YourDomain"
                  topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,dc=YourDomain"
                  tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,dc=YourDomain"
                  groupObjectClass="groupOfUniqueNames"
                  permissionGroupMemberAttribute="uniquemember"
                  refreshInterval="300000"
                  legacyGroupMapping="false"
                  groupClass="org.apache.karaf.jaas.boot.principal.RolePrincipal"
                  />
            </map>
          </authorizationPlugin>
        </plugins>
        ...
      </broker>
    </beans>
    You must customize the following settings in the broker.xml resource:
    connectionURL
    Set this URL to the actual location of your directory server instance. Normally, this URL has the format, ldap://Hostname:Port. For example, the default port for the 389 Directory Server is IP port 389.
    connectionUsername
    Specifies the username that is used to authenticate the connection to the directory server. For 389 Directory Server, the default is usually cn=Directory Manager.
    connectionPassword
    Specifies the password part of the credentials for connecting to the directory server.
    queueSearchBase
    Replace YourDomain with the name of the root node on your directory server.
    topicSearchBase
    Replace YourDomain with the name of the root node on your directory server.
    tempSearchBase
    Replace YourDomain with the name of the root node on your directory server.
    Note
    For more details about the options available on the cachedLDAPAuthorizationMap element, see Section 8.2, “Cached LDAP Authorization Plug-In”.
  4. Save and close the broker.xml resource by typing Ctrl-S and Ctrl-X.
  5. To check that you have edited the broker.xml resource correctly, you can print out the 1.2 version of the mq-base profile and its resources using the following console command:
    JBossFuse:karaf@root> profile-display --version 1.2 -r mq-base
  6. Ensure that the X.500 directory server is running. If necessary, manually restart the X.500 directory server—see Section 9.2, “Set-up a Directory Server and Console”. If the server is not running, all broker connections will fail.
  7. The broker LDAP authorization is not activated, until you upgrade a container to use the new version, 1.2, of the mq-base profile. For example, to activate broker LDAP authorization on the root container, enter the following console command (assuming a broker profile is already deployed on the root container):
    JBossFuse:karaf@root> container-upgrade 1.2 root

Install the Apache ActiveMQ kit

For testing purposes, it is useful to install the Apache ActiveMQ example producer and consumer clients. These example clients are not provided directly in the AMQ package. But you can obtain the sample clients by installing the Apache ActiveMQ kit, apache-activemq-5.11.0.redhat-630187-bin.zip, provided in the extras/ directory of the AMQ installation.
Install the Apache ActiveMQ kit as follows:
  1. Find the Apache ActiveMQ kit at the following location:
    InstallDir/extras/apache-activemq-5.11.0.redhat-630187-bin.zip
  2. Using a suitable archive utility on your platform, unzip the apache-activemq-5.11.0.redhat-630187-bin.zip file and extract it to a convenient location, ActiveMQInstallDir.

Test the new configuration

To test the new configuration, run the example consumer and producer clients as follows:
  1. Run the consumer client with the jdoe user credentials. Open a new command prompt, change directory to ActiveMQInstallDir/examples/openwire/swissarmy, and enter the following Ant command:
    ant consumer -Durl=tcp://localhost:61616 -Dmax=100 -Duser=jdoe -Dpassword=secret
    Note
    If testing against a Fabric container, you might need to change the broker port to 61617.
  2. Run the producer client with the jdoe user credentials. Open a new command prompt, change directory to ActiveMQInstallDir/examples/openwire/swissarmy, and enter the following Ant command:
    ant producer -Durl=tcp://localhost:61616 -Dmax=100 -Duser=jdoe -Dpassword=secret
  3. Run a negative test, to demonstrate that unauthorized users are blocked from accessing the broker queues.
    Run the consumer client with the janedoe user credentials. Open a new command prompt, change directory to ActiveMQInstallDir/examples/openwire/swissarmy, and enter the following Ant command:
    ant consumer -Durl=tcp://localhost:61616 -Dmax=100 -Duser=janedoe -Dpassword=secret
    This time, the consumer client fails, because janedoe does not belong to the Administrator group.