9.5. Add Broker Authorization Entries

Overview

Before enabling LDAP authorization in the broker, you need to create a suitable tree of entries in the directory server to represent permissions. You need to create the following kinds of entry:
Queue entries
Each queue entry has a Common Name (cn), which can be the name of a specific queue or a wildcard pattern that matches multiple queues. Under each queue entry, you must create sub-entries for the admin, read, and write permissions.
Topic entries
Each topic entry has a Common Name (cn), which can be the name of a specific topic or a wildcard pattern that matches multiple topics. Under each topic entry, you must create sub-entries for the admin, read, and write permissions.
Advisory topics entry
In particular, you must define one topic entry with the Common Name, ActiveMQ.Advisory.$, which is a wildcard pattern that matches all advisory topics.
Temporary queues entry
A single Temp entry contains the admin, read, and write permissions that apply to all temporary queues.

Using wildcards in queue and topic entries

When setting the common name of queue and topic entries in the directory server, you can use any of the wildcards shown in Table 9.1, “Destination Name Wildcards in LDAP” to match one or more segments of a destination name.

Table 9.1. Destination Name Wildcards in LDAP

WildcardDescription
.Separates segments in a path name.
*Matches any single segment in a path name.
$Matches any number of segments in a path name.
For example, the pattern, FOO.*, will match FOO.BAR, but not FOO.BAR.LONG; whereas the pattern, FOO.$, will match FOO.BAR and FOO.BAR.LONG.
Note
In the context of LDAP entries, the $ character is used instead of the usual > character to match multiple destination name segments.

Steps to add authorization entries

Perform the following steps to add authorization entries to the directory server:
  1. The next few steps describe how to create the ou=ActiveMQ node.
    1. Right-click the YourDomain node, and select NewOrganizational Unit from the context menu. The Create New Organizational Unit dialog appears.
    2. Select the Unit tab in the left-hand pane of the Create New Organizational Unit dialog.
    3. Enter ActiveMQ in the Name field.
    4. Click OK, to close the Create New Organizational Unit dialog.
  2. The next few steps describe how to create the ou=Destination node.
    1. Right-click on the ActiveMQ node and select NewOrganizational Unit from the context menu. The Create New Organizational Unit dialog appears.
    2. Select the Unit tab in the left-hand pane of the Create New Organizational Unit dialog.
    3. Enter Destination in the Name field.
    4. Click OK, to close the Create New Organizational Unit dialog.
  3. In a similar manner to the preceding steps, by right-clicking on the Destination node and invoking the NewOrganizational Unit context menu option, create the following organisationalUnit nodes as children of the ou=Destination node: 
    ou=Queue,ou=Destination,ou=ActiveMQ,dc=YourDomain
ou=Topic,ou=Destination,ou=ActiveMQ,dc=YourDomain
ou=Temp,ou=Destination,ou=ActiveMQ,dc=YourDomain
  4. In the LDAP Browser window, you should now see the following tree:

    Figure 9.1. DIT after Creating Destination, Queue, Topic and Temp Nodes

    DIT after Creating Destination, Queue, Topic and Temp Nodes
  5. The next few steps describe how to create the following nodes: 
    cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=YourDomain
cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=YourDomain
    These nodes represent name patterns that match queue names and topic names, respectively. The cn=$ queue node defines an entry that matches all queue names, so it can be used to define access rights for all queues. The cn=ActiveMQ.Advisory.$ node defines a topic entry that matches all advisory topics.
    1. Right-click on the ou=Queue node and select NewOther. The New Object dialog appears.
    2. Select applicationprocess. Click OK.
    3. The Property Editor dialog now appears. In the Full name field, enter $ (where $ represents the wildcard that matches any queue name). Click OK.
    4. In a similar manner to the preceding steps, by right-clicking on the ou=Topic node and selecting the NewOther context menu option, create the following applicationProcess node as a child of the ou=Topic node: 
      cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=YourDomain
  6. The next few steps describe how to create the permission group nodes, which represent admin, read, and write permissions, for the ou=Queue node.
    1. Right-click on the cn=$ node (initially depicted as a spherical icon in the console) and select NewGroup from the context menu.
    2. The Create New Group dialog appears. Select the General tab in the left-hand pane of the Create New Group dialog.
    3. Set the Group Name field to admin.
    4. Select the Members tab in the left-hand pane of the Create New Group dialog.
    5. Click Add to open the Search users and groups dialog.
    6. In the Search field, select Groups from the drop-down menu, and click the Search button.
    7. From the list of groups that is now displayed, select Administrator.
    8. Click OK, to close the Search users and groups dialog.
    9. Click OK, to close the Create New Group dialog.
    10. In a similar manner to the preceding steps, by right-clicking on the cn=$ node and opening the NewGroup dialog, create the following additional groupOfUniqueNames nodes as children of the cn=$ node: 
      cn=read,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=YourDomain
cn=write,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=YourDomain
  7. Copy the cn=admin, cn=read, and cn=write permission nodes and paste them as children of the cn=ActiveMQ.Advisory.$ node, as follows.
    Using a combination of mouse and keyboard, select the three nodes, cn=admin, cn=read, and cn=write, and type Ctrl-C to copy them. Select the cn=ActiveMQ.Advisory.$ node and type Ctrl-V to paste the copied nodes as children.
  8. Similarly, copy the cn=admin, cn=read, and cn=write permission nodes and paste them as children of the ou=Temp node.
  9. In the LDAP Browser window, you should now see the following tree:

    Figure 9.2. DIT after Creating Children of Queue, Topic and Temp Nodes

    DIT after Creating Children of Queue, Topic and Temp Nodes