9.5. Add Broker Authorization Entries
Overview
Before enabling LDAP authorization in the broker, you need to create a suitable tree of entries in the directory server to represent permissions. You need to create the following kinds of entry:
- Queue entries: Each queue entry has a Common Name (`cn`), which can be the name of a specific queue or a wildcard pattern that matches multiple queues. Under each queue entry, you must create sub-entries for the admin, read, and write permissions.
- Topic entries: Each topic entry has a Common Name (`cn`), which can be the name of a specific topic or a wildcard pattern that matches multiple topics. Under each topic entry, you must create sub-entries for the admin, read, and write permissions.
- Advisory topics entry: In particular, you must define one topic entry with the Common Name `ActiveMQ.Advisory.$`, which is a wildcard pattern that matches all advisory topics.
- Temporary queues entry: A single `Temp` entry contains the admin, read, and write permissions that apply to all temporary queues.
Using wildcards in queue and topic entries
When setting the common name of queue and topic entries in the directory server, you can use any of the wildcards shown in Table 9.1, “Destination Name Wildcards in LDAP” to match one or more segments of a destination name.
Table 9.1. Destination Name Wildcards in LDAP
Wildcard | Description
---|---
`.` | Separates segments in a path name.
`*` | Matches any single segment in a path name.
`$` | Matches any number of segments in a path name.

For example, the pattern `FOO.*` will match `FOO.BAR`, but not `FOO.BAR.LONG`; whereas the pattern `FOO.$` will match both `FOO.BAR` and `FOO.BAR.LONG`.
Note
In the context of LDAP entries, the `$` character is used instead of the usual `>` character to match multiple destination name segments.
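The following Python is an added example, not code from the original documentation or from the broker, that implements the segment matching of Table 9.1 so you can check which `cn` patterns would govern a given destination before loading them into the directory. It goes slightly beyond the page's two examples by handling `*` in any position and `$` as the final segment; treating `$` as one or more trailing segments (so that `FOO.$` does not match `FOO` itself) is an assumption made here, consistent with the page's examples. The helper names `matches` and `applicable_entries` are this example's own.

```python
"""Destination-name wildcard matching for the LDAP cn patterns of Table 9.1.

Added example, not part of the original documentation. Semantics modelled:
  '.'  separates path segments
  '*'  matches exactly one segment
  '$'  (the LDAP stand-in for ActiveMQ's '>') matches one or more trailing
       segments; "one or more" is this example's assumption.
"""
from typing import Iterable, List

SEPARATOR = "."
ANY_SEGMENT = "*"
ANY_DESCENDANT = "$"


def split_segments(name: str) -> List[str]:
    """Split a destination name or pattern into its path segments."""
    if not name:
        raise ValueError("destination name must not be empty")
    segments = name.split(SEPARATOR)
    if any(segment == "" for segment in segments):
        raise ValueError(f"empty segment in destination name: {name!r}")
    return segments


def matches(pattern: str, destination: str) -> bool:
    """Return True if `destination` is matched by the LDAP cn `pattern`."""
    pattern_parts = split_segments(pattern)
    dest_parts = split_segments(destination)
    for index, part in enumerate(pattern_parts):
        if part == ANY_DESCENDANT:
            # '$' must be the last pattern segment; it swallows everything after it
            if index != len(pattern_parts) - 1:
                raise ValueError("'$' may only appear as the final segment")
            return len(dest_parts) > index  # at least one more segment remains
        if index >= len(dest_parts):
            return False  # pattern is longer than the destination name
        if part != ANY_SEGMENT and part != dest_parts[index]:
            return False
    # No '$' in the pattern: segment counts must agree exactly
    return len(dest_parts) == len(pattern_parts)


def applicable_entries(patterns: Iterable[str], destination: str) -> List[str]:
    """Every cn pattern that applies to `destination`, in the order given.

    More than one entry can apply when patterns overlap, which is worth
    auditing before relying on the resulting permission set.
    """
    return [p for p in patterns if matches(p, destination)]


if __name__ == "__main__":
    # Constructed sample patterns mirroring the page's own entries
    entries = ["$", "ActiveMQ.Advisory.$", "FOO.*", "FOO.$"]
    for name in ("FOO.BAR", "FOO.BAR.LONG", "ActiveMQ.Advisory.Connection"):
        print(name, "->", applicable_entries(entries, name))
```

Run it as a script to see which of the constructed patterns apply to each sample destination; in practice feed it the `cn` values you intend to create under `ou=Queue` and `ou=Topic`.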
Steps to add authorization entries
Perform the following steps to add authorization entries to the directory server:
- The next few steps describe how to create the `ou=ActiveMQ` node.
  - Right-click the `YourDomain` node, and select New → Organizational Unit from the context menu. The Create New Organizational Unit dialog appears.
  - Select the Unit tab in the left-hand pane of the Create New Organizational Unit dialog.
  - Enter `ActiveMQ` in the Name field.
  - Click OK, to close the Create New Organizational Unit dialog.
- The next few steps describe how to create the `ou=Destination` node.
  - Right-click on the `ActiveMQ` node and select New → Organizational Unit from the context menu. The Create New Organizational Unit dialog appears.
  - Select the Unit tab in the left-hand pane of the Create New Organizational Unit dialog.
  - Enter `Destination` in the Name field.
  - Click OK, to close the Create New Organizational Unit dialog.
- In a similar manner to the preceding steps, by right-clicking on the `Destination` node and invoking the New → Organizational Unit context menu option, create the following `organizationalUnit` nodes as children of the `ou=Destination` node:
  - `ou=Queue,ou=Destination,ou=ActiveMQ,dc=YourDomain`
  - `ou=Topic,ou=Destination,ou=ActiveMQ,dc=YourDomain`
  - `ou=Temp,ou=Destination,ou=ActiveMQ,dc=YourDomain`
- In the LDAP Browser window, you should now see the following tree:
  Figure 9.1. DIT after Creating Destination, Queue, Topic and Temp Nodes
- The next few steps describe how to create the following nodes:
  - `cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=YourDomain`
  - `cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=YourDomain`
  These nodes represent name patterns that match queue names and topic names, respectively. The `cn=$` queue node defines an entry that matches all queue names, so it can be used to define access rights for all queues. The `cn=ActiveMQ.Advisory.$` node defines a topic entry that matches all advisory topics.
  - Right-click on the `ou=Queue` node and select New → Other. The New Object dialog appears.
  - Select applicationprocess. Click OK.
  - The Property Editor dialog now appears. In the Full name field, enter `$` (where `$` represents the wildcard that matches any queue name). Click OK.
  - In a similar manner to the preceding steps, by right-clicking on the `ou=Topic` node and selecting the New → Other context menu option, create the following `applicationProcess` node as a child of the `ou=Topic` node: `cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,dc=YourDomain`
- The next few steps describe how to create the permission group nodes, which represent `admin`, `read`, and `write` permissions, for the `ou=Queue` node.
  - Right-click on the `cn=$` node (initially depicted as a spherical icon in the console) and select New → Group from the context menu.
  - The Create New Group dialog appears. Select the General tab in the left-hand pane of the Create New Group dialog.
  - Set the Group Name field to `admin`.
  - Select the Members tab in the left-hand pane of the Create New Group dialog.
  - Click Add to open the Search users and groups dialog.
  - In the Search field, select `Groups` from the drop-down menu, and click the Search button.
  - From the list of groups that is now displayed, select `Administrator`.
  - Click OK, to close the Search users and groups dialog.
  - Click OK, to close the Create New Group dialog.
  - In a similar manner to the preceding steps, by right-clicking on the `cn=$` node and opening the New → Group dialog, create the following additional `groupOfUniqueNames` nodes as children of the `cn=$` node:
    - `cn=read,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=YourDomain`
    - `cn=write,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,dc=YourDomain`
- Copy the `cn=admin`, `cn=read`, and `cn=write` permission nodes and paste them as children of the `cn=ActiveMQ.Advisory.$` node, as follows. Using a combination of mouse and keyboard, select the three nodes, `cn=admin`, `cn=read`, and `cn=write`, and type `Ctrl-C` to copy them. Select the `cn=ActiveMQ.Advisory.$` node and type `Ctrl-V` to paste the copied nodes as children.
- Similarly, copy the `cn=admin`, `cn=read`, and `cn=write` permission nodes and paste them as children of the `ou=Temp` node.
- In the LDAP Browser window, you should now see the following tree:
  Figure 9.2. DIT after Creating Children of Queue, Topic and Temp Nodes
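The GUI steps above build a fixed tree by hand. The following Python is an added example, not code from the original documentation or from the directory server, that renders the same tree as LDIF so it can be loaded with a standard LDIF import tool and kept under version control. It goes beyond the page by accepting any list of queue and topic patterns rather than only `$` and `ActiveMQ.Advisory.$`. Assumptions: `dc=YourDomain` is kept as the page's placeholder base DN; the DN of the `Administrator` group (`ADMIN_GROUP_DN`) is a placeholder, since the page names the group but not its DN; every read and write group is given the same member unless you pass a `members` mapping, because the page does not say which members those groups get; object classes are `organizationalUnit`, `applicationProcess` and `groupOfUniqueNames` as named in the steps. The function names `build_ldif` and `entry_dns` are this example's own.

```python
"""Render the broker authorization tree of Section 9.5 as LDIF.

Added example, not part of the original documentation. Values are assumed
to be plain ASCII (no base64 encoding of attribute values is attempted).
"""
from typing import Dict, Iterable, List, Optional

BASE_DN = "dc=YourDomain"  # placeholder base DN, exactly as used in the page's DNs
DESTINATION_DN = f"ou=Destination,ou=ActiveMQ,{BASE_DN}"
# Assumed DN of the 'Administrator' group the page selects as the admin member.
# The page gives only the group's name, so this DN is a placeholder to replace.
ADMIN_GROUP_DN = f"cn=Administrator,ou=Group,{BASE_DN}"
PERMISSIONS = ("admin", "read", "write")


def ldif_entry(dn: str, attrs: Dict[str, List[str]]) -> str:
    """Render one LDIF record: a dn line followed by one line per attribute value."""
    lines = [f"dn: {dn}"]
    for name, values in attrs.items():
        lines.extend(f"{name}: {value}" for value in values)
    return "\n".join(lines) + "\n"


def ou_entry(ou: str, parent: str) -> str:
    return ldif_entry(f"ou={ou},{parent}",
                      {"objectClass": ["top", "organizationalUnit"], "ou": [ou]})


def destination_entry(pattern: str, parent: str) -> str:
    """applicationProcess entry whose cn is a queue/topic name or wildcard pattern."""
    return ldif_entry(f"cn={pattern},{parent}",
                      {"objectClass": ["top", "applicationProcess"], "cn": [pattern]})


def permission_entries(parent: str, members: Dict[str, List[str]]) -> List[str]:
    """admin/read/write groupOfUniqueNames entries directly under `parent`."""
    return [
        ldif_entry(f"cn={perm},{parent}",
                   {"objectClass": ["top", "groupOfUniqueNames"],
                    "cn": [perm],
                    # groupOfUniqueNames requires at least one uniqueMember;
                    # fall back to the (assumed) Administrator group DN
                    "uniqueMember": members.get(perm, [ADMIN_GROUP_DN])})
        for perm in PERMISSIONS
    ]


def build_ldif(queue_patterns: Iterable[str], topic_patterns: Iterable[str],
               members: Optional[Dict[str, List[str]]] = None) -> str:
    """Whole tree: ou=ActiveMQ, ou=Destination, ou=Queue/Topic/Temp and children.

    Records are emitted parents-first so the file can be imported in one pass.
    """
    members = members or {}
    records = [
        ou_entry("ActiveMQ", BASE_DN),
        ou_entry("Destination", f"ou=ActiveMQ,{BASE_DN}"),
    ]
    for branch, patterns in (("Queue", queue_patterns), ("Topic", topic_patterns)):
        branch_dn = f"ou={branch},{DESTINATION_DN}"
        records.append(ou_entry(branch, DESTINATION_DN))
        for pattern in patterns:
            records.append(destination_entry(pattern, branch_dn))
            records.extend(permission_entries(f"cn={pattern},{branch_dn}", members))
    # Temporary destinations: the permission groups hang directly off ou=Temp
    records.append(ou_entry("Temp", DESTINATION_DN))
    records.extend(permission_entries(f"ou=Temp,{DESTINATION_DN}", members))
    return "\n".join(records)


def entry_dns(ldif_text: str) -> List[str]:
    """DNs in file order; handy for checking that every parent precedes its children."""
    return [line[len("dn: "):] for line in ldif_text.splitlines() if line.startswith("dn: ")]


if __name__ == "__main__":
    # The page's own tree: all queues, plus the advisory-topic wildcard
    print(build_ldif(["$"], ["ActiveMQ.Advisory.$"]))
```

Before importing, review the generated file: every `uniqueMember` that still points at `ADMIN_GROUP_DN` grants that group the permission, so replace the placeholder with the real DN and pass a `members` mapping for the read and write groups you want to scope differently.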