-
Language:
English
-
Language:
English
7.2. Cached LDAP Authorization Plug-In
Overview
Using the cached LDAP authorization plug-in, you can configure a broker to retrieve its authorization data from an X.500 directory server. For better efficiency, this plug-in caches authorization data in the broker and provides support for updating the cached data at regular intervals.
Updating the cache
Two alternative mechanisms for updating the authorization cache are supported:
- Push mechanism—some LDAP directory server implementations support a persistent search feature, which enables applications to receive live updates from the LDAP server (push mechanism). By default, the cached LDAP authorization plug-in attempts to register with the LDAP server to receive these updates.
- Pull mechanism—if your LDAP directory server does not support live updates, you can configure the cached LDAP authorization plug-in to poll the LDAP server at regular intervals instead (pull mechanism). To enable the pull mechanism, you must set the
refreshIntervalproperty on the cached LDAP authorization plug-in.
Sample configuration
Example 7.3, “Cached LDAP Authorization Plug-In Configuration” shows an example of how to configure the cached LDAP authorization plug-in. The
authorizationPlugin element must be added as a child of the plugins element.
Example 7.3. Cached LDAP Authorization Plug-In Configuration
<beans ... >
<broker ... >
...
<plugins>
...
<authorizationPlugin>
<map>
<cachedLDAPAuthorizationMap
legacyGroupMapping="false"
connectionURL="ldap://localhost:10389"
connectionUsername="uid=admin,ou=system"
connectionPassword="secret"
queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"
topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"
tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,ou=system"
refreshInterval="20000"
/>
</map>
</authorizationPlugin>
</plugins>
...
</broker>
</beans>Configuration properties
The cached LDAP authorization plug-in supports the following properties:
connectionURL- Specifies the location of the directory server using an LDAP URL,
ldap://Host:Port.Default isldap://localhost:1024. connectionUsername- The DN of the user that opens the connection to the directory server.Default is
uid=admin,ou=system. connectionPassword- The password that matches the DN from
connectionUsername. In the directory server, the password is normally stored as auserPasswordattribute in the corresponding directory entry.Default issecret. connectionProtocol- The connection protocol to use when connecting to the LDAP server.Default is
s. authentication- The authentication method to use when connecting to the LDAP server.Default is
simple. queueSearchBase- The base DN of queue authorization entries.Default is
ou=Queue,ou=Destination,ou=ActiveMQ,ou=system. topicSearchBase- The base DN of topic authorization entries.Default is
ou=Topic,ou=Destination,ou=ActiveMQ,ou=system. tempSearchBase- The base DN of authorization entries for temporary destinations.Default is
ou=Temp,ou=Destination,ou=ActiveMQ,ou=system. refreshInterval- Time interval between refreshes of the cache, expressed in milliseconds (where the cache is refreshed by pulling data from the LDAP server). The special value,
-1, disables the pull mechanism for refreshing the cache (but does not affect the push mechanism, if the LDAP server supports it).Default is-1. legacyGroupMapping- If
true, specifies that the role members of a privilege group must be specified using just the Common Name RDN,cn=CNValue, of the role group; or iffalse, specifies that the role members of a privilege group must be specified using the full Distinguished Name.Default istrue. groupClass- Type of the class that implements the role principal. For example, in order to reuse roles defined for the Apache Karaf JAAS authentication plug-in, you would need to set this property to
org.apache.karaf.jaas.boot.principal.RolePrincipal.Default isorg.apache.activemq.jaas.GroupPrincipal.
