Available since 5.6

Cached LDAP authorization module is an implementation of an default authorization module that initializes and updates data from LDAP. It supports all standard features like defining wildcard policy entries and entry for temporary destinations.

Initializing

We provide two ldif files for easy starting. The first one is for Apache Directory Server (ldif), which we use in embedded mode for testing. For an example on how to initialize the embedded ApacheDS with this ldif file take a look at CachedLDAPSecurityTest

The other one is for OpenLDAP (ldif)

The provided ldif and examples assume dc=activemq,dc=apache,dc=org suffix to be used for entries, so the configuration similar to the one shown in the following snippet 
suffix          "dc=activemq,dc=apache,dc=org"
rootdn          "cn=admin,dc=activemq,dc=apache,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}lfAYn54xCFghgQv5B2Kqn3d3eLojqxtS

should be put into your slapd.conf

To initialize your (properly configured) OpenLDAP do something like

ldapadd -x -D "cn=admin,dc=activemq,dc=apache,dc=org" -w sunflower -f activemq-openldap.ldif

Configuring

Once entries are in LDAP, you can configure the module to load entries from there. A default values are adapted for embedded Apache DS server, so all you have to do in that case is add your plugin to the broker xml conf

<authorizationPlugin>
    <map>
        <cachedLDAPAuthorizationMap/>
    </map>
</authorizationPlugin>

For the OpenLDAP case, you should define more parameters 

<authorizationPlugin>
    <map>
        <cachedLDAPAuthorizationMap
            connectionURL="ldap://localhost:389"
            connectionUsername="cn=admin,dc=activemq,dc=apache,dc=org"
            connectionPassword="sunflower"
            queueSearchBase="ou=Queue,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org"
            topicSearchBase="ou=Topic,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org"
            tempSearchBase="ou=Temp,ou=Destination,ou=ActiveMQ,dc=activemq,dc=apache,dc=org"
            refreshInterval="300000"
            legacyGroupMapping="false"
        />
    </map>
</authorizationPlugin>

Full examples of configurations for Apache DS and OpenLDAP

The list of all properties for cachedLDAPAuthorizationMap

propertydefault valuedescriptionversion
connectionURLldap://localhost:1024LDAP Server connection address 
connectionUsernameuid=admin,ou=systemDn to be used for connecting to the server 
connectionPasswordsecretPassword to be used for connecting to the server 
connectionProtocolsConnection protocol to be used for connecting to the server 
authenticationsimpleAuthentication method to be used when connecting to the server 
queueSearchBaseou=Queue,ou=Destination,ou=ActiveMQ,ou=systemBase dn of queue related entries5.7 and later
topicSearchBaseou=Topic,ou=Destination,ou=ActiveMQ,ou=systemBase dn of topic related entries5.7 and later
tempSearchBaseou=Temp,ou=Destination,ou=ActiveMQ,ou=systemBase dn of temporary destinations related entries5.7 and later
refreshInterval-1Interval (in milliseconds) of pulling changes from the server, -1 means pulling is off, see #Updates for more info 
legacyGroupMappingtrueShould permission group members be configured as CN and not a full DN5.7 and later
baseDnou=systemBase dn of ActiveMQ related entries5.6

Updates

Many LDAP servers supports so called "persistent search" feature which allows applications to receive changes in LDAP in a "push" manner. By default this plugin assumes that LDAP server supports this feature and will "register" to get live updates.

For servers that doesn't support this yet (like OpenLDAP), we provide "pull" updates. In this case you need to set refreshInterval property, which will define the update period for the plugin (so in this case, updates will not be immediately applied)

Overview

Search


Sub Projects

Community

Features

Connectivity

Using ActiveMQ 5

Using ActiveMQ 4

Tools

External Tools

Support

Related Projects

Developers

Tests

Project Reports
© 2004-2011 The Apache Software Foundation.
Apache ActiveMQ, ActiveMQ, Apache, the Apache feather logo, and the Apache ActiveMQ project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.
Graphic Design By Hiram