This section describes how to configure LDAP authentication in the broker, so that it can authenticate incoming credentials based on user entries stored in the X.500 directory server. The tutorial concludes by showing how to program credentials in Java clients and by running an end-to-end demonstration using the consumer and producer tools.
Perform the following steps to enable LDAP authentication:
1. Create the login configuration file. Using a text editor, create the file, login.config, under the directory, $ACTIVEMQ_HOME/conf. Paste the following text into the login.config file:

```
LDAPLogin {
    org.apache.activemq.jaas.LDAPLoginModule required
        debug=true
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL="ldap://localhost:10389"
        connectionUsername="uid=admin,ou=system"
        connectionPassword=secret
        connectionProtocol=""
        authentication=simple
        userBase="ou=User,ou=ActiveMQ,ou=system"
        userSearchMatching="(uid={0})"
        userSearchSubtree=false
        roleBase="ou=Group,ou=ActiveMQ,ou=system"
        roleName=cn
        roleSearchMatching="(member=uid={1})"
        roleSearchSubtree=false
        ;
};
```

These settings assume that the broker connects to a default instance of the Apache Directory Server running on the local host. The account with username, uid=admin,ou=system, and password, secret, is the default administration account created by the Apache server.

Note: If you are using the OpenLDAP Directory Server, the syntax required for the roleSearchMatching property is different. You must set it as roleSearchMatching="(member:=uid={1})"
2. Add the LDAP authentication plug-in to the broker configuration. Open the broker configuration file, $ACTIVEMQ_HOME/conf/activemq.xml, with a text editor and add the jaasAuthenticationPlugin element, as follows:

```xml
<beans>
  <broker ...>
    ...
    <plugins>
      <jaasAuthenticationPlugin configuration="LDAPLogin" />
    </plugins>
    ...
  </broker>
</beans>
```

The value of the configuration attribute, LDAPLogin, references the login entry from the login.config file.

3. Comment out the mediation router elements in the broker configuration. Open the broker configuration file and comment out the camelContext element as follows:

```xml
<beans>
  <broker ...>
    ...
  </broker>
  <!--
  <camelContext>
    ...
  </camelContext>
  -->
  ...
</beans>
```
The Camel route is not used in the current tutorial. If you left it enabled, you would have to supply it with appropriate username/password credentials, because it acts as a broker client.
4. Add username/password credentials to the consumer tool. Edit the file, example/src/ConsumerTool.java, search for the line that creates a new ActiveMQConnectionFactory instance, and just before this line, set the credentials, user and password, as shown:

```java
// Java
...
public void run() {
    ...
    user = "jdoe";
    password = "sunflower";
    ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory(user, password, url);
    ...
}
```

5. Add username/password credentials to the producer tool. Edit the file, example/src/ProducerTool.java, search for the line that creates a new ActiveMQConnectionFactory instance, and just before this line, set the credentials, user and password, just as you did for the consumer tool.

6. Ensure that the X.500 directory server is running. If necessary, manually restart the X.500 directory server. If the server is not running, all broker connections will fail.
7. Run the broker. Open a new command prompt and start the broker by entering the following command:

```
activemq
```

8. Run the consumer client. Open a new command prompt, change directory to example and enter the following Ant command:

```
ant consumer -Durl=tcp://localhost:61616 -Dmax=100
```

9. Run the producer client. Open a new command prompt, change directory to example and enter the following Ant command:

```
ant producer -Durl=tcp://localhost:61616
```

10. Perform a negative test. Edit one of the client source files (for example, ConsumerTool.java) and change the credentials (username and password) to some invalid values. Now, if you re-run the client, you will get an authentication error.
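The client edits above and the negative test can be exercised with one stand-alone class instead of editing the tools' source twice. The class below is an added illustration written for this page, not the tutorial's ConsumerTool or ProducerTool; it needs the ActiveMQ client jar on the classpath and the broker from the earlier step running. The class name, the system property names user, password and url, and the Outcome type are this example's own. It uses the same ActiveMQConnectionFactory(user, password, url) constructor as the tutorial and distinguishes a rejected login (ActiveMQ reports it as javax.jms.JMSSecurityException, a subclass of JMSException) from a broker that cannot be reached at all.

```java
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import org.apache.activemq.ActiveMQConnectionFactory;

/**
 * Minimal JMS client that authenticates to the broker with a username and
 * password. Written for this page as an illustration; it is not the
 * tutorial's ConsumerTool or ProducerTool. Credentials come from system
 * properties rather than being hard-coded, so the positive run and the
 * negative test use the same class and the password never enters the source.
 */
public class AuthenticatedClient {

    /** Outcome of one connection attempt, so callers can branch on it. */
    enum Outcome { AUTHENTICATED, REJECTED, UNREACHABLE }

    /**
     * Open a connection with the given credentials and start it; starting the
     * connection is what makes the broker evaluate the login. A rejected login
     * surfaces as JMSSecurityException, any other failure (broker down, wrong
     * URL) as a plain JMSException.
     */
    static Outcome tryConnect(String user, String password, String url) {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(user, password, url);
        Connection connection = null;
        try {
            connection = factory.createConnection();
            connection.start();
            return Outcome.AUTHENTICATED;
        } catch (JMSSecurityException e) {
            System.err.println("broker rejected credentials for '" + user + "': " + e.getMessage());
            return Outcome.REJECTED;
        } catch (JMSException e) {
            System.err.println("could not reach broker at " + url + ": " + e.getMessage());
            return Outcome.UNREACHABLE;
        } finally {
            if (connection != null) {
                try {
                    connection.close();
                } catch (JMSException ignored) {
                    // nothing useful to do on close failure during shutdown
                }
            }
        }
    }

    public static void main(String[] args) {
        // Property names are this example's own; the defaults match the tutorial.
        String url = System.getProperty("url", "tcp://localhost:61616");
        String user = System.getProperty("user", "jdoe");
        String password = System.getProperty("password");
        if (password == null) {
            System.err.println("usage: java -Duser=<uid> -Dpassword=<password> "
                    + "[-Durl=<broker-url>] AuthenticatedClient");
            System.exit(2);
        }
        Outcome outcome = tryConnect(user, password, url);
        System.out.println(user + " -> " + outcome);
        System.exit(outcome == Outcome.AUTHENTICATED ? 0 : 1);
    }
}
```

Run it with -Duser=jdoe -Dpassword=sunflower for the positive case, then with a wrong password for the negative test; the difference shows up in the return value of tryConnect and the process exit code rather than as an edit to the source. Because tryConnect returns an Outcome instead of only printing, the same method can drive an automated check that the LDAP plug-in is actually enforcing credentials after every configuration change.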