Posted to users@qpid.apache.org by bryand <br...@bldixon.net> on 2018/02/12 21:01:32 UTC

qpid-broker-j-7.0.1 Simple LDAP and Group Providers

I'm trying to get Simple LDAP setup with qpid-broker-j-7.0.1.  I noticed in
the documentation that you can configure group info with LDAP.  If I do that
how does it work in conjunction with Group Providers?  I don't see a Group
Provider for use with LDAP or am not understanding it.  Maybe I don't need
to define a Group Provider if using LDAP group membership?



--
Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Re: qpid-broker-j-7.0.1 Simple LDAP and Group Providers

Posted by Keith W <ke...@gmail.com>.
Hello Bryan

On 12 February 2018 at 21:01, bryand <br...@bldixon.net> wrote:
> I'm trying to get Simple LDAP setup with qpid-broker-j-7.0.1.  I noticed in
> the documentation that you can configure group info with LDAP.

Yes, that's right.  The SimpleLDAP authentication provider allows you
to utilise group information from the DIT.

https://qpid.apache.org/releases/qpid-broker-j-7.0.1/book/Java-Broker-Security.html#Java-Broker-Security-LDAP-Provider

Once done, you can write ACL rules in terms of the DN of the group.
You must use quotation marks around the DN otherwise the ACL parser
will reject the commas. For instance:

ACL ALLOW-LOG "cn=mygroup,ou=acme" ACCESS VIRTUALHOST

>  If I do that  how does it work in conjunction with Group Providers?
>  I don't see a Group Provider for use with LDAP or am not understanding it.  Maybe I don't need
> to define a Group Provider if using LDAP group membership?

The use of the group provider is optional in this case.  One use case
for the group provider when using LDAP group is to map the DNs of the
group into a logical group name to keep your ACL rules simpler and
easier to maintain.

Unfortunately the ACL system within Broker-J needs a refresh and is
not a particularly friendly experience at the moment.  There is some
advice in the docbook which hopefully helps.  When writing a new ACL,
a workable approach is to begin with a rule-set containing only ACL
DENY-LOG ALL ALL at the Broker control point, which will cause the
Broker to deny all operations with details of the denial logged. Build
up the ACL rule by rule, gradually working through the use-cases of
your system. Once the ACL is complete, consider switching the DENY-LOG
actions to DENY.

Hope this helps

Keith

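Added example (not part of the thread and not Qpid project code): a small Python model of the three points Keith makes above. It parses ACL lines in the Broker-J "ACL <permission> <subject> <action> [object] [props]" form, rejects an unquoted group DN the way the real parser rejects the commas, lets a group-provider mapping turn a DN into a logical name such as "publishers", and applies the rules top to bottom with the first match deciding, so the trailing "ACL DENY-LOG ALL ALL" denies and logs whatever was not explicitly allowed above it. The rule file, the users, the DNs and the GROUP_PROVIDER mapping are constructed for the example; the property matching and the no-match default are simplified assumptions, not a statement of Broker-J's exact semantics.

```python
"""Toy evaluator for Qpid Broker-J style ACL rules.

Added example, not code from the Qpid project.  Shows why a group DN must
be quoted, how a group provider maps DNs onto logical names, and why a
trailing "ACL DENY-LOG ALL ALL" denies anything not allowed above it.
Property matching and the no-match default are simplified assumptions.
"""

PERMISSIONS = {"ALLOW", "ALLOW-LOG", "DENY", "DENY-LOG"}

# Constructed rule file: ACL <permission> <subject> <action> [object] [props]
ACL_TEXT = """
# LDAP group DNs carry commas, so they must be quoted
ACL ALLOW-LOG "cn=admins,ou=acme" ALL ALL
ACL ALLOW-LOG "cn=mygroup,ou=acme" ACCESS VIRTUALHOST
# 'publishers' is a logical name supplied by the group provider mapping
ACL ALLOW-LOG publishers PUBLISH EXCHANGE name="amq.direct"
# catch-all last: everything not allowed above is denied and logged
ACL DENY-LOG ALL ALL
"""

# Constructed group-provider mapping: logical name -> LDAP group DNs
GROUP_PROVIDER = {"publishers": {"cn=mygroup,ou=acme"}}


class AclSyntaxError(ValueError):
    """Raised for a line the (emulated) parser would reject."""


def tokenize(line):
    """Split on whitespace, keeping a double-quoted span as one token.
    Returns (text, was_quoted) pairs so the caller can check quoting."""
    tokens, buf, quoted, in_quote = [], [], False, False
    for ch in line:
        if ch == '"':
            in_quote, quoted = not in_quote, True
        elif ch.isspace() and not in_quote:
            if buf or quoted:
                tokens.append(("".join(buf), quoted))
            buf, quoted = [], False
        else:
            buf.append(ch)
    if in_quote:
        raise AclSyntaxError("unterminated quote in: " + line)
    if buf or quoted:
        tokens.append(("".join(buf), quoted))
    return tokens


def parse_acl(text):
    """Return rules as (lineno, permission, subject, action, object, props)."""
    rules = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = tokenize(line)
        for word, quoted in tokens:  # emulate rejection of an unquoted DN
            if "," in word and not quoted:
                raise AclSyntaxError(f"line {lineno}: unquoted comma in {word!r}; quote the DN")
        words = [w for w, _ in tokens]
        if len(words) < 4 or words[0] != "ACL" or words[1] not in PERMISSIONS:
            raise AclSyntaxError(f"line {lineno}: expected ACL <permission> <subject> <action>")
        props = dict(p.partition("=")[::2] for p in words[5:])
        obj = words[4] if len(words) > 4 else "ALL"
        rules.append((lineno, words[1], words[2], words[3], obj, props))
    return rules


def principals_for(user, ldap_group_dns, group_provider=GROUP_PROVIDER):
    """Names a rule subject can match: the user, the group DNs SimpleLDAP
    read from the DIT, and any logical name the group provider maps onto them."""
    names = {user, *ldap_group_dns}
    for logical, dns in group_provider.items():
        if dns & set(ldap_group_dns):
            names.add(logical)
    return names


def evaluate(rules, principals, action, obj, props=None):
    """Rules apply in file order; the first match decides.  Returns
    (decision, log) where log is set only for a -LOG permission."""
    props = props or {}
    for lineno, permission, subject, rule_action, rule_obj, rule_props in rules:
        if subject != "ALL" and subject not in principals:
            continue
        if rule_action not in ("ALL", action) or rule_obj not in ("ALL", obj):
            continue
        if any(props.get(k) != v for k, v in rule_props.items()):
            continue
        log = (f"rule {lineno}: {permission} {action} {obj} {props} for {sorted(principals)}"
               if permission.endswith("-LOG") else None)
        return permission.split("-")[0], log
    return "DENY", None  # assumption: nothing matched, deny without a log line


def demo():
    """Exercise the constructed rules; returns decisions keyed by scenario."""
    rules = parse_acl(ACL_TEXT)
    member = principals_for("alice", ["cn=mygroup,ou=acme"])
    outsider = principals_for("bob", [])
    admin = principals_for("carol", ["cn=admins,ou=acme"])
    results = {
        "member_access_vhost": evaluate(rules, member, "ACCESS", "VIRTUALHOST"),
        "member_publish_direct": evaluate(rules, member, "PUBLISH", "EXCHANGE", {"name": "amq.direct"}),
        "member_publish_topic": evaluate(rules, member, "PUBLISH", "EXCHANGE", {"name": "amq.topic"}),
        "outsider_access_vhost": evaluate(rules, outsider, "ACCESS", "VIRTUALHOST"),
        "admin_create_queue": evaluate(rules, admin, "CREATE", "QUEUE", {"name": "q1"}),
    }
    try:  # an unquoted DN is rejected, as the reply above warns
        parse_acl("ACL ALLOW-LOG cn=mygroup,ou=acme ACCESS VIRTUALHOST")
        results["unquoted_dn_rejected"] = False
    except AclSyntaxError:
        results["unquoted_dn_rejected"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running it prints one decision per scenario; every denial carries a log line because the catch-all is DENY-LOG, which is the behaviour Keith suggests keeping while the rule-set is being built up and then switching to plain DENY once it is complete.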