Out of the box the console credentials are admin:admin; change them before the console is reachable by anyone else. The instructions are in $ACTIVEMQ_HOME/docs/WebConsole-README.txt.
To enable LDAP-based authentication and authorization you need to modify the JAAS configuration file (default: $ACTIVEMQ_HOME/conf/login.config) and set a couple of Java Additional Parameters ($ACTIVEMQ_OPTS), which can be specified in various places, wrapper.conf for example.
You also need a Java LDAP library: ldaptive. Copy the newest ldaptive jar file from http://www.ldaptive.org/download into $ACTIVEMQ_HOME/lib.
login.config
The login.config should look like:
/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
activemq {
    org.ldaptive.jaas.LdapLoginModule required
        debug=true
        storePass="true"
        ldapUrl="ldap://ldap.example.org:389"
        baseDn="ou=people,dc=example,dc=org"
        useStartTLS="true"
        credentialConfig="{trustCertificates=file:/etc/ssl/certs/ca-chain.pem}"
        userFilter="(uid={user})";
    org.ldaptive.jaas.LdapRoleAuthorizationModule required
        useFirstPass="true"
        ldapUrl="ldap://ldap.example.org:389"
        bindDn="cn=hawtio,ou=agents,dc=example,dc=org"
        baseDn="ou=groups,dc=example,dc=org"
        bindCredential="secret"
        roleFilter="(&(cn=the_admins_group)(memberUid={user}))"
        useStartTLS="true"
        credentialConfig="{trustCertificates=file:/etc/ssl/certs/ca-chain.pem}"
        defaultRole="admins"
        roleAttribute="cn";
};
The first module searches ou=people for the uid and binds as the user with the password typed into the console; the second module uses the same password (storePass/useFirstPass) and binds as cn=hawtio,ou=agents,dc=example,dc=org, a principal allowed to browse the groups' memberships. Its password sits in clear text in login.config, so keep that file readable by the broker user only.
Users allowed to access hawt.io have to be members of the cn=the_admins_group,ou=groups,dc=example,dc=org group.
The LDAP server is ldap.example.org; it is contacted on port 389 and the connection is upgraded with StartTLS, trusting only the CA chain in /etc/ssl/certs/ca-chain.pem.
Java Additional Parameters
The relevant Java Additional Parameters are:
- hawtio.realm=activemq: must match the realm name in login.config (activemq in the previous example);
- hawtio.role=admins: the role required to log in. In the example that role comes from defaultRole, so hawtio.role must match defaultRole. Be aware that a defaultRole is granted by the role module on every successful login, not only to users matched by the roleFilter; check how your ldaptive version treats an empty roleFilter search (the noResultsIsError option) so that a user who is in no group fails authorization. Alternatively set hawtio.role to the group's cn (the_admins_group), which roleAttribute="cn" turns into a role only for users the roleFilter actually finds;
- hawtio.rolePrincipalClasses=org.ldaptive.jaas.LdapRole: the Java class of the role principal. The given value is correct for a role granted by ldaptive;
- java.security.auth.login.config=%ACTIVEMQ_CONF%/login.config: location of the JAAS configuration file.
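Getting login.config and the -D properties to agree is where most failed (or accidentally weakened) LDAP logins come from. The following is an added example, not code from the original post nor from ActiveMQ, hawt.io or ldaptive: it parses the subset of JAAS syntax used above and cross-checks it with the hawtio properties. The sample config and property set embedded in it are constructed from the post; the noResultsIsError check assumes the ldaptive default is false, which you should verify against the version you deploy.

```python
"""Offline consistency check of a hawt.io / ldaptive JAAS setup (added example)."""
import re

# Constructed sample: the login.config from the post, license header omitted.
SAMPLE_LOGIN_CONFIG = '''
activemq {
    org.ldaptive.jaas.LdapLoginModule required
        debug=true
        storePass="true"
        ldapUrl="ldap://ldap.example.org:389"
        baseDn="ou=people,dc=example,dc=org"
        useStartTLS="true"
        credentialConfig="{trustCertificates=file:/etc/ssl/certs/ca-chain.pem}"
        userFilter="(uid={user})";
    org.ldaptive.jaas.LdapRoleAuthorizationModule required
        useFirstPass="true"
        ldapUrl="ldap://ldap.example.org:389"
        bindDn="cn=hawtio,ou=agents,dc=example,dc=org"
        baseDn="ou=groups,dc=example,dc=org"
        bindCredential="secret"
        roleFilter="(&(cn=the_admins_group)(memberUid={user}))"
        useStartTLS="true"
        credentialConfig="{trustCertificates=file:/etc/ssl/certs/ca-chain.pem}"
        defaultRole="admins"
        roleAttribute="cn";
};
'''

# Constructed sample: the four -D properties from the post.
SAMPLE_PROPS = {
    "hawtio.realm": "activemq",
    "hawtio.role": "admins",
    "hawtio.rolePrincipalClasses": "org.ldaptive.jaas.LdapRole",
    "java.security.auth.login.config": "%ACTIVEMQ_CONF%/login.config",
}

_BLOCK = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)            # realm { ... };
_OPTION = re.compile(r'([A-Za-z_][\w.]*)=(?:"([^"]*)"|(\S+))')  # key="v" or key=v


def parse_jaas(text):
    """Return {realm: [(module_class, control_flag, {option: value}), ...]}.

    Covers 'realm { Class flag key=value ...; ...; };' plus /* */ comments;
    option values may be quoted or bare and must not contain ';'.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    realms = {}
    for realm, body in _BLOCK.findall(text):
        entries = []
        for entry in body.split(";"):
            tokens = entry.split()
            if len(tokens) < 2:
                continue
            opts = {k: quoted or bare for k, quoted, bare in _OPTION.findall(entry)}
            entries.append((tokens[0], tokens[1].lower(), opts))
        realms[realm] = entries
    return realms


def audit(login_config, props):
    """Cross-check login.config with the hawtio properties; return ERROR/WARN strings."""
    findings = []
    realms = parse_jaas(login_config)
    realm = props.get("hawtio.realm")
    if realm not in realms:
        return [f"ERROR hawtio.realm={realm!r} has no entry in login.config"]
    modules = realms[realm]
    if "java.security.auth.login.config" not in props:
        findings.append("ERROR java.security.auth.login.config is not set")
    if (any(c.startswith("org.ldaptive.jaas.") for c, _, _ in modules)
            and props.get("hawtio.rolePrincipalClasses") != "org.ldaptive.jaas.LdapRole"):
        findings.append("ERROR hawtio.rolePrincipalClasses must be org.ldaptive.jaas.LdapRole")

    role = props.get("hawtio.role", "")
    role_reachable = False
    for i, (cls, _, o) in enumerate(modules):
        short = cls.rsplit(".", 1)[-1]
        url = o.get("ldapUrl", "")
        tls = url.startswith("ldaps://") or o.get("useStartTLS", "").lower() == "true"
        if url and not tls:
            findings.append(f"ERROR {short}: {url} without useStartTLS sends passwords in clear")
        if tls and "trustCertificates" not in o.get("credentialConfig", ""):
            findings.append(f"WARN {short}: no trustCertificates pinned, JVM default trust store applies")
        if o.get("useFirstPass", "").lower() == "true" and not any(
                p[2].get("storePass", "").lower() == "true" for p in modules[:i]):
            findings.append(f"ERROR {short}: useFirstPass=true but no earlier module sets storePass=true")
        if "bindCredential" in o:
            findings.append(f"WARN {short}: bindCredential is clear text, restrict login.config permissions")
        if o.get("debug", "").lower() == "true":
            findings.append(f"WARN {short}: debug=true, switch it off once the login works")
        # A defaultRole is granted on every successful login of the module; a role
        # taken from roleAttribute exists only for users the roleFilter finds.
        if role in [r.strip() for r in o.get("defaultRole", "").split(",")]:
            role_reachable = True
            if o.get("noResultsIsError", "").lower() != "true":  # assumed ldaptive default: false
                findings.append(f"WARN {short}: hawtio.role={role!r} comes from defaultRole; "
                                "set noResultsIsError=true so an empty roleFilter search fails")
        attr = o.get("roleAttribute")
        if attr and re.search(rf"\({re.escape(attr)}={re.escape(role)}\)", o.get("roleFilter", "")):
            role_reachable = True
    if not role_reachable:
        findings.append(f"ERROR hawtio.role={role!r} is neither a defaultRole nor selected by a roleFilter")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_LOGIN_CONFIG, SAMPLE_PROPS):
        print(line)
```

Run against the post's configuration it reports no ERROR and three WARN lines (debug=true, the clear-text bindCredential, and the defaultRole gating); flipping useStartTLS to false or pointing hawtio.realm at a realm that does not exist turns into ERRORs, which is the kind of mistake that otherwise only shows up as a silent login failure in the broker log.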
Enable logging
These lines in logback.xml can help you a lot while setting things up; remove them again once the login works, since at DEBUG level ldaptive records every bind and search it performs in the broker log:
<logger name="org.ldaptive" additivity="false">
    <level value="DEBUG"/>
    <appender-ref ref="R" />
    <appender-ref ref="stdout" />
</logger>
<logger name="io.hawt" additivity="false">
    <level value="DEBUG"/>
    <appender-ref ref="R" />
    <appender-ref ref="stdout" />
</logger>