ansible-middleware / amq

A collection to manage AMQ brokers
Apache License 2.0

Add LDAP plugin configuration to JAAS login.config #96

Closed guidograzioli closed 1 year ago

guidograzioli commented 1 year ago

The following new parameters allow configuring a secondary (sufficient) or primary (required) LDAP authentication endpoint.

| Variable | Description | Default |
|---|---|---|
| activemq_auth_properties_enabled | Whether to enable property based JAAS config | True |
| activemq_auth_ldap_enabled | Whether to enable LDAP based JAAS config | False |
| activemq_auth_ldap_url | URL for LDAP server connection | ldap://localhost:389 |
| activemq_auth_ldap_conn_username | Bind username for LDAP server | uid=admin,ou=system |
| activemq_auth_ldap_conn_password | Bind user password for LDAP server | password |
| activemq_auth_ldap_conn_codec | Optional password codec class for bind user password | {{ activemq_password_codec }} |
| activemq_auth_ldap_conn_protocol | Protocol for LDAP connection | s |
| activemq_auth_ldap_auth | Type of LDAP server authentication | simple |
| activemq_auth_ldap_user_base | Base for user search | ou=Users,dc=example,dc=com |
| activemq_auth_ldap_user_search | User attribute | (uid={0}) |
| activemq_auth_ldap_user_search_subtree | Whether to enable subtree user search | True |
| activemq_auth_ldap_role_base | Base for role search | ou=Groups,dc=example,dc=com |
| activemq_auth_ldap_role_name | Role attribute | cn |
| activemq_auth_ldap_role_search | Role search attribute | (member={0}) |
| activemq_auth_ldap_role_search_subtree | Whether to enable subtree role search | False |

Example:

    activemq_hawtio_role: Scientists
    activemq_auth_ldap_enabled: True
    activemq_auth_ldap_url: ldap://ldap.forumsys.com:389
    activemq_auth_ldap_conn_username: uid=tesla,dc=example,dc=com
    activemq_auth_ldap_conn_password: password
    activemq_auth_ldap_user_base: dc=example,dc=com
    activemq_auth_ldap_user_search: '(uid={0})'
    activemq_auth_ldap_role_base: dc=example,dc=com
    activemq_auth_ldap_role_name: cn
    activemq_auth_ldap_role_search: '(uniqueMember={0})'
    activemq_auth_ldap_role_search_subtree: True
    activemq_users:
      - user: amq
        password: amqbrokerpass
        roles: [ admin ]
      - user: other
        password: amqotherpass
        roles: [ consumer, producer ]
    activemq_roles:
      - name: admin
        permissions: [ createNonDurableQueue, deleteNonDurableQueue, createDurableQueue, deleteDurableQueue, createAddress, deleteAddress, consume, browse, send, manage ]
      - name: Scientists
        permissions: [ createNonDurableQueue, deleteNonDurableQueue, createDurableQueue, deleteDurableQueue, createAddress, deleteAddress, consume, browse, send, manage ]

It will authenticate and authorize LDAP users in the "Scientists" group, in addition to amq and other defined in property files.

Fix #80
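As an added example (not code from the ansible-middleware/amq collection or this PR), the script below renders the JAAS `login.config` that the variables in the table above describe, and runs a few defender-side checks over them. The variable names and defaults are the ones the PR lists; the mapping onto Artemis `LDAPLoginModule` and `PropertiesLoginModule` option names, the realm name `activemq` and the properties file names are assumptions about what the role's template emits. The `sufficient` versus `required` flag follows the PR's own description: LDAP is a secondary endpoint when the properties module stays enabled, and the primary one when it is the only module.

```python
"""Render and sanity-check the JAAS login.config that the PR's variables describe.

Added example; not code from the ansible-middleware/amq collection. Variable
names and defaults come from the PR table. The option-name mapping, the realm
name "activemq" and the properties file names are assumptions about the
role's template.
"""

LDAP_MODULE = "org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule"
PROPS_MODULE = "org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule"

# Defaults as listed in the PR table (codec left unset here; in the role it
# falls back to activemq_password_codec).
DEFAULTS = {
    "activemq_auth_properties_enabled": True,
    "activemq_auth_ldap_enabled": False,
    "activemq_auth_ldap_url": "ldap://localhost:389",
    "activemq_auth_ldap_conn_username": "uid=admin,ou=system",
    "activemq_auth_ldap_conn_password": "password",
    "activemq_auth_ldap_conn_codec": None,
    "activemq_auth_ldap_conn_protocol": "s",
    "activemq_auth_ldap_auth": "simple",
    "activemq_auth_ldap_user_base": "ou=Users,dc=example,dc=com",
    "activemq_auth_ldap_user_search": "(uid={0})",
    "activemq_auth_ldap_user_search_subtree": True,
    "activemq_auth_ldap_role_base": "ou=Groups,dc=example,dc=com",
    "activemq_auth_ldap_role_name": "cn",
    "activemq_auth_ldap_role_search": "(member={0})",
    "activemq_auth_ldap_role_search_subtree": False,
}

# Assumed variable -> LDAPLoginModule option mapping (option names are Artemis's).
LDAP_OPTIONS = [
    ("activemq_auth_ldap_url", "connectionURL"),
    ("activemq_auth_ldap_conn_username", "connectionUsername"),
    ("activemq_auth_ldap_conn_password", "connectionPassword"),
    ("activemq_auth_ldap_conn_protocol", "connectionProtocol"),
    ("activemq_auth_ldap_auth", "authentication"),
    ("activemq_auth_ldap_user_base", "userBase"),
    ("activemq_auth_ldap_user_search", "userSearchMatching"),
    ("activemq_auth_ldap_user_search_subtree", "userSearchSubtree"),
    ("activemq_auth_ldap_role_base", "roleBase"),
    ("activemq_auth_ldap_role_name", "roleName"),
    ("activemq_auth_ldap_role_search", "roleSearchMatching"),
    ("activemq_auth_ldap_role_search_subtree", "roleSearchSubtree"),
]

# The example values from the PR description (constructed overrides).
PR_EXAMPLE = {
    "activemq_auth_ldap_enabled": True,
    "activemq_auth_ldap_url": "ldap://ldap.forumsys.com:389",
    "activemq_auth_ldap_conn_username": "uid=tesla,dc=example,dc=com",
    "activemq_auth_ldap_conn_password": "password",
    "activemq_auth_ldap_user_base": "dc=example,dc=com",
    "activemq_auth_ldap_user_search": "(uid={0})",
    "activemq_auth_ldap_role_base": "dc=example,dc=com",
    "activemq_auth_ldap_role_name": "cn",
    "activemq_auth_ldap_role_search": "(uniqueMember={0})",
    "activemq_auth_ldap_role_search_subtree": True,
}


def _jaas(value):
    """JAAS option values: booleans lower-case, everything else as-is."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def ldap_flag(cfg):
    """Secondary endpoint (sufficient) when the properties module is also
    enabled; primary endpoint (required) when LDAP is the only module."""
    return "sufficient" if cfg["activemq_auth_properties_enabled"] else "required"


def render_login_config(overrides):
    """Return the login.config text for DEFAULTS updated with overrides."""
    cfg = {**DEFAULTS, **overrides}
    entries = []
    if cfg["activemq_auth_properties_enabled"]:
        entries.append(
            f"    {PROPS_MODULE} sufficient\n"
            '        org.apache.activemq.jaas.properties.user="artemis-users.properties"\n'
            '        org.apache.activemq.jaas.properties.role="artemis-roles.properties";'
        )
    if cfg["activemq_auth_ldap_enabled"]:
        lines = [f"    {LDAP_MODULE} {ldap_flag(cfg)}",
                 "        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory"]
        lines += [f'        {opt}="{_jaas(cfg[var])}"' for var, opt in LDAP_OPTIONS]
        entries.append("\n".join(lines) + ";")
    return "activemq {\n" + "\n".join(entries) + "\n};\n"


def audit(overrides):
    """Defender-side checks on the LDAP settings; returns a list of findings."""
    cfg = {**DEFAULTS, **overrides}
    findings = []
    if not cfg["activemq_auth_ldap_enabled"]:
        return findings
    if cfg["activemq_auth_ldap_url"].startswith("ldap://"):
        findings.append("ldap:// URL: bind credentials and user passwords cross the network unencrypted; prefer ldaps://")
    pw = cfg["activemq_auth_ldap_conn_password"]
    if cfg["activemq_auth_ldap_conn_codec"] is None and not pw.startswith("ENC("):
        findings.append("bind password lands in login.config in clear text; set activemq_auth_ldap_conn_codec")
    if pw == DEFAULTS["activemq_auth_ldap_conn_password"]:
        findings.append("bind password is still the collection default")
    if ldap_flag(cfg) == "required":
        findings.append("LDAP is the only login module: an LDAP outage locks out every user, local admin included")
    return findings


if __name__ == "__main__":
    print(render_login_config(PR_EXAMPLE))
    for finding in audit(PR_EXAMPLE):
        print("WARNING:", finding)
```

Running it with the PR's example values prints a realm with both modules flagged `sufficient` and warns about the `ldap://` URL and the clear-text default bind password; switching `activemq_auth_properties_enabled` off turns the LDAP entry into `required` and adds the lock-out caveat.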