emqx / emqx-auth-ldap

EMQX LDAP Authentication Plugin
https://www.emqx.io
Apache License 2.0

Converting schema to active directory #117

Open kevin-olbrich opened 4 years ago

kevin-olbrich commented 4 years ago

Hi!

The docs state that the module is not compatible with AD. What exactly is the problem with that backend? If I look at the schema (https://github.com/emqx/emqx-auth-ldap/blob/master/emqx.schema), the attributes can be created easily. The only thing that could be an issue is the mqttSecurity class because the attributes are named differently.

kevin-olbrich commented 3 years ago

I'm willing to invest time into converting the LDAP schema into AD compatible syntax but please allow a question before:

TIP

The emqx_auth_ldap plugin also includes ACL feature, which can be disabled via comments. The current version only supports openldap and does not support Microsoft active directory.

Source: https://docs.emqx.io/en/broker/v4.1/advanced/auth-ldap.html

I would like to know if AD is not working because there is a problem or it just was never implemented (schema) or tested. If it's just the schema and testing, I am willing to volunteer.

kevin-olbrich commented 3 years ago

User auth works fine but I'm blocked by https://github.com/emqx/emqx-auth-ldap/issues/75

kevin-olbrich commented 3 years ago

Translated Active Directory Schema

dn: CN=isEnabled,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: isEnabled
distinguishedName: CN=isEnabled,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.1.3
attributeSyntax: 2.5.5.8
isSingleValued: TRUE
adminDisplayName: isEnabled
adminDescription: isEnabled
oMSyntax: 1
lDAPDisplayName: isEnabled
name: isEnabled

dn: CN=mqttPublishTopic,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: mqttPublishTopic
distinguishedName: CN=mqttPublishTopic,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.1
attributeSyntax: 2.5.5.4
isSingleValued: FALSE
adminDisplayName: mqttPublishTopic
adminDescription: mqttPublishTopic
oMSyntax: 20
lDAPDisplayName: mqttPublishTopic
name: mqttPublishTopic

dn: CN=mqttSubscriptionTopic,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: mqttSubscriptionTopic
distinguishedName: CN=mqttSubscriptionTopic,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.2
attributeSyntax: 2.5.5.4
isSingleValued: FALSE
adminDisplayName: mqttSubscriptionTopic
adminDescription: mqttSubscriptionTopic
oMSyntax: 20
lDAPDisplayName: mqttSubscriptionTopic
name: mqttSubscriptionTopic

dn: CN=mqttPubSubTopic,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: mqttPubSubTopic
distinguishedName: CN=mqttPubSubTopic,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.3
attributeSyntax: 2.5.5.4
isSingleValued: FALSE
adminDisplayName: mqttPubSubTopic
adminDescription: mqttPubSubTopic
oMSyntax: 20
lDAPDisplayName: mqttPubSubTopic
name: mqttPubSubTopic

dn: CN=mqttAccountName,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: mqttAccountName
distinguishedName: CN=mqttAccountName,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.4
attributeSyntax: 2.5.5.4
isSingleValued: FALSE
adminDisplayName: mqttAccountName
adminDescription: mqttAccountName
oMSyntax: 20
searchFlags: 3
lDAPDisplayName: mqttAccountName
name: mqttAccountName
isMemberOfPartialAttributeSet: TRUE

dn: CN=mqttUser,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
changetype: add
objectClass: top
objectClass: classSchema
cn: mqttUser
distinguishedName: CN=mqttUser,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
instanceType: 4
possSuperiors: container
possSuperiors: organizationalUnit
subClassOf: top
governsID: 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4
mayContain: mqttAccountName
mayContain: mqttPublishTopic
mayContain: mqttPubSubTopic
mayContain: mqttSubscriptionTopic
rDNAttID: cn
# uSNChanged omitted: it is a system-only attribute maintained by the domain controller and cannot be supplied on import
adminDisplayName: mqttUser
adminDescription: mqttUser
objectClassCategory: 3
lDAPDisplayName: mqttUser
name: mqttUser
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
defaultObjectCategory: CN=mqttUser,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com

dn: CN=mqttDevice,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
changetype: add
objectClass: top
objectClass: classSchema
cn: mqttDevice
distinguishedName: CN=mqttDevice,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
instanceType: 4
possSuperiors: container
possSuperiors: organizationalUnit
subClassOf: top
governsID: 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.2
mustContain: uid
mayContain: isEnabled
rDNAttID: cn
adminDisplayName: mqttDevice
adminDescription: mqttDevice
objectClassCategory: 1
lDAPDisplayName: mqttDevice
name: mqttDevice
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
defaultObjectCategory: CN=mqttDevice,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com

dn: CN=mqttSecurity,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
changetype: add
objectClass: top
objectClass: classSchema
cn: mqttSecurity
distinguishedName: CN=mqttSecurity,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
instanceType: 4
possSuperiors: container
possSuperiors: organizationalUnit
subClassOf: top
governsID: 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.3
mayContain: userPassword
mayContain: userPKCS12
rDNAttID: cn
adminDisplayName: mqttSecurity
adminDescription: mqttSecurity
objectClassCategory: 3
lDAPDisplayName: mqttSecurity
name: mqttSecurity
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com
defaultObjectCategory: CN=mqttSecurity,CN=Schema,CN=Configuration,DC=intra,DC=example,DC=com

Objects using these attributes have been confirmed working in EMQX - AD setup.
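A pre-import sanity check for a hand-translated schema like the one above, as an added example that is not part of this issue or of the emqx project: it parses the LDIF, verifies each attributeSyntax/oMSyntax pairing, flags mayContain/mustContain references to attributes that are neither defined earlier in the file nor built into AD, and reports reused OIDs. The syntax table and the built-in attribute set are assumptions covering only what this schema uses; the sample LDIF is constructed and carries two deliberate defects.

```python
import re
from collections import defaultdict

SYNTAX_OM = {"2.5.5.8": "1", "2.5.5.4": "20"}  # Boolean, CaseIgnoreString (assumed subset)
BUILTIN_ATTRS = {"uid", "userPassword", "userPKCS12", "cn"}  # already defined by AD (assumed)

def parse_ldif(text):
    # Split LDIF on blank lines into entries, each a dict of attribute -> list of values
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for key, _, value in (ln.partition(":") for ln in block.splitlines() if ln and ln[0] != "#"):
            entry[key.strip()].append(value.strip())
        entries.append(entry)
    return entries

def check_schema(text):
    """Return the problems found, in file order; an empty list means the LDIF passed."""
    problems, attrs, oids = [], set(), defaultdict(list)
    for e in parse_ldif(text):
        name = e["lDAPDisplayName"][0]
        if "attributeID" in e:  # attributeSchema entry
            attrs.add(name)
            oids[e["attributeID"][0]].append(name)
            syn, om = e["attributeSyntax"][0], e["oMSyntax"][0]
            if SYNTAX_OM.get(syn) != om:
                problems.append(f"{name}: attributeSyntax {syn} does not pair with oMSyntax {om}")
        else:  # classSchema entry
            oids[e["governsID"][0]].append(name)
            for ref in e["mustContain"] + e["mayContain"]:
                if ref not in attrs | BUILTIN_ATTRS:  # must be defined above or built in
                    problems.append(f"{name}: references undefined attribute {ref}")
    problems += [f"OID {o} reused by {', '.join(n)}" for o, n in oids.items() if len(n) > 1]
    return problems

# Constructed sample: a Boolean paired with the string oMSyntax, and a reference to an undefined attribute
SAMPLE_LDIF = """\
dn: CN=isEnabled,CN=Schema,CN=Configuration,DC=example,DC=com
attributeID: 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.1.3
attributeSyntax: 2.5.5.8
oMSyntax: 20
lDAPDisplayName: isEnabled

dn: CN=mqttDevice,CN=Schema,CN=Configuration,DC=example,DC=com
governsID: 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.2
mustContain: uid
mayContain: isEnabled
mayContain: mqttAccountName
lDAPDisplayName: mqttDevice
"""
```

Run it over the full file before handing it to ldifde; attributes must precede the classes that reference them, which is why the reference check only looks at entries already seen.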