...
Here’s how to set up the ldap-realm in the ESE config.xml file:
base-dn: LDAP distinguished name
simple-bind:
rdns: The relative distinguished names (RDN) of the base DN that the ESE uses to bind to the LDAP server. Make sure that this DN is bindable and has the necessary rights to search for the users and permissions.
userPassword: The password portion that the ESE uses to perform a simple bind operation on the LDAP server.
| Code Block |
|---|
<ldap-realm>
<name>my-ldap-server</name>
<enabled>true</enabled>
<configuration>
<servers>
<ldap-server>
<host>your hostname</host>
<port>389</port>
</ldap-server>
</servers>
<tls>tcp</tls>
<base-dn>dc=hivemq,dc=com</base-dn>
<simple-bind>
<rdns>cn=ese,cn=hivemq</rdns>
<userPassword>password</userPassword>
</simple-bind>
</configuration>
</ldap-realm> |
...
Next, to implement custom authentication logic using LDAP, you must configure the LDAP Authentication Manager in your ESE config.xml:clients-rdns: LDAP directory name.
uid-attribute: The unique LDAP attribute that is used to identify every entry in the subtree of client RDNs. The default setting is uid.
| Code Block |
|---|
<ldap-authentication-manager>
<realm>my-ldap-server</realm>
<clients-rdns>ou=mqtt-clients,ou=iot-services</clients-rdns>
<uid-attribute>cn</uid-attribute>
<required-object-class>hmq-mqttClient</required-object-class>
</ldap-authentication-manager> |
...
| Code Block | ||
|---|---|---|
| ||
<ldap-authorization-manager>
<realm>my-ldap-server</realm>
<directory-descent>false</directory-descent>
<use-authorization-key>false</use-authorization-key>
<use-authorization-role-key>true</use-authorization-role-key>
</ldap-authorization-manager> |
...
| Code Block | ||
|---|---|---|
| ||
<?xml version="1.0" encoding="UTF-8" ?>
<enterprise-security-extension xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="config.xsd" version="1">
<realms>
<!-- Enable LDAP Realm -->
<ldap-realm>
<name>my-ldap-server</name>
<enabled>true</enabled>
<configuration>
<servers>
<ldap-server>
<host>testhivemq.com</host>
<port>389</port>
</ldap-server>
</servers>
<tls>tcp</tls>
<base-dn>DC=testhivemq,DC=com</base-dn>
<simple-bind>
<rdns>CN=HiveMQ,OU=Management,OU=hivemq/rdns>
<userPassword>hivemq</userPassword>
</simple-bind>
</configuration>
</ldap-realm>
</realms>
<pipelines>
<!-- Secure access to the MQTT broker -->
<listener-pipeline listener="ALL">
<!-- Authenticate MQTT client against a LDAP Server -->
<ldap-authentication-manager>
<realm>my-ldap-server</realm>
<clients-rdns>CN=customer1,OU=Customers</clients-rdns>
<uid-attribute>cn</uid-attribute>
</ldap-authentication-manager>
<!-- Authorize MQTT client client against a LDAP Server -->
<ldap-authorization-manager>
<realm>my-ldap-server</realm>
<use-authorization-key>true</use-authorization-key>
<use-authorization-role-key>true</use-authorization-role-key>
</ldap-authorization-manager>
</listener-pipeline>
</pipelines>
</enterprise-security-extension>
|
Restart the Broker
| Info |
|---|
After making changes to AD users or permissions, either restart the broker |
...
or the ESE to apply the updates. Please note that ESE caches permissions by default. |
\uD83D\uDCCB Related articles
...
| Filter by label (Content by label) | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|