...

Here’s how to set up the ldap-realm in the ESE config.xml file:

base-dn: The base distinguished name (DN) of the LDAP directory.

simple-bind:

rdns: The relative distinguished names (RDNs), relative to the base DN, that the ESE uses to bind to the LDAP server. Make sure that this DN is bindable and has the necessary rights to search for the users and permissions.

userPassword: The password portion that the ESE uses to perform a simple bind operation on the LDAP server.

<ldap-realm>
    <name>my-ldap-server</name>
    <enabled>true</enabled>
    <configuration>
        <servers>
          <ldap-server>
            <host>your hostname</host>
            <port>389</port>
          </ldap-server>
        </servers>
        <tls>tcp</tls>
        <base-dn>dc=hivemq,dc=com</base-dn>
        <simple-bind>
            <rdns>cn=ese,cn=hivemq</rdns>
            <userPassword>password</userPassword>
        </simple-bind>
    </configuration>
</ldap-realm>

...

Next, to implement custom authentication logic using LDAP, you must configure the LDAP Authentication Manager in your ESE config.xml:

clients-rdns: The RDNs of the LDAP directory subtree that contains the client entries.

uid-attribute: The unique LDAP attribute that is used to identify every entry in the subtree of client RDNs. The default setting is uid.

<ldap-authentication-manager>
    <realm>my-ldap-server</realm>
    <clients-rdns>ou=mqtt-clients,ou=iot-services</clients-rdns>
    <uid-attribute>cn</uid-attribute>
    <required-object-class>hmq-mqttClient</required-object-class>
</ldap-authentication-manager>

...

<ldap-authorization-manager>
    <realm>my-ldap-server</realm>
    <directory-descent>false</directory-descent>
    <use-authorization-key>false</use-authorization-key>
    <use-authorization-role-key>true</use-authorization-role-key>
</ldap-authorization-manager>

...

<?xml version="1.0" encoding="UTF-8" ?>
<enterprise-security-extension xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="config.xsd" version="1">

    <realms>
        <!-- Enable LDAP Realm  -->
        <ldap-realm>
            <name>my-ldap-server</name>
            <enabled>true</enabled>
            <configuration>
                <servers>
                    <ldap-server>
                        <host>testhivemq.com</host>
                        <port>389</port>
                    </ldap-server>
                </servers>
                <tls>tcp</tls>
                <base-dn>DC=testhivemq,DC=com</base-dn>
                <simple-bind>
                    <rdns>CN=HiveMQ,OU=Management,OU=hivemq</rdns>
                    <userPassword>hivemq</userPassword>
                </simple-bind>
            </configuration>
        </ldap-realm>
    </realms>
    <pipelines>
        <!-- Secure access to the MQTT broker -->
        <listener-pipeline listener="ALL">
            <!-- Authenticate MQTT client against a LDAP Server -->
            <ldap-authentication-manager>
                <realm>my-ldap-server</realm>
                <clients-rdns>CN=customer1,OU=Customers</clients-rdns>
                <uid-attribute>cn</uid-attribute>
            </ldap-authentication-manager>
            <!-- Authorize MQTT client against a LDAP Server -->
            <ldap-authorization-manager>
                <realm>my-ldap-server</realm>
                <use-authorization-key>true</use-authorization-key>
                <use-authorization-role-key>true</use-authorization-role-key>
            </ldap-authorization-manager>
        </listener-pipeline>
    </pipelines>
</enterprise-security-extension>

  1. Restart the Broker

Info

After making changes to AD users or permissions, either restart the broker

...

or the ESE to apply the updates. Please note that ESE caches permissions by default.
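
An added example, not part of the original article or of HiveMQ's own tooling: a small offline check to run on config.xml before restarting the broker. It reports a malformed tag, a manager whose `<realm>` matches no declared ldap-realm, and a simple bind configured over `tcp`, and returns the full DNs that the RDNs expand to. It assumes that `tcp` means an unencrypted connection and that clients-rdns, like rdns, is relative to base-dn; the function name, sample host, password and mismatched realm name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on this page's config; host and password are placeholders.
SAMPLE = """<enterprise-security-extension><realms><ldap-realm>
  <name>my-ldap-server</name><enabled>true</enabled>
  <configuration>
    <servers><ldap-server><host>ldap.example.test</host><port>389</port></ldap-server></servers>
    <tls>tcp</tls>
    <base-dn>DC=testhivemq,DC=com</base-dn>
    <simple-bind><rdns>CN=HiveMQ,OU=Management</rdns><userPassword>placeholder</userPassword></simple-bind>
  </configuration></ldap-realm></realms>
  <pipelines><listener-pipeline listener="ALL">
    <ldap-authentication-manager><realm>my-ldap-server</realm>
      <clients-rdns>CN=customer1,OU=Customers</clients-rdns></ldap-authentication-manager>
    <ldap-authorization-manager><realm>my-ldap</realm></ldap-authorization-manager>
  </listener-pipeline></pipelines></enterprise-security-extension>"""

def review_ese_ldap(xml_text):
    """Return (findings, dns): problems found and the full DNs the RDNs expand to."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. a closing tag typed as 'hivemq/rdns>'
        return [f"config is not well-formed XML: {exc}"], {}
    findings, dns, base = [], {}, {}
    for realm in root.iter("ldap-realm"):
        name = (realm.findtext("name") or "").strip()
        if (realm.findtext("enabled") or "").strip() == "false":
            findings.append(f"realm '{name}' is disabled")
        base[name] = (realm.findtext("configuration/base-dn") or "").strip()
        rdns = (realm.findtext("configuration/simple-bind/rdns") or "").strip()
        dns[f"{name}:bind"] = f"{rdns},{base[name]}"  # rdns is relative to base-dn
        # Assumption: 'tcp' means no TLS, so the simple-bind password is sent in clear.
        if (realm.findtext("configuration/tls") or "").strip() == "tcp":
            findings.append(f"realm '{name}' binds over plain TCP")
    managers = [m for tag in ("ldap-authentication-manager", "ldap-authorization-manager")
                for m in root.iter(tag)]
    for mgr in managers:
        ref = (mgr.findtext("realm") or "").strip()
        clients = (mgr.findtext("clients-rdns") or "").strip()
        if ref not in base:
            findings.append(f"{mgr.tag} references undefined realm '{ref}'")
        elif clients:  # assumption: clients-rdns is also relative to base-dn
            dns[f"{ref}:clients"] = f"{clients},{base[ref]}"
    return findings, dns

if __name__ == "__main__":
    found, expanded = review_ese_ldap(SAMPLE)
    print("\n".join(found), expanded, sep="\n")
```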

...
