Configuring HiveMQ Security Extension with Active Directory for MQTT Client Authentication and Authorization

This guide walks you through configuring the HiveMQ Security Extension (ESE) to authenticate and authorize MQTT clients against Active Directory (AD) through the LDAP realm.

Prerequisites:

  1. A fully configured Active Directory server with the appropriate users and permissions.

  2. A valid HiveMQ Security Extension license.

  3. The latest HiveMQ version.

Instructions

1. Configuring the LDAP Realm

To integrate Active Directory with HiveMQ, you’ll need to configure the LDAP realm. Details can be found in the HiveMQ documentation.

Here’s how to set up the ldap-realm in the ESE config.xml file:

base-dn: The base distinguished name (DN) of the directory subtree that the ESE works in. The RDN values configured below are relative to this DN.

simple-bind:

rdns: The relative distinguished names (RDNs), relative to the base DN, of the account that the ESE uses to bind to the LDAP server. Make sure that this DN is bindable and has the necessary rights to search for the users and permissions.

userPassword: The password that the ESE uses to perform a simple bind operation on the LDAP server with that account.

<ldap-realm>
    <name>my-ldap-server</name>
    <enabled>true</enabled>
    <configuration>
        <servers>
            <ldap-server>
                <host>your hostname</host>
                <port>389</port>
            </ldap-server>
        </servers>
        <!-- tcp is a plain, unencrypted connection: the bind password below and
             every client lookup cross the network in cleartext -->
        <tls>tcp</tls>
        <base-dn>dc=hivemq,dc=com</base-dn>
        <simple-bind>
            <rdns>cn=ese,cn=hivemq</rdns>
            <!-- placeholder: replace with the real password of the bind account -->
            <userPassword>password</userPassword>
        </simple-bind>
    </configuration>
</ldap-realm>

2. Configuring the LDAP Authentication Manager

Next, to implement custom authentication logic using LDAP, you must configure the LDAP Authentication Manager in your ESE config.xml:

clients-rdns: The RDNs, relative to the base DN, of the subtree that contains the MQTT client entries.

uid-attribute: The LDAP attribute that uniquely identifies every entry in the subtree of client RDNs. The default setting is uid.

<ldap-authentication-manager>
    <realm>my-ldap-server</realm>
    <clients-rdns>ou=mqtt-clients,ou=iot-services</clients-rdns>
    <uid-attribute>cn</uid-attribute>
</ldap-authentication-manager>

3. Configuring the LDAP Authorization Manager

For custom authorization logic over LDAP, you'll need to configure the LDAP Authorization Manager in the ESE config.xml.
You can also use a different realm for the authorization logic, for example a file realm or an SQL realm; in that case, use the authorization manager that belongs to that realm. For more details, please check our documentation.

<ldap-authorization-manager>
    <realm>my-ldap-server</realm>
    <use-authorization-key>false</use-authorization-key>
    <use-authorization-role-key>true</use-authorization-role-key>
</ldap-authorization-manager>

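Before restarting the broker, it is worth checking that the RDN values from the realm and the authentication manager compose into the DNs you expect and that both managers point at the same realm. The following added Python script (not part of HiveMQ or this guide) parses the three fragments above and derives the effective bind DN, the client subtree and the per-client search filter. It assumes, as this guide describes, that the ESE appends each RDN value to base-dn; the wrapper element, the hostname and the findings list are the script's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample wrapping the three fragments from this guide; the wrapper element
# and the hostname are placeholders, not the real ESE config.xml layout.
ESE_FRAGMENTS = """<ese-fragments>
  <ldap-realm><name>my-ldap-server</name><enabled>true</enabled><configuration>
    <servers><ldap-server><host>ad.example.internal</host><port>389</port></ldap-server></servers>
    <tls>tcp</tls><base-dn>dc=hivemq,dc=com</base-dn>
    <simple-bind><rdns>cn=ese,cn=hivemq</rdns><userPassword>password</userPassword></simple-bind>
  </configuration></ldap-realm>
  <ldap-authentication-manager><realm>my-ldap-server</realm>
    <clients-rdns>ou=mqtt-clients,ou=iot-services</clients-rdns><uid-attribute>cn</uid-attribute>
  </ldap-authentication-manager>
  <ldap-authorization-manager><realm>my-ldap-server</realm>
    <use-authorization-key>false</use-authorization-key>
    <use-authorization-role-key>true</use-authorization-role-key>
  </ldap-authorization-manager>
</ese-fragments>"""

def join_dn(rdns, base_dn):
    """Compose a full DN the way this guide describes: RDN values are relative to base-dn."""
    return f"{rdns.strip()},{base_dn.strip()}"

def escape_filter_value(value):
    """RFC 4515 escaping, so an MQTT client ID cannot change the structure of the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def client_filter(uid_attribute, client_id):
    """Search filter that selects one client entry below the clients subtree."""
    return f"({uid_attribute}={escape_filter_value(client_id)})"

def resolve(xml_text):
    """Return the effective DNs plus findings a config reviewer would flag."""
    root = ET.fromstring(xml_text)
    realm = root.find("ldap-realm")
    conf = realm.find("configuration")
    base_dn = conf.findtext("base-dn")
    authn = root.find("ldap-authentication-manager")
    out = {
        "bind_dn": join_dn(conf.findtext("simple-bind/rdns"), base_dn),
        "clients_base": join_dn(authn.findtext("clients-rdns"), base_dn),
        "uid_attribute": authn.findtext("uid-attribute") or "uid",  # uid is the documented default
        "findings": [],
    }
    if conf.findtext("tls") == "tcp":
        out["findings"].append("tls=tcp: bind password and client lookups cross the network unencrypted")
    for mgr in ("ldap-authentication-manager", "ldap-authorization-manager"):
        if root.findtext(f"{mgr}/realm") != realm.findtext("name"):
            out["findings"].append(f"{mgr} references a realm other than {realm.findtext('name')!r}")
    return out
```

Call `resolve(ESE_FRAGMENTS)` on your own fragments to see the bind DN and client subtree the bind account must be allowed to search, and use `client_filter(...)` with a real client ID to reproduce the lookup with an LDAP client of your choice.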
4. Final config.xml Example

Here’s an overview of how the config.xml will look after completing the steps:


5. Restart the Broker

After making changes to AD users or permissions, restart either the broker or the ESE to apply the updates. Note that the ESE caches permissions by default.
