You configure a broker to use an LDAP directory server by setting the values for certain configuration properties in the broker’s instance configuration file (config.properties). These properties enable the broker instance to query the LDAP server for information about users and groups when a user attempts to connect to the broker or perform messaging operations.
The imq.authentication.basic.user_repository property specifies the kind of user authentication the broker is to use. By default, this property is set to file, for a flat-file user repository. For LDAP authentication, set it to ldap instead:
imq.authentication.basic.user_repository=ldap
The imq.authentication.type property controls the type of encoding used when passing a password between client and broker. By default, this property is set to digest, denoting MD5 encoding, the form used by flat-file user repositories. For LDAP authentication, set it to basic instead:
imq.authentication.type=basic
This denotes base-64 encoding, the form used by LDAP user repositories.
The following properties control various aspects of LDAP access. See Table 16–8 for more detailed information:
imq.user_repository.ldap.server
imq.user_repository.ldap.principal
imq.user_repository.ldap.password
imq.user_repository.ldap.propertyName
imq.user_repository.ldap.base
imq.user_repository.ldap.uidattr
imq.user_repository.ldap.usrfilter
imq.user_repository.ldap.grpsearch
imq.user_repository.ldap.grpbase
imq.user_repository.ldap.gidattr
imq.user_repository.ldap.memattr
imq.user_repository.ldap.grpfilter
imq.user_repository.ldap.timeout
imq.user_repository.ldap.ssl.enabled
The imq.user_repository.ldap.userformat property, if set to a value of dn, specifies that the login username for authentication be in DN username format (for example: uid=mquser,ou=People,dc=red,dc=sun,dc=com). In this case, the broker extracts the value of the imq.user_repository.ldap.uidattr attribute from the DN username, and uses this value as the user name in access control operations (see User Authorization).
If you want the broker to use a secure, encrypted SSL (Secure Socket Layer) connection for communicating with the LDAP server, set the broker’s imq.user_repository.ldap.ssl.enabled property to true:
imq.user_repository.ldap.ssl.enabled=true
and the imq.user_repository.ldap.server property to the port used by the LDAP server for SSL communication: for example,
imq.user_repository.ldap.server=myhost:7878
You will also need to activate SSL communication in the LDAP server.
In addition, you may need to edit the user and group names in the broker’s access control file to match those defined in the LDAP user repository; see User Authorization for more information.
For example, to create administrative users, you use the access control file to specify those users and groups in the LDAP directory that can create ADMIN connections.
Any user or group that can create an ADMIN connection can issue administrative commands.
The following procedure makes use of a broker's access control file, which is described in User Authorization.
Enable the use of the access control file by setting the broker property imq.accesscontrol.enabled to true (this is the default value).
Open the access control file, accesscontrol.properties. The location for the file is listed in Appendix A, Platform-Specific Locations of Message Queue Data.
The file contains an entry such as the following:
##################################
# service connection access control
##################################
connection.NORMAL.allow.user=*
connection.ADMIN.allow.group=admin
The entries listed are examples. Note that the admin group exists by default in the file-based user repository but does not exist by default in the LDAP directory.
To grant Message Queue administrator privileges to users, enter the user names as follows:
connection.ADMIN.allow.user=userName[[,userName2] …]
The users must be defined in the LDAP directory.
To grant Message Queue administrator privileges to groups, enter the group names as follows:
connection.ADMIN.allow.group=groupName[[,groupName2] …]
The groups must be defined in the LDAP directory.
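The following added example (not part of Message Queue itself) reads a broker's config.properties and accesscontrol.properties and reports the misconfigurations the sections above warn about: a repository type or authentication type that does not match LDAP, an LDAP connection without SSL, and ADMIN connection entries that are either open to everyone or rely on the admin group, which does not exist by default in an LDAP directory. The file contents and host name are constructed samples.

```python
# Added example: lint Message Queue LDAP and access control settings.
def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def split_list(value):
    """'a, b' -> ['a', 'b']; an empty string yields an empty list."""
    return [item.strip() for item in value.split(",") if item.strip()]

def check_ldap_setup(config, access):
    """Return findings for the two property dicts; an empty list means all checks passed."""
    findings = []
    if config.get("imq.authentication.basic.user_repository") != "ldap":
        findings.append("user_repository is not ldap")
    if config.get("imq.authentication.type", "digest") != "basic":
        findings.append("authentication.type must be basic for an LDAP repository")
    if ":" not in config.get("imq.user_repository.ldap.server", ""):
        findings.append("ldap.server should name host:port")
    if config.get("imq.user_repository.ldap.ssl.enabled", "false").lower() != "true":
        findings.append("ldap.ssl.enabled is false: broker-to-LDAP traffic is unencrypted")
    if config.get("imq.accesscontrol.enabled", "true").lower() != "true":
        findings.append("access control file is disabled")
        return findings
    admin_users = split_list(access.get("connection.ADMIN.allow.user", ""))
    admin_groups = split_list(access.get("connection.ADMIN.allow.group", ""))
    if "*" in admin_users or "*" in admin_groups:
        findings.append("ADMIN connections are allowed for everyone")
    if not admin_users and admin_groups == ["admin"]:
        findings.append("ADMIN relies on group 'admin', which LDAP does not define by default")
    return findings

# Constructed sample files (placeholder values, not a real deployment).
CONFIG_OK = """
imq.authentication.basic.user_repository=ldap
imq.authentication.type=basic
imq.user_repository.ldap.server=ldap.example.test:7878
imq.user_repository.ldap.ssl.enabled=true
imq.accesscontrol.enabled=true
"""
ACCESS_OK = "connection.NORMAL.allow.user=*\nconnection.ADMIN.allow.group=mqadmins\n"
ACCESS_DEFAULT = "connection.NORMAL.allow.user=*\nconnection.ADMIN.allow.group=admin\n"

if __name__ == "__main__":
    for finding in check_ldap_setup(parse_properties(CONFIG_OK), parse_properties(ACCESS_DEFAULT)):
        print("finding:", finding)
```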