Hello Bryan

On 12 February 2018 at 21:01, bryand <[email protected]> wrote:
> I'm trying to get Simple LDAP setup with qpid-broker-j-7.0.1. I noticed in
> the documentation that you can configure group info with LDAP.

Yes, that's right. The SimpleLDAP authentication provider allows you to utilise group information from the DIT.

https://qpid.apache.org/releases/qpid-broker-j-7.0.1/book/Java-Broker-Security.html#Java-Broker-Security-LDAP-Provider

Once done, you can write ACL rules in terms of the DN of the group. You must use quotation marks around the DN otherwise the ACL parser will reject the commas. For instance:

ACL ALLOW-LOG "cn=mygroup,ou=acme" ACCESS VIRTUALHOST

> If I do that how does it work in conjunction with Group Providers?
> I don't see a Group Provider for use with LDAP or am not understanding it.
> Maybe I don't need
> to define a Group Provider if using LDAP group membership?

The use of the group provider is optional in this case. One use case for the group provider when using LDAP group is to map the DNs of the group into a logical group name to keep your ACL rules simpler and easier to maintain.

Unfortunately the ACL system within Broker-J needs a refresh and is not a particularly friendly experience at the moment. There is some advice in the docbook which hopefully helps.

When writing a new ACL, a workable approach is to begin with a rule-set containing only

ACL DENY-LOG ALL ALL

at the Broker control point which will cause the Broker to deny all operations with details of the denial logged. Build up the ACL rule by rule, gradually working through the use-cases of your system. Once the ACL is complete, consider switching the DENY-LOG actions to DENY.

Hope this helps
Keith

> --
> Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
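The two points in the reply above (quote group DNs because of their commas, and keep the deny-all rule in place while the rule set is built up) written as a small lint check. This is an added example, not part of the original thread and not Broker-J code; the `lint_acl` name, the second sample rule, the handling of `#` lines as comments, and the assumption that new rules are added ahead of the deny-all rule are mine.

```python
import re

ACTIONS = {"ALLOW", "ALLOW-LOG", "DENY", "DENY-LOG"}
# ACL <action> <identity> <operation/object...>; identity may be double-quoted
RULE = re.compile(r'^ACL\s+(?P<action>\S+)\s+(?P<ident>"[^"]*"|\S+)\s*(?P<rest>.*)$')

def lint_acl(text):
    """Return (line_number, message) findings for the text of an ACL rule set."""
    findings, rules = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        m = RULE.match(line)
        if not m:
            findings.append((n, "not an ACL rule"))
            continue
        action, ident = m.group("action"), m.group("ident")
        if action not in ACTIONS:
            findings.append((n, "unknown action " + action))
        # A DN such as cn=mygroup,ou=acme must be wrapped in quotation marks.
        if not ident.startswith('"') and "," in ident:
            findings.append((n, "identity contains commas but is not quoted"))
        rules.append((n, action, ident.strip('"'), m.group("rest").split()))
    if not rules:
        findings.append((0, "empty rule set"))
    else:
        n, action, ident, rest = rules[-1]
        # The starting point "ACL DENY-LOG ALL ALL" should remain the last rule.
        if not (action.startswith("DENY") and ident == "ALL" and rest == ["ALL"]):
            findings.append((n, "last rule is not a deny-all catch-all"))
    return findings

# Constructed sample: the second rule is deliberately missing its quotes.
SAMPLE = '''ACL ALLOW-LOG "cn=mygroup,ou=acme" ACCESS VIRTUALHOST
ACL ALLOW-LOG cn=ops,ou=acme ACCESS MANAGEMENT
ACL DENY-LOG ALL ALL
'''

if __name__ == "__main__":
    for line_no, message in lint_acl(SAMPLE):
        print("line %d: %s" % (line_no, message))
```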
