Hello Bryan

On 12 February 2018 at 21:01, bryand <br...@bldixon.net> wrote:
> I'm trying to get Simple LDAP setup with qpid-broker-j-7.0.1.  I noticed in
> the documentation that you can configure group info with LDAP.

Yes, that's right.  The SimpleLDAP authentication provider allows you
to utilise group information from the DIT.

https://qpid.apache.org/releases/qpid-broker-j-7.0.1/book/Java-Broker-Security.html#Java-Broker-Security-LDAP-Provider

Once done, you can write ACL rules in terms of the DN of the group.
You must use quotation marks around the DN otherwise the ACL parser
will reject the commas. For instance:

ACL ALLOW-LOG "cn=mygroup,ou=acme" ACCESS VIRTUALHOST

>  If I do that  how does it work in conjunction with Group Providers?
>  I don't see a Group Provider for use with LDAP or am not understanding it.  
> Maybe I don't need
> to define a Group Provider if using LDAP group membership?

The use of the group provider is optional in this case.  One use case
for the group provider when using LDAP group is to map the DNs of the
group into a logical group name to keep your ACL rules simpler and
easier to maintain.

Unfortunately the ACL system within Broker-J needs a refresh and is
not a particularly friendly experience at the moment.  There is some
advice in the docbook which hopefully helps.  When writing a new ACL,
a workable approach is to begin with an rule-set containing only ACL
DENY-LOG ALL ALLat the Broker control point which will cause the
Broker to deny all operations with details of the denial logged. Build
up the ACL rule by rule, gradually working through the use-cases of
your system. Once the ACL is complete, consider switching the DENY-LOG
actions to DENY.

Hope this helps

Keith

>
>
>
> --
> Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> For additional commands, e-mail: users-h...@qpid.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org

Reply via email to