Ganesh Murthy wrote
> If I am reading this correctly, you were able to get LDAP to work on the
> router after installing the correct rpms on CentOS? Congratulations.
> Share your steps so I can try this locally.
> 
> Thanks.

I am and I have!

For the RPM: search rpmfind.net for "cyrus-sasl-ldap"; you're bound to
find the one I found.
There may be some overhead and unneeded stuff I have done and installed; I
tried to filter those out, but can't promise I left none out :-)

Installed software:
yum install openldap openldap-clients compat-openldap
yum install cyrus-sasl-md5 cyrus-sasl-plain cyrus-sasl-scram
yum install python-saslwrapper
yum install cyrus-sasl*

and that other rpm: yum install /tmp/cyrus-sasl-ldap-2.1.26-21.el7.x86_64.rpm

Next I had to do quite a lot of stuff on LDAP; it took most of my time to
figure those out.
In cn=config:
olcAuthzPolicy: to
olcAuthzRegexp: uid=([^,]*),cn=digest-md5,cn=auth ldap:///dc=test,o=org??sub?(uid=$1)
olcAuthzRegexp: uid=([^,]*),cn=myrealm,cn=digest-md5,cn=auth ldap:///dc=test,o=org??sub?(uid=$1)
olcSaslHost: <fqdn hostname>
olcSaslRealm: <hostname>

In olcDatabase=bdb,cn=config:
olcAccess: to dn.children="cn=broker-users,dc=test,o=org" attrs=authzTo by self auth
olcOverlay=ppolicy -> olcPPolicyHashCleartext: FALSE

Now create a user in cn=broker-users,dc=test,o=org (or whatever suits your
DIT)
uid=qdrouterd
password=qdrouterd (I'm just testing, so this should be fine)
authzTo: dn.regex:cn=[^,]*,ou=broker-users,dc=test,o=org$
authzTo: dn.regex:uid=[^,]*,ou=broker-users,dc=test,o=org$
authzTo: dn.regex:^uid=[^,]*,cn=digest-md5,cn=auth$

(This one kept me busy for quite a while. I did this with Apache Directory
Studio, which does not show operational attributes (authzTo is one) and
complains about the schema not allowing it. So, not seeing the entries, I
assumed they were not there... they were... all the time... but had some
misspellings.)

In /etc/sasl2/qdrouterd.conf
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://my.ldap.host
ldapdb_id: qdrouterd
ldapdb_pw: qdrouterd
ldapdb_mech: DIGEST-MD5
log_level: 7

Mind the log-level :-)

And then the listener in qdrouterd:
listener {
        name: ontvangst
        host: 0.0.0.0
        port: 5672
        role: normal
        authenticatePeer: yes
        saslMechanisms: EXTERNAL DIGEST-MD5 PLAIN
}

Now I could do qdstat -a --sasl-user=qdrouterd --sasl-password=qdrouterd

I haven't yet tried to do more than this, but it shows I'm (almost) on track.

--
Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
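As an added illustration (not code from the post, from Qpid Dispatch or from OpenLDAP), here is a small Python model of the three slapd decisions the configuration above relies on: the olcAuthzRegexp mapping of the DIGEST-MD5 identity to a directory entry, the olcAuthzPolicy "to" check of the bound identity's authzTo patterns against the identity the ldapdb plugin asks to act as, and the cleartext userPassword read that olcPPolicyHashCleartext: FALSE makes possible. The in-memory directory, the extra users alice, bob and admin, and the tiny ldap:/// URI evaluator are constructed for the example; the regexp rules and the authzTo patterns are copied verbatim from the post. The model approximates slapd (first matching regexp wins, unanchored regexec-style matching, exactly one search hit required) and is not the slapd implementation.

```python
import re

# Constructed stand-in for the DIT in the post (not a real directory).
# Passwords are cleartext because ldapdb has to read them back for DIGEST-MD5;
# bob's {SSHA} value is there only to show what a ppolicy-hashed password does.
DIT = {
    "uid=qdrouterd,cn=broker-users,dc=test,o=org": {
        "uid": "qdrouterd",
        "userPassword": "qdrouterd",
        "authzTo": [  # verbatim from the post
            "dn.regex:cn=[^,]*,ou=broker-users,dc=test,o=org$",
            "dn.regex:uid=[^,]*,ou=broker-users,dc=test,o=org$",
            "dn.regex:^uid=[^,]*,cn=digest-md5,cn=auth$",
        ],
    },
    "uid=alice,ou=broker-users,dc=test,o=org": {"uid": "alice", "userPassword": "alice-secret"},
    "uid=bob,ou=broker-users,dc=test,o=org": {"uid": "bob", "userPassword": "{SSHA}notreadable"},
    "cn=admin,dc=test,o=org": {"cn": "admin", "userPassword": "admin-secret"},
}

# olcAuthzRegexp rules from the post, in order; the first match wins.
AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=digest-md5,cn=auth", "ldap:///dc=test,o=org??sub?(uid=$1)"),
    (r"uid=([^,]*),cn=myrealm,cn=digest-md5,cn=auth", "ldap:///dc=test,o=org??sub?(uid=$1)"),
]


def authzid_to_sasl_dn(authzid, mech="digest-md5", realm=None):
    """Turn a SASL identity ('u:alice' or 'dn:<dn>') into slapd's cn=auth DN form."""
    kind, _, value = authzid.partition(":")
    if kind == "dn":
        return value
    if kind != "u":
        raise ValueError("unsupported authzid form: %r" % authzid)
    parts = ["uid=" + value]
    if realm:  # olcSaslRealm / the realm the client used shows up as cn=<realm>
        parts.append("cn=" + realm)
    parts += ["cn=" + mech, "cn=auth"]
    return ",".join(parts)


def _search(uri):
    """Minimal ldap:/// evaluator over DIT: base, scope sub, one equality filter."""
    m = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?\((\w+)=([^)]*)\)", uri)
    if not m:
        raise ValueError("unsupported URI: %r" % uri)
    base, _attrs, scope, attr, value = m.groups()
    if scope not in ("", "sub"):
        raise ValueError("only scope 'sub' is modelled")
    return [dn for dn, e in DIT.items()
            if (dn == base or dn.endswith("," + base)) and e.get(attr) == value]


def sasl_dn_to_entry_dn(sasl_dn):
    """olcAuthzRegexp: rewrite the cn=auth DN to a URI, search, require exactly one hit."""
    for pattern, template in AUTHZ_REGEXP:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)  # regexec-style, unanchored
        if m:
            uri = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
            hits = _search(uri)
            return hits[0] if len(hits) == 1 else None
    return None


def authz_to_permits(authc_dn, target_dn):
    """olcAuthzPolicy 'to': the bound identity's own authzTo values decide."""
    for rule in DIT.get(authc_dn, {}).get("authzTo", []):
        kind, _, value = rule.partition(":")
        if kind == "dn.regex" and re.search(value, target_dn, re.IGNORECASE):
            return True
        if kind == "dn.exact" and value.lower() == target_dn.lower():
            return True
    return False


def ldapdb_lookup(client_user, realm=None):
    """Model of the ldapdb auxprop flow: bind as ldapdb_id, proxy-authz to the client, read its secret."""
    # 1. ldapdb_id 'qdrouterd' authenticates with ldapdb_mech DIGEST-MD5 and is mapped to its entry
    authc_dn = sasl_dn_to_entry_dn(authzid_to_sasl_dn("u:qdrouterd", realm=realm))
    if authc_dn is None:
        return None, "bind identity did not map to exactly one entry"
    # 2. ldapdb asks to act as 'u:<client>'; map it the same way and check authzTo
    target_dn = sasl_dn_to_entry_dn(authzid_to_sasl_dn("u:" + client_user, realm=realm))
    if target_dn is None:
        return None, "client identity did not map to exactly one entry"
    if not authz_to_permits(authc_dn, target_dn):
        return None, "authzTo on %s does not cover %s" % (authc_dn, target_dn)
    # 3. the auxprop lookup needs the cleartext secret for DIGEST-MD5 and PLAIN
    pw = DIT[target_dn].get("userPassword")
    if pw is None:
        return None, "no userPassword on %s" % target_dn
    if pw.startswith("{"):
        return None, "userPassword is hashed; ldapdb needs olcPPolicyHashCleartext: FALSE"
    return pw, "ok"
```

Running the functions shows which DN shapes each authzTo pattern accepts (the third one only matches a cn=auth DN without a realm component) and why a user whose password ppolicy has already hashed fails the lookup. Two operational points follow from the same flow: ldapdb_pw in /etc/sasl2/qdrouterd.conf is a cleartext credential that can proxy-authorize to every broker user, so that file should be readable only by the router, and Cyrus SASL's log_level 7 is SASL_LOG_PASS, the level whose trace output includes passwords, which is the reason to mind it.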
