Ganesh Murthy wrote
> If I am reading this correctly, you were able to get LDAP to work on the
> router after installing the correct rpms on CentOS? Congratulations.
> Share your steps so I can try this locally.
> Thanks.

I am and I have!

For the RPM: search on to "cyrus-sasl-ldap", you're bound to
find the one I found.
There may be some overhead, and unneeded stuff I have done and installed, I
tried to filter those out, but can't promise I left none out :-)

Installed software:
yum install openldap openldap-clients compat-openldap
yum install cyrus-sasl-md5 cyrus-sasl-plain cyrus-sasl-scram
yum install python-saslwrapper
yum install cyrus-sasl*

and that other rpm: yum install

Next I had to do quite alot of stuff on LDAP; took most of my time to figure
those out.
in cn=config
olcAuthzPolicy: to
olcAuthzRegexp: uid=([^,]*),cn=digest-md5,cn=auth
olcAuthzRegexp: uid=([^,]*),cn=myrealm,cn=digest-md5,cn=auth
olcSaslHost: <fqdn hostname>
olcSaslRealm: <hostname>

In olcDatabase=bdb,cn=config:
olcAccess: to dn.children="cn=broker-users,dc=test,o=org" attrs=authzTo by
self auth
olcOverlay=ppolicy -> olcPPolicyHashCleartext: FALSE

Now create a user in cn=broker-users,dc=test,o=org (or whatever suits your
password=qdrouterd (I'm just testing, so this should be fine)
authzTo: dn.regex:cn=[^,]*,ou=broker-users,dc=test,o=org$
authzTo: dn.regex:uid=[^,]*,ou=broker-users,dc=test,o=org$
authzTo: dn.regex:^uid=[^,]*,cn=digest-md5,cn=auth$

(This one got me busy for quite a while, I did this with Apache Directory
Studio, which does not show operational attributes (authzTo is) and
complains about the schema not allowing it. So, not seeing the entries, I
assumed they were not there... they were.... all the time... but got some

In /etc/sasl2/qdrouterd.conf
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://
ldapdb_id: qdrouterd
ldapdb_pw: qdrouterd
ldapdb_mech: DIGEST-MD5
log_level: 7

Mind the log-level :-)

And then the listener in qdrouterd:
listener {
        name: ontvangst
        port: 5672
        role: normal
        authenticatePeer: yes
        saslMechanisms: EXTERNAL DIGEST-MD5 PLAIN

Now I could do qdstat -a --sasl-user=qdrouterd --sasl-password=qdrouter

I havent yet tried to do more than this, but it shows I'm (almost) on track.

Sent from:

To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to