LDAP Authentication/ACL

LDAP authentication/access control uses an external OpenLDAP server as the authentication data source, which can store large amounts of data and facilitate integration with external device management systems.

Create module

Open EMQX DashboardLDAP AUTH/ACL - 图1 (opens new window), click the “Modules” tab on the left, and choose to add:

image-20200928161310952

Select LDAP authentication/access control module

image-20200928144927769

Configure OpenLDAP related parameters

image-20200928144945076

Finally, click the “Add” button, the module can be added successfully:

image-20200928145033628

LDAP Schema

The data model needs to be configured in the LDAP schema directory. The data model in the default configuration is as follows:

/etc/openldap/schema/emqx.schema

  1. attributetype (1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.1.3 NAME'isEnabled'
  2. EQUALITY booleanMatch
  3. SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  4. SINGLE-VALUE
  5. USAGE userApplications)
  7. attributetype (1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.1 NAME ('mqttPublishTopic''mpt')
  8. EQUALITY caseIgnoreMatch
  9. SUBSTR caseIgnoreSubstringsMatch
  10. SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  11. USAGE userApplications)
  12. attributetype (1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.2 NAME ('mqttSubscriptionTopic''mst')
  13. EQUALITY caseIgnoreMatch
  14. SUBSTR caseIgnoreSubstringsMatch
  15. SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  16. USAGE userApplications)
  17. attributetype (1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.3 NAME ('mqttPubSubTopic''mpst')
  18. EQUALITY caseIgnoreMatch
  19. SUBSTR caseIgnoreSubstringsMatch
  20. SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  21. USAGE userApplications)
  23. objectclass (1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4 NAME'mqttUser'
  24. AUXILIARY
  25. MAY (mqttPublishTopic $ mqttSubscriptionTopic $ mqttPubSubTopic))
  27. objectclass (1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.2 NAME'mqttDevice'
  28. SUP top
  29. STRUCTURAL
  30. MUST (uid)
  31. MAY (isEnabled))
  33. objectclass (1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.3 NAME'mqttSecurity'
  34. SUP top
  35. AUXILIARY
  36. MAY (userPassword $ userPKCS12 $ pwdAttribute $ pwdLockout))

Edit the ldap configuration file slapd.conf to reference the Schema:

/etc/openldap/slapd.conf

  1. include /etc/openldap/schema/core.schema
  2. include /etc/openldap/schema/cosine.schema
  3. include /etc/openldap/schema/inetorgperson.schema
  4. include /etc/openldap/schema/ppolicy.schema
  5. include /etc/openldap/schema/emqx.schema
  7. database bdb
  8. suffix "dc=emqx,dc=io"
  9. rootdn "cn=root,dc=emqx,dc=io"
  10. rootpw {SSHA}eoF7NhNrejVYYyGHqnt+MdKNBh4r1w3W
  12. directory /etc/openldap/data

The sample data in the default configuration is as follows:

  1. ## create emqx.io
  3. dn:dc=emqx,dc=io
  4. objectclass: top
  5. objectclass: dcobject
  6. objectclass: organization
  7. dc:emqx
  8. o: emqx, Inc.
  10. # create testdevice.emqx.io
  11. dn:ou=testdevice,dc=emqx,dc=io
  12. objectClass: top
  13. objectclass:organizationalUnit
  14. ou:testdevice
  16. dn:uid=mqttuser0001,ou=testdevice,dc=emqx,dc=io
  17. objectClass: top
  18. objectClass: mqttUser
  19. objectClass: mqttDevice
  20. objectClass: mqttSecurity
  21. uid: mqttuser0001
  22. isEnabled: TRUE
  23. mqttAccountName: user1
  24. mqttPublishTopic: mqttuser0001/pub/1
  25. mqttSubscriptionTopic: mqttuser0001/sub/1
  26. mqttPubSubTopic: mqttuser0001/pubsub/1
  27. userPassword:: e1NIQX1tbGIzZmF0NDBNS0JUWFVWWndDS21MNzNSLzA9

After enabling LDAP authentication, you can connect via username: mqttuser0001 and password: public.

LDAP access control configuration method

mqttPublishTopic allowed topics to be published (multiple can be configured)

mqttSubscriptionTopic allows to subscribe to the topic (multiple can be configured)

mqttPubSubTopic allows to subscribe/publish the topic (multiple can be configured)

TIP

The current version only supports OpenLDAP, not Microsoft Active Directory.