LDAP

LDAP authentication uses an external LDAP server as the authentication data source, which can store a large amount of data and facilitate integration with external device management systems.

Plugin:

  1. emqx_auth_ldap

TIP

The emqx_auth_ldap plugin also includes ACL feature, which can be disabled via comments. The current version only supports openldap and does not support Microsoft active directory.

LDAP Configuration

To enable LDAP authentication, you need to configure the following in etc/plugins/emqx_auth_ldap.conf:

  1. # etc/plugins/emqx_auth_ldap.conf
  3. auth.ldap.servers = 127.0.0.1
  5. auth.ldap.port = 389
  7. auth.ldap.pool = 8
  9. ## ldap's Binding Distinguished Name (DN)
  10. auth.ldap.bind_dn = cn=root,dc=emqx,dc=io
  12. ##     ldap's Binding password
  13. auth.ldap.bind_password = public
  15. ## ldap's query timeout
  16. auth.ldap.timeout = 30s
  18. ## ldap's device distinguished name
  19. auth.ldap.device_dn = ou=device,dc=emqx,dc=io
  21. ## ldap's matching object class
  22. auth.ldap.match_objectclass = mqttUser
  24. ## ldap's username attribute type
  25. auth.ldap.username.attributetype = uid
  27. ##     ldap's password attribute type
  28. auth.ldap.password.attributetype = userPassword
  30. ## TLS Configuration item
  31. ## auth.ldap.ssl.certfile = etc/certs/cert.pem
  32. ## auth.ldap.ssl.keyfile = etc/certs/key.pem
  33. ## auth.ldap.ssl.cacertfile = etc/certs/cacert.pem
  34. ## auth.ldap.ssl.verify = verify_peer
  35. ## auth.ldap.ssl.fail_if_no_peer_cert = true

LDAP Schema

The data model needs to be configured in the LDAP schema directory. By default, the data model is as follows:

/etc/openldap/schema/emqx.schema

  1. attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.1.3 NAME 'isEnabled'
  2. EQUALITY booleanMatch
  3. SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  4. SINGLE-VALUE
  5. USAGE userApplications )
  7. attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.1 NAME ( 'mqttPublishTopic' 'mpt' )
  8. EQUALITY caseIgnoreMatch
  9. SUBSTR caseIgnoreSubstringsMatch
  10. SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  11. USAGE userApplications )
  12. attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.2 NAME ( 'mqttSubscriptionTopic' 'mst' )
  13. EQUALITY caseIgnoreMatch
  14. SUBSTR caseIgnoreSubstringsMatch
  15. SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  16. USAGE userApplications )
  17. attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.3 NAME ( 'mqttPubSubTopic' 'mpst' )
  18. EQUALITY caseIgnoreMatch
  19. SUBSTR caseIgnoreSubstringsMatch
  20. SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  21. USAGE userApplications )
  23. objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4 NAME 'mqttUser'
  24. AUXILIARY
  25. MAY ( mqttPublishTopic $ mqttSubscriptionTopic $ mqttPubSubTopic) )
  27. objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.2 NAME 'mqttDevice'
  28. SUP top
  29. STRUCTURAL
  30. MUST ( uid )
  31. MAY ( isEnabled ) )
  33. objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.3 NAME 'mqttSecurity'
  34. SUP top
  35. AUXILIARY
  36. MAY ( userPassword $ userPKCS12 $ pwdAttribute $ pwdLockout ) )

The configuration file slapd.conf was edited with reference of Schema:

/etc/openldap/slapd.conf

  1. include  /etc/openldap/schema/core.schema
  2. include  /etc/openldap/schema/cosine.schema
  3. include  /etc/openldap/schema/inetorgperson.schema
  4. include  /etc/openldap/schema/ppolicy.schema
  5. include  /etc/openldap/schema/emqx.schema
  7. database bdb
  8. suffix "dc=emqx,dc=io"
  9. rootdn "cn=root,dc=emqx,dc=io"
  10. rootpw {SSHA}eoF7NhNrejVYYyGHqnt+MdKNBh4r1w3W
  12. directory       /etc/openldap/data