Authentication/Access Control III (EMQX-AUTH-LDAP)

Before reading this tutorial you should be familiar with the MQTT protocol, with basic use of EMQX, and with the configuration and use of OpenLDAP.

emqx_auth_ldap controls client access by comparing the username and password of each client that tries to connect to EMQX with the username and password stored for that client in the OpenLDAP server. It also enforces an ACL for authenticated clients: the mqttPublishTopic and mqttSubscriptionTopic attributes of the client's entry in OpenLDAP determine which topics the client may publish to and subscribe to. Its logic is shown in the following figure:

[Figure: WechatIMG482.png, authentication and ACL flow of emqx_auth_ldap]

The current version of emqx_auth_ldap supports only OpenLDAP, not Microsoft Active Directory, and provides connection authentication and access control. It does not manage the directory data itself: the entries in OpenLDAP have to be maintained with third-party tools.

Plugin configuration items

The configuration items in the default configuration file of the latest emqx_auth_ldap release are, in outline:

Configuration item                Description
auth.ldap.servers                 LDAP server address
auth.ldap.port                    LDAP port (389 for plain LDAP, 636 for LDAPS)
auth.ldap.pool                    Size of the LDAP connection pool
auth.ldap.bind_dn                 Distinguished name (DN) EMQX binds with when querying the directory
auth.ldap.bind_password           Password of the bind DN
auth.ldap.timeout                 LDAP query timeout
auth.ldap.device_dn               Base DN under which device (client) entries are looked up
auth.ldap.match_objectclass       Object class an entry must carry to be treated as a device (mqttUser from emqx.schema)
auth.ldap.username.attributetype  Attribute that holds the client username (uid in emqx.schema)
auth.ldap.password.attributetype  Attribute that holds the client password (userPassword)
auth.ldap.ssl                     Whether to connect to the LDAP server over SSL/TLS

Configuring these correctly requires a basic understanding of OpenLDAP. Two points deserve attention. auth.ldap.bind_dn and auth.ldap.bind_password are EMQX's own credentials for the directory and sit in clear text in the plugin configuration file, so restrict that file's permissions and give the bind account read access to the device subtree only. And unless the broker and the directory share a trusted network, enable auth.ldap.ssl: every client connection attempt otherwise triggers an unencrypted lookup of that client's credentials in the directory.

OpenLDAP configuration instructions

After emqx_auth_ldap is configured, the OpenLDAP server must be configured in turn so that it knows the plugin's schema.

First, copy emqx.schema from the plugin's schema directory into the OpenLDAP schema directory. On macOS that is /etc/openldap/schema/emqx.schema (on Linux distributions it is usually /etc/ldap/schema or /etc/openldap/schema); then edit the OpenLDAP configuration file slapd.conf.

/etc/openldap/schema/emqx.schema

attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.1.3 NAME 'isEnabled'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE userApplications )

attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.1 NAME ( 'mqttPublishTopic' 'mpt' )
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.2 NAME ( 'mqttSubscriptionTopic' 'mst' )
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.3 NAME ( 'mqttPubSubTopic' 'mpst' )
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )

objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4 NAME 'mqttUser'
AUXILIARY
MAY ( mqttPublishTopic $ mqttSubscriptionTopic $ mqttPubSubTopic) )

objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.2 NAME 'mqttDevice'
SUP top
STRUCTURAL
MUST ( uid )
MAY ( isEnabled ) )

objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.3 NAME 'mqttSecurity'
SUP top
AUXILIARY
MAY ( userPassword $ userPKCS12 $ pwdAttribute $ pwdLockout ) )

/etc/openldap/slapd.conf

include  /etc/openldap/schema/core.schema
include  /etc/openldap/schema/cosine.schema
include  /etc/openldap/schema/inetorgperson.schema
include  /etc/openldap/schema/ppolicy.schema
include  /etc/openldap/schema/emqx.schema

database bdb
suffix "dc=emqx,dc=io"
rootdn "cn=root,dc=emqx,dc=io"
rootpw {SSHA}eoF7NhNrejVYYyGHqnt+MdKNBh4r1w3W

directory       /etc/openldap/data

After editing the configuration file, start the OpenLDAP service with sudo slapd -d 3 (debug level 3 keeps slapd in the foreground and prints what it is doing). If it fails with an error like the following:

Unrecognized database type (bdb)
5c4a72b9 slapd.conf: line 7: <database> failed init (bdb)
slapadd: bad configuration file!

then the backend module is not loaded; add these lines to slapd.conf (the module directory varies by platform; /usr/lib/ldap is the Debian/Ubuntu location):

modulepath /usr/lib/ldap
moduleload back_bdb.la

Note that the bdb backend is deprecated and was removed in OpenLDAP 2.5; on current releases use database mdb together with moduleload back_mdb.la instead.

Start the OpenLDAP service, then load the plugin with:

./bin/emqx_ctl plugins load emqx_auth_ldap

If it returns

Start apps: [emqx_auth_ldap]
Plugin emqx_auth_ldap loaded successfully.

the plugin has been enabled successfully.

Test

To test emqx_auth_ldap end to end, import the test data shipped with the plugin into OpenLDAP with sudo slapadd -l schema/emqx.io.ldif -f slapd.conf (slapadd writes the database files directly, so run it with slapd stopped and start slapd again afterwards).

Then load the emqx_auth_ldap plugin again.

1. Connect with the correct username and password and subscribe to the topic 'mqttuser0001/pubsub/1'.

mosquitto_sub -p 1883 -u mqttuser0001 -P mqttuser0001 -t 'mqttuser0001/pubsub/1' -d
Client mosqsub|34863-Gilberts- sending CONNECT
Client mosqsub|34863-Gilberts- received CONNACK (0)
Client mosqsub|34863-Gilberts- sending SUBSCRIBE (Mid: 1, Topic: mqttuser0001/pubsub/1, QoS: 0)
Client mosqsub|34863-Gilberts- received SUBACK
Subscribed (mid: 1): 0

Result: the connection succeeds and the subscription is accepted (SUBACK return code 0).

2. Connect with a wrong username or password and subscribe to the topic 'mqttuser0001/pubsub/1'.

mosquitto_sub -p 1883 -u mqttuser0001 -P mqttuser0002 -t 'mqttuser0001/pubsub/1' -d
Client mosqsub|34884-Gilberts- sending CONNECT
Client mosqsub|34884-Gilberts- received CONNACK (4)
Connection Refused: bad user name or password.
Client mosqsub|34884-Gilberts- sending DISCONNECT

Result: the connection is refused with CONNACK return code 4 (bad user name or password).

3. Connect with the correct username and password and subscribe to the topic 'mqttuser0001/req/+/mqttuser0002'.

mosquitto_sub -p 1883 -u mqttuser0001 -P mqttuser0001 -t 'mqttuser0001/req/+/mqttuser0002' -d
Client mosqsub|34897-Gilberts- sending CONNECT
Client mosqsub|34897-Gilberts- received CONNACK (0)
Client mosqsub|34897-Gilberts- sending SUBSCRIBE (Mid: 1, Topic: mqttuser0001/req/+/mqttuser0002, QoS: 0)
Client mosqsub|34897-Gilberts- received SUBACK
Subscribed (mid: 1): 128

Result: the connection succeeds but the subscription is refused. SUBACK return code 128 (0x80) is the MQTT 3.1.1 failure code; it is returned because none of the user's mqttSubscriptionTopic or mqttPubSubTopic filters covers 'mqttuser0001/req/+/mqttuser0002'.

4. Both subscriber and publisher connect with the correct username and password. The subscriber subscribes to the topic 'mqttuser0001/sub':

mosquitto_sub -p 1883 -u mqttuser0001 -P mqttuser0001 -t 'mqttuser0001/sub' -d
Client mosqsub|34991-Gilberts- sending CONNECT
Client mosqsub|34991-Gilberts- received CONNACK (0)
Client mosqsub|34991-Gilberts- sending SUBSCRIBE (Mid: 1, Topic: mqttuser0001/sub, QoS: 0)
Client mosqsub|34991-Gilberts- received SUBACK
Subscribed (mid: 1): 0

The publisher then publishes a message to the same topic 'mqttuser0001/sub':

mosquitto_pub -p 1883 -u mqttuser0001 -P mqttuser0001 -t 'mqttuser0001/sub' -m "hello"

Result: the subscriber receives nothing, because the ACL rejects the publish: for this user the topic is covered only by a mqttSubscriptionTopic filter, not by a mqttPublishTopic or mqttPubSubTopic filter. Note that MQTT 3.1.1 has no way to report a rejected PUBLISH to the publisher, so mosquitto_pub exits normally; EMQX's default acl_deny_action = ignore silently discards the message (set it to disconnect if you want the offending client dropped instead).
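The four test outcomes above follow from two decisions: the CONNECT check against the device entry, and the publish/subscribe check of the requested topic against the mqttPublishTopic, mqttSubscriptionTopic and mqttPubSubTopic attributes defined in emqx.schema. The following Python model reproduces both, and also shows what a device entry built from the schema's object classes looks like. It is an example added by the editor, not code from emqx_auth_ldap or from the original post: the LDIF entry is constructed, the uid, topic filters, password and salt are assumptions, and the {SSHA} verification and topic-filter matching are the editor's own implementations of the standard OpenLDAP and MQTT 3.1.1 rules, not the plugin's.

```python
import base64
import hashlib
import hmac

# Constructed LDIF for one device entry, using the object classes and attributes
# of emqx.schema. The uid, the topic filters, the password ("mqttuser0001", as
# in the tests above) and the salt are assumptions made for this example.
SALT = b"\x13\x37\xca\xfe"  # fixed to keep the example deterministic; use os.urandom(4) for real entries

def ssha(password: str, salt: bytes) -> str:
    """Encode a password as slappasswd -h {SSHA} does: {SSHA}base64(sha1(pw || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value, comparing in constant time."""
    if not stored.startswith("{SSHA}"):
        return False  # other schemes ({SHA}, {CRYPT}, ...) are out of scope here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the salt follows it
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

DEVICE_LDIF = f"""\
dn: uid=mqttuser0001,ou=device,dc=emqx,dc=io
objectClass: top
objectClass: mqttDevice
objectClass: mqttUser
objectClass: mqttSecurity
uid: mqttuser0001
isEnabled: TRUE
userPassword: {ssha('mqttuser0001', SALT)}
mqttPublishTopic: mqttuser0001/pub/#
mqttSubscriptionTopic: mqttuser0001/sub/#
mqttPubSubTopic: mqttuser0001/pubsub/#
"""

def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF reader for one entry: attribute -> list of values.
    Also accepts the 'attr:: base64' form that ldapsearch emits for binary values."""
    entry: dict = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr, []).append(value.strip())
    return entry

# In-memory stand-in for the ou=device subtree (auth.ldap.device_dn), keyed by
# the uid attribute (auth.ldap.username.attributetype).
DIRECTORY = {e["uid"][0]: e for e in [parse_ldif_entry(DEVICE_LDIF)]}

def topic_match(name: str, flt: str) -> bool:
    """Does ACL filter `flt` cover `name`? `name` is a PUBLISH topic or the filter a
    SUBSCRIBE asks for; wildcards inside `name` count as literal levels, so a wildcard
    subscription passes only if the ACL filter is at least as broad. In `flt`, '+'
    matches one level and '#' the remaining levels, including none ('a/#' covers 'a')."""
    n, f = name.split("/"), flt.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(n) or (level != "+" and level != n[i]):
            return False
    return len(f) == len(n)

def acl_allow(entry: dict, action: str, topic: str) -> bool:
    """publish is allowed by mqttPublishTopic or mqttPubSubTopic, subscribe by
    mqttSubscriptionTopic or mqttPubSubTopic; any matching filter grants access."""
    attr = {"publish": "mqttPublishTopic", "subscribe": "mqttSubscriptionTopic"}[action]
    filters = entry.get(attr, []) + entry.get("mqttPubSubTopic", [])
    return any(topic_match(topic, flt) for flt in filters)

def authenticate(directory: dict, username: str, password: str) -> bool:
    """CONNECT check: the entry must exist, not be disabled, and the password must verify."""
    entry = directory.get(username)
    if entry is None:
        return False  # an unknown uid fails exactly like a bad password: no user enumeration
    if entry.get("isEnabled", ["TRUE"])[0].upper() != "TRUE":
        return False  # isEnabled from emqx.schema used as a kill switch (assumption)
    return verify_ssha(entry["userPassword"][0], password)

def check(username: str, password: str, action: str, topic: str) -> str:
    """One client's path through the broker: authentication on CONNECT, then the ACL
    on SUBSCRIBE or PUBLISH. Returns the MQTT 3.1.1 outcome the client observes."""
    if not authenticate(DIRECTORY, username, password):
        return "CONNACK 4"  # return code 4: bad user name or password
    if not acl_allow(DIRECTORY[username], action, topic):
        # 0x80 in SUBACK is the 3.1.1 failure code; a denied PUBLISH has no error code
        # at all, so the broker simply drops it (EMQX default acl_deny_action = ignore)
        return "SUBACK 128" if action == "subscribe" else "PUBLISH dropped"
    return "ok"
```

Calling check("mqttuser0001", "mqttuser0001", "subscribe", "mqttuser0001/pubsub/1") returns "ok", the wrong-password case returns "CONNACK 4", the 'mqttuser0001/req/+/mqttuser0002' subscription returns "SUBACK 128", and a publish to 'mqttuser0001/sub' returns "PUBLISH dropped", mirroring tests 1 to 4. The point worth taking from topic_match is the asymmetry it encodes: wildcards in the ACL filter widen what a device may do, while wildcards in the device's own subscription request are only honoured when an ACL filter is at least as broad, which is why a device with only 'mqttuser0001/pubsub/#' cannot subscribe to 'mqttuser0001/+/1'.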

Once all of these tests behave as described, emqx_auth_ldap is verified and the plugin can be put into regular use.


Posted on Fri, 06 Sep 2019 03:40:34 -0700 by Robert Plank