
Analysis of examples used by EMQX-AUTH-LDAP

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article walks through an example of using emqx_auth_ldap: how the plug-in works, how to configure it and the OpenLDAP server it depends on, and how to test the result.

emqx_auth_ldap controls client access by checking whether the username and password presented by each client that tries to connect to EMQX match the username and password stored in the OpenLDAP server. It can also perform an ACL check for an authenticated client, deciding whether the client may publish or subscribe by looking at the mqttPublishTopic and mqttSubscriptionTopic attributes of the corresponding user in OpenLDAP. The functional logic is shown in the following figure:

The current version of emqx_auth_ldap only supports OpenLDAP, not Microsoft Active Directory, and provides connection authentication and access control. The data in OpenLDAP can only be managed through third-party tools; emqx_auth_ldap itself provides no such management function.

Plug-in configuration item description

The default configuration file of the latest emqx_auth_ldap version mainly includes the following items:

Configuration item                  Description
auth.ldap.servers                   LDAP server address
auth.ldap.port                      LDAP port number
auth.ldap.pool                      LDAP connection pool size
auth.ldap.bind_dn                   LDAP bind distinguished name (DN)
auth.ldap.bind_password             LDAP bind password
auth.ldap.timeout                   LDAP query timeout
auth.ldap.device_dn                 LDAP device distinguished name (DN)
auth.ldap.match_objectclass         LDAP matching object class
auth.ldap.username.attributetype    LDAP username attribute type
auth.ldap.password.attributetype    LDAP password attribute type
auth.ldap.ssl                       LDAP SSL option

Note that a basic understanding of OpenLDAP is needed to configure these parameters correctly.

OpenLDAP configuration description

After all the emqx_auth_ldap configuration options have been set, the OpenLDAP server itself must also be configured.

First, copy emqx.schema into the schema directory of OpenLDAP. On macOS, copy emqx.schema to /etc/openldap/schema/emqx.schema, then edit the OpenLDAP configuration file slapd.conf.

/etc/openldap/schema/emqx.schema

attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.3.1.3 NAME 'isEnabled'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
        SINGLE-VALUE
        USAGE userApplications )

attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.2.3.4.1 NAME ( 'mqttPublishTopic' 'mpt' )
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        USAGE userApplications )

attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.3.4.2 NAME ( 'mqttSubscriptionTopic' 'mst' )
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        USAGE userApplications )

attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.3 NAME ( 'mqttPubSubTopic' 'mpst' )
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        USAGE userApplications )

objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.3.4 NAME 'mqttUser'
        AUXILIARY
        MAY ( mqttPublishTopic $ mqttSubscriptionTopic $ mqttPubSubTopic ) )

objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.2 NAME 'mqttDevice'
        SUP top
        STRUCTURAL
        MUST ( uid )
        MAY ( isEnabled ) )

objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.3.3.3 NAME 'mqttSecurity'
        SUP top
        AUXILIARY
        MAY ( userPassword $ userPKCS12 $ pwdAttribute $ pwdLockout ) )

/etc/openldap/slapd.conf

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/emqx.schema

database bdb
suffix "dc=emqx,dc=io"
rootdn "cn=root,dc=emqx,dc=io"
rootpw {SSHA}eoF7NhNrejVYYyGHqnt+MdKNBh5r1w3W
directory /etc/openldap/data

After editing the configuration file, start the OpenLDAP service with sudo slapd -d 3. If the following error occurs:

Unrecognized database type (bdb)
5c4a72b9 slapd.conf: line 7: failed init (bdb)
slapadd: bad configuration file!

then you also need to add the following to slapd.conf:

modulepath /usr/lib/ldap
moduleload back_bdb.la

Now start the OpenLDAP service, then load the plug-in with the command

./bin/emqx_ctl plugins load emqx_auth_ldap

If it returns

Start apps: [emqx_auth_ldap]
Plugin emqx_auth_ldap loaded successfully.

then the plug-in has been enabled successfully.

Test

To run a functional test of emqx_auth_ldap, import the test data shipped with emqx_auth_ldap into the OpenLDAP server with the command sudo slapadd -l schema/emqx.io.ldif -f slapd.conf.

Then reload the emqx_auth_ldap plug-in.

1. Connect with the correct user name and password and subscribe to the "mqttuser0001/pubsub/1" topic.

$ mosquitto_sub -p 1883 -u mqttuser0001 -P mqttuser0001 -t 'mqttuser0001/pubsub/1' -d
Client mosqsub|34863-Gilberts sending CONNECT
Client mosqsub|34863-Gilberts received CONNACK (0)
Client mosqsub|34863-Gilberts sending SUBSCRIBE (Mid: 1, Topic: mqttuser0001/pubsub/1, QoS: 0)
Client mosqsub|34863-Gilberts received SUBACK
Subscribed (mid: 1): 0

Result: connection and subscription succeeded

2. Connect with the wrong user name or password and subscribe to the "mqttuser0001/pubsub/1" topic.

$ mosquitto_sub -p 1883 -u mqttuser0001 -P mqttuser0002 -t 'mqttuser0001/pubsub/1' -d
Client mosqsub|34884-Gilberts sending CONNECT
Client mosqsub|34884-Gilberts received CONNACK (4)
Connection Refused: bad user name or password.
Client mosqsub|34884-Gilberts sending DISCONNECT

Result: connection denied

3. Connect with the correct user name and password and subscribe to the "mqttuser0001/req/+/mqttuser0002" topic.

$ mosquitto_sub -p 1883 -u mqttuser0001 -P mqttuser0001 -t 'mqttuser0001/req/+/mqttuser0002' -d
Client mosqsub|34897-Gilberts sending CONNECT
Client mosqsub|34897-Gilberts received CONNACK (0)
Client mosqsub|34897-Gilberts sending SUBSCRIBE (Mid: 1, Topic: mqttuser0001/req/+/mqttuser0002, QoS: 0)
Client mosqsub|34897-Gilberts received SUBACK
Subscribed (mid: 1): 128

Result: connection succeeded, subscription failed with SUBACK return code 128

4. Subscriber and publisher both connect with correct user names and passwords; the subscriber subscribes to the topic 'mqttuser0001/sub'.

$ mosquitto_sub -p 1883 -u mqttuser0001 -P mqttuser0001 -t 'mqttuser0001/sub' -d
Client mosqsub|34991-Gilberts sending CONNECT
Client mosqsub|34991-Gilberts received CONNACK (0)
Client mosqsub|34991-Gilberts sending SUBSCRIBE (Mid: 1, Topic: mqttuser0001/sub, QoS: 0)
Client mosqsub|34991-Gilberts received SUBACK
Subscribed (mid: 1): 0

The publisher then publishes a message to the topic 'mqttuser0001/sub'.

$ mosquitto_pub -p 1883 -u mqttuser0001 -P mqttuser0001 -t 'mqttuser0001/sub' -m "hello"

Result: the publish was rejected by the ACL check and the subscriber received no message.
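To make the decision logic behind these four results concrete, here is an added Python model (not code from the emqx_auth_ldap project) of the two checks the article describes: verifying a password against an OpenLDAP {SSHA} userPassword value, and matching a topic against the user's mqttPublishTopic, mqttSubscriptionTopic and mqttPubSubTopic attributes with MQTT '+' and '#' wildcards. The directory contents are constructed sample data chosen to reproduce the tests above, not the contents of the project's emqx.io.ldif.

```python
import base64
import hashlib
import hmac

def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, password: str) -> bool:
    """Constant-time check; the salt is whatever follows the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

# Constructed stand-in for the entries the plug-in looks up under auth.ldap.device_dn.
# Attribute names follow emqx.schema; values are sample data, not the project's ldif.
DIRECTORY = {
    "mqttuser0001": {
        "isEnabled": True,
        "userPassword": make_ssha("mqttuser0001", b"s4lt"),
        "mqttPublishTopic": ["mqttuser0001/pub/#"],
        "mqttSubscriptionTopic": ["mqttuser0001/sub/#"],
        "mqttPubSubTopic": ["mqttuser0001/pubsub/#"],
    },
}

def topic_matches(filt: str, topic: str) -> bool:
    """MQTT filter match: '+' is one level, '#' is all remaining levels (parent included)."""
    f, t = filt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or level not in ("+", t[i]):
            return False
    return len(f) == len(t)

def authenticate(username: str, password: str) -> bool:
    """Test 1 vs test 2: the CONNECT is accepted only if the stored {SSHA} value verifies."""
    entry = DIRECTORY.get(username)
    return bool(entry and entry["isEnabled"] and verify_ssha(entry["userPassword"], password))

def check_acl(username: str, action: str, topic: str) -> bool:
    """action is 'publish' or 'subscribe'; mqttPubSubTopic entries allow both."""
    entry = DIRECTORY.get(username, {})
    own = entry.get("mqttPublishTopic" if action == "publish" else "mqttSubscriptionTopic", [])
    return any(topic_matches(f, topic) for f in own + entry.get("mqttPubSubTopic", []))
```

With this data, subscribing to mqttuser0001/sub is allowed while publishing to it is denied, which is exactly the outcome of test 4.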

Once all the functions of emqx_auth_ldap have been tested and verified in this way, the plug-in is ready for production use.
