Contents
Cirrus Link Resources
Chariot MQTT Server v1 (previous version)
Cirrus Link Modules for Ignition
Contact Us (Sales/Support)
Forum
Chariot can be configured to use an LDAP server for MQTT client authentication and authorization instead of Chariot's MQTT Credentials.
This feature is available in Chariot v2.4.2 and newer
LDAP Server
- LDAP Server schema and sample data can be found in the following directory:
samples/ldap/ldif/
- Entries in the LDAP Server used for authentication must support simple bind requests
- Entries in the LDAP Server used for authorization must extend the cls-mqttCredential Object Class and use the cls-subTopicFilter and cls-pubTopicFilter attributes to declare their ACLs (see description below)
LDAP Schema Object Classes
| Name | Identifier | Type | Description |
|---|---|---|---|
cls-mqttCredential | 1.3.6.1.4.1.60051.2.2.1 | Auxiliary | This class represents ACLs associate with an MQTT client. It may include one or more of either of the attributes cls-subTopicFilter or cls-pubTopicFilter |
LDAP Schema Attributes
| Name | Identifier | Description |
|---|---|---|
cls-subTopicFilter | 1.3.6.1.4.1.60051.2.1.1 | An MQTT topic filter to subscribe on |
cls-pubTopicFilter | 1.3.6.1.4.1.60051.2.1.2 | An MQTT topic filter to publish on |
Chariot Configuration
The MQTT Credentials LDAP configuration can be found by navigating to the following page on the Chariot UI and selecting the LDAP tab:
CONFIGURATION → MQTT Credentials
The configuration fields are described below. Note that the format of the attributes and object class name might differ in the configuration than the name in the schema (as is the case with Microsoft Active Directory). An administrator for the LDAP directory server should be consulted to fill in the correct values for the configuration (see examples below).
LDAP auth configuration properties:
| Property | Required | Default | Description |
|---|---|---|---|
| usernameAttributeName | yes | The attribute of an entry that represents the username of the MQTT client to authenticate | |
| subTopicAttributeName | yes | The multivalued attribute of an entry that represents a subscription topic filters | |
| pubTopicAttributeName | yes | The multivalued attribute of an entry that represents a publish topic filters | |
| credentialObjectClassName | yes | The ObjectClass of an entry that holds the credentials | |
| host | yes | The URL of the LDAP server | |
| sysUsername | yes | The distinguished name (DN) that Chariot uses to authenticate with the LDAP server | |
| password | yes | The password that Chariot uses to authenticate with the LDAP server | |
| baseDn | yes | The base distinguished name (DN) where entries used for ACLs will be searched for | |
| aclCheckInterval | yes | The interval (in ms) between ACL updates |
Additionally the Chariot MQTT server must be configured to use the LDAP authentication instead of the internal MQTT Credentials. This can be done by manually editing the following configuration file:
conf/com.cirruslink.chariot.server.config
Example configuration:
messageThreads=I"2" port=I"1883" securePort=I"8883" webSocketPort=I"8090" webSocketSecurePort=I"8091" bindAddress="0.0.0.0" enableNonSecure=B"true" enableSecure=B"false" webSocketEnable=B"false" webSocketEnableSecure=B"false" allowAnonymous=B"false" subscriptionManager.target="(type=default)" authenticationService.target="(type=ldap)" authorizationService.target="(type=ldap)" maxMessageSize=I"268435455" maxConnectSize=I"268435455" maxClientIdLength=I"100" maxTopicLength=I"1024" maxTopicLevels=I"10" connectTimout=I"10000" clientAuthPolicy="none"
LDAP Realm configuration properties:
| Property | Required | Default | Description |
|---|---|---|---|
| authenticationService.target | yes | (type=default) | The Authentication Service target must be set to "(type=ldap)" |
| authorizationService.target | yes | (type=default) | The Authorization Service target must be set to "(type=ldap)" |
Examples
Example Microsoft Active Directory configuration:
Example (OpenDJ) LDAP configuration:
Overview
Content Tools