To add a Microsoft Active Directory source, complete the following steps:

Configuration Fields:

Property | Required | Description | Default |
---|---|---|---|
Name | X | A unique name for this source configuration | |
Enabled | | A boolean indicating if the LDAP Realm should be enabled | true |
Host | X | The IP address or hostname of the directory server | |
Port | X | The port number of the directory server | 389 |
Use TLS | | Whether to use a TLS encrypted connection | false |
System Username | X | The Distinguished Name (DN) used to authenticate with the directory server | |
System Password | X | The password used to authenticate with the directory server | |
User Search Base | X | The base Distinguished Name (DN) for searching for users in the directory server | |
User Search Filter | | The search filter for querying a user | (&(objectClass=user)(sAMAccountName={0})) |
User List Filter | | The search filter for listing users | (&(objectClass=user)(sAMAccountName=*)) |
User Name Attribute | | The directory server attribute that represents the short name of the user | sAMAccountName |
User Full Name Attributes | | The directory server attribute that represents the full name of the user | name |
User Group Attribute | | The directory server attribute that represents the groups of a user | memberOf |
Group Search Base | X | The base Distinguished Name (DN) for searching for groups in the directory server | |
Group Search Filter | | The search filter for querying groups in the directory server | (objectClass=group) |
Group Name Attribute | | The directory server attribute that represents the group name | cn |
Group To Role Mapping | X | A comma separated mapping of directory server group names to Chariot role names | |
Referral | | How Chariot should handle referrals returned by the directory server ('ignore' or 'follow') | ignore |
Connect Timeout | | The maximum time in milliseconds that Chariot will attempt a connection to the directory server | 10000 |
Read Timeout | | The maximum time in milliseconds that Chariot will attempt a read with the directory server | 5000 |
Enable Cache | | Whether results from the directory server should be cached locally | true |
Cache Timeout | | The period of time cached results will be held before needing to be updated | 10000 |
...
To add a generic LDAP directory server source, complete the following steps:

Configuration Fields:

Property | Required | Description | Default |
---|---|---|---|
Name | X | A unique name for this source configuration | |
Enabled | | A boolean indicating if the LDAP Realm should be enabled | true |
Host | X | The IP address or hostname of the directory server | |
Port | X | The port number of the directory server | 389 |
Use TLS | | Whether to use a TLS encrypted connection | false |
System Username | X | The Distinguished Name (DN) used to authenticate with the directory server | |
System Password | X | The password used to authenticate with the directory server | |
User Search Base | X | The base Distinguished Name (DN) for searching for users in the directory server | ou=users,dc=example,dc=com |
User DN Template | X | The template for building the user's Distinguished Name (DN) | uid={0},ou=users,dc=example,dc=com |
User List Filter | | The search filter for listing users | (&(objectClass=inetOrgPerson)(uid=*)) |
User Name Attribute | | The directory server attribute that represents the short name of the user | uid |
User Full Name Attributes | | The directory server attribute that represents the full name of the user | cn |
Group Search Base | X | The base Distinguished Name (DN) for searching for groups in the directory server | ou=groups,dc=example,dc=com |
Group Search Filter | | The search filter for querying groups in the directory server | (objectClass=groupOfNames) |
Group Name Attribute | | The directory server attribute that represents the group name | cn |
Group To Role Mapping | X | A comma separated mapping of directory server group names to Chariot role names | |
Referral | | How Chariot should handle referrals returned by the directory server ('ignore' or 'follow') | ignore |
Connect Timeout | | The maximum time in milliseconds that Chariot will attempt a connection to the directory server | 10000 |
Read Timeout | | The maximum time in milliseconds that Chariot will attempt a read with the directory server | 5000 |
Enable Cache | | Whether results from the directory server should be cached locally | true |
Cache Timeout | | The period of time cached results will be held before needing to be updated | 10000 |
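The fields in the two tables above fit together the same way for Active Directory and for a generic LDAP server: the login name is substituted for {0} in the User Search Filter (or User DN Template), the user's groups are read from the User Group Attribute (or found through the Group Search Base and Group Search Filter), and the group names are turned into Chariot roles through the Group To Role Mapping. The Python script below is an added example, not Chariot code, that walks through that resolution for a constructed AD entry. It assumes the mapping is written as group=role pairs (the page only says it is comma separated), and it escapes the substituted login name according to RFC 4515 before placing it in the filter; whether Chariot applies that escaping itself is not stated on the page.

```python
"""Resolve a directory user to Chariot roles from the realm source fields (added example)."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample of the source configuration fields from the tables above
# (Active Directory defaults). The "group=role" form of Group To Role Mapping is
# an assumption made for this example; the page only calls it comma separated.
AD_SOURCE = {
    "user_search_base": "ou=users,dc=example,dc=com",
    "user_search_filter": "(&(objectClass=user)(sAMAccountName={0}))",
    "user_name_attribute": "sAMAccountName",
    "user_group_attribute": "memberOf",
    "group_name_attribute": "cn",
    "group_to_role_mapping": "MQTT Publishers=publisher, MQTT Admins=admin",
}

# RFC 4515 escaping for a value substituted into a search filter, so that a login
# name containing ')', '(' or '*' is compared as a literal rather than rewriting
# the filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Substitute the login name into the {0} placeholder of the User Search Filter."""
    return template.replace("{0}", escape_filter_value(username))


def parse_group_mapping(mapping: str) -> Dict[str, str]:
    """Parse 'group=role, group=role' into {group: role} (assumed format, see above)."""
    result: Dict[str, str] = {}
    for pair in mapping.split(","):
        pair = pair.strip()
        if not pair:
            continue
        group, _, role = pair.partition("=")
        result[group.strip()] = role.strip()
    return result


def rdn_value(dn: str, attribute: str) -> Optional[str]:
    """Return the value of the first RDN of `dn` if its attribute type matches.

    Escaped commas (\\,) inside a value do not split the DN. Attribute types are
    compared case-insensitively (AD returns CN=, the table default is cn).
    """
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = first.partition("=")
    if attr.strip().lower() == attribute.lower():
        return value.strip()
    return None


def roles_for_entry(entry: Dict[str, List[str]], source: Dict[str, str]) -> Set[str]:
    """Map the group DNs in the User Group Attribute (memberOf) onto Chariot roles.

    Groups without a mapping contribute nothing, so a user in no mapped group
    ends up with an empty role set. Taking the group name from the RDN of the
    memberOf DN is a simplification; a realm using Group Search Base/Filter
    would search for the group entry and read its Group Name Attribute.
    """
    mapping = parse_group_mapping(source["group_to_role_mapping"])
    roles: Set[str] = set()
    for group_dn in entry.get(source["user_group_attribute"], []):
        name = rdn_value(group_dn, source["group_name_attribute"])
        if name in mapping:
            roles.add(mapping[name])
    return roles


# Constructed directory entry in the shape an AD search would return.
SAMPLE_ENTRY = {
    "sAMAccountName": ["alice"],
    "name": ["Alice Example"],
    "memberOf": [
        "CN=MQTT Publishers,OU=Groups,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=example,DC=com",
    ],
}

if __name__ == "__main__":
    print(build_user_filter(AD_SOURCE["user_search_filter"], "alice"))
    print(build_user_filter(AD_SOURCE["user_search_filter"], "alice)(objectClass=*"))
    print(sorted(roles_for_entry(SAMPLE_ENTRY, AD_SOURCE)))
```

The second build_user_filter call shows why the escaping matters: with it, a login name containing ) or * is compared as a literal value and the filter keeps the structure the table's default defines. Only groups named in Group To Role Mapping produce roles, so "Domain Users" in the constructed entry is ignored.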
Chariot can be configured to use an LDAP server for MQTT client authentication and authorization instead of Chariot's MQTT Credentials.
samples/ldap/ldif/
LDAP Schema Object Classes

Name | OID |
---|---|
cls-mqttCredential | 1.3.6.1.4.1.60051.2.2.1 |

LDAP Schema Attributes

Name | OID | Description |
---|---|---|
cls-subTopicFilter | 1.3.6.1.4.1.60051.2.1.1 | An MQTT topic filter to subscribe on |
cls-pubTopicFilter | 1.3.6.1.4.1.60051.2.1.2 | An MQTT topic filter to publish on |
The following configuration file must be manually added to configure LDAP authentication and authorization in the MQTT server:
conf/com.cirruslink.chariot.server.auth.ldap.config
Example (OpenDJ) LDAP configuration:

```
usernameAttributeName="uid"
subTopicAttributeName="cls-subTopicFilter"
pubTopicAttributeName="cls-pubTopicFilter"
credentialObjectClassName="cls-mqttCredential"
baseDn="dc=cirruslink,dc=com"
url="ldap://localhost:389"
username="cn=chariot"
password="123456"
aclCheckInterval="10000"
```
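The configuration file above names the attributes and object class Chariot reads from the directory, and the schema section defines cls-subTopicFilter and cls-pubTopicFilter as MQTT topic filters. The Python script below is an added example, not Chariot's implementation: it parses a constructed configuration in the same key="value" form, keeps a constructed cls-mqttCredential entry in memory in place of a directory search, and decides publish and subscribe requests with MQTT 3.1.1 topic filter matching (+ for one level, # for the remainder). The configuration text, entry values and host name are constructed for the example.

```python
"""Authorize MQTT publish/subscribe requests against cls-mqttCredential entries (added example)."""
import re
from typing import Dict, List

# Constructed contents of a conf/com.cirruslink.chariot.server.auth.ldap.config in the
# key="value" form shown above; the attribute and object class names are the page's,
# the host name is made up for this example.
CONFIG_TEXT = '''usernameAttributeName="uid"
subTopicAttributeName="cls-subTopicFilter"
pubTopicAttributeName="cls-pubTopicFilter"
credentialObjectClassName="cls-mqttCredential"
baseDn="dc=cirruslink,dc=com"
url="ldaps://ldap.example.com:636"
username="cn=chariot"
aclCheckInterval="10000"
'''


def parse_config(text: str) -> Dict[str, str]:
    """Parse key="value" lines; blank lines and '#' comments are skipped."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r'([\w.]+)="([^"]*)"', line)
        if not match:
            raise ValueError(f"unparseable config line: {line}")
        config[match.group(1)] = match.group(2)
    return config


# Constructed directory entry using the cls-mqttCredential object class and its two
# multi-valued topic filter attributes from the schema above, keyed by uid.
SAMPLE_ENTRIES = {
    "sensor-01": {
        "objectClass": ["top", "cls-mqttCredential"],
        "uid": ["sensor-01"],
        "cls-pubTopicFilter": ["plant/line1/sensor-01/#"],
        "cls-subTopicFilter": ["plant/line1/+/command", "plant/broadcast"],
    }
}


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT 3.1.1 matching: '+' matches one level, '#' (last level only) matches the rest.

    'a/#' also matches the parent topic 'a'. Filters that begin with a wildcard never
    match topics beginning with '$' (e.g. $SYS), as the specification requires.
    """
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def is_authorized(entries: Dict[str, Dict[str, List[str]]], config: Dict[str, str],
                  username: str, action: str, topic: str) -> bool:
    """Deny by default; allow only if a filter on the user's credential entry matches.

    `action` is 'publish' (checked against pubTopicAttributeName) or 'subscribe'
    (checked against subTopicAttributeName).
    """
    entry = entries.get(username)
    if entry is None:
        return False
    if config["credentialObjectClassName"] not in entry.get("objectClass", []):
        return False
    if entry.get(config["usernameAttributeName"]) != [username]:
        return False
    attr = config["pubTopicAttributeName"] if action == "publish" else config["subTopicAttributeName"]
    return any(topic_matches(f, topic) for f in entry.get(attr, []))


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(is_authorized(SAMPLE_ENTRIES, cfg, "sensor-01", "publish", "plant/line1/sensor-01/temp"))
    print(is_authorized(SAMPLE_ENTRIES, cfg, "sensor-01", "publish", "plant/line1/sensor-02/temp"))
```

A user whose entry lacks the credential object class, or whose entry has no matching filter for the requested action, is refused. The constructed configuration uses an ldaps:// URL rather than the ldap://localhost:389 of the OpenDJ example, so the system bind password is not sent in cleartext when the directory runs on another host; the Use TLS field plays the same role for the realm sources above.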
Example Microsoft Active Directory configuration:
...
...
10000
...
LDAP auth configuration properties:
...
Additionally, the Chariot MQTT server must be configured to use LDAP authentication instead of the internal MQTT Credentials. This can be done by manually editing the following configuration file:
conf/com.cirruslink.chariot.server.auth.ldap.config
Example configuration:

```
messageThreads=I"2"
port=I"1883"
securePort=I"8883"
webSocketPort=I"8090"
webSocketSecurePort=I"8091"
bindAddress="0.0.0.0"
enableNonSecure=B"true"
enableSecure=B"false"
webSocketEnable=B"false"
webSocketEnableSecure=B"false"
allowAnonymous=B"false"
subscriptionManager.target="(type=default)"
authenticationService.target="(type=ldap)"
authorizationService.target="(type=ldap)"
maxMessageSize=I"268435455"
maxConnectSize=I"268435455"
maxClientIdLength=I"100"
maxTopicLength=I"1024"
maxTopicLevels=I"10"
connectTimout=I"10000"
clientAuthPolicy="none"
```
LDAP Realm configuration properties: