...

LDAP Schema Object Classes

Name | Identifier | Type | Description
-----|------------|------|------------
cls-mqttCredential | 1.3.6.1.4.1.60051.2.2.1 | Auxiliary | This class represents the ACLs associated with an MQTT client. It may include one or more values of either of the attributes cls-subTopicFilter or cls-pubTopicFilter.

LDAP Schema Attributes

Name | Identifier | Description
-----|------------|------------
cls-subTopicFilter | 1.3.6.1.4.1.60051.2.1.1 | An MQTT topic filter to subscribe on
cls-pubTopicFilter | 1.3.6.1.4.1.60051.2.1.2 | An MQTT topic filter to publish on
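As an added illustration (not part of the Chariot documentation or product), the following Python shows how a broker could apply the cls-subTopicFilter and cls-pubTopicFilter values of a directory entry as a deny-by-default ACL. The LDIF entry is constructed sample data, and the wildcard semantics ('+' matches one topic level, '#' the remaining levels) are assumed to follow the MQTT specification; Chariot's own matching rules are not described on this page.

```python
# Added example, not Chariot's code: apply the cls-subTopicFilter /
# cls-pubTopicFilter values of a directory entry as a deny-by-default ACL.
# Assumption: '+' matches one topic level and '#' the remaining levels (MQTT spec);
# Chariot's own matching rules are not stated on this page.
from typing import Dict, List

# Constructed LDIF-style entry (sample data, not from a real directory).
SAMPLE_ENTRY = """\
dn: cn=sensor01,ou=mqtt,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: cls-mqttCredential
cn: sensor01
cls-subTopicFilter: cmd/sensor01/#
cls-subTopicFilter: config/+/sensor01
cls-pubTopicFilter: telemetry/sensor01/+
"""

def parse_entry(ldif: str) -> Dict[str, List[str]]:
    """Collect the (multivalued) attributes of one simple LDIF entry."""
    attrs: Dict[str, List[str]] = {}
    for line in ldif.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def filter_covers(acl_filter: str, requested: str) -> bool:
    """True if every topic matched by `requested` (a topic name or a filter the
    client asks to subscribe to) is also matched by `acl_filter`."""
    a_levels, r_levels = acl_filter.split("/"), requested.split("/")
    for i, a in enumerate(a_levels):
        if a == "#":
            return i == len(a_levels) - 1   # '#' is only valid as the last level
        if i >= len(r_levels) or r_levels[i] == "#":
            return False                    # requested is shorter, or broader than the ACL
        if a != "+" and a != r_levels[i]:
            return False                    # literal level must match exactly
    return len(a_levels) == len(r_levels)

def is_allowed(entry: Dict[str, List[str]], action: str, topic: str) -> bool:
    """Deny unless the entry carries the auxiliary class and a filter covers the topic."""
    attr = {"subscribe": "cls-subTopicFilter", "publish": "cls-pubTopicFilter"}[action]
    if "cls-mqttCredential" not in entry.get("objectClass", []):
        return False
    return any(filter_covers(f, topic) for f in entry.get(attr, []))
```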

Chariot Configuration

The MQTT Credentials LDAP configuration can be found by navigating to the following page on the Chariot UI and selecting the LDAP tab:

...

The configuration fields are described below. Note that the names of the attributes and of the object class used in the configuration may differ from the names in the schema (as is the case with Microsoft Active Directory). Consult the administrator of the LDAP directory server for the correct values (see the examples below).

LDAP auth configuration properties:

Tip

As of release v2.5.0, Chariot uses the supplied login username as the name in the simple bind request to the Microsoft AD server. Additionally, the Domain, Auto Suffix, and Username Suffix and Prefix properties can be configured to support bind requests with a user principal name (UPN) of another form.


Property | Required | Default | Description
---------|----------|---------|------------
usernameAttributeName (Username Attribute Name) | yes | | The attribute of an entry that represents the username of the MQTT client to authenticate
subTopicAttributeName (Sub Topic Attribute Name) | yes | | The multivalued attribute of an entry that holds the subscription topic filters
pubTopicAttributeName (Pub Topic Attribute Name) | yes | | The multivalued attribute of an entry that holds the publish topic filters
credentialObjectClassName (Credential Object Class Name) | yes | | The objectClass of an entry that holds the credentials
host (Host) | yes | | The URL of the LDAP server
sysUsername (System Username) | yes | | The distinguished name (DN) that Chariot uses to authenticate with the LDAP server
password (System Password) | yes | | The password that Chariot uses to authenticate with the LDAP server
baseDn (Base DN) | yes | | The base distinguished name (DN) under which the entries used for ACLs are searched for
aclCheckInterval (ACL Check Interval) | yes | | The interval (in ms) between ACL updates

Additionally the Chariot MQTT server must be configured to use the LDAP authentication instead of the internal MQTT Credentials.  This can be done by manually editing the following configuration file:

conf/com.cirruslink.chariot.server.config

Example configuration:

messageThreads=I"2"
port=I"1883"
securePort=I"8883"
webSocketPort=I"8090"
webSocketSecurePort=I"8091"
bindAddress="0.0.0.0"
enableNonSecure=B"true"
enableSecure=B"false"
webSocketEnable=B"false"
webSocketEnableSecure=B"false"
allowAnonymous=B"false"
subscriptionManager.target="(type=default)"
authenticationService.target="(type=ldap)"
authorizationService.target="(type=ldap)"
maxMessageSize=I"268435455"
maxConnectSize=I"268435455"
maxClientIdLength=I"100"
maxTopicLength=I"1024"
maxTopicLevels=I"10"
connectTimout=I"10000"
clientAuthPolicy="none"

LDAP Realm configuration properties:

Property | Required | Default | Description
---------|----------|---------|------------
Domain | no | | The Windows Active Directory domain name. Example: "MyDomain.com".
Auto Suffix | no | false | Whether Chariot should automatically append "@<domain>" to the username when authenticating
Username Suffix | no | | A manually specified suffix to append to the username when authenticating
Username Prefix | no | | A manually specified prefix to prepend to the username when authenticating

Server configuration properties (conf/com.cirruslink.chariot.server.config):

Property | Required | Default | Description
---------|----------|---------|------------
authenticationService.target | yes | (type=default) | The Authentication Service target must be set to "(type=ldap)"
authorizationService.target | yes | (type=default) | The Authorization Service target must be set to "(type=ldap)"



Examples

Example Microsoft Active Directory configuration:

Example (OpenDJ) LDAP configuration:

...