The Chariot Security Service can be configured to add an LDAP Realm to use when authenticating and authorizing access via the Chariot UI. Each LDAP Realm uses simple bind authentication to connect to the LDAP server to search for users and groups. A user logging in to the Chariot UI will have their username mapped to the distinguished name (DN) of an LDAP entry using a configured template (see below). Chariot will use simple bind authentication to authenticate the user and will then search for group membership to determine the corresponding Chariot Role membership using the configured mapping.
The following file must be manually edited to add an LDAP Realm configuration:
conf/com.cirruslink.chariot.security.config
Example configuration:
```
tokenTimeout="5400000"
ticketTimeout="3000"
defaultRealmEnabled=B"false"
ldap.1.enabled=B"true"
ldap.1.url="ldap://localhost:389"
ldap.1.sysUserDn="cn=chariot"
ldap.1.sysPassword="123456"
ldap.1.userDnTemplate="uid={0},ou=users,dc=cirruslink,dc=com"
ldap.1.groupBaseDn="ou=groups,dc=cirruslink,dc=com"
ldap.1.groupNameAttribute="cn"
ldap.1.groupToRoleMapping="group1=admin,group2=guest"
```
LDAP Realm configuration properties:
Property | Required | Default | Description |
---|---|---|---|
enabled | no | true | A boolean indicating whether the LDAP Realm should be enabled |
url | yes | | The URL of the LDAP server |
sysUserDn | yes | | The distinguished name (DN) that Chariot uses to authenticate with the LDAP server |
sysPassword | yes | | The password that Chariot uses to authenticate with the LDAP server |
userDnTemplate | yes | | The template used to construct the distinguished name (DN) of the LDAP entry corresponding to the user attempting to log in. The login username is represented by "{0}" in the template |
groupBaseDn | yes | | The base distinguished name (DN) under which group entries are found |
groupNameAttribute | yes | | The attribute to use for the group name when mapping to Chariot Role names |
groupToRoleMapping | yes | | A comma-separated list of `group=role` pairs mapping LDAP group names to Chariot Role names |
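The following is an added example, not code from Cirrus Link or the Chariot product: a small Python parser for the `key="value"` / `key=B"..."` / `key=I"..."` line format used by the configuration files on this page, plus a validator for the LDAP Realm properties in the table above. It generalizes beyond the Realm file: the same parser reads the server configuration shown later on the page, since that file uses the same `B"…"` boolean and `I"…"` integer prefixes. The sample configuration embedded in the block is constructed from the example above; the `check_realm` findings (plain `ldap://` flagged because a simple bind sends the password in clear, missing `{0}` placeholder, malformed mapping) are this example's own checks, not checks Chariot performs.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the example Realm configuration on this page.
SAMPLE_CONFIG = '''
tokenTimeout="5400000"
ticketTimeout="3000"
defaultRealmEnabled=B"false"
ldap.1.enabled=B"true"
ldap.1.url="ldap://localhost:389"
ldap.1.sysUserDn="cn=chariot"
ldap.1.sysPassword="123456"
ldap.1.userDnTemplate="uid={0},ou=users,dc=cirruslink,dc=com"
ldap.1.groupBaseDn="ou=groups,dc=cirruslink,dc=com"
ldap.1.groupNameAttribute="cn"
ldap.1.groupToRoleMapping="group1=admin,group2=guest"
'''

# One property per line: key="string", key=B"bool" or key=I"int".
LINE_RE = re.compile(r'^\s*([\w.]+)\s*=\s*([BI]?)"([^"]*)"\s*$')

# Required properties per the LDAP Realm table on this page.
REQUIRED = ("url", "sysUserDn", "sysPassword", "userDnTemplate",
            "groupBaseDn", "groupNameAttribute", "groupToRoleMapping")


def parse_config(text):
    """Parse key=value lines into a dict, converting B"..." to bool and I"..." to int."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        key, kind, raw = m.groups()
        if kind == "B":
            out[key] = raw.lower() == "true"
        elif kind == "I":
            out[key] = int(raw)
        else:
            out[key] = raw
    return out


def ldap_realms(cfg):
    """Group ldap.<n>.<prop> keys into one dict per realm index n."""
    realms = {}
    for key, value in cfg.items():
        parts = key.split(".", 2)
        if len(parts) == 3 and parts[0] == "ldap" and parts[1].isdigit():
            realms.setdefault(int(parts[1]), {})[parts[2]] = value
    return realms


def parse_group_mapping(mapping):
    """'group1=admin,group2=guest' -> {'group1': 'admin', 'group2': 'guest'}."""
    result = {}
    for item in filter(None, (s.strip() for s in mapping.split(","))):
        group, sep, role = item.partition("=")
        if not sep or not group.strip() or not role.strip():
            raise ValueError(f"bad groupToRoleMapping entry: {item!r}")
        result[group.strip()] = role.strip()
    return result


def check_realm(realm):
    """Return a list of findings for one realm: missing keys, format errors, weak transport."""
    findings = []
    if not realm.get("enabled", True):      # 'enabled' defaults to true per the table
        return findings
    for key in REQUIRED:
        if key not in realm:
            findings.append(f"missing required property {key}")
    if "url" in realm:
        scheme = urlparse(realm["url"]).scheme
        if scheme == "ldap":
            findings.append("url uses plain ldap://; the simple-bind password "
                            "crosses the network unencrypted")
        elif scheme != "ldaps":
            findings.append(f"unexpected url scheme {scheme!r}")
    if "userDnTemplate" in realm and "{0}" not in realm["userDnTemplate"]:
        findings.append("userDnTemplate does not contain the {0} username placeholder")
    if "groupToRoleMapping" in realm:
        try:
            parse_group_mapping(realm["groupToRoleMapping"])
        except ValueError as e:
            findings.append(str(e))
    return findings


if __name__ == "__main__":
    for index, realm in ldap_realms(parse_config(SAMPLE_CONFIG)).items():
        for finding in check_realm(realm):
            print(f"ldap.{index}: {finding}")
```

Run against the sample, the only finding is the plain `ldap://` URL; pointing `check_realm` at a parsed production file is a quick way to confirm all required properties are present before restarting the service.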
Chariot can be configured to use an LDAP server for MQTT client authentication and authorization instead of Chariot's MQTT Credentials.
samples/ldap/ldif/
LDAP Schema Object Classes
Name | Identifier | Type | Description |
---|---|---|---|
cls-mqttCredential | 1.3.6.1.4.1.60051.2.2.1 | Auxiliary | This class represents the ACLs associated with an MQTT client. It may carry one or more values of either of the attributes cls-subTopicFilter or cls-pubTopicFilter |
LDAP Schema Attributes
Name | Identifier | Description |
---|---|---|
cls-subTopicFilter | 1.3.6.1.4.1.60051.2.1.1 | An MQTT topic filter to subscribe on |
cls-pubTopicFilter | 1.3.6.1.4.1.60051.2.1.2 | An MQTT topic filter to publish on |
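To show how the two schema attributes above act as an ACL, here is an added Python example (not Cirrus Link code; Chariot's own matching logic is not described on this page). It parses a constructed LDIF entry that uses the `cls-mqttCredential` auxiliary class, then decides publish and subscribe requests against the entry's `cls-subTopicFilter` and `cls-pubTopicFilter` values using MQTT 3.1.1 wildcard rules (`+` one level, `#` remaining levels, wildcards never matching `$`-prefixed topics). The DN, topic names and the `userPassword` value in the sample are constructed placeholders. A subscribe request is itself a filter, so the check asks whether an ACL filter covers every topic the requested filter could match, which denies over-broad subscriptions such as `#`.

```python
# Constructed LDIF entry using the cls-mqttCredential auxiliary class from the schema above.
SAMPLE_LDIF = """\
dn: uid=sensor01,ou=mqtt,dc=cirruslink,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: cls-mqttCredential
uid: sensor01
cn: sensor01
sn: sensor01
userPassword: {SSHA}placeholder-not-a-real-hash
cls-subTopicFilter: spBv1.0/plant1/NCMD/sensor01
cls-subTopicFilter: config/sensor01/#
cls-pubTopicFilter: spBv1.0/plant1/NDATA/sensor01
cls-pubTopicFilter: telemetry/+/sensor01
"""


def parse_ldif_entry(text):
    """Minimal LDIF parser for one entry: {attribute (lower-cased): [values]}.
    Multivalued attributes keep every value; base64 (::) and line folding are not handled."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"bad LDIF line: {line!r}")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def topic_matches(filter_, topic):
    """True if a concrete topic matches an MQTT topic filter (used for publish checks)."""
    if topic.startswith("$") and filter_[:1] in ("+", "#"):
        return False                      # wildcards never match $SYS-style topics
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    for i, lvl in enumerate(f_levels):
        if lvl == "#":
            return i == len(f_levels) - 1  # '#' is only valid as the last level
        if i >= len(t_levels):
            return False
        if lvl != "+" and lvl != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def filter_covers(acl, requested):
    """True if every topic matched by `requested` is also matched by `acl` (subscribe checks)."""
    if requested.startswith("$") and acl[:1] in ("+", "#"):
        return False
    a, r = acl.split("/"), requested.split("/")
    for i, lvl in enumerate(a):
        if lvl == "#":
            return i == len(a) - 1
        if i >= len(r) or r[i] == "#":
            return False                  # requested filter is broader than the ACL here
        if lvl == "+":
            continue                      # '+' covers '+' and any literal level
        if r[i] != lvl:
            return False                  # literal vs '+' or a different literal
    return len(a) == len(r)


def is_allowed(entry, action, topic,
               sub_attr="cls-subtopicfilter", pub_attr="cls-pubtopicfilter"):
    """Authorization decision for action in {'publish', 'subscribe'} on topic/filter."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "cls-mqttcredential" not in classes:
        return False                      # not an MQTT credential entry: no ACLs at all
    if action == "publish":
        return any(topic_matches(f, topic) for f in entry.get(pub_attr, []))
    if action == "subscribe":
        return any(filter_covers(f, topic) for f in entry.get(sub_attr, []))
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    e = parse_ldif_entry(SAMPLE_LDIF)
    for act, t in [("publish", "telemetry/line3/sensor01"), ("subscribe", "#")]:
        print(act, t, "->", "allow" if is_allowed(e, act, t) else "deny")
```

The attribute names are parameters because, as the configuration tables below show, an Active Directory deployment uses `clsSubTopicFilter`/`clsPubTopicFilter` instead of the hyphenated OpenDJ names.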
The following configuration file must be manually added to configure LDAP authentication and authorization in the MQTT server:
conf/com.cirruslink.chariot.server.auth.ldap.config
Example (OpenDJ) LDAP configuration:
```
usernameAttributeName="uid"
subTopicAttributeName="cls-subTopicFilter"
pubTopicAttributeName="cls-pubTopicFilter"
credentialObjectClassName="cls-mqttCredential"
baseDn="dc=cirruslink,dc=com"
url="ldap://localhost:389"
username="cn=chariot"
password="123456"
aclCheckInterval="10000"
```
Example Microsoft Active Directory configuration:
```
usernameAttributeName="sAMAccountName"
subTopicAttributeName="clsSubTopicFilter"
pubTopicAttributeName="clsPubTopicFilter"
credentialObjectClassName="clsMqttCredential"
baseDn="CN=Users,DC=chariot,DC=io"
url="ldap://chariot-testing.chariot.io:389"
sysUserDn="CN=Administrator,CN=Users,DC=chariot,DC=io"
sysPassword="*******"
aclCheckInterval=I"10000"
```
LDAP auth configuration properties:
Property | Required | Default | Description |
---|---|---|---|
usernameAttributeName | yes | | The attribute of an entry that represents the username of the MQTT client to authenticate |
subTopicAttributeName | yes | | The multivalued attribute of an entry that holds the subscription topic filters |
pubTopicAttributeName | yes | | The multivalued attribute of an entry that holds the publish topic filters |
credentialObjectClassName | yes | | The ObjectClass of an entry that holds the credentials |
url | yes | | The URL of the LDAP server |
username | yes | | The distinguished name (DN) that Chariot uses to authenticate with the LDAP server |
password | yes | | The password that Chariot uses to authenticate with the LDAP server |
baseDn | yes | | The base distinguished name (DN) under which entries used for ACLs are searched for |
aclCheckInterval | yes | | The interval (in ms) between ACL updates |
Additionally, the Chariot MQTT server must be configured to use LDAP authentication instead of the internal MQTT Credentials. This is done by manually editing the following configuration file:
conf/com.cirruslink.chariot.server.auth.ldap.config
Example configuration:
```
messageThreads=I"2"
port=I"1883"
securePort=I"8883"
webSocketPort=I"8090"
webSocketSecurePort=I"8091"
bindAddress="0.0.0.0"
enableNonSecure=B"true"
enableSecure=B"false"
webSocketEnable=B"false"
webSocketEnableSecure=B"false"
allowAnonymous=B"false"
subscriptionManager.target="(type=default)"
authenticationService.target="(type=ldap)"
authorizationService.target="(type=ldap)"
maxMessageSize=I"268435455"
maxConnectSize=I"268435455"
maxClientIdLength=I"100"
maxTopicLength=I"1024"
maxTopicLevels=I"10"
connectTimout=I"10000"
clientAuthPolicy="none"
```
LDAP Realm configuration properties:
Property | Required | Default | Description |
---|---|---|---|
authenticationService.target | yes | (type=default) | The Authentication Service target must be set to "(type=ldap)" |
authorizationService.target | yes | (type=default) | The Authorization Service target must be set to "(type=ldap)" |