Contents
Cirrus Link Resources
Chariot MQTT Server v1 (previous version)
Cirrus Link Modules for Ignition
Contact Us (Sales/Support)
Forum
Chariot UI - LDAP Users and Groups/Roles
The Chariot Security Service can be configured to add an LDAP Realm to use when authenticating and authorizing access via the Chariot UI. Each LDAP Realm uses a simple bind authentication to connect to the LDAP server to search for users and groups. A user that is logging in to the Chariot UI will have their username mapped to the distinguished name (DN) of an LDAP entry using a configure template (see below). Chariot will use simple bind authentication to authenticate the user and will search for group membership to determine the corresponding Chariot Role membership using the configured mapping.
Adding a Microsoft Active Directory source
To add a Microsoft Active Directory source, navigate to the following page:
CONFIGURATION → Accounts → Sources
Click on the Add Source button and select the "Active Directory" Source Type.
Configuration Fields:
| Property | Required | Description | Default |
|---|---|---|---|
| Name | X | A unique name for this source configuration | |
| Enabled | A boolean indicating if the LDAP Realm should be enabled | true | |
| Host | X | The IP address or hostname of the directory server | |
| Port | X | The port number of the directory server | 389 |
| Use TLS | Whether to use a TLS encrypted connection | false | |
| System Username | X | The Distinguished Name (DN) used to authenticate with the directory server | |
| System Password | X | The password used to authenticate with the directory server | |
| User Search Base | X | The base Distinguished Name (DN) for searching for users in the directory server | |
| User Search Filter | The search filter for querying a user | (&(objectClass=user)(sAMAccountName={0})) | |
| User List Filter | The search filter for listing users | (&(objectClass=user)(sAMAccountName=*)) | |
| User Name Attribute | The directory server attribute that represents the short name of the user | sAMAccountName | |
| User Full Name Attributes | The directory server attribute that represents the full name of the user | name | |
| User Group Attribute | The directory server attribute that represents the groups of a user | memberOf | |
| Group Search Base | X | The base Distinguished Name (DN) for searching for groups in the directory server | |
| Group Search Filter | The search filter for querying groups in the directory server | (objectClass=group) | |
| Group Name Attribute | The directory server attribute that represents the group name | cn | |
| Group To Role Mapping | X | A comma separated mapping of directory server group names to Chariot role names | |
| Referral | How Chariot should handle referrals returned by the directory server ('ignore' or 'follow') | ignore | |
| Connect Timeout | The maximum time in milliseconds that Chariot will attempt a connection to the directory server | 10000 | |
| Read Timeout | The maximum time in milliseconds that Chariot will attempt a read with the directory server | 5000 | |
| Enable Cache | Whether results from the directory serve should be cached locally | true | |
| Cache Timeout | The period of time cached results will be held before needing to be updated | 10000 |
Adding an LDAP directory server source
To add a generic LDAP directory server source, navigate to the following page:
CONFIGURATION → Accounts → Sources
Click on the Add Source button and select the "LDAP" Source Type.
Configuration Fields:
| Property | Required | Description | Default |
|---|---|---|---|
| Name | X | A unique name for this source configuration | |
| Enabled | A boolean indicating if the LDAP Realm should be enabled | true | |
| Host | X | The IP address or hostname of the directory server | |
| Port | X | The port number of the directory server | 389 |
| Use TLS | Whether to use a TLS encrypted connection | false | |
| System Username | X | The Distinguished Name (DN) used to authenticate with the directory server | |
| System Password | X | The password used to authenticate with the directory server | |
| User Search Base | X | The base Distinguished Name (DN) for searching for users in the directory server | ou=users,dc=example,dc=com |
| User DN Template | X | The template for building the user's Distinguished Name (DN) | uid={0},ou=users,dc=example,dc=com |
| User List Filter | The search filter for listing users | (&(objectClass=inetOrgPerson)(uid=*)) | |
| User Name Attribute | The directory server attribute that represents the short name of the user | uid | |
| User Full Name Attributes | The directory server attribute that represents the full name of the user | cn | |
| Group Search Base | X | The base Distinguished Name (DN) for searching for groups in the directory server | ou=groups,dc=example,dc=com |
| Group Search Filter | The search filter for querying groups in the directory server | (objectClass=groupOfNames) | |
| Group Name Attribute | The directory server attribute that represents the group name | cn | |
| Group To Role Mapping | X | A comma separated mapping of directory server group names to Chariot role names | |
| Referral | How Chariot should handle referrals returned by the directory server ('ignore' or 'follow') | ignore | |
| Connect Timeout | The maximum time in milliseconds that Chariot will attempt a connection to the directory server | 10000 | |
| Read Timeout | The maximum time in milliseconds that Chariot will attempt a read with the directory server | 5000 | |
| Enable Cache | Whether results from the directory serve should be cached locally | true | |
| Cache Timeout | The period of time cached results will be held before needing to be updated | 10000 |
Everything below this line is outdated
Chariot MQTT - LDAP Authentication and ACLs
Chariot can be configured to use an LDAP server for MQTT client authentication and authorization instead of Chariot's MQTT Credentials.
LDAP Server
- LDAP Server schema and sample data can be found in the following directory:
samples/ldap/ldif/
- Entries in the LDAP Server used for authentication must support simple bind requests
- Entries in the LDAP Server used for authorization must extend the cls-mqttCredential Object Class and use the cls-subTopicFilter and cls-pubTopicFilter attributes to declare their ACLs (see description below)
LDAP Schema Object Classes
| Name | Identifier | Type | Description |
|---|---|---|---|
cls-mqttCredential | 1.3.6.1.4.1.60051.2.2.1 | Auxiliary | This class represents ACLs associate with an MQTT client. It may include one or more of either of the attributes cls-subTopicFilter or cls-pubTopicFilter |
LDAP Schema Attributes
| Name | Identifier | Description |
|---|---|---|
cls-subTopicFilter | 1.3.6.1.4.1.60051.2.1.1 | An MQTT topic filter to subscribe on |
cls-pubTopicFilter | 1.3.6.1.4.1.60051.2.1.2 | An MQTT topic filter to publish on |
Chariot Configuration
The following configuration file must be manually added to configure LDAP authentication and authorization in the MQTT server:
conf/com.cirruslink.chariot.server.auth.ldap.config
Example (OpenDJ) LDAP configuration:
usernameAttributeName="uid" subTopicAttributeName="cls-subTopicFilter" pubTopicAttributeName="cls-pubTopicFilter" credentialObjectClassName="cls-mqttCredential" baseDn="dc=cirruslink,dc=com" url="ldap://localhost:389" username="cn=chariot" password="123456" aclCheckInterval="10000"
Example Microsoft Active Directory configuration:
usernameAttributeName="sAMAccountName" subTopicAttributeName="clsSubTopicFilter" pubTopicAttributeName="clsPubTopicFilter" credentialObjectClassName="clsMqttCredential" baseDn="CN=Users,DC=chariot,DC=io" url="ldap://chariot-testing.chariot.io:389" sysUserDn="CN=Administrator,CN=Users,DC=chariot,DC=io" sysPassword="*******" aclCheckInterval=I"10000"
LDAP auth configuration properties:
| Property | Required | Default | Description |
|---|---|---|---|
| usernameAttributeName | yes | The attribute of an entry that represents the username of the MQTT client to authenticate | |
| subTopicAttributeName | yes | The multivalued attribute of an entry that represents a subscription topic filters | |
| pubTopicAttributeName | yes | The multivalued attribute of an entry that represents a publish topic filters | |
| credentialObjectClassName | yes | The ObjectClass of an entry that holds the credentials | |
| url | yes | The URL of the LDAP server | |
| username | yes | The distinguished name (DN) that Chariot uses to authenticate with the LDAP server | |
| password | yes | The password that Chariot uses to authenticate with the LDAP server | |
| baseDn | yes | The base distinguished name (DN) where entries used for ACLs will be searched for | |
| aclCheckInterval | yes | The interval (in ms) between ACL updates |
Additionally the Chariot MQTT server must be configured to use the LDAP authentication instead of the internal MQTT Credentials. This can be done by manually editing the following configuration file:
conf/com.cirruslink.chariot.server.auth.ldap.config
Example configuration:
messageThreads=I"2" port=I"1883" securePort=I"8883" webSocketPort=I"8090" webSocketSecurePort=I"8091" bindAddress="0.0.0.0" enableNonSecure=B"true" enableSecure=B"false" webSocketEnable=B"false" webSocketEnableSecure=B"false" allowAnonymous=B"false" subscriptionManager.target="(type=default)" authenticationService.target="(type=ldap)" authorizationService.target="(type=ldap)" maxMessageSize=I"268435455" maxConnectSize=I"268435455" maxClientIdLength=I"100" maxTopicLength=I"1024" maxTopicLevels=I"10" connectTimout=I"10000" clientAuthPolicy="none"
LDAP Realm configuration properties:
| Property | Required | Default | Description |
|---|---|---|---|
| authenticationService.target | yes | (type=default) | The Authentication Service target must be set to "(type=ldap)" |
| authorizationService.target | yes | (type=default) | The Authorization Service target must be set to "(type=ldap)" |
Overview
Content Tools