Chariot can be configured to use an LDAP server for MQTT client authentication and authorization instead of Chariot's MQTT Credentials.
samples/ldap/ldif/
LDAP Schema Object Classes
Name | Identifier | Type | Description |
---|---|---|---|
cls-mqttCredential | 1.3.6.1.4.1.60051.2.2.1 | Auxiliary | This class represents the ACLs associated with an MQTT client. It may include one or more values of either of the attributes cls-subTopicFilter or cls-pubTopicFilter |
LDAP Schema Attributes
Name | Identifier | Description |
---|---|---|
cls-subTopicFilter | 1.3.6.1.4.1.60051.2.1.1 | An MQTT topic filter to subscribe on |
cls-pubTopicFilter | 1.3.6.1.4.1.60051.2.1.2 | An MQTT topic filter to publish on |
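As an added illustration (not Chariot's own code, and not one of the files under samples/ldap/ldif/), the following Python parses a constructed LDIF entry that uses the object class and attributes above and checks a publish or subscribe request against its filters. It assumes Chariot applies standard MQTT wildcard semantics (`+` for one level, `#` for the remainder) when evaluating cls-subTopicFilter and cls-pubTopicFilter values; the entry contents are constructed sample data.

```python
from typing import Dict, List

# Constructed LDIF entry using the schema on this page (sample data, not a real client).
SAMPLE_LDIF = """\
dn: uid=sensor01,dc=cirruslink,dc=com
objectClass: inetOrgPerson
objectClass: cls-mqttCredential
uid: sensor01
cls-pubTopicFilter: plant1/sensor01/#
cls-subTopicFilter: plant1/commands/sensor01
cls-subTopicFilter: plant1/broadcast/+
"""


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values (multivalued attributes keep every value)."""
    entry: Dict[str, List[str]] = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' matches exactly one level, '#' matches zero or more trailing levels."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True  # '#' is only valid as the last level and covers the rest of the topic
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def is_authorized(entry: Dict[str, List[str]], action: str, topic: str,
                  sub_attr: str = "cls-subTopicFilter", pub_attr: str = "cls-pubTopicFilter",
                  cred_class: str = "cls-mqttCredential") -> bool:
    """Allow the action only if the entry carries the credential objectClass and a filter covers the topic.
    The attribute and class names default to the ones on this page but can be overridden, mirroring
    the *AttributeName / credentialObjectClassName settings (assumption about how they are applied)."""
    if cred_class not in entry.get("objectClass", []):
        return False  # entry is not an MQTT credential: deny regardless of any filter attributes
    attr = sub_attr if action == "subscribe" else pub_attr
    return any(topic_matches(f, topic) for f in entry.get(attr, []))
```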
The following configuration file must be manually added to configure LDAP authentication and authorization in the MQTT server:
conf/com.cirruslink.chariot.server.auth.ldap.config
Example (OpenDJ) LDAP configuration:
```
usernameAttributeName="uid"
subTopicAttributeName="cls-subTopicFilter"
pubTopicAttributeName="cls-pubTopicFilter"
credentialObjectClassName="cls-mqttCredential"
baseDn="dc=cirruslink,dc=com"
url="ldap://localhost:389"
username="cn=chariot"
password="123456"
aclCheckInterval="10000"
```
Example Microsoft Active Directory configuration:
```
usernameAttributeName="sAMAccountName"
subTopicAttributeName="clsSubTopicFilter"
pubTopicAttributeName="clsPubTopicFilter"
credentialObjectClassName="clsMqttCredential"
baseDn="CN=Users,DC=chariot,DC=io"
url="ldap://chariot-testing.chariot.io:389"
sysUserDn="CN=Administrator,CN=Users,DC=chariot,DC=io"
sysPassword="*******"
aclCheckInterval=I"10000"
```
LDAP auth configuration properties:
Property | Required | Default | Description |
---|---|---|---|
usernameAttributeName | yes | | The attribute of an entry that represents the username of the MQTT client to authenticate |
subTopicAttributeName | yes | | The multivalued attribute of an entry that holds the subscription topic filters |
pubTopicAttributeName | yes | | The multivalued attribute of an entry that holds the publish topic filters |
credentialObjectClassName | yes | | The ObjectClass of an entry that holds the credentials |
url | yes | | The URL of the LDAP server |
username | yes | | The distinguished name (DN) that Chariot uses to authenticate with the LDAP server |
password | yes | | The password that Chariot uses to authenticate with the LDAP server |
baseDn | yes | | The base distinguished name (DN) under which entries used for ACLs are searched for |
aclCheckInterval | yes | | The interval (in ms) between ACL updates |
Additionally, the Chariot MQTT server must be configured to use LDAP authentication instead of the internal MQTT Credentials. This is done by manually editing the following configuration file:
conf/com.cirruslink.chariot.server.auth.ldap.config
Example configuration:
```
messageThreads=I"2"
port=I"1883"
securePort=I"8883"
webSocketPort=I"8090"
webSocketSecurePort=I"8091"
bindAddress="0.0.0.0"
enableNonSecure=B"true"
enableSecure=B"false"
webSocketEnable=B"false"
webSocketEnableSecure=B"false"
allowAnonymous=B"false"
subscriptionManager.target="(type=default)"
authenticationService.target="(type=ldap)"
authorizationService.target="(type=ldap)"
maxMessageSize=I"268435455"
maxConnectSize=I"268435455"
maxClientIdLength=I"100"
maxTopicLength=I"1024"
maxTopicLevels=I"10"
connectTimout=I"10000"
clientAuthPolicy="none"
```
LDAP Realm configuration properties:
Property | Required | Default | Description |
---|---|---|---|
authenticationService.target | yes | (type=default) | The Authentication Service target must be set to "(type=ldap)" |
authorizationService.target | yes | (type=default) | The Authorization Service target must be set to "(type=ldap)" |