LDAP Tutorial: Add User Entries and Group Entries
Source: https://access.redhat.com/documentation/en-US/Fuse_MQ_Enterprise/7.1/html/Security_Guide/files/LDAP-AddUserEntries.html
Overview
The basic prerequisite for using LDAP authentication in the broker is to have an X.500 directory server running and configured with a collection of user entries and group entries. For users who are unfamiliar with X.500 directory servers, this section briefly describes how to create user entries and group entries using the Apache Directory Studio as an administrative tool.
Alternative approach
As an alternative to creating the user entries and group entries manually, as described here, you could create the entries by importing an LDIF file—for details, see Appendix B.
Steps to add a user entry
Perform the following steps to add a user entry to the directory server:
- Ensure that the X.500 directory server is running (see Install Apache Directory Server).
- Start the LDAP Browser, as follows:
- If you installed the standalone version of Apache Directory Studio, double-click the relevant icon to launch the application.
- If you installed the LDAP Browser plug-in into an existing Eclipse IDE, start Eclipse and open the LDAP perspective. To open the LDAP perspective, select Window|Open Perspective|Other and, in the Open Perspective dialog, select LDAP and click OK.
- Open a connection to the directory server. Right-click inside the Connections view in the lower left corner and select New Connection. The New LDAP Connection wizard opens.
- Specify the network parameters for the new connection. In the Connection name field, enter Apache Directory Server. In the Hostname field, enter the name of the host where the Apache Directory Server is running. In the Port field, enter the IP port of the directory server (for the default instance of the Apache directory server, this is 10389). Click Next.
Figure 5. New LDAP Connection Wizard
- Enter the parameters for simple authentication. In the Bind DN or user field, enter the DN of the administrator's account on the directory server (for the default instance of the Apache directory server, this is uid=admin,ou=system). In the Bind password field, enter the administrator's password (for the default instance of the Apache directory server, the administrator's password is secret). Click Finish.
Figure 6. Authentication Step of New LDAP Connection
- If the connection is successfully established, you should see an outline of the Directory Information Tree (DIT) in the LDAP Browser view. In the LDAP Browser view, drill down to the ou=system node, as shown.
- The next few steps describe how to create some new nodes to hold the user entries and group entries. Right-click on the ou=system node and select | . The New Entry wizard appears.
- In the Entry Creation Method pane, select the Create entry from scratch radio button. Click Next.
- In the Object Classes pane, select organizationalUnit from the list of Available object classes on the left and then click Add to populate the list of Selected object classes. Click Next.
Figure 7. New Entry Wizard
- In the Distinguished Name pane, complete the RDN field, putting ou in front and ActiveMQ after the equals sign. Click Next and then click Finish.
Figure 8. Distinguished Name Step of New Entry Wizard
- In a similar manner as described in steps 7 to 10, by right-clicking on the ou=ActiveMQ node and invoking the New Entry wizard, create the following organizationalUnit nodes as children of the ou=ActiveMQ node:
ou=User,ou=ActiveMQ,ou=system
ou=Group,ou=ActiveMQ,ou=system
In the LDAP Browser window, you should now see the following tree:
Figure 9. DIT after Creating ActiveMQ, User, and Group Nodes
- The next few steps describe how to create a jdoe user entry. Right-click on the ou=User node and select | . The New Entry wizard appears.
- In the Entry Creation Method pane, select the Create entry from scratch radio button. Click Next.
- In the Object Classes pane, select inetOrgPerson from the list of Available object classes on the left and then click Add to populate the list of Selected object classes. Click Next.
- In the Distinguished Name pane, complete the RDN field, putting uid in front and jdoe after the equals sign. Click Next.
- Now fill in the mandatory attributes in the Attributes pane. Set the cn (common name) attribute to Jane Doe and the sn (surname) attribute to Doe.
- Add a userPassword attribute in the Attributes pane. Right-click inside the list of attributes and select New Attribute. The New Attribute wizard appears.
- From the Attribute type drop-down list, select userPassword. Click Finish.
- The Password Editor dialog appears. In the Enter New Password field, enter the password, sunflower. Click Ok.
Figure 10. Attributes Step of New Entry Wizard
- Click Finish to close the New Entry wizard.
- The next few steps describe how to create an admin user entry. Right-click on the ou=User node and select | . The New Entry wizard appears.
- In the Entry Creation Method pane, select the Create entry from scratch radio button. Click Next.
- In the Object Classes pane, select both account and simpleSecurityObject from the list of Available object classes on the left and then click Add to populate the list of Selected object classes. Click Next.
- In the Distinguished Name pane, complete the RDN field, putting uid in front and admin after the equals sign. Click Next.
- You are now prompted to provide a password, through the Password Editor dialog. In the Enter New Password field, enter the password, sunflower. Click Ok.
Figure 11. Attributes Step of New Entry Wizard
- Click Finish to close the New Entry wizard.
- The next few steps describe how to create the admins group entry. Right-click on the ou=Group node and select | . The New Entry wizard appears.
- In the Entry Creation Method pane, select the Create entry from scratch radio button. Click Next.
- In the Object Classes pane, select groupOfNames from the list of Available object classes on the left and then click Add to populate the list of Selected object classes. Click Next.
- In the Distinguished Name pane, complete the RDN field, putting cn in front and admins after the equals sign. Click Next.
- You are now prompted to provide a value for the mandatory member attribute, through the DN Editor dialog. In the text field, enter the last part of the DN for the admin user, uid=admin. Click Ok.
Figure 12. Attributes Step of New Entry Wizard
- Click Finish to close the New Entry wizard.
- The next few steps describe how to create the users group entry. Right-click on the ou=Group node and select | . The New Entry wizard appears.
- In the Entry Creation Method pane, select the Create entry from scratch radio button. Click Next.
- In the Object Classes pane, select groupOfNames from the list of Available object classes on the left and then click Add to populate the list of Selected object classes. Click Next.
- In the Distinguished Name pane, complete the RDN field, putting cn in front and users after the equals sign. Click Next.
- You are now prompted to provide a value for the mandatory member attribute, through the DN Editor dialog. In the text field, enter the last part of the DN for the jdoe user, uid=jdoe. Click Ok.
- Click Finish to close the New Entry wizard.
- You should now be able to see the following tree in the LDAP Browser window:
Figure 13. Complete Tree of User Entries and Group Entries
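The same tree expressed as LDIF (the import route mentioned under Alternative approach), as an added example that is not from the Red Hat guide or Apache Directory Studio: it stores userPassword as an {SSHA} hash rather than the clear text typed into the Password Editor above, and checks that every groupOfNames member names an entry that actually exists, since a mistyped member DN leaves the role assigned to nobody. The helper names are this example's own; it assumes the directory accepts {SSHA} values (Apache Directory Server does).

```python
import base64
import hashlib
import os
from typing import List, Optional

BASE_DN = "ou=ActiveMQ,ou=system"          # DNs from the wizard steps above
USER_OU = "ou=User," + BASE_DN
GROUP_OU = "ou=Group," + BASE_DN

def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 style {SSHA} = base64(sha1(password + salt) + salt); stored in
    place of the clear text so the directory never holds the password itself."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password: str, stored: str) -> bool:
    """What the server does on bind: split off the salt and recompute."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def ldif_entry(dn: str, **attrs) -> str:
    """Render one LDIF entry; a list value becomes repeated attribute lines."""
    lines = ["dn: " + dn]
    for name, value in attrs.items():
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{name}: {v}")
    return "\n".join(lines) + "\n"

def build_ldif(jdoe_pw: str, admin_pw: str, salt: Optional[bytes] = None) -> str:
    """LDIF reproducing the tree the wizard steps above build by hand."""
    ous = [ldif_entry(dn, objectClass=["top", "organizationalUnit"], ou=dn.split(",")[0][3:])
           for dn in (BASE_DN, USER_OU, GROUP_OU)]
    users = [
        ldif_entry("uid=jdoe," + USER_OU, objectClass=["top", "inetOrgPerson"], uid="jdoe",
                   cn="Jane Doe", sn="Doe", userPassword=ssha(jdoe_pw, salt)),
        ldif_entry("uid=admin," + USER_OU, objectClass=["top", "account", "simpleSecurityObject"],
                   uid="admin", userPassword=ssha(admin_pw, salt))]
    groups = [ldif_entry(f"cn={cn},{GROUP_OU}", objectClass=["top", "groupOfNames"], cn=cn,
                         member=f"uid={uid},{USER_OU}")   # member must be the full DN
              for cn, uid in (("admins", "admin"), ("users", "jdoe"))]
    return "\n".join(ous + users + groups)

def dangling_members(ldif: str) -> List[str]:
    """member DNs naming no entry in the LDIF: that group grants the role to nobody."""
    dns, members = set(), []
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dns.add(line[4:].strip().lower())
        elif line.startswith("member: "):
            members.append(line[8:].strip())
    return [m for m in members if m.lower() not in dns]
```

Write the output of build_ldif to a file and import it with the directory's LDIF import tool; run dangling_members over the file first whenever the group entries are edited by hand.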