LDAP / Active Directory
Authenticate users against an LDAP directory (e.g., OpenLDAP, AD-LDS).
MAPS can use a native LDAP identity provider (configured via AuthManager.config) or a JAAS module. Choose one approach per realm.
The native provider reads users and groups from LDAP; it does not write to the directory.
Option A — Native LDAP identity provider (AuthManager)
Configure LDAP under AuthManager.config and select the provider by name.
```yaml
AuthManager:
  authenticationEnabled: true
  authorizationEnabled: false
  config:
    identityProvider: "ldap"   # <- use the MAPS LDAP provider
    java.naming.provider.url: "ldap://ldap.example.com:389"
    java.naming.security.principal: "cn=admin,dc=example,dc=com"
    java.naming.security.credentials: "CHANGE_ME"
    java.naming.security.authentication: "simple"   # default; use 'none' or SASL as required
    # java.naming.factory.initial defaults to com.sun.jndi.ldap.LdapCtxFactory
    # Search bases
    searchBase: "ou=people,dc=example,dc=com"
    groupSearchBase: "ou=groups,dc=example,dc=com"
    # Password attribute to read (binary OK). The '{crypt}' prefix is handled.
    passwordKeyName: "userPassword"
```
How it works (MAPS LDAP provider):
- Establishes a JNDI context using the provided `java.naming.*` properties.
- Loads users from `searchBase` (initial discovery uses `(cn=*)`; user lookup uses `(uid=<username>)`).
- Reads the password from `passwordKeyName` (supports binary values and `{crypt}` prefix stripping).
- Loads groups from `groupSearchBase` via the filter `(memberUid=<username>)`; group names come from `cn`.
- Populates in-memory maps of users and groups for authentication and group checks.
Read-only
MAPS binds to LDAP and reads users/passwords/groups. It does not modify entries. Manage users and group membership in your directory tools.
Realm mapping (SecurityManager)
```yaml
SecurityManager:
  - private: LdapAuthRealm   # name the realm you will reference on listeners
```
Name your realm (`private` here) to match your deployment. If your realm is created via JAAS (Option B), map that name instead.
Option B — JAAS LDAP module
Alternatively, use the standard JAAS LDAP login module (`com.sun.security.auth.module.LdapLoginModule`).
```
PrivateAuthConfig {
    com.sun.security.auth.module.LdapLoginModule Required
        userProvider="ldap://ldap.example.com:389"
        authIdentity="uid={USERNAME},OU=people,DC=example,DC=com"
        useSSL=false
        debug=false;
};
```
Realm mapping (SecurityManager)
```yaml
SecurityManager:
  - private: PrivateAuthConfig
```
Listener example (either option)
```yaml
- name: "AMQP with LDAP"
  url: "tcp://0.0.0.0:5672/"
  protocol: amqp
  auth: private
```
Field Reference (native provider)
| Key | Required | Description |
|---|---|---|
| `identityProvider` | Yes | Must be `"ldap"` to activate the MAPS LDAP provider. |
| `java.naming.provider.url` | Yes | LDAP URL (e.g., `ldap://host:389`, `ldaps://host:636`). |
| `java.naming.security.principal` | Yes | Bind DN for the service account. |
| `java.naming.security.credentials` | Yes | Password for the bind DN. |
| `java.naming.security.authentication` | No | JNDI auth mode (`simple` by default). |
| `searchBase` | Yes | Base DN for user search. |
| `groupSearchBase` | Yes | Base DN for group search. |
| `passwordKeyName` | Yes | Attribute holding the password (e.g., `userPassword`). Supports binary values and the `{crypt}` prefix. |
Notes
- For LDAPS, use `ldaps://...:636` and ensure the JVM truststore contains the LDAP server CA.
- Group membership is discovered with `(memberUid=<username>)`; the group name comes from `cn`.
- Initial discovery enumerates users with `(cn=*)` and later resolves by `uid` for login.
Troubleshooting
- Cannot bind: verify the `java.naming.*` properties and network reachability; check TLS trust for `ldaps://`.
- User not found: ensure `uid=<username>` exists under `searchBase`; confirm case-sensitivity in your directory.
- Password mismatch: confirm the correct `passwordKeyName` and hash format; `{crypt}`-prefixed hashes are supported.
- Groups empty: ensure groups hold `memberUid=<username>` and `cn` attributes; verify `groupSearchBase`.
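As an added example (not part of MAPS or of this page), the script below replays the native provider's lookups described under "How it works" against a constructed LDIF export: `(uid=<username>)` under `searchBase`, the password attribute with any `{crypt}` prefix stripped, and groups matched by `memberUid` under `groupSearchBase`. It lets you reproduce the "user not found" and "groups empty" troubleshooting cases offline before pointing MAPS at the directory; `parse_ldif`, `lookup_user` and the sample entries are assumptions of this example.

```python
import base64
from collections import defaultdict

# Constructed LDIF export (not from the page) laid out the way the MAPS native
# provider expects: users under searchBase, posixGroups under groupSearchBase.
PW_B64 = base64.b64encode(b"{crypt}$6$saltsalt$hashhashhash").decode()
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Alice Example
uid: alice
userPassword:: {PW_B64}

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
memberUid: alice

dn: cn=ops,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: ops
memberUid: bob
"""

def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr: [values]}); '::' marks base64."""
    entries, dn, attrs = [], None, defaultdict(list)
    for line in text.splitlines() + [""]:
        if not line.strip():                         # blank line ends an entry
            if dn:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        key, _, val = line.partition(":")
        if val.startswith(":"):                      # base64 value (binary OK)
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        val = val.strip()
        if key == "dn":
            dn = val
        else:
            attrs[key].append(val)
    return entries

def lookup_user(entries, username, search_base, group_base, password_key="userPassword"):
    """Replay the provider's lookups; returns what MAPS would see for this user."""
    user = next((a for dn, a in entries if dn.lower().endswith(search_base.lower())
                 and username in a.get("uid", [])), None)
    if user is None:                                 # "User not found" case
        return {"found": False, "password": None, "groups": []}
    pw = (user.get(password_key) or [None])[0]
    if pw and pw.lower().startswith("{crypt}"):      # {crypt} prefix stripping
        pw = pw[len("{crypt}"):]
    groups = sorted(a["cn"][0] for dn, a in entries if dn.lower().endswith(group_base.lower())
                    and username in a.get("memberUid", []))
    return {"found": True, "password": pw, "groups": groups}
```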