Chapter 7. User Authentication with MRG Messaging
MRG Messaging uses Simple Authentication and Security Layer (SASL) for identifying and authorizing incoming connections to the broker, as mandated in the AMQP specification. SASL provides a variety of authentication methods. While MRG Messaging clients primarily implement the “PLAIN” method, the broker uses the Cyrus SASL library to allow for a full SASL implementation.
To use the default SASL PLAIN authentication mechanism implemented by the MRG Messaging client libraries, either use the default username and password of guest, which are included in the database at /var/lib/qpidd/qpidd.sasldb on installation, or add your own accounts.
Add new users to the database by using the saslpasswd2 command:
# saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u QPID new_user_name
Some Red Hat Enterprise MRG tools use the default guest account. If it is removed, those tools will fail to authenticate to the broker.
Existing user accounts can be listed by using the sasldblistusers2 command with the -f option:
# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
The user database at /var/lib/qpidd/qpidd.sasldb is readable only by the qpidd user. If you start the broker as a user other than the qpidd user, you will need to either modify the configuration file, or turn authentication off.
To switch authentication on or off, use the --auth yes|no option when you start the broker:
# /usr/sbin/qpidd --auth yes
# /usr/sbin/qpidd --auth no
You can also set authentication to be on or off by adding the appropriate line to the /etc/qpidd.conf configuration file:
auth=no
auth=yes
The SASL configuration file is in /etc/sasl2/qpidd.conf for Red Hat Enterprise Linux 5 and /usr/lib/sasl2/qpidd.conf for Red Hat Enterprise Linux 4.
For information on using a different configuration, use your web browser to view the Cyrus SASL documentation at /usr/share/doc/cyrus-sasl-lib-2.1.22/index.html for Red Hat Enterprise Linux 5 or /usr/share/doc/cyrus-sasl-2.1.19/index.html for Red Hat Enterprise Linux 4.
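The shell functions below are an added example, not part of the Red Hat documentation. They check the three settings this chapter describes: an auth=no line in a qpidd.conf file, group or other access to the SASL database, and whether the default guest account is still listed. The function names and the sample files are constructed for the illustration, and the listing file is assumed to be saved output of sasldblistusers2 in its usual "user@REALM: userPassword" form.

```shell
#!/bin/sh
# Added example (not Red Hat's code): read-only checks on the settings this chapter covers.
# File paths are arguments so the checks can be pointed at copies of the real files.
# Only the configuration file is inspected; a --auth option given on the command line is not.

# True if CONF has an active (uncommented) auth=no line.
auth_disabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# True if saved `sasldblistusers2 -f ...` output still lists guest in REALM.
# Assumes the usual "user@REALM: userPassword" listing format.
has_default_guest() {
    grep -q "^guest@$2:" "$1"
}

# True if DB grants nothing to group or other (characters 5-10 of the ls mode string).
db_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one line per finding; the return status is the number of findings.
audit_broker() {  # usage: audit_broker CONF DB LISTING [REALM]
    n=0
    if auth_disabled "$1"; then echo "FINDING: $1 sets auth=no"; n=$((n + 1)); fi
    if ! db_private "$2"; then echo "FINDING: $2 is accessible to group/other"; n=$((n + 1)); fi
    if has_default_guest "$3" "${4:-QPID}"; then
        echo "REVIEW: default guest account present"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample input, so the example runs without a broker installed.
demo() {
    d=$(mktemp -d) || return 1
    printf '# constructed sample\nport=5672\nauth=no\n' > "$d/qpidd.conf"
    printf 'guest@QPID: userPassword\nalice@QPID: userPassword\n' > "$d/listing"
    : > "$d/qpidd.sasldb"; chmod 644 "$d/qpidd.sasldb"
    rc=0
    audit_broker "$d/qpidd.conf" "$d/qpidd.sasldb" "$d/listing" || rc=$?
    rm -rf "$d"
    echo "findings: $rc"
}
demo
```

On a real host, save the output of the sasldblistusers2 command shown earlier to a file and pass that file, /etc/qpidd.conf and /var/lib/qpidd/qpidd.sasldb to audit_broker as root.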