Authentication of IoT devices with LDAP
Written by Margaretha Erber
Published: March 23, 2020
LDAP (Lightweight Directory Access Protocol) is a robust and mature protocol used for authentication and authorization. It is widely used among HiveMQ customers and is often part of the already existing enterprise infrastructure. Until now, it has only been possible to integrate MQTT with LDAP through a custom HiveMQ extension. For anyone who does not want to develop and maintain their own HiveMQ extension but wants to combine MQTT and LDAP, we have very good news: the HiveMQ Enterprise Security Extension (ESE) is now able to handle LDAP authentication and authorization of IoT devices and HiveMQ Control Center users.
Authentication using existing LDAP infrastructure
Matching the highly configurable pipelining concept of ESE, the new LDAP feature is suitable for authentication and authorization of IoT devices as well as of users of the HiveMQ Control Center. Authentication and authorization can also be handled separately; for example, authentication can be performed against an LDAP service while authorization is looked up in an SQL database.
HiveMQ Enterprise Security Extension supports existing LDAP object classes, so it is easy to integrate authentication with existing LDAP infrastructures. For authorization, ESE ships predefined schemas for MQTT clients as LDIF files. These schemas are registered with IANA and can easily be loaded into any existing LDAP system.
LDAP Authentication and High Availability
For enterprise systems, high availability is key. Authentication against a single external system can be challenging, especially if hundreds of thousands of MQTT clients try to authenticate themselves at once. LDAP supports distributed clustering, where multiple LDAP servers can take over the authentication requests. HiveMQ Enterprise Security Extension supports this kind of distributed authentication load balancing. By allowing multiple LDAP servers to be configured, authentication requests can be distributed in a round-robin manner. Should the connection to one of the LDAP servers fail, ESE ensures that the remaining LDAP servers take over the load and thus keep HiveMQ and the entire infrastructure highly available.
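The round-robin distribution and failover behaviour described above, as an added illustrative example that is not ESE's own code: a small pool that rotates bind requests over several directory servers and skips a server only when it is unreachable. The servers, the device DN and the password are constructed in-memory stand-ins so the example runs offline. One detail worth noting: a bind rejected for bad credentials is a definitive answer from the directory and is returned as-is, whereas only connection failures cause the pool to move on to the next server, so a single login attempt never turns into one attempt per cluster member.

```python
"""Added example: round-robin LDAP bind across a server pool with failover.

Illustrative code written for this page, not HiveMQ ESE's implementation.
The directory servers are constructed in-memory stand-ins.
"""
import itertools


class ServerUnavailable(Exception):
    """The directory server could not be reached (connection failure)."""


class FakeLdapServer:
    """Constructed stand-in for one LDAP server in the pool.

    `users` maps a bind DN to its password; `up` simulates reachability.
    """

    def __init__(self, name, users, up=True):
        self.name = name
        self.users = users
        self.up = up
        self.bind_attempts = 0  # how many bind requests reached this server

    def simple_bind(self, dn, password):
        """Return True on a successful bind, False on bad credentials."""
        if not self.up:
            raise ServerUnavailable(self.name)
        self.bind_attempts += 1
        return self.users.get(dn) == password


class RoundRobinPool:
    """Distribute bind requests over several servers; skip unreachable ones.

    Only connectivity failures trigger failover. A rejected bind (wrong
    password) is returned immediately rather than retried on another server.
    """

    def __init__(self, servers):
        if not servers:
            raise ValueError("pool needs at least one server")
        self._servers = list(servers)
        self._next_index = itertools.cycle(range(len(self._servers)))

    def bind(self, dn, password):
        last_error = None
        # Try at most one full rotation of the pool before giving up.
        for _ in range(len(self._servers)):
            server = self._servers[next(self._next_index)]
            try:
                return server.simple_bind(dn, password)
            except ServerUnavailable as exc:
                last_error = exc  # move on to the next server in rotation
        raise ServerUnavailable("no directory server reachable") from last_error


# Constructed device account, replicated to every server in the demo pool.
DEVICE_DN = "uid=sensor-01,ou=devices,dc=example,dc=com"
DEVICE_PASSWORD = "correct-horse"


def make_demo_pool():
    """Three constructed servers holding the same replicated device account."""
    replicated = {DEVICE_DN: DEVICE_PASSWORD}
    return [FakeLdapServer(n, dict(replicated)) for n in ("ldap-a", "ldap-b", "ldap-c")]


def run_scenario():
    """Drive the pool through normal rotation, one outage, and bad credentials."""
    servers = make_demo_pool()
    pool = RoundRobinPool(servers)

    accepted = [pool.bind(DEVICE_DN, DEVICE_PASSWORD) for _ in range(3)]   # a, b, c
    servers[1].up = False                                                 # ldap-b goes down
    accepted += [pool.bind(DEVICE_DN, DEVICE_PASSWORD) for _ in range(3)]  # a, (b->)c, a
    rejected = pool.bind(DEVICE_DN, "wrong-password")                     # (b->)c answers, no retry

    return {
        "accepted": accepted,
        "rejected": rejected,
        "attempts": {s.name: s.bind_attempts for s in servers},
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the rotation continuing across the outage: ldap-a and ldap-c each answer three binds, ldap-b only the one it received before it was marked down, and the wrong-password attempt is answered exactly once.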
With LDAP support in HiveMQ ESE, customers who are using LDAP services such as Microsoft Active Directory, OpenLDAP or Apache Directory Server can now easily integrate authentication and authorization with HiveMQ and MQTT.
All configuration options and usage instructions for this feature can be found in the documentation. For guidance on additional aspects of IoT security tailored to your specific needs, feel free to contact us.