RabbitMQ LDAP on the Management Plugin


David Perry

May 29, 2019, 8:52:47 AM5/29/19
to rabbitmq-users
I am new to RabbitMQ. I have it installed on Windows 10 Enterprise for development purposes. We have Active Directory running. I am trying to set up LDAP for the management plugin, so that any user with the right password can log in as administrator.

Here is my latest config:

[
 {rabbit, [
   {auth_backends, [
     {rabbit_auth_backend_ldap, rabbit_auth_backend_internal},
     rabbit_auth_backend_internal
   ]}
 ]},
 {rabbitmq_auth_backend_ldap, [
   {servers, ["WLNC0DS23N.na.mycompany.com", "WBRD0DS21N.na.mycompany.com"]},
   {dn_lookup_attribute, "userPrincipalName"},
   {dn_lookup_base, "DC=na,DC=mycompany,DC=com"},
   {user_dn_pattern, "${username}@mycompany.com"},
   {use_ssl, false},
   {port, 389},
   {log, true},
   {vhost_access_query,
    {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com", "member"}},
   {resource_access_query,
    {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com", "member"}},
   {topic_access_query,
    {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com", "member"}},
   {tag_queries, [
     {administrator,
      {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com", "member"}}
   ]}
 ]}
].
The LDAP query seems successful, but I am getting an "HTTP Access Denied" error, as shown here in the log:

2019-05-28 16:04:14.662 [info] <0.678.0> LDAP CHECK: login for perryda
2019-05-28 16:04:14.663 [info] <0.678.0>         LDAP filling template "${username}@mycompany.com" with
            [{username,<<"perryda">>}]
2019-05-28 16:04:14.663 [info] <0.678.0>         LDAP template result: "per...@mycompany.com"
2019-05-28 16:04:14.750 [info] <0.317.0>     LDAP bind succeeded: xxxx
2019-05-28 16:04:14.750 [info] <0.317.0>         LDAP filling template "${username}@mycompany.com" with
            [{username,<<"perryda">>}]
2019-05-28 16:04:14.751 [info] <0.317.0>         LDAP template result: "per...@mycompany.com"
2019-05-28 16:04:14.753 [info] <0.317.0>     LDAP DN lookup: perryda -> CN=Perry\, David,OU=Users,OU=WLNC-Wilmington,OU=OC,OU=IT-SD,DC=na,DC=mycompany,DC=com
2019-05-28 16:04:14.753 [info] <0.317.0>     LDAP CHECK: does perryda have tag administrator?
2019-05-28 16:04:14.753 [info] <0.317.0>     LDAP evaluating query: {in_group_nested,"CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
2019-05-28 16:04:14.753 [info] <0.317.0>     LDAP evaluating query: {in_group_nested,"CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member",subtree}
2019-05-28 16:04:14.754 [info] <0.317.0>         LDAP filling template "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com" with
            [{username,<<"perryda">>},{user_dn,"CN=Perry\\, David,OU=Users,OU=WLNC-Wilmington,OU=OC,OU=IT-SD,DC=na,DC=mycompany,DC=com"}]
2019-05-28 16:04:14.754 [info] <0.317.0>         LDAP template result: "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com"
2019-05-28 16:04:14.759 [info] <0.317.0>     LDAP DECISION: does perryda have tag administrator? true
2019-05-28 16:04:14.759 [info] <0.678.0> LDAP DECISION: login for perryda: ok
2019-05-28 16:04:14.759 [warning] <0.678.0> HTTP access denied: user 'perryda' - invalid credentials 

Any help would be greatly appreciated. :) 

Daniil Fedotov

May 29, 2019, 9:42:25 AM5/29/19
to rabbitmq-users
Hi,

Your auth backend configuration line "{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}," means that the LDAP backend is used only for authentication (checking that the user exists) but not for authorization (checking that the user has access to resources), and the internal backend is used for authorization.
This means that you should have permissions and tags configured for the internal user.
If you want authorization to happen via LDAP, you should replace this tuple: "{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}" with "rabbit_auth_backend_ldap".
Or create user permissions in the internal database, but I guess that's not what you're trying to achieve.

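To make the reply's point about the tuple concrete, here is an added model of how RabbitMQ walks an auth_backends list (example code written for this thread, not RabbitMQ's own; the usernames, passwords and tag sets are constructed). It assumes, as the reply states, that a pair entry authenticates with its first module and authorises with its second, that a bare module does both, and that an entry which refuses the user falls through to the next one.

```python
LDAP = "rabbit_auth_backend_ldap"
INTERNAL = "rabbit_auth_backend_internal"
MGMT_TAGS = {"administrator", "monitoring", "policymaker", "management"}

# Constructed backend state (not real directory data): LDAP knows perryda and its
# tag query grants "administrator"; the internal database only holds guest.
BACKEND_USERS = {
    LDAP: {"perryda": {"password": "s3cret", "tags": {"administrator"}}},
    INTERNAL: {"guest": {"password": "guest", "tags": {"administrator"}}},
}

def resolve_chain(auth_backends):
    """A bare module handles both authn and authz; a pair is (authn, authz)."""
    return [e if isinstance(e, tuple) else (e, e) for e in auth_backends]

def login(auth_backends, username, password):
    """Walk the chain in order. The first entry whose authn backend accepts
    the password wins, and that entry's authz backend must also know the
    user; if it does not, the entry is refused and the next one is tried."""
    for authn, authz in resolve_chain(auth_backends):
        user = BACKEND_USERS.get(authn, {}).get(username)
        if user is None or user["password"] != password:
            continue                      # authentication refused here
        authz_user = BACKEND_USERS.get(authz, {}).get(username)
        if authz_user is None:
            continue                      # authz backend cannot see the user
        return "ok", authz, set(authz_user["tags"])
    return "refused", None, set()

def management_login(auth_backends, username, password):
    """What the management plugin sees: a login that succeeds but carries
    no management tag from the authz backend is still denied."""
    outcome, authz, tags = login(auth_backends, username, password)
    if outcome != "ok":
        return "denied: invalid credentials"
    if not tags & MGMT_TAGS:
        return f"denied: no management tag from {authz}"
    return f"ok: {authz} granted {sorted(tags)}"

def misrouted_pairs(auth_backends):
    """Config check: pairs that authenticate via LDAP but authorise via the
    internal database only work for users that also exist internally."""
    return [p for p in resolve_chain(auth_backends) if p == (LDAP, INTERNAL)]

ORIGINAL = [(LDAP, INTERNAL), INTERNAL]   # auth_backends from the first post
CORRECTED = [LDAP, INTERNAL]              # tuple replaced, as the reply suggests

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, management_login(chain, "perryda", "s3cret"), misrouted_pairs(chain))
```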

Sundar Raj Kothandan

May 29, 2019, 11:31:59 PM5/29/19
to rabbitmq-users
I have a similar problem. I wanted the management console to be single sign-on. I have the HTTP auth backend; it authenticates the users connected to RabbitMQ, but the management console still shows the username/password screen. How do I remove the screen and use the SSL certificate?

David Perry

May 30, 2019, 9:35:35 AM5/30/19
to rabbitmq-users
And it was that easy! Thank you!!! It worked. Hair-pulling to now cease.

:) David

