I am trying to achieve passwordless authentication / group authorization withe the rabbitmq_auth_mechanism_ssl and rabbitmq_auth_backend_ldap plugins, but cannot seem to find the right configuration that will do this.
I can get Certificate Authenticate / SSL working by itself with the rabbitmq_auth_mechanism_ssl plugin
and I can get the LDAP working by itself with the rabbitmq_auth_backend_ldap plugin.
But I cannot seem to get them to work together to achieve passwordless authentication and authorization.
I use the following code in a test app to select the Users certificate and make a connection to RabbitMQ server:
X509Certificate2 certSelected = null;
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var selectedCertificate = X509Certificate2UI.SelectFromCollection(store.Certificates,"Title", "MSG", X509SelectionFlag.SingleSelection);
if (selectedCertificate.Count > 0)
{
X509Certificate2Enumerator en = selectedCertificate.GetEnumerator();
en.MoveNext();
certSelected = en.Current;
}
store.Close();
var cf = new ConnectionFactory();
cf.HostName = "199.168.1.23";
cf.Port = AmqpTcpEndpoint.UseDefaultPort;
cf.VirtualHost = "/";
cf.AuthMechanisms = new AuthMechanismFactory[] { new ExternalMechanismFactory() };
cf.Ssl.ServerName = "rabbitmq.dev.server";
cf.Ssl.Enabled = true;
cf.Ssl.Version = SslProtocols.Tls12;
cf.Ssl.Certs = new X509CertificateCollection(new X509Certificate[] { certSelected });
using (IConnection conn = cf.CreateConnection())
{
using (IModel ch = conn.CreateModel())
{
...... code .....
}
}
My RabbitMQ.conf files look like:
[
{ssl, [{versions, ['tlsv1.2']}]},
{rabbit,
[
{log_levels, [{connection, info}, {channel, info}]},
{password_hashing_module, rabbit_password_hashing_sha512},
{loopback_users, [ ] },
{tcp_listeners, [5672] },
{ssl_listeners, [5671]},
{auth_mechanisms, ['PLAIN', 'AMQPLAIN','EXTERNAL']},
{auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]},
{ssl_cert_login_from, common_name},
{ssl_options, [{cacertfile,"C:/WinCerts2/caroot.pem"},
{certfile,"C:/WinCerts2/server.pem"},
{keyfile,"C:/WinCerts2/server.key"},
{verify,verify_peer},
{fail_if_no_peer_cert,false}]}
]},
{rabbitmq_auth_backend_ldap,
[ {servers, ["XXX.XXX.XX.XX"]},
{user_dn_pattern, "CN=${username},CN=Users,DC=dev,DC=servers"},
{other_bind, anon},
{use_ssl, true},
{port, 636},
{log, true},
{vhost_access_query, {constant, true}},
{resource_access_query, {constant, true}},
{tag_queries,
[{administrator, {in_group_nested, "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers","member", subtree}},
{management, {in_group_nested, "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers","member", subtree}},
{monitoring, {in_group_nested, "CN=RabbitMQUsers,CN=Users,DC=dev,DC=servers","member", subtree}}
]}
]}
].
The Tag queries is what keeps failing
Here is the results:
2018-01-29 07:59:09.296 [info] <0.747.0> accepting AMQP connection <0.747.0> (XXX.XXX.XX.XX:49932 -> XXX.XXX.XX.XX:5671)
2018-01-29 07:59:09.336 [info] <0.747.0> LDAP CHECK: passwordless login for John Doe
2018-01-29 07:59:09.353 [info] <0.293.0> LDAP anonymous bind
2018-01-29 07:59:09.353 [info] <0.293.0> LDAP filling template "CN=${username},CN=Users,DC=dev,DC=servers" with [{username,<<"John Doe">>}]
2018-01-29 07:59:09.353 [info] <0.293.0> LDAP template result: "CN=John Doe,CN=Users,DC=dev,DC=servers"
2018-01-29 07:59:09.354 [info] <0.293.0> LDAP anonymous bind
2018-01-29 07:59:09.354 [info] <0.293.0> LDAP CHECK: does John Doe have tag administrator?
2018-01-29 07:59:09.354 [info] <0.293.0> LDAP evaluating query: {in_group_nested,"CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers","member",subtree}
2018-01-29 07:59:09.354 [info] <0.293.0> LDAP filling template "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers" with [{username,<<"John Doe">>},{user_dn,"CN=John Doe,CN=Users,DC=dev,DC=servers"}]
2018-01-29 07:59:09.354 [info] <0.293.0> LDAP template result: "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers"
2018-01-29 07:59:09.355 [info] <0.293.0> LDAP error searching for parent groups for "CN=John Doe,CN=Users,DC=dev,DC=servers": {error,{{badmatch,{error,{asn1,{function_clause,[{'ELDAPv3',encode_restricted_string,[none,[<<4>>]],[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,3438}]},{'ELDAPv3',enc_SearchRequest,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,1634}]},{'ELDAPv3',enc_LDAPMessage_protocolOp,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,334}]},{'ELDAPv3',enc_LDAPMessage,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,305}]},{'ELDAPv3',encode,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,143}]},{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]}]}}}},[{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]},{eldap,loop,2,[{file,"eldap.erl"},{line,521}]}]}}
2018-01-29 07:59:09.355 [info] <0.293.0> LDAP DECISION: does John Doe have tag administrator? false
2018-01-29 07:59:09.355 [info] <0.293.0> LDAP CHECK: does John Doe have tag management?
2018-01-29 07:59:09.355 [info] <0.293.0> LDAP evaluating query: {in_group_nested,"CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers","member",subtree}
2018-01-29 07:59:09.355 [info] <0.293.0> LDAP filling template "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers" with
[{username,<<"John Doe">>},{user_dn,"CN=John Doe,CN=Users,DC=dev,DC=servers"}]
2018-01-29 07:59:09.355 [info] <0.293.0> LDAP template result: "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers"
2018-01-29 07:59:09.355 [info] <0.293.0> LDAP error searching for parent groups for "CN=John Doe,CN=Users,DC=dev,DC=servers": {error,{{badmatch,{error,{asn1,{function_clause,[{'ELDAPv3',encode_restricted_string,[none,[<<4>>]],[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,3438}]},{'ELDAPv3',enc_SearchRequest,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,1634}]},{'ELDAPv3',enc_LDAPMessage_protocolOp,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,334}]},{'ELDAPv3',enc_LDAPMessage,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,305}]},{'ELDAPv3',encode,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,143}]},{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]}]}}}},[{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]},{eldap,loop,2,[{file,"eldap.erl"},{line,521}]}]}}
2018-01-29 07:59:09.356 [info] <0.293.0> LDAP DECISION: does John Doe have tag management? false
2018-01-29 07:59:09.356 [info] <0.293.0> LDAP CHECK: does John Doe have tag monitoring?
2018-01-29 07:59:09.356 [info] <0.293.0> LDAP evaluating query: {in_group_nested,"CN=RabbitMQUsers,CN=Users,DC=dev,DC=servers","member",subtree}
2018-01-29 07:59:09.356 [info] <0.293.0> LDAP filling template "CN=RabbitMQUsers,CN=Users,DC=dev,DC=servers" with
[{username,<<"John Doe">>},{user_dn,"CN=John Doe,CN=Users,DC=dev,DC=servers"}]
2018-01-29 07:59:09.356 [info] <0.293.0> LDAP template result: "CN=RabbitMQUsers,CN=Users,DC=dev,DC=servers"
2018-01-29 07:59:09.356 [info] <0.293.0> LDAP error searching for parent groups for "CN=John Doe,CN=Users,DC=dev,DC=servers": {error,{{badmatch,{error,{asn1,{function_clause,[{'ELDAPv3',encode_restricted_string,[none,[<<4>>]],[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,3438}]},{'ELDAPv3',enc_SearchRequest,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,1634}]},{'ELDAPv3',enc_LDAPMessage_protocolOp,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,334}]},{'ELDAPv3',enc_LDAPMessage,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,305}]},{'ELDAPv3',encode,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,143}]},{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]}]}}}},[{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]},{eldap,loop,2,[{file,"eldap.erl"},{line,521}]}]}}
2018-01-29 07:59:09.356 [info] <0.293.0> LDAP DECISION: does John Doe have tag monitoring? false
2018-01-29 07:59:09.356 [info] <0.747.0> LDAP DECISION: passwordless login for John Doe: ok
2018-01-29 07:59:09.362 [info] <0.747.0> LDAP CHECK: access to vhost "/" for "John Doe"
2018-01-29 07:59:09.362 [info] <0.293.0> LDAP anonymous bind
2018-01-29 07:59:09.362 [info] <0.293.0> LDAP evaluating query: {constant,true}
2018-01-29 07:59:09.362 [info] <0.293.0> LDAP evaluated constant: true
2018-01-29 07:59:09.362 [info] <0.747.0> LDAP DECISION: access to vhost "/" for "John Doe": ok
2018-01-29 07:59:09.363 [info] <0.747.0> connection <0.747.0> (XXX.XXX.XX.XX:49932 -> XXX.XXX.XX.XX:5671): user 'John Doe' authenticated and granted access to vhost '/'
2018-01-29 07:59:57.065 [warning] <0.747.0> closing AMQP connection <0.747.0> (XXX.XXX.XX.XX:49932 -> XXX.XXX.XX.XX:5671, vhost: '/', user: 'John Doe'): client unexpectedly closed TCP connection
If I remove the {other_bind, anon}, then I get a message that PASSWORD is required. If I supply the UserName and PASSWORD then it will work fine. But that defeats the goal of a passwordless connection.
The goal is to use the Users Certification to Authenticate and use the users login to check groups for permissions without the user to have to put in a password and without having to add the users to the internal RabbitMq db.
Is there something I am missing in the configuration or certificate generation I need to do?
I have been struggling with this for a while and need to come up with a solution any help would be appreciated.
Thanks
Thanks