Need help please with Certificate Authentication and LDAP plugin


Joseph Oravec

Jan 29, 2018, 8:13:25 AM1/29/18
to rabbitmq-users
I am trying to achieve passwordless authentication / group authorization with the rabbitmq_auth_mechanism_ssl and rabbitmq_auth_backend_ldap plugins, but cannot seem to find the right configuration that will do this.

I can get Certificate Authentication / SSL working by itself with the rabbitmq_auth_mechanism_ssl plugin

and I can get the LDAP working by itself with the rabbitmq_auth_backend_ldap plugin.

But I cannot seem to get them to work together to achieve passwordless authentication and authorization.

I use the following code in a test app to select the user's certificate and make a connection to the RabbitMQ server:

 using System;
 using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
 using RabbitMQ.Client;

 // Let the user pick a client certificate from the CurrentUser\My store.
 X509Certificate2 certSelected = null;
 var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
 store.Open(OpenFlags.ReadOnly);
 var selectedCertificate = X509Certificate2UI.SelectFromCollection(
     store.Certificates, "Title", "MSG", X509SelectionFlag.SingleSelection);
 if (selectedCertificate.Count > 0)
 {
      X509Certificate2Enumerator en = selectedCertificate.GetEnumerator();
      en.MoveNext();
      certSelected = en.Current;
 }
 store.Close();
 if (certSelected == null)
 {
      // Without a certificate EXTERNAL has no identity to present; fail early.
      throw new InvalidOperationException("No client certificate selected");
 }

 var cf = new ConnectionFactory();
 cf.HostName = "199.168.1.23";
 cf.Port = AmqpTcpEndpoint.UseDefaultPort;   // resolves to 5671 once Ssl.Enabled is true
 cf.VirtualHost = "/";

 // EXTERNAL: no username/password is sent; the broker derives the user from the client certificate.
 cf.AuthMechanisms = new AuthMechanismFactory[] { new ExternalMechanismFactory() };
 cf.Ssl.ServerName = "rabbitmq.dev.server";   // must match the name in the broker's server certificate
 cf.Ssl.Enabled = true;
 cf.Ssl.Version = SslProtocols.Tls12;
 cf.Ssl.Certs = new X509CertificateCollection(new X509Certificate[] { certSelected });

 using (IConnection conn = cf.CreateConnection())
 {
      using (IModel ch = conn.CreateModel())
      {
            ...... code .....
       }
 }


My RabbitMQ.conf file looks like:

%% Erlang term format (rabbitmq.config style)
[
  {ssl, [{versions, ['tlsv1.2']}]},
  {rabbit,
  [
     {log_levels, [{connection, info}, {channel, info}]},
     {password_hashing_module, rabbit_password_hashing_sha512},
     {loopback_users, [ ] },
     {tcp_listeners, [5672] },
     {ssl_listeners, [5671]},
     %% EXTERNAL is the mechanism registered by rabbitmq_auth_mechanism_ssl
     {auth_mechanisms, ['PLAIN', 'AMQPLAIN','EXTERNAL']},
     %% backends are tried in this order
     {auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]},
     %% the client certificate's CN becomes the AMQP username
     {ssl_cert_login_from, common_name},
     {ssl_options, [{cacertfile,"C:/WinCerts2/caroot.pem"},
                    {certfile,"C:/WinCerts2/server.pem"},
                    {keyfile,"C:/WinCerts2/server.key"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
  ]},
  {rabbitmq_auth_backend_ldap,
  [ {servers,                ["XXX.XXX.XX.XX"]},
     %% ${username} is filled with the certificate CN
     {user_dn_pattern,       "CN=${username},CN=Users,DC=dev,DC=servers"},
     %% bind used for queries when no user password is available
     {other_bind,            anon},
     {use_ssl,               true},
     {port,                  636},
     {log,                   true},
     {vhost_access_query,    {constant, true}},
     {resource_access_query, {constant, true}},
     {tag_queries,
        [{administrator, {in_group_nested, "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers","member", subtree}},
         {management,    {in_group_nested, "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers","member", subtree}},
         {monitoring,    {in_group_nested, "CN=RabbitMQUsers,CN=Users,DC=dev,DC=servers","member", subtree}}
        ]}
  ]}
].

The tag queries are what keep failing.

Here are the results:

2018-01-29 07:59:09.296 [info] <0.747.0> accepting AMQP connection <0.747.0> (XXX.XXX.XX.XX:49932 -> XXX.XXX.XX.XX:5671)
2018-01-29 07:59:09.336 [info] <0.747.0> LDAP CHECK: passwordless login for John Doe
2018-01-29 07:59:09.353 [info] <0.293.0>     LDAP anonymous bind
2018-01-29 07:59:09.353 [info] <0.293.0>         LDAP filling template "CN=${username},CN=Users,DC=dev,DC=servers" with [{username,<<"John Doe">>}]
2018-01-29 07:59:09.353 [info] <0.293.0>         LDAP template result: "CN=John Doe,CN=Users,DC=dev,DC=servers"
2018-01-29 07:59:09.354 [info] <0.293.0>     LDAP anonymous bind
2018-01-29 07:59:09.354 [info] <0.293.0>     LDAP CHECK: does John Doe have tag administrator?
2018-01-29 07:59:09.354 [info] <0.293.0>     LDAP evaluating query: {in_group_nested,"CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers","member",subtree}
2018-01-29 07:59:09.354 [info] <0.293.0>         LDAP filling template "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers" with [{username,<<"John Doe">>},{user_dn,"CN=John Doe,CN=Users,DC=dev,DC=servers"}]
2018-01-29 07:59:09.354 [info] <0.293.0>         LDAP template result: "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers"
2018-01-29 07:59:09.355 [info] <0.293.0> LDAP error searching for parent groups for "CN=John Doe,CN=Users,DC=dev,DC=servers": {error,{{badmatch,{error,{asn1,{function_clause,[{'ELDAPv3',encode_restricted_string,[none,[<<4>>]],[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,3438}]},{'ELDAPv3',enc_SearchRequest,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,1634}]},{'ELDAPv3',enc_LDAPMessage_protocolOp,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,334}]},{'ELDAPv3',enc_LDAPMessage,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,305}]},{'ELDAPv3',encode,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,143}]},{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]}]}}}},[{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]},{eldap,loop,2,[{file,"eldap.erl"},{line,521}]}]}}
2018-01-29 07:59:09.355 [info] <0.293.0>     LDAP DECISION: does John Doe have tag administrator? false

2018-01-29 07:59:09.355 [info] <0.293.0>     LDAP CHECK: does John Doe have tag management?
2018-01-29 07:59:09.355 [info] <0.293.0>     LDAP evaluating query: {in_group_nested,"CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers","member",subtree}
2018-01-29 07:59:09.355 [info] <0.293.0>         LDAP filling template "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers" with [{username,<<"John Doe">>},{user_dn,"CN=John Doe,CN=Users,DC=dev,DC=servers"}]
2018-01-29 07:59:09.355 [info] <0.293.0>         LDAP template result: "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers"
2018-01-29 07:59:09.355 [info] <0.293.0> LDAP error searching for parent groups for "CN=John Doe,CN=Users,DC=dev,DC=servers": {error,{{badmatch,{error,{asn1,{function_clause,[{'ELDAPv3',encode_restricted_string,[none,[<<4>>]],[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,3438}]},{'ELDAPv3',enc_SearchRequest,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,1634}]},{'ELDAPv3',enc_LDAPMessage_protocolOp,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,334}]},{'ELDAPv3',enc_LDAPMessage,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,305}]},{'ELDAPv3',encode,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,143}]},{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]}]}}}},[{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]},{eldap,loop,2,[{file,"eldap.erl"},{line,521}]}]}}
2018-01-29 07:59:09.356 [info] <0.293.0>     LDAP DECISION: does John Doe have tag management? false
2018-01-29 07:59:09.356 [info] <0.293.0>     LDAP CHECK: does John Doe have tag monitoring?
2018-01-29 07:59:09.356 [info] <0.293.0>     LDAP evaluating query: {in_group_nested,"CN=RabbitMQUsers,CN=Users,DC=dev,DC=servers","member",subtree}
2018-01-29 07:59:09.356 [info] <0.293.0>         LDAP filling template "CN=RabbitMQUsers,CN=Users,DC=dev,DC=servers" with [{username,<<"John Doe">>},{user_dn,"CN=John Doe,CN=Users,DC=dev,DC=servers"}]
2018-01-29 07:59:09.356 [info] <0.293.0>         LDAP template result: "CN=RabbitMQUsers,CN=Users,DC=dev,DC=servers"
2018-01-29 07:59:09.356 [info] <0.293.0> LDAP error searching for parent groups for "CN=John Doe,CN=Users,DC=dev,DC=servers": {error,{{badmatch,{error,{asn1,{function_clause,[{'ELDAPv3',encode_restricted_string,[none,[<<4>>]],[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,3438}]},{'ELDAPv3',enc_SearchRequest,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,1634}]},{'ELDAPv3',enc_LDAPMessage_protocolOp,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,334}]},{'ELDAPv3',enc_LDAPMessage,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,305}]},{'ELDAPv3',encode,2,[{file,"/net/isildur/ldisk/daily_build/20_prebuild_opu_o.2017-12-11_21/otp_src_20/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,143}]},{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]}]}}}},[{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]},{eldap,loop,2,[{file,"eldap.erl"},{line,521}]}]}}
2018-01-29 07:59:09.356 [info] <0.293.0>     LDAP DECISION: does John Doe have tag monitoring? false
2018-01-29 07:59:09.356 [info] <0.747.0> LDAP DECISION: passwordless login for John Doe: ok
2018-01-29 07:59:09.362 [info] <0.747.0> LDAP CHECK: access to vhost "/" for "John Doe"
2018-01-29 07:59:09.362 [info] <0.293.0>     LDAP anonymous bind
2018-01-29 07:59:09.362 [info] <0.293.0>     LDAP evaluating query: {constant,true}
2018-01-29 07:59:09.362 [info] <0.293.0>     LDAP evaluated constant: true
2018-01-29 07:59:09.362 [info] <0.747.0> LDAP DECISION: access to vhost "/" for "John Doe": ok
2018-01-29 07:59:09.363 [info] <0.747.0> connection <0.747.0> (XXX.XXX.XX.XX:49932 -> XXX.XXX.XX.XX:5671): user 'John Doe' authenticated and granted access to vhost '/'
2018-01-29 07:59:57.065 [warning] <0.747.0> closing AMQP connection <0.747.0> (XXX.XXX.XX.XX:49932 -> XXX.XXX.XX.XX:5671, vhost: '/', user: 'John Doe'): client unexpectedly closed TCP connection


If I remove the {other_bind, anon}, then I get a message that a PASSWORD is required. If I supply the username and PASSWORD then it works fine. But that defeats the goal of a passwordless connection.

The goal is to use the user's certificate to authenticate and use the user's login to check groups for permissions, without the user having to put in a password and without having to add the users to the internal RabbitMQ DB.


Is there something I am missing in the configuration or certificate generation I need to do?

I have been struggling with this for a while and need to come up with a solution; any help would be appreciated.

Thanks
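Added example and note, not part of the original post. The trace above is worth reading closely: the login itself succeeds ("LDAP DECISION: passwordless login for John Doe: ok") and so does the vhost check; only the tag queries fail, and each of them fails with the same error while "searching for parent groups". The ASN.1 encoder rejects the atom none where a DN string belongs ('ELDAPv3', encode_restricted_string, [none, ...] inside enc_SearchRequest), i.e. the base DN of that search is unset. The LDAP plugin takes the base DN for in_group_nested searches from its group_lookup_base setting (falling back to dn_lookup_base), and neither is set in the posted config, which matches the none in the trace. So every tag comes back false because the query could not be sent, not because the user is outside the group. The following rabbitmq.config is the posted configuration with that setting added; addresses, DNs and file paths are the poster's placeholders, and the service-account DN in the comment is an assumption.

```erlang
%% rabbitmq.config (Erlang term format, as in the post). Added example;
%% group_lookup_base and the commented alternatives are the only new items.
[
  {ssl, [{versions, ['tlsv1.2']}]},
  {rabbit,
   [
    {log_levels, [{connection, info}, {channel, info}]},
    {password_hashing_module, rabbit_password_hashing_sha512},
    {loopback_users, []},
    {tcp_listeners, [5672]},
    {ssl_listeners, [5671]},
    %% EXTERNAL comes from rabbitmq_auth_mechanism_ssl. PLAIN/AMQPLAIN stay
    %% available for password logins (management UI users, clients without a cert).
    {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
    %% Tried in order: the internal backend rejects a user it does not know,
    %% then LDAP handles both the passwordless login and the authZ queries,
    %% exactly as the log shows.
    {auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]},
    %% The certificate CN becomes the AMQP username and fills ${username} in
    %% user_dn_pattern. Anyone holding a certificate chained to cacertfile whose
    %% CN matches an LDAP user is accepted: the CA's issuance policy is the
    %% authentication boundary.
    {ssl_cert_login_from, common_name},
    {ssl_options, [{cacertfile, "C:/WinCerts2/caroot.pem"},
                   {certfile,   "C:/WinCerts2/server.pem"},
                   {keyfile,    "C:/WinCerts2/server.key"},
                   {verify, verify_peer},
                   %% false (as posted) lets a client without a certificate still
                   %% reach PLAIN over TLS; set true if every TLS client must
                   %% present one.
                   {fail_if_no_peer_cert, false}]}
   ]},
  {rabbitmq_auth_backend_ldap,
   [
    {servers, ["XXX.XXX.XX.XX"]},
    {use_ssl, true},
    {port, 636},
    {log, true},
    {user_dn_pattern, "CN=${username},CN=Users,DC=dev,DC=servers"},
    %% An EXTERNAL login carries no password, so the plugin cannot bind as the
    %% user (the default, as_user, is why removing this line demands a password).
    %% anon only works if the directory allows anonymous reads of group
    %% membership; otherwise bind with a read-only service account (assumed DN):
    %% {other_bind, {"CN=rabbitmq-svc,CN=Users,DC=dev,DC=servers", "secret"}},
    {other_bind, anon},
    %% Base DN for the parent-group searches issued by in_group_nested. Without
    %% it the search base is the atom none, which is the asn1 encode error above.
    {group_lookup_base, "CN=Users,DC=dev,DC=servers"},
    {vhost_access_query, {constant, true}},
    {resource_access_query, {constant, true}},
    {tag_queries,
     [{administrator, {in_group_nested, "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers", "member", subtree}},
      {management,    {in_group_nested, "CN=RabbitMQAdmins,CN=Users,DC=dev,DC=servers", "member", subtree}},
      {monitoring,    {in_group_nested, "CN=RabbitMQUsers,CN=Users,DC=dev,DC=servers",  "member", subtree}}
     ]}
   ]}
].
```

Before restarting the broker it is worth reproducing the search the plugin will issue with the same bind it will use, for example an anonymous simple bind with ldapsearch -H ldaps://XXX.XXX.XX.XX -x -b "CN=Users,DC=dev,DC=servers" "(member=CN=John Doe,CN=Users,DC=dev,DC=servers)" dn; if that returns nothing while the user is a group member, the directory is not allowing anonymous reads and the service-account form of other_bind is needed. If a service-account password goes into the config file, restrict the file's permissions to the broker's service account, since it grants read access to the directory.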


Michael Klishin

Jan 29, 2018, 8:20:21 AM1/29/18
to rabbitm...@googlegroups.com
They are not supposed to work together for authentication.

When the EXTERNAL auth mechanism and the x509 Certificate Authentication plugin
are used, authN backends will be ignored. You therefore can use LDAP for authZ (authorization) only.

LDAP servers need to allow for that or you must use regular username/password authentication with TLS
instead of rabbitmq-auth-mechanism-ssl.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Joseph Oravec

Jan 29, 2018, 8:36:06 AM1/29/18
to rabbitmq-users
So I can use the combination (rabbitmq_auth_mechanism_ssl plugin / rabbitmq_auth_backend_ldap plugin) to authenticate users without a password, but just can't use it to check the user against groups to set their Administrator / Management permissions for the tag_queries?

(Most users will not need any access to the portal.)

For users that need access to the RMQ portal, I would need to set up users in the internal RabbitMQ DB and have them log in with username / password there?

Is there a standard/recommended practice for what I am trying to achieve?

Thanks

Michael Klishin

Jan 29, 2018, 8:53:57 AM1/29/18
to rabbitm...@googlegroups.com
You are conflating and confusing 3 unrelated things.

First there is authentication. It can be performed using a username/password pair plus 1 or N authN backends, or an external
mechanism such as x509 certificates.

Then there is authorization which takes place when an already authenticated client has to access a vhost or perform an operation in it.
This is performed using 1 or N authZ backends.

Both are involved in any realistic client interaction. Authentication using x509 certificates can be used with authZ using any other way
but authZ backends can have assumptions about things, such as whether username/password are available and how they are used.
This is exactly why without anonymous binding LDAP refuses to accept connections on behalf of the clients that authenticated
using a x509 certificate (they only have a username but no password).

And then there is management UI access which is granted to successfully authenticated users who are also tagged as
monitoring/management/policymaker/administrator. How exactly authentication is performed, the plugin in theory doesn't care
but it currently requires a username/password pair because

1. It is relatively unusual for browser clients to provide a client x509 certificate/key pair.
2. OAuth 2 support is blocked for reasons that are not technical (and our team has only so many people)

See http://www.rabbitmq.com/authentication.html and https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl.
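Added example, not from the thread. The separation described above (an authN step that establishes who the client is, then authZ steps that decide what it may do) has a direct expression in the broker configuration: each element of auth_backends is either one module that does both, or an {AuthN, AuthZ} tuple that assigns the two roles to different modules. The fragment below shows the arrangement the follow-up question asks about, with x509 logins resolved against the internal user database and LDAP consulted only for authorization; the rabbitmq_auth_backend_ldap section is assumed to be as in the first post.

```erlang
%% rabbitmq.config fragment (Erlang term format). Added example, not the project's
%% own configuration; the LDAP plugin section from the first post is assumed.
[
  {rabbit,
   [
    {auth_mechanisms, ['PLAIN', 'EXTERNAL']},
    %% the certificate CN is the username handed to the authN backend
    {ssl_cert_login_from, common_name},
    %% Elements are tried in order until one accepts the login.
    %% A tuple splits the roles: first module = authentication (who is this?),
    %% second module = authorization (vhost and resource access).
    %% A bare module name does both.
    {auth_backends,
     [
      %% 1) Internal authN, LDAP authZ. An EXTERNAL login succeeds only if a
      %%    user with the certificate's CN exists in the internal DB (no
      %%    password is checked); the same users can log into the management
      %%    UI with their internal password. LDAP then answers
      %%    vhost_access_query / resource_access_query for them.
      {rabbit_auth_backend_internal, rabbit_auth_backend_ldap},
      %% 2) Fallback for users not in the internal DB: LDAP does both. For an
      %%    EXTERNAL login this is the passwordless path from the first post and
      %%    needs an other_bind other than as_user (anon or a service account).
      rabbit_auth_backend_ldap
     ]}
   ]}
].
```

The order matters for the security property: a user present in both the internal DB and LDAP is answered by element 1 and never reaches element 2, so deleting someone from the directory does not lock them out until their internal account is removed as well.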
