RabbitMQ LDAP Authentication issue


Roberto Pesce

May 27, 2020, 7:59:47 AM
to rabbitmq-users
Hi,

I have configured my RabbitMQ server to use LDAP authentication and to tag users using the advanced.config file.

My current config is something like:

rabbitmq.conf
-------------------------------------------------------------------

auth_ldap.servers.1 = DC001.mydomain.net
auth_ldap.servers.2 = DC002.mydomain.net
auth_ldap.use_ssl = true
auth_ldap.port = 636
auth_ldap.dn_lookup_attribute = userPrincipalName
auth_ldap.dn_lookup_base      = DC=mydomain,DC=net

advanced.config
-------------------------------------------------------------------
[{rabbitmq_auth_backend_ldap,
   [ 
{vhost_access_query, {in_group, "cn=RabbitUsers-${vhost},OU=Security Groups,DC=mydomain,DC=net"}},
    {tag_queries, [ {administrator, {in_group, "CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net"}},
    {management, {in_group, "CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net"}}]}
]
}].

This works, but I must log users in using the form myu...@mydomain.net and a password.

If I change the dn_lookup_attribute to SAMAccountName I can log in using the form mydomain\myuser, but authorization with tag_queries doesn't work; my guess is that it tries to match the fully qualified username (domain\user) against the list of bare usernames that are members of those groups.

I've read in the documentation, and I see in the logs, that there are two new variables, ad_domain and ad_user, that can be used instead of username, but I don't get where I should specify those in order to have the LDAP plugin use them...

Could anyone provide a sample?
Thank you
Roberto

2020-05-22 08:56:06.207 [info] <0.527.0>         LDAP filling template "${username}" with
            [{username,<<"MYDOMAIN\\myuser">>},{ad_domain,<<"mydomain">>},{ad_user,<<"myuser">>}]
2020-05-22 08:56:06.207 [info] <0.527.0>         LDAP template result: "MYDOMAIN\myuser"
2020-05-22 08:56:06.207 [info] <0.1105.0>     LDAP network traffic: search request = {'SearchRequest',"DC=mydomain,DC=net",wholeSubtree,derefAlways,0,0,false,{equalityMatch,{'AttributeValueAssertion',"SAMAccountName","MYDOMAIN\\myuser"}},["distinguishedName"]}
2020-05-22 08:56:06.207 [info] <0.1105.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',2,{searchResRef,["ldaps://...,DC=mydomain,DC=net"]},asn1_NOVALUE}}
2020-05-22 08:56:06.207 [info] <0.1105.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',2,{searchResRef,["ldaps://...,DC=mydomain,DC=net"]},asn1_NOVALUE}}
2020-05-22 08:56:06.207 [info] <0.1105.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',2,{searchResRef,["ldaps://...,DC=mydomain,DC=net"]},asn1_NOVALUE}}
2020-05-22 08:56:06.207 [info] <0.1105.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',2,{searchResDone,{'LDAPResult',success,[],[],asn1_NOVALUE}},asn1_NOVALUE}}
2020-05-22 08:56:06.207 [info] <0.1105.0>     LDAP network traffic: search reply = searchResDone 
2020-05-22 08:56:06.207 [warning] <0.527.0> Searching for DN for MYDOMAIN\myuser, got back []
2020-05-22 08:56:06.207 [info] <0.527.0>     LDAP CHECK: does MYDOMAIN\myuser have tag administrator?
2020-05-22 08:56:06.207 [info] <0.527.0>     LDAP evaluating query: {in_group,"CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net"}
2020-05-22 08:56:06.207 [info] <0.527.0>     LDAP evaluating query: {in_group,"CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net","member"}
2020-05-22 08:56:06.207 [info] <0.527.0>         LDAP filling template "CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net" with
            [{username,<<"MYDOMAIN\\myuser">>},{user_dn,"MYDOMAIN\\myuser"},{ad_domain,<<"mydomain">>},{ad_user,<<"myuser">>}]
2020-05-22 08:56:06.207 [info] <0.527.0>         LDAP template result: "CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net"
2020-05-22 08:56:06.207 [info] <0.1105.0>     LDAP network traffic: search request = {'SearchRequest',"CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net",baseObject,derefAlways,0,0,false,{equalityMatch,{'AttributeValueAssertion',"member","MYDOMAIN\\myuser"}},["objectClass"]}
2020-05-22 08:56:06.207 [info] <0.1105.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',3,{searchResDone,{'LDAPResult',success,[],[],asn1_NOVALUE}},asn1_NOVALUE}}
2020-05-22 08:56:06.223 [info] <0.1105.0>     LDAP network traffic: search reply = searchResDone 
2020-05-22 08:56:06.223 [info] <0.527.0>     LDAP evaluated in_group for "CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net": false
2020-05-22 08:56:06.223 [info] <0.527.0>     LDAP DECISION: does MYDOMAIN\myuser have tag administrator? false
2020-05-22 08:56:06.223 [info] <0.527.0>     LDAP CHECK: does MYDOMAIN\myuser have tag management?
2020-05-22 08:56:06.223 [info] <0.527.0>     LDAP evaluating query: {in_group,"CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net"}
2020-05-22 08:56:06.223 [info] <0.527.0>     LDAP evaluating query: {in_group,"CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net","member"}
2020-05-22 08:56:06.223 [info] <0.527.0>         LDAP filling template "CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net" with
            [{username,<<"MYDOMAIN\\myuser">>},{user_dn,"MYDOMAIN\\myuser"},{ad_domain,<<"mydomain">>},{ad_user,<<"myuser">>}]
2020-05-22 08:56:06.223 [info] <0.527.0>         LDAP template result: "CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net"
2020-05-22 08:56:06.223 [info] <0.1105.0>     LDAP network traffic: search request = {'SearchRequest',"CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net",baseObject,derefAlways,0,0,false,{equalityMatch,{'AttributeValueAssertion',"member","MYDOMAIN\\myuser"}},["objectClass"]}
2020-05-22 08:56:06.223 [info] <0.1105.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',4,{searchResDone,{'LDAPResult',success,[],[],asn1_NOVALUE}},asn1_NOVALUE}}
2020-05-22 08:56:06.223 [info] <0.1105.0>     LDAP network traffic: search reply = searchResDone 
2020-05-22 08:56:06.223 [info] <0.527.0>     LDAP evaluated in_group for "CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net": false
2020-05-22 08:56:06.223 [info] <0.527.0>     LDAP DECISION: does MYDOMAIN\myuser have tag management? false
2020-05-22 08:56:06.223 [info] <0.1104.0> LDAP DECISION: login for MYDOMAIN\myuser: ok
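The kind of sample asked for above, as an added example: it is not part of the original thread and is not the advanced.config that Luke attached (that attachment is not reproduced on this page). It keeps the servers, groups and queries from Roberto's own configuration and changes only how the DN lookup is built. The basis is visible in the log above: the line `LDAP filling template "${username}" with [{username,...},{ad_domain,...},{ad_user,...}]` is the `user_dn_pattern` being filled, and all three variables are offered to it, so a pattern of `${ad_user}` makes the sAMAccountName search use the bare user part instead of `MYDOMAIN\myuser`. The `ssl_options` entry and the CA file path inside it are assumptions of this example, not settings from the thread.

```erlang
%% advanced.config (added example; assumes the plugin fills user_dn_pattern
%% with ${ad_user}/${ad_domain} as the "LDAP filling template" log lines show)
[{rabbitmq_auth_backend_ldap, [
    {servers,              ["DC001.mydomain.net", "DC002.mydomain.net"]},
    {use_ssl,              true},
    {port,                 636},

    %% Assumed addition: without verify_peer and a CA file, LDAPS encrypts the
    %% session but does not authenticate the directory server, so user
    %% passwords would be sent to whatever answers on port 636.
    {ssl_options,          [{cacertfile, "/etc/rabbitmq/ad-ca.pem"},   % placeholder path
                            {verify,     verify_peer}]},

    %% Users log in as MYDOMAIN\myuser. The plugin splits that into
    %% ${ad_domain} = "mydomain" and ${ad_user} = "myuser". The default
    %% pattern "${username}" searches sAMAccountName for "MYDOMAIN\myuser",
    %% which no account has (hence "got back []" in the log). Using only the
    %% user part makes the lookup find the account's distinguishedName.
    {user_dn_pattern,      "${ad_user}"},
    {dn_lookup_attribute,  "sAMAccountName"},
    {dn_lookup_base,       "DC=mydomain,DC=net"},

    %% Once the lookup succeeds, ${user_dn} is the real DN rather than the
    %% raw username, and in_group compares it against the group's "member"
    %% values (the {in_group, Group, "member"} form shown in the log).
    {vhost_access_query,
        {in_group, "CN=RabbitUsers-${vhost},OU=Security Groups,DC=mydomain,DC=net"}},
    {tag_queries, [
        {administrator, {in_group, "CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net"}},
        {management,    {in_group, "CN=RabbitAdmins,OU=Security Groups,DC=mydomain,DC=net"}}
    ]}
]}].
```

Two checks after applying this: the `Searching for DN for ... got back []` warning should disappear and the `LDAP filling template` lines for the in_group queries should show a `user_dn` that is a full `CN=...,DC=mydomain,DC=net` value rather than `MYDOMAIN\myuser`. The `LDAP network traffic` lines in the log above come from the plugin's `log` setting being `network`; that level scrubs passwords and is fine while debugging, but `network_unsafe` writes bind credentials to the log and should never be left on.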

Luke Bakken

May 28, 2020, 12:35:29 PM
to rabbitmq-users
Hi Roberto,

You can see in the output that the LDAP plugin tries to find the Distinguished Name for user MYDOMAIN\\myuser via that record's sAMAccountName value, but can't:

2020-05-22 08:56:06.207 [info] <0.1105.0>     LDAP network traffic: search request = {'SearchRequest',"DC=mydomain,DC=net",wholeSubtree,derefAlways,0,0,false,{equalityMatch,{'AttributeValueAssertion',"SAMAccountName","MYDOMAIN\\myuser"}},["distinguishedName"]}
2020-05-22 08:56:06.207 [warning] <0.527.0> Searching for DN for MYDOMAIN\myuser, got back []

Since the DN can't be retrieved, the in_group queries won't work.

I suggest using a tool like ldp.exe to do the same sort of search that the LDAP plugin attempts to debug why the DN isn't found.

Thanks,
Luke

Roberto Pesce

May 28, 2020, 1:39:35 PM
to rabbitm...@googlegroups.com
Hi Luke,
Yes... I had noticed that and supposed that the problem was there. 

In fact the sAMAccountName contains only the username without domain name. 

I found in the RabbitMQ LDAP documentation the two variables ad_user and ad_domain, which should help to solve this kind of issue, but I don't understand how (or if) I could modify the in_group operator to use ad_user instead of username to match the sAMAccountName.

Can you please post a sample configuration using such variables?
Thank you


Roberto Pesce

On 28 May 2020, at 18:35, Luke Bakken <lba...@pivotal.io> wrote:


Luke Bakken

May 28, 2020, 2:22:16 PM
to rabbitmq-users
Hi Roberto,

You're in luck. I added ad_user and ad_domain in response to this mailing list discussion:


I found the configuration files that I sent to the user, who appears to have exactly the same scenario as you. I've taken all of your settings and put them into the attached advanced.config file. You can remove the ldap settings from rabbitmq.conf, or you can apply the changes I made to your own files.

Let me know how it goes.
Thanks,
Luke
(attachment: advanced.config)

Roberto Pesce

May 29, 2020, 5:38:51 AM
to rabbitm...@googlegroups.com
Thank you Luke,
that was exactly what I needed.
I tried your config in my mirror system and it works perfectly.
thanks
Roberto


Michael Klishin

May 29, 2020, 1:24:35 PM
to rabbitm...@googlegroups.com

Variables are used in queries, much like string-interpolated variables are used in many programming languages, e.g. C# and Python.

[1] has some examples of how other variables are used.

  1. https://www.rabbitmq.com/ldap.html#query-reference
