LDAP integration issue


GC

Mar 15, 2024, 6:30:46 AM
to rabbitmq-users
I have been trying to integrate LDAP with RabbitMQ for the last two days but no luck. I can connect to LDAP using `ldapsearch` CLI:
```
ldapsearch -x -w somepassword -H ldaps://ipa.company.com:636 -b "cn=groups,cn=accounts,dc=company,dc=com" -D "uid=myaccount,cn=sysaccounts,cn=etc,dc=company,dc=com"
```
I am using the RabbitMQ `rabbitmq:3.13-management` image. After starting the container, I exec into the container and run `rabbitmq-plugins enable rabbitmq_auth_backend_ldap`.

I do not have an `advanced.config`. I am only using `rabbitmq.conf` with the following content:
```
auth_backends.1 = ldap

auth_ldap.port = 636
#auth_ldap.use_ssl = true
auth_ldap.servers.1 = ipa.company.com

auth_ldap.dn_lookup_bind.user_dn = uid=myaccount,cn=sysaccounts,cn=etc,dc=company,dc=com
auth_ldap.dn_lookup_bind.password = somepassword
auth_ldap.dn_lookup_attribute = sAMAccountName
auth_ldap.dn_lookup_base = dc=company,dc=com

auth_ldap.other_bind = as_user
auth_ldap.user_dn_pattern = uid=${username},cn=users,cn=accounts

auth_ldap.log = network

```
When I provide my LDAP credentials on the login page and hit enter, the login page freezes. In the logs, the following messages keep showing up:
```
2024-03-15 09:41:08.724476+00:00 [info] <0.307.0> Starting worker pool 'ldap_pool' with 64 processes in it
2024-03-15 09:41:08.725919+00:00 [info] <0.897.0> Plugins changed; enabled [rabbitmq_auth_backend_ldap]
2024-03-15 09:41:58.406768+00:00 [info] <0.1002.0> LDAP CHECK: login for john.doe
2024-03-15 09:41:58.406818+00:00 [info] <0.1002.0>     LDAP connecting to servers: ["ipa.company.com"]
2024-03-15 09:41:59.120500+00:00 [info] <0.1003.0>     LDAP network traffic: bind request = {'BindRequest',3,
2024-03-15 09:41:59.120500+00:00 [info] <0.1003.0>                                           "uid=xxxx,cn=xxxx,cn=xxxx,dc=xxxx,dc=xxxx",
2024-03-15 09:41:59.120500+00:00 [info] <0.1003.0>                                           {simple,"xxxx"}}
2024-03-15 09:41:59.120500+00:00 [info] <0.1003.0>
2024-03-15 09:42:49.686315+00:00 [warning] <0.906.0> TCP connection to a LDAP server was closed or otherwise defunct.
2024-03-15 09:42:49.686533+00:00 [warning] <0.906.0> LDAP will purge an already closed or defunct LDAP server connection from the pool
2024-03-15 09:42:49.686733+00:00 [warning] <0.906.0> LDAP will retry with a new connection.
2024-03-15 09:42:50.228194+00:00 [info] <0.1027.0>     LDAP network traffic: bind request = {'BindRequest',3,
2024-03-15 09:42:50.228194+00:00 [info] <0.1027.0>                                           "uid=xxxx,cn=xxxx,cn=xxxx,dc=xxxx,dc=xxxx",
2024-03-15 09:42:50.228194+00:00 [info] <0.1027.0>                                           {simple,"xxxx"}}

```
I would really appreciate any help.

GC

Mar 15, 2024, 8:30:25 AM
to rabbitm...@googlegroups.com
Just a few mins after sending this email, I came across a SO post. Enabling the following parameters helped me with logging in:

```
auth_ldap.timeout = 10000
auth_ldap.idle_timeout = 300000
auth_ldap.use_ssl = true
auth_ldap.ssl_options.verify = verify_none
```
Still, I was not able to log in, but the error was helpful enough to troubleshoot now.

`advanced.config` was required to finally log in.
```
[
    {rabbit, [
        {auth_backends, [rabbit_auth_backend_ldap]}
    ]},
    {rabbitmq_auth_backend_ldap, [
        {servers,               ["ipa.company.com"]},
        {user_dn_pattern,       "uid=${username},cn=users,cn=accounts,dc=company,dc=com"},
        {tag_queries, [
            {administrator,     {in_group, "cn=xxxxx,cn=groups,cn=accounts,dc=company,dc=com", "uniqueMember"}},
            {management,        {constant, true}}
        ]}
    ]}
].
```
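Added illustration, not code from the thread or from RabbitMQ: a small linter that parses a `rabbitmq.conf` and flags the three things that differ between the first post's config and the working one (port 636 with `use_ssl` commented out, no `auth_ldap.timeout`, a `user_dn_pattern` without the base DN), plus `verify_none`, which skips server certificate checking. The "fixed" sample and its `cacertfile` path are constructed; the interpretation that a plaintext bind to an LDAPS port sits idle until the server drops it is an assumption drawn from the log above.

```python
"""Lint a RabbitMQ LDAP rabbitmq.conf for the mistakes seen in this thread."""

# Constructed sample: the first post's config (login hangs).
BROKEN_CONF = """
auth_backends.1 = ldap
auth_ldap.port = 636
#auth_ldap.use_ssl = true
auth_ldap.servers.1 = ipa.company.com
auth_ldap.dn_lookup_base = dc=company,dc=com
auth_ldap.other_bind = as_user
auth_ldap.user_dn_pattern = uid=${username},cn=users,cn=accounts
"""

# Constructed sample: same settings with the fixes applied; cacertfile path is a placeholder.
FIXED_CONF = """
auth_backends.1 = ldap
auth_ldap.port = 636
auth_ldap.use_ssl = true
auth_ldap.servers.1 = ipa.company.com
auth_ldap.timeout = 10000
auth_ldap.ssl_options.verify = verify_peer
auth_ldap.ssl_options.cacertfile = /etc/rabbitmq/ipa-ca.pem
auth_ldap.dn_lookup_base = dc=company,dc=com
auth_ldap.user_dn_pattern = uid=${username},cn=users,cn=accounts,dc=company,dc=com
"""


def parse_conf(text):
    """Parse 'key = value' lines; '#' lines are comments. Values may contain '='."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def lint_ldap_conf(conf):
    """Return findings in a stable order; an empty list means nothing flagged."""
    findings = []
    use_ssl = conf.get("auth_ldap.use_ssl", "false") == "true"
    if conf.get("auth_ldap.port", "389") == "636" and not use_ssl:
        findings.append("port 636 without use_ssl: plaintext bind to an LDAPS port, hangs until the server drops it")
    if "auth_ldap.timeout" not in conf:
        findings.append("no auth_ldap.timeout: a dead server blocks the login until the TCP default")
    if conf.get("auth_ldap.ssl_options.verify") == "verify_none":
        findings.append("ssl_options.verify = verify_none: the LDAP server certificate is not checked")
    base, pattern = conf.get("auth_ldap.dn_lookup_base"), conf.get("auth_ldap.user_dn_pattern")
    if base and pattern and not pattern.lower().endswith(base.lower()):
        findings.append("user_dn_pattern does not end in the base DN: the bind DN is incomplete")
    return findings
```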
