LDAP woes


Gary B

Nov 20, 2017, 9:30:22 AM
to rabbitmq-users
I've been trying for some time to set up LDAP on a RabbitMQ cluster, but I keep running into issues. It seems some of the issues have been solved by others, but their actual solutions in various forums were not posted.

Here is my rabbitmq.config file:

[
  {rabbitmq_management, [
    {listener, [{port, 15671},
    {ssl, true}
    ]}
  ]},
  {rabbit, [
    {tcp_listeners, []},
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"/etc/rabbitmq/ssl/cacert.pem"},
                    {certfile,"/etc/rabbitmq/ssl/cert.pem"},
                    {keyfile,"/etc/rabbitmq/ssl/key.pem"},
                    {verify,verify_none},
                    {fail_if_no_peer_cert,false}]},
    {auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]}
  ]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ldap01","ldap02"]},

     {user_dn_pattern,       "uid=${username},ou=people,dc=company,dc=com"},
     %% {dn_lookup_attribute,   "uid"},
     %% {dn_lookup_base,        "DC=company,DC=com"},
     {use_ssl,               true},
     {port,                  636},
     {log,                   network_unsafe},
     {vhost_access_query,    {'or', [{in_group, "cn=group1,ou=groups,dc=company,dc=com","memberuid"},
                                     {in_group, "cn=group2,ou=groups,dc=company,dc=com","memberuid"}
                                    ]
                             }
     },
     {resource_access_query, {'or', [{in_group, "cn=group1,ou=groups,dc=company,dc=com","memberuid"},
                                     {in_group, "cn=group2,ou=groups,dc=company,dc=com","memberuid"}
                                    ]
                             }
     },
     {tag_queries,           [{administrator, {'or', [{in_group, "cn=group1,ou=groups,dc=company,dc=com", "memberuid"},
                                                      {in_group, "cn=group2,ou=groups,dc=company,dc=com","memberuid"}
                                                     ]
                                              }
                              }
                             ]
     }
   ]
  }
].


The enabled plugins list is:
[rabbitmq_auth_backend_ldap,rabbitmq_management].

When I log in through the admin interface my username and password are accepted. However, the dn becomes uid=myuser,ou=people,dc=company,dc=com and this value is looked up against the group membership on the memberuid value. memberuid in the group contains just the list of uid values, so this lookup fails (as I understand it).

=INFO REPORT==== 20-Nov-2017::14:04:07 ===
    LDAP network traffic: search request = {'SearchRequest',
                                            "cn=group1,ou=groups,dc=company,dc=com",
                                            baseObject,derefAlways,0,0,false,
                                            {equalityMatch,
                                             {'AttributeValueAssertion',
                                              "memberuid",
                                              "uid=myuser,ou=people,dc=company,dc=com"}},
                                            ["objectClass"]}



I've tried adding the {dn_lookup_attribute, "uid"} but this causes an error in the logs:
=ERROR REPORT==== 20-Nov-2017::13:42:55 ===
** Generic server <0.301.0> terminating
** Last message in was {submit,#Fun<rabbit_auth_backend_ldap.14.94440766>,
                               <0.618.0>,reuse}
** When Server state == {from,<0.618.0>,#Ref<0.2132095093.3561750529.105122>}
** Reason for termination ==
** {error,
       {{badmatch,
            {error,
                {asn1,
                    {function_clause,
                        [{'ELDAPv3',encode_restricted_string,
                             [none,[<<4>>]],
                             [{file,
                                  "/tmp/build/8979955e/erlang-rpm-src/BUILD/otp-OTP-20.1.5/lib/eldap/src/../ebin/ELDAPv3.erl"},
                              {line,3438}]},
                         {'ELDAPv3',enc_SearchRequest,2,
                             [{file,
                                  "/tmp/build/8979955e/erlang-rpm-src/BUILD/otp-OTP-20.1.5/lib/eldap/src/../ebin/ELDAPv3.erl"},
                              {line,1634}]},
                         {'ELDAPv3',enc_LDAPMessage_protocolOp,2,
                             [{file,
                                  "/tmp/build/8979955e/erlang-rpm-src/BUILD/otp-OTP-20.1.5/lib/eldap/src/../ebin/ELDAPv3.erl"},
                              {line,334}]},
                         {'ELDAPv3',enc_LDAPMessage,2,
                             [{file,
                                  "/tmp/build/8979955e/erlang-rpm-src/BUILD/otp-OTP-20.1.5/lib/eldap/src/../ebin/ELDAPv3.erl"},
                              {line,305}]},
                         {'ELDAPv3',encode,2,
                             [{file,
                                  "/tmp/build/8979955e/erlang-rpm-src/BUILD/otp-OTP-20.1.5/lib/eldap/src/../ebin/ELDAPv3.erl"},
                              {line,143}]},
                         {eldap,send_the_LDAPMessage,3,
                             [{file,"eldap.erl"},{line,994}]},
                         {eldap,collect_search_responses,4,
                             [{file,"eldap.erl"},{line,767}]},
                         {eldap,do_search,3,
                             [{file,"eldap.erl"},{line,719}]}]}}}},
        [{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},
         {eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},
         {eldap,do_search,3,[{file,"eldap.erl"},{line,719}]},
         {eldap,loop,2,[{file,"eldap.erl"},{line,521}]}]}}

=ERROR REPORT==== 20-Nov-2017::13:42:55 ===
Ranch listener rabbit_web_dispatch_sup_15671 had connection process started with cowboy_protocol:start_link/4 at <0.618.0> exit with reason: [{reason,{{error,{{badmatch,{error,{asn1,{function_clause,[{'ELDAPv3',encode_restricted_string,[none,[<<4>>]],[{file,"/tmp/build/8979955e/erlang-rpm-src/BUILD/otp-OTP-20.1.5/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,3438}]},{'ELDAPv3',enc_SearchRequest,2,[{file,"/tmp/build/8979955e/erlang-rpm-src/BUILD/otp-OTP-20.1.5/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,1634}]},{'ELDAPv3',enc_LDAPMessage_protocolOp,2,[{file,"/tmp/build/8979955e/erlang-rpm-src/BUILD/otp-OTP-20.1.5/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,334}]},{'ELDAPv3',enc_LDAPMessage,2,[{file,"/tmp/build/8979955e/erlang-rpm-src/BUILD/otp-OTP-20.1.5/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,305}]},{'ELDAPv3',encode,2,[{file,"/tmp/build/8979955e/erlang-rpm-src/BUILD/otp-OTP-20.1.5/lib/eldap/src/../ebin/ELDAPv3.erl"},{line,143}]},{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]}]}}}},[{eldap,send_the_LDAPMessage,3,[{file,"eldap.erl"},{line,994}]},{eldap,collect_search_responses,4,[{file,"eldap.erl"},{line,767}]},{eldap,do_search,3,[{file,"eldap.erl"},{line,719}]},{eldap,loop,2,[{file,"eldap.erl"},{line,521}]}]}},{gen_server2,call,[<0.301.0>,{submit,#Fun<rabbit_auth_backend_ldap.14.94440766>,<0.618.0>,reuse},infinity]}}},{mfa,{rabbit_mgmt_wm_whoami,is_authorized,2}},{stacktrace,[{gen_server2,call,3,[{file,"src/gen_server2.erl"},{line,327}]},{rabbit_auth_backend_ldap,user_login_authentication,2,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,79}]},{rabbit_access_control,try_authenticate,3,[{file,"src/rabbit_access_control.erl"},{line,88}]},{rabbit_access_control,'-check_user_login/2-fun-0-',4,[{file,"src/rabbit_access_control.erl"},{line,74}]},{lists,foldl,3,[{file,"lists.erl"},{line,1263}]},{rabbit_mgmt_util,is_authorized,6,[{file,"src/rabbit_mgmt_util.erl"},{line,161}]},{cowboy_rest,call,3,[{file,"src/cowboy_rest.erl"},{line,976}]},{cowboy_rest,is_authorized,2,[{file,"src/cowboy_rest.erl"},{line,150}]}]},{req,[{socket,{sslsocket,{gen_tcp,#Port<0.21348>,tls_connection,<0.504.0>},<0.617.0>}},{transport,ranch_ssl},{connection,keepalive},{pid,<0.618.0>},{method,<<"GET">>},{version,'HTTP/1.1'},{peer,{{10,105,64,53},59845}},{host,<<"dubdc2testldaprabbitmq01.cmdb.inhouse.company.com">>},{host_info,undefined},{port,15671},{path,<<"/api/whoami">>},{path_info,undefined},{qs,<<>>},{qs_vals,[]},{bindings,[]},{headers,[{<<"host">>,<<"dubdc2testldaprabbitmq01.cmdb.inhouse.company.com:15671">>},{<<"connection">>,<<"keep-alive">>},{<<"user-agent">>,<<"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36">>},{<<"authorization">>,<<"Basic Z2J1cmtlOkFzYVMuXjIz">>},{<<"content-type">>,<<"application/json">>},{<<"accept">>,<<"*/*">>},{<<"referer">>,<<"https://dubdc2testldaprabbitmq01.cmdb.inhouse.company.com:15671/">>},{<<"accept-encoding">>,<<"gzip, deflate, br">>},{<<"accept-language">>,<<"en-GB,en-US;q=0.9,en;q=0.8">>},{<<"cookie">>,<<"m=2258:Z2J1cmtlOkFzYVMuXjIz">>}]},{p_headers,[{<<"connection">>,[<<"keep-alive">>]}]},{cookies,undefined},{meta,[]},{body_state,waiting},{buffer,<<>>},{multipart,undefined},{resp_compress,true},{resp_state,waiting},{resp_headers,[{<<"vary">>,<<"origin">>}]},{resp_body,<<>>},{onresponse,#Fun<rabbit_cowboy_middleware.onresponse.4>}]},{state,{context,undefined,none,undefined}}]


Adding {dn_lookup_base, "DC=company,DC=com"} removes that error, but I get the same result as without either dn_lookup entry:

=INFO REPORT==== 20-Nov-2017::14:20:01 ===
        LDAP template result: "cn=group1,ou=groups,dc=company,dc=com"

=INFO REPORT==== 20-Nov-2017::14:20:01 ===
    LDAP network traffic: search request = {'SearchRequest',
                                            "cn=group1,ou=groups,dc=company,dc=com",
                                            baseObject,derefAlways,0,0,false,
                                            {equalityMatch,
                                             {'AttributeValueAssertion',
                                              "memberuid",
                                              "uid=myuser,ou=people,dc=company,dc=com"}},
                                            ["objectClass"]}

=INFO REPORT==== 20-Nov-2017::14:20:01 ===
    LDAP network traffic: search reply = searchResDone

=INFO REPORT==== 20-Nov-2017::14:20:01 ===
    LDAP evaluated in_group for "cn=group1,ou=groups,dc=company,dc=com": false



What am I doing wrong?

Some LDAP lookups, for completeness:

$ ldapsearch -H ldaps://ldap01:636 -x -b "uid=myuser,ou=People,dc=company,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=myuser,ou=People,dc=company,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# myuser, People, company.com
dn: uid=myuser,ou=People,dc=company,dc=com
uidNumber: 501
gidNumber: 100
givenName: My
sn: User
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: myuser
cn: My User
homeDirectory: /home/myuser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1



$ ldapsearch -H ldaps://ldap01:636 -x -b 'cn=group1,ou=groups,dc=company,dc=com'
# extended LDIF
#
# LDAPv3
# base <cn=group1,ou=groups,dc=company,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# group1, Groups, company.com
dn: cn=group1,ou=Groups,dc=company,dc=com
memberUid: myuser
memberUid: myuser1
memberUid: myuser2
memberUid: myuser3
memberUid: myuser4
memberUid: myuser5
gidNumber: 70001
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: group1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Installed RPMs on CentOS 6:
rabbitmq-server-3.6.14-1.el6.noarch
erlang-20.1.5-1.el6.x86_64



Help, please.
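To make the failure in the log above concrete, here is an added offline model (not code from the RabbitMQ LDAP plugin or from the poster) of what an `in_group` query asks the directory. It reproduces the logged SearchRequest: a baseObject-scoped search at the group DN with an equalityMatch filter on the member attribute, where the filter value is the user DN expanded from `user_dn_pattern`. The two entries are a constructed copy of the ldapsearch output in the post; the `uniqueMember` variant is a hypothetical group edited to hold user DNs, which is an assumption rather than something on the page. `member_attribute_kind` is the pre-flight check a practitioner wants before choosing a query: does the group attribute hold DNs or bare names?

```python
"""Offline model of how the RabbitMQ LDAP plugin's in_group query is evaluated.

Added illustration, not plugin code. It mirrors the SearchRequest seen in the
log: scope baseObject at the group DN, filter equalityMatch(memberuid = user DN).
"""

# Values taken from the rabbitmq.config in the post.
USER_DN_PATTERN = "uid=${username},ou=people,dc=company,dc=com"
GROUP_DN = "cn=group1,ou=groups,dc=company,dc=com"

# Constructed copy of the two entries in the ldapsearch output above.
DIRECTORY = {
    "uid=myuser,ou=People,dc=company,dc=com": {
        "uid": ["myuser"],
        "objectClass": ["top", "person", "organizationalPerson",
                        "inetorgperson", "posixAccount"],
    },
    "cn=group1,ou=Groups,dc=company,dc=com": {
        "memberUid": ["myuser", "myuser1", "myuser2", "myuser3",
                      "myuser4", "myuser5"],
        "objectClass": ["top", "groupofuniquenames", "posixgroup"],
    },
}

# Hypothetical variant (assumption, not on the page): the same group with an
# extra attribute whose values are full user DNs, which is what in_group needs.
DIRECTORY_WITH_DN_MEMBERS = {
    **DIRECTORY,
    "cn=group1,ou=Groups,dc=company,dc=com": {
        **DIRECTORY["cn=group1,ou=Groups,dc=company,dc=com"],
        "uniqueMember": ["uid=myuser,ou=People,dc=company,dc=com"],
    },
}


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation: lower-case each RDN and strip spaces.
    Real DN matching rules are richer; this is enough for these entries."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def fill_pattern(pattern: str, username: str) -> str:
    """Expand ${username} the way user_dn_pattern is expanded."""
    return pattern.replace("${username}", username)


def _lookup(directory, dn):
    """Return the entry stored under dn (DN comparison is case-insensitive)."""
    return next((e for d, e in directory.items()
                 if normalize_dn(d) == normalize_dn(dn)), None)


def _values(entry, attr):
    """Attribute values by case-insensitive attribute name; [] if absent."""
    return next((v for a, v in entry.items() if a.lower() == attr.lower()), [])


def base_object_search(directory, base_dn, attr, value) -> bool:
    """Model of the logged SearchRequest: True when the entry at base_dn exists
    and one of its values for attr equals value (compared case-insensitively)."""
    entry = _lookup(directory, base_dn)
    if entry is None:
        return False
    return any(v.lower() == value.lower() for v in _values(entry, attr))


def in_group(directory, group_dn, attr, username) -> bool:
    """What {in_group, GroupDN, Attr} asks: is the expanded *user DN*
    one of the values of Attr on the group entry?"""
    return base_object_search(directory, group_dn, attr,
                              fill_pattern(USER_DN_PATTERN, username))


def member_attribute_kind(directory, group_dn, attr):
    """Pre-flight check: does the group's member attribute hold DNs ('dn'),
    bare names ('name'), or nothing at all (None)?"""
    entry = _lookup(directory, group_dn)
    if entry is None:
        return None
    values = _values(entry, attr)
    if not values:
        return None
    return "dn" if all("=" in v for v in values) else "name"


if __name__ == "__main__":
    print("memberUid holds:", member_attribute_kind(DIRECTORY, GROUP_DN, "memberuid"))
    print("in_group via memberUid:", in_group(DIRECTORY, GROUP_DN, "memberuid", "myuser"))
    print("uniqueMember holds:",
          member_attribute_kind(DIRECTORY_WITH_DN_MEMBERS, GROUP_DN, "uniquemember"))
    print("in_group via uniqueMember:",
          in_group(DIRECTORY_WITH_DN_MEMBERS, GROUP_DN, "uniquemember", "myuser"))
```

Running it shows the same outcome as the `LDAP evaluated in_group ... false` line: `memberUid` holds bare names, so the filter value `uid=myuser,ou=people,dc=company,dc=com` never matches, while the DN-valued `uniqueMember` variant matches. Two things to keep in mind when sharing logs like the ones in this thread: the Ranch crash report reproduces the HTTP request verbatim, including the `authorization` header, and `{log, network_unsafe}` additionally writes LDAP bind traffic including passwords to the log, so such output should be treated as credential material and the password rotated once the log has left the host.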

Michael Klishin

Nov 20, 2017, 11:17:46 AM
to rabbitm...@googlegroups.com
The error says that Erlang's ASN.1 library fails to encode a "restricted string" when invoked
by Erlang's LDAP client. Neither is maintained by our team.

Feel free to try e.g. 19.3.6.3 to compare.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Gary

Nov 20, 2017, 12:51:05 PM
to rabbitm...@googlegroups.com

I tried Erlang 19 also. I upgraded Erlang and rabbit and got the same error.

To be honest, I'm not bothered by the error. I just want to get LDAP working, so are my settings in rabbitmq.config correct?



Gary B

Nov 22, 2017, 4:28:50 AM
to rabbitmq-users
Anyone got any other suggestions, please?

dfed...@pivotal.io

Nov 23, 2017, 4:42:43 AM
to rabbitmq-users
Hi,

Unfortunately what you want to do is not possible. `in_group` queries can only run with a DN, not with pattern strings.
You can change memberUid to be a user DN or add an additional attribute with a user DN as its value.
Without changing the LDAP layout, you can try using an `attribute` query. In your case, instead of `{in_group, "cn=group1,ou=groups,dc=company,dc=com","memberuid"}` you can use `{equals, {attribute, "cn=group1,ou=groups,dc=company,dc=com", "memberuid"}, {string, "${username}"}}`. I'm not sure if it's going to work though.

Gary

Nov 23, 2017, 9:02:07 AM
to rabbitm...@googlegroups.com
Thanks. I'll give this a try and let you know how I get on.

Gary

Nov 23, 2017, 9:36:45 AM
to rabbitm...@googlegroups.com
I get an error:

=ERROR REPORT==== 23-Nov-2017::14:32:27 ===
** Generic server <0.229.0> terminating
** Last message in was {submit,#Fun<rabbit_auth_backend_ldap.14.94440766>,
                               <0.546.0>,reuse}
** When Server state == {from,<0.546.0>,#Ref<0.4188487545.1554251777.143019>}
** Reason for termination ==
** {function_clause,
       [{rabbit_auth_backend_ldap,'-do_tag_queries/5-lc$^0/1-0-',
            [{equals,
                 {attribute,"cn=group1,ou=groups,dc=company,dc=com",
                     "memberuid"},
                 {string,"${username}"}}],
            [{file,"src/rabbit_auth_backend_ldap.erl"},{line,612}]},
        {rabbit_auth_backend_ldap,do_tag_queries,5,
            [{file,"src/rabbit_auth_backend_ldap.erl"},{line,612}]},
        {rabbit_auth_backend_ldap,do_login,5,
            [{file,"src/rabbit_auth_backend_ldap.erl"},{line,603}]},
        {rabbit_auth_backend_ldap,'-with_ldap/3-fun-2-',4,
            [{file,"src/rabbit_auth_backend_ldap.erl"},{line,422}]},
        {worker_pool_worker,handle_call,3,
            [{file,"src/worker_pool_worker.erl"},{line,105}]},
        {gen_server2,handle_msg,2,[{file,"src/gen_server2.erl"},{line,1026}]},
        {proc_lib,wake_up,3,[{file,"proc_lib.erl"},{line,257}]}]}

plus the big block above, with these settings:

     {vhost_access_query,{equals, {attribute, "cn=group1,ou=groups,dc=company,dc=com", "memberuid"}, {string, "${username}"}}},
     {resource_access_query,{equals, {attribute, "cn=group1,ou=groups,dc=company,dc=com", "memberuid"}, {string, "${username}"}}},
     {tag_queries,{equals, {attribute, "cn=group1,ou=groups,dc=company,dc=com", "memberuid"}, {string, "${username}"}}}

I also removed these 2 lines, but got the same error:
%%     {dn_lookup_attribute,   "uid"},
%%     {dn_lookup_base,        "DC=company,DC=com"},


Thanks

dfed...@pivotal.io

Nov 23, 2017, 10:46:21 AM
to rabbitmq-users
Hi,

It seems like the `do_tag_queries` function fails because `tag_queries` should be a list of tuples with the tag name (e.g. administrator) as the first element of each tuple, just like in your original post.

Gary

Nov 23, 2017, 10:51:58 AM
to rabbitm...@googlegroups.com
Which basically means I still can't do this without either a change in the LDAP setup, which is out of my control, or someone changing the RabbitMQ LDAP plugin...