LDAP lookups using Active Directory credentials


bo.bell...@gmail.com

Oct 24, 2018, 9:45:35 AM
to rabbitmq-users
Hi,

Does anyone know if it's possible to do LDAP query matching when logged on with an Active Directory id (DomainName\UserName)?

I have found old responses (2015/2016) to similar questions referring to anonymous bind or a separate read-only bind account. In our environment this is against policy.

The consequence is that using user logon binding sets the ${username} variable to "MyDomain\MyUserId"; hence a match against an LDAP entry like sAMAccountName=MyUserId, DC=MyDomainName fails :-(
So currently we can use LDAP for logon but not for group-based authorization.

Any suggestions?

/bo.


 

Luke Bakken

Oct 24, 2018, 12:43:26 PM
to rabbitmq-users
Hello,

Could you share your full RabbitMQ configuration as well as share output when network_unsafe is the log level? https://www.rabbitmq.com/ldap.html#logging

Feel free to scrub sensitive data, if there is any.

This will help get a picture of what is currently happening.

Thanks,
Luke

bo.bell...@gmail.com

Oct 25, 2018, 7:49:42 AM
to rabbitmq-users

I've provided an example below; the operation is:

  1. Logged on as user MyDomain\MyUser
  2. Tried to create a new queue on vhost = MyVhost
  3. Result in the management console is "Access refused"

I've included:

  • advanced.config, where configure access is tied to group membership of RabbitMqAdmin
  • OpenLDAP search operations displaying the content of the group and the logged-on user
  • the RabbitMQ log with the relevant log entries

As far as I can understand, the problem is the lookup of the DN: the user record does not contain any member attribute equal to ${username}. Currently I try to compare the sAMAccountName attribute with ${username}; in this case they are "MyUser" and "MyDomain\MyUser".


/bo.



##########################################

=====>  Output from OpenLDAP search:    <=======

=====>  GROUP   <=========


PS C:\openldap\ClientTools> .\ldapsearch -D MyDomain\MyUser -w MyPassword -b "ou=Access, ou=Groups,ou=MyDepartment,dc=MyDomain,dc=acme,dc=net" -h "MyLdapServer" "CN=MyAdminGroup" member
ldap_connect_to_host: TCP MyLdapServer:389
ldap_new_socket: 412
ldap_prepare_socket: 412
ldap_connect_to_host: Trying 10.54.224.20:389
ldap_pvt_connect: fd: 412 tm: -1 async: 0
attempting to connect:
connect success
# extended LDIF
#
# LDAPv3
# base <ou=Access, ou=Groups,ou=MyDepartment,dc=MyDomain,dc=acme,dc=net> with scope subtree
# filter: CN=RabbitMqAdmin
# requesting: member
#

# RabbitMqAdmin, Access, Groups, MyDepartment, MyDomain.acme.net
dn: CN=RabbitMqAdmin,OU=Access,OU=Groups,OU=Mydepartment,DC=MyDomain,DC=acme,DC=net
member: CN=Olsen\, Ole,OU=Users,OU=MyDepartment,DC=MyDomain,DC=acme,DC=net

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

=======> USER <=============

PS C:\openldap\ClientTools> .\ldapsearch -D MyDomain\MyUser -w MyPassword -b "dc=MyDomain,dc=acme,dc=net" -h "MyLdapServer" "sAMAccountName=MyUser" name cn memberOf sAMAccountName
ldap_connect_to_host: TCP MyLdapServer:389
ldap_new_socket: 784
ldap_prepare_socket: 784
ldap_connect_to_host: Trying 10.54.224.20:389
ldap_pvt_connect: fd: 784 tm: -1 async: 0
attempting to connect:
connect success
# extended LDIF
#
# LDAPv3
# base <dc=MyDomain,dc=acme,dc=net> with scope subtree
# filter: sAMAccountName=MyUser
# requesting: name
#

# Olsen\2C Ole, Users, MyDepartment, MyDomain.acme.net
dn: CN=Olsen\, Ole,OU=Users,OU=MyDepartment,DC=MyDomain,DC=acme,DC=net
cn: Olsen, Ole
memberOf: CN=RabbitMqAdmin,OU=Access,OU=Groups,OU=MyDepartment,DC=MyDomain,DC=acme,DC=net
memberOf: CN=MailUser, OU= ....
name: Olsen, Ole
sAMAccountName: MyUser

# search result
search: 2
result: 0 Success




###########################################

=======> RabbitMQ log - try to create a new queue  <===============

2018-10-25 11:17:14.659 [info] <0.766.0> LDAP CHECK: login for MyDomain\MyUser
2018-10-25 11:17:14.659 [info] <0.766.0>         LDAP filling template "${username}" with [{username,<<"MyDomain\\MyUser">>}]
2018-10-25 11:17:14.660 [info] <0.766.0>         LDAP template result: "MyDomain\MyUser"
2018-10-25 11:17:14.660 [info] <0.766.0>     LDAP connecting to servers: ["MyLdapServer"]
2018-10-25 11:17:14.683 [info] <0.767.0>     LDAP network traffic: bind request = {'BindRequest',3,"MyDomain\\MyUser",{simple,<<"MyPassword">>}}
2018-10-25 11:17:14.691 [info] <0.767.0>     LDAP network traffic: bind reply = {ok,{'LDAPMessage',1,{bindResponse,{'BindResponse',success,[],[],asn1_NOVALUE,asn1_NOVALUE}},asn1_NOVALUE}}
2018-10-25 11:17:14.691 [info] <0.295.0>     LDAP bind succeeded: MyDomain\MyUser
2018-10-25 11:17:14.691 [info] <0.295.0>         LDAP filling template "${username}" with [{username,<<"MyDomain\\MyUser">>}]
2018-10-25 11:17:14.691 [info] <0.295.0>         LDAP template result: "MyDomain\MyUser"
2018-10-25 11:17:14.691 [info] <0.767.0>     LDAP network traffic: search request = {'SearchRequest',"dc=MyDomain,dc=acme,dc=net",wholeSubtree,derefAlways,0,0,false,{equalityMatch,{'AttributeValueAssertion',"sAMAccountName","MyDomain\\MyUser"}},["distinguishedName"]}
2018-10-25 11:17:14.698 [info] <0.767.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',2,{searchResRef,["ldap://MyDomain.acme.net/CN=Configuration,dc=MyDomain,dc=acme,dc=net"]},asn1_NOVALUE}}
2018-10-25 11:17:14.698 [info] <0.767.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',2,{searchResDone,{'LDAPResult',success,[],[],asn1_NOVALUE}},asn1_NOVALUE}}
2018-10-25 11:17:14.698 [info] <0.767.0>     LDAP network traffic: search reply = searchResDone 
2018-10-25 11:17:14.698 [warning] <0.295.0> Searching for DN for MyDomain\MyUser, got back []

....

2018-10-25 11:26:45.482 [info] <0.791.0> LDAP CHECK: configure permission for queue "test" in "MyVhost" for "MyDomain\MyUser"
2018-10-25 11:26:45.482 [info] <0.791.0>     LDAP connecting to servers: ["MyLdapServer"]
2018-10-25 11:26:45.482 [info] <0.767.0>     LDAP network traffic: bind request = {'BindRequest',3,"MyDomain\\MyUser",{simple,<<"MyPassword">>}}
2018-10-25 11:26:45.490 [info] <0.767.0>     LDAP network traffic: bind reply = {ok,{'LDAPMessage',29,{bindResponse,{'BindResponse',success,[],[],asn1_NOVALUE,asn1_NOVALUE}},asn1_NOVALUE}}
2018-10-25 11:26:45.490 [info] <0.295.0>     LDAP bind succeeded: MyDomain\MyUser
2018-10-25 11:26:45.490 [info] <0.295.0>     LDAP evaluating query: {for,[{permission,configure,{in_group,"cn=RabbitMqAdmin"}},{permission,write,{constant,true}},{permission,read,{constant,true}}]}
2018-10-25 11:26:45.490 [info] <0.295.0>     LDAP selecting subquery permission = configure
2018-10-25 11:26:45.490 [info] <0.295.0>     LDAP evaluating query: {in_group,"cn=RabbitMqAdmin"}
2018-10-25 11:26:45.490 [info] <0.295.0>     LDAP evaluating query: {in_group,"cn=RabbitMqAdmin","member"}
2018-10-25 11:26:45.490 [info] <0.295.0>         LDAP filling template "cn=RabbitMqAdmin" with [{username,<<"MyDomain\\MyUser">>},{user_dn,"MyDomain\\MyUser"},{vhost,<<"MyVhost">>},{resource,queue},{name,<<"test">>},{permission,configure}]
2018-10-25 11:26:45.490 [info] <0.295.0>         LDAP template result: "cn=RabbitMqAdmin"
2018-10-25 11:26:45.490 [info] <0.767.0>     LDAP network traffic: search request = {'SearchRequest',"cn=RabbitMqAdmin",baseObject,derefAlways,0,0,false,{equalityMatch,{'AttributeValueAssertion',"member","MyDomain\\MyUser"}},["objectClass"]}
2018-10-25 11:26:45.497 [info] <0.767.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',30,{searchResDone,{'LDAPResult',operationsError,[],[48,48,48,48,50,48,68,54,58,32,83,118,99,69,114,114,58,32,68,83,73,68,45,48,51,49,48,48,56,49,66,44,32,112,114,111,98,108,101,109,32,53,48,49,50,32,40,68,73,82,95,69,82,82,79,82,41,44,32,100,97,116,97,32,48,10,0],asn1_NOVALUE}},asn1_NOVALUE}}
2018-10-25 11:26:45.497 [info] <0.295.0>     LDAP evaluated in_group for "cn=RabbitMqAdmin": {error,operationsError}
2018-10-25 11:26:45.497 [info] <0.295.0>     LDAP evaluate error: MyDomain\MyUser operationsError
2018-10-25 11:26:45.497 [info] <0.791.0> LDAP DECISION: configure permission for queue "test" in "MyVhost" for "MyDomain\MyUser": {error,ldap_evaluate_error}
2018-10-25 11:26:45.497 [error] <0.791.0> access to queue 'test' in vhost 'MyVhost' refused for user 'MyDomain\MyUser', backend rabbit_auth_backend_ldap returned an error: ldap_evaluate_error
2018-10-25 11:26:45.497 [warning] <0.791.0> Declare queue error: access to queue 'test' in vhost 'MyVhost' refused for user 'MyDomain\MyUser', backend rabbit_auth_backend_ldap returned an error: ldap_evaluate_error


##############################################

=======> Rabbit MQ advanced.config <===============

...
{rabbitmq_auth_backend_ldap, [
  %% network_unsafe also prints bind credentials in clear text (see the bind request lines in the log above)
  {log, network_unsafe},
  {servers, ["MyLdapServer"]},
  {dn_lookup_attribute, "sAMAccountName"},
  {dn_lookup_base, "dc=MyDomain,dc=acme,dc=net"},
  {group_lookup_base, "ou=Access,ou=Groups,ou=MyDepartment,dc=MyDomain,dc=acme,dc=net"},
  {tag_queries, [
    {administrator, {constant, false}},
    {management,    {constant, true}},
    {monitoring,    {constant, false}}
  ]},
  {vhost_access_query,
    {'not', {equals, {string, "${vhost}"}, {string, "/"}}}},
  {resource_access_query,
    {for, [
      %% the log above shows in_group evaluated as a baseObject search with this string as the search base
      {permission, configure, {in_group, "cn=RabbitMqAdmin"}},
      {permission, write,     {constant, true}},
      {permission, read,      {constant, true}}
    ]}}
]}
...

Luke Bakken

Oct 25, 2018, 10:38:19 AM
to rabbitmq-users
Hello,

Thank you for the complete set of data I needed to check out your issue. Unfortunately, there's no way to translate a username of MyDomain\MyUser into just MyUser for doing the DN lookup necessary to establish group membership. All the LDAP testing I've done, and all the use I've seen on this mailing list, uses usernames in user@domain format or just username format, which can be used for the simple bind operation and then be searched via the sAMAccountName attribute.

I'm not an Active Directory DS expert by any means, so in your case, what configuration is used to limit logging in to only usernames in Domain\User format? Is this a common scenario? If so, we may consider tokenizing the passed-in username and making additional substitution variables available.

I do all of my LDAP plugin testing using either OpenLDAP or Active Directory LDS.

Thanks,
Luke

bo.bell...@gmail.com

Oct 26, 2018, 4:40:28 AM
to rabbitmq-users
I'm no Active Directory expert either, but I do think this is a rather common scenario. At least, in every Microsoft shop I've been working in they use this type of logon user. In most situations end users do not enter the domain name; it's part of your computer setup and is only required if you try to connect to a server that is not a member of your domain.

I've done some more tests, and one of our domains worked by using the email address; this was added to a UserPrincipalName attribute on the user record. Unfortunately the others did not work that way, and changing the AD configuration is not an option :-(

This blog article ( http://blog.schertz.name/2012/08/understanding-active-directory-naming-formats/ )  gives some insight into the history of AD login names (old netbios limitations).

If it's possible to create "split" usernames, this would be very helpful for most AD installations (e.g. ${AdDomain} and ${AdAccountName}).

/bo.

Luke Bakken

Oct 26, 2018, 11:09:50 AM
to rabbitmq-users
Thanks for the information. I'll see what's involved in tokenizing usernames that contain a single backslash.

Luke

Luke Bakken

Oct 26, 2018, 3:43:35 PM
to rabbitmq-users
Hello again -

I've implemented tokenizing the passed-in username on the backslash character to allow the use of ad_domain and ad_user within templates:


What version of RabbitMQ are you using? I can build that plugin for your version for you to test. I have no way to test this myself.

Thanks,
Luke
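The Python below is an added example, not plugin code from the thread or from RabbitMQ. It models the two LDAP steps the network_unsafe log above shows (the sAMAccountName DN lookup under dn_lookup_base, then the in_group baseObject search for member=user_dn) against an in-memory directory constructed from the ldapsearch output earlier in the thread. It assumes the ad_domain/ad_user variables are produced by splitting the login name on its single backslash, as Luke describes; which plugin setting would accept a lookup-value template is not stated in the thread, so the lookup template is simply a parameter here. Two things the log shows are worth keeping apart: the DN lookup for "MyDomain\MyUser" returns nothing because the attribute holds "MyUser", so user_dn falls back to the raw login name; and the in_group query is then run with the bare "cn=RabbitMqAdmin" as its search base instead of the group's full DN, to which AD answers operationsError with the diagnostic bytes printed inside the LDAPResult (the helper decodes them). Using ${ad_user} for the lookup together with the group's full DN from the ldapsearch output gives the expected allow. Also note that the network_unsafe level writes the bind password in clear text, as the bind request lines above show; scrub it before sharing such logs.

```python
"""Model of the DN lookup and in_group steps seen in the thread's log.
Added example, not plugin code; the directory is constructed from the
ldapsearch output in the thread, not read from a live server."""
import re

GROUP_DN = "CN=RabbitMqAdmin,OU=Access,OU=Groups,OU=MyDepartment,DC=MyDomain,DC=acme,DC=net"
USER_DN = "CN=Olsen\\, Ole,OU=Users,OU=MyDepartment,DC=MyDomain,DC=acme,DC=net"
DN_LOOKUP_BASE = "dc=MyDomain,dc=acme,dc=net"   # dn_lookup_base from the config
DN_LOOKUP_ATTRIBUTE = "sAMAccountName"         # dn_lookup_attribute from the config

# Constructed in-memory directory: entry DN -> attributes (from the ldapsearch output).
DIRECTORY = {
    GROUP_DN: {"member": [USER_DN]},
    USER_DN: {"sAMAccountName": ["MyUser"], "memberOf": [GROUP_DN]},
}

# The diagnostic message bytes AD returned inside the logged LDAPResult.
AD_DIAG_BYTES = [48, 48, 48, 48, 50, 48, 68, 54, 58, 32, 83, 118, 99, 69, 114, 114, 58, 32,
                 68, 83, 73, 68, 45, 48, 51, 49, 48, 48, 56, 49, 66, 44, 32, 112, 114, 111,
                 98, 108, 101, 109, 32, 53, 48, 49, 50, 32, 40, 68, 73, 82, 95, 69, 82, 82,
                 79, 82, 41, 44, 32, 100, 97, 116, 97, 32, 48, 10, 0]

TEMPLATE_VAR = re.compile(r"\$\{(\w+)\}")


def tokenize_username(username):
    """Template variables for one login name.  A name with exactly one
    backslash ('DOMAIN\\user') also gets ad_domain and ad_user, modelled on
    the tokenizing described in the thread (assumption: same split rule)."""
    variables = {"username": username}
    if username.count("\\") == 1:
        variables["ad_domain"], variables["ad_user"] = username.split("\\")
    return variables


def fill_template(template, variables):
    """Expand ${name}.  An unknown variable raises instead of expanding to an
    empty string, so a config using ${ad_user} fails loudly for a bare login."""
    def lookup(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("template variable ${%s} is not available" % name)
        return variables[name]
    return TEMPLATE_VAR.sub(lookup, template)


def _same(a, b):
    """DNs and AD attribute values compare case-insensitively."""
    return a.casefold() == b.casefold()


def dn_lookup(base, attribute, value):
    """wholeSubtree search under base for attribute=value; returns the entry
    DN or None, like the plugin's 'Searching for DN' step.  Subtree
    membership is approximated by a DN suffix check."""
    hits = [dn for dn, attrs in DIRECTORY.items()
            if dn.casefold().endswith(base.casefold())
            and any(_same(v, value) for v in attrs.get(attribute, []))]
    return hits[0] if len(hits) == 1 else None


def in_group(group_dn, user_dn):
    """baseObject search on group_dn for member=user_dn, as the log shows.
    A base that is not an entry the directory holds is an operationsError
    (what AD returned for the bare 'cn=RabbitMqAdmin'), not a clean 'no'."""
    entry = next((attrs for dn, attrs in DIRECTORY.items() if _same(dn, group_dn)), None)
    if entry is None:
        raise LookupError("operationsError: search base %r is not a DN in the directory" % group_dn)
    return any(_same(member, user_dn) for member in entry.get("member", []))


def decode_ad_diagnostic(byte_list):
    """Turn the integer list RabbitMQ prints inside LDAPResult into AD's text."""
    return bytes(byte_list).decode("ascii").rstrip("\x00\n")


def configure_decision(username, lookup_value_template, in_group_template):
    """Replay the configure-permission check: DN lookup, then in_group.
    Returns 'allow', 'deny' or 'error' (the plugin logs the last one as
    ldap_evaluate_error and refuses access)."""
    try:
        variables = tokenize_username(username)
        value = fill_template(lookup_value_template, variables)
        user_dn = dn_lookup(DN_LOOKUP_BASE, DN_LOOKUP_ATTRIBUTE, value)
        # The log shows user_dn falling back to the raw login name when nothing is found.
        variables["user_dn"] = user_dn if user_dn is not None else username
        group_dn = fill_template(in_group_template, variables)
        return "allow" if in_group(group_dn, variables["user_dn"]) else "deny"
    except (KeyError, LookupError):
        return "error"


if __name__ == "__main__":
    print(decode_ad_diagnostic(AD_DIAG_BYTES))
    # As configured in the thread: lookup on ${username}, in_group on the bare CN -> error
    print(configure_decision("MyDomain\\MyUser", "${username}", "cn=RabbitMqAdmin"))
    # Full group DN alone is not enough; user_dn is still the raw login name -> deny
    print(configure_decision("MyDomain\\MyUser", "${username}", GROUP_DN))
    # ${ad_user} for the lookup plus the full group DN -> allow
    print(configure_decision("MyDomain\\MyUser", "${ad_user}", GROUP_DN))
```

The three calls at the bottom reproduce the refusal in the log, the intermediate state where only the group DN has been corrected, and the working combination. The model returns "error" rather than "deny" for a bad search base on purpose: in the log the plugin reports ldap_evaluate_error, which is a configuration fault to fix, not an authorization decision.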

bo.bell...@gmail.com

Oct 29, 2018, 3:29:35 AM
to rabbitmq-users
I've got 2 different versions running, 3.7.4 and 3.7.6, both running Erlang 20.3.

A build of the LDAP plugin would be wonderful; I'll test and give you feedback.

Thanks !

/bo.

Michael Klishin

Oct 29, 2018, 3:42:47 PM
to rabbitm...@googlegroups.com
We hope to produce a 3.7.9 RC in the next day or two, stay tuned.

It would be easier for you to try (and the safest, since newer plugin versions won't always work with older server versions, even in the case of patch releases).



--
MK

Staff Software Engineer, Pivotal/RabbitMQ