Active Directory LDAP in_group Help


Jason Finch

May 30, 2016, 11:30:51 PM
to rabbitmq-users
Trying to get LDAP membership working against a Windows 2012R2 domain, using RabbitMQ 3.6.1.

Authentication works, but I cannot figure out the correct configuration to get in_group membership working.

The LDAP search for in_group looks wrong: instead of passing username@domain I'm guessing it should pass the DN "CN=LAST First,OU=Testing-Users,OU=Users,OU=Department,DC=domain,DC=com,DC=au", but I don't know how to change it to do that. Reading the Rabbit docs, I assumed the plugin authenticated and then received the correct DN for the user, which would then be used for the in_group search template.


A user logs into RabbitMQ as: first.last

When I query with an ldap tool for the group, here is the member attribute:
member = CN=LAST First,OU=Testing-Users,OU=Users,OU=Department,DC=domain,DC=com,DC=au

Here is the rabbitmq.config section for ldap:

{servers, ["ldap.domain.com.au"]},
{user_dn_pattern, "${username}@domain.com.au"},
%% Also tried SamAccountName
{dn_lookup_atribute, "userPrincipalName"},
{dn_lookup_base, "DC=domain,DC=com,DC=au"},
{log, network},
{tag_queries, [
    {administrator, {in_group, "CN=RabbitAdmins,OU=Distribution Groups,OU=Groups,OU=Department,DC=domain,DC=com,DC=au"}}
]}


Here is the rabbitmq log:


 
=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP network traffic: search reply = {ok,
                                            {'LDAPMessage',5,
                                             {searchResDone,
                                              {'LDAPResult',success,[],[],asn1_NOVALUE}},
                                             asn1_NOVALUE}}

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP network traffic: search reply = searchResDone

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP evaluated in_group for "CN=RabbitAdmins,OU=Distribution Groups,OU=Groups,OU=Department,DC=domain,DC=com,DC=au": false

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP DECISION: does first.last have tag administrator? false

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP CHECK: does first.last have tag management?

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP evaluating query: {in_group,"CN=RabbitAdmins,OU=Distribution Groups,OU=Groups,OU=Department,DC=domain,DC=com,DC=au"}

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP evaluating query: {in_group,"CN=RabbitAdmins,OU=Distribution Groups,OU=Groups,OU=Department,DC=domain,DC=com,DC=au","member"}

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP filling template "CN=RabbitAdmins,OU=Distribution Groups,OU=Groups,OU=Department,DC=domain,DC=com,DC=au" with
          [{username,<<"first.last">>},
           {user_dn,"first...@domain.com.au"}]

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP template result: "CN=RabbitAdmins,OU=Distribution Groups,OU=Groups,OU=Department,DC=domain,DC=com,DC=au"

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP network traffic: search request = {'SearchRequest',
                                              "CN=RabbitAdmins,OU=Distribution Groups,OU=Groups,OU=Department,DC=domain,DC=com,DC=au",
                                              baseObject,derefAlways,0,0,false,
                                              {equalityMatch,
                                               {'AttributeValueAssertion',"member","first...@domain.com.au"}},
                                              ["objectClass"]}

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP network traffic: search reply = {ok,
                                            {'LDAPMessage',6,
                                             {searchResDone,
                                              {'LDAPResult',success,[],[],asn1_NOVALUE}},
                                             asn1_NOVALUE}}

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP network traffic: search reply = searchResDone

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP evaluated in_group for "CN=RabbitAdmins,OU=Distribution Groups,OU=Groups,OU=Department,DC=domain,DC=com,DC=au": false

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP DECISION: does first.last have tag management? false

=INFO REPORT==== 31-May-2016::11:35:05 ===
      LDAP DECISION: login for first.last: ok

=WARNING REPORT==== 31-May-2016::11:35:05 ===
      HTTP access denied: user 'first.last' - Not management user






Michael Klishin

May 31, 2016, 7:48:29 AM
to rabbitm...@googlegroups.com




--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Jason Finch

May 31, 2016, 7:30:41 PM
to rabbitm...@googlegroups.com
Thanks Michael,

I read through those tickets and don't think we align to any of them.

I did find that if I make the user log in as "LAST First" (rather than username or user...@domain.com.au) and change user_dn_pattern to:

{user_dn_pattern, "CN=${username},OU=Testing-Users,OU=Users,OU=Department,DC=domain,DC=com,DC=au"}

I get a successful match to the in_group query.

But this configuration doesn't seem right: the user typically would not know that format for login, and I've hard-pathed the dn_pattern, which may not be correct for all users.

I guess I'm missing the part where the docs say that, when authenticated, it should return the real DN. I don't appear to be getting the real DN back; if I did, then it would match the in_group member= attribute.






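To make the behaviour in both of Jason's posts concrete, here is an added Python model (not code from this thread or from the RabbitMQ plugin) of how rabbitmq_auth_backend_ldap derives user_dn and then evaluates in_group, run against a constructed in-memory stand-in for the directory. It assumes the plugin's documented option name dn_lookup_attribute; the config as posted spells it dn_lookup_atribute, which the plugin does not read, so user_dn stays the filled user_dn_pattern (the UPN), which is exactly the member equalityMatch against the UPN that the log shows.

```python
import re

# Constructed stand-in for the AD directory: DN -> attributes (no real LDAP traffic)
DIRECTORY = {
    "CN=LAST First,OU=Testing-Users,OU=Users,OU=Department,DC=domain,DC=com,DC=au": {
        "userPrincipalName": ["first.last@domain.com.au"],
        "sAMAccountName": ["first.last"],
    },
    "CN=RabbitAdmins,OU=Distribution Groups,OU=Groups,OU=Department,DC=domain,DC=com,DC=au": {
        "member": ["CN=LAST First,OU=Testing-Users,OU=Users,OU=Department,DC=domain,DC=com,DC=au"],
    },
}
GROUP = "CN=RabbitAdmins,OU=Distribution Groups,OU=Groups,OU=Department,DC=domain,DC=com,DC=au"

def fill(template, username, user_dn=""):
    """Expand ${username} and ${user_dn}, as the plugin's 'filling template' step does."""
    values = {"username": username, "user_dn": user_dn}
    return re.sub(r"\$\{(\w+)\}", lambda m: values[m.group(1)], template)

def resolve_user_dn(config, username):
    """Without dn_lookup_attribute, user_dn is just the filled user_dn_pattern; with it,
    that value is searched for under dn_lookup_base and the entry's real DN is used."""
    filled = fill(config["user_dn_pattern"], username)
    attr = config.get("dn_lookup_attribute")
    if attr is None:
        return filled
    base = config["dn_lookup_base"].lower()
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(base) and filled.lower() in [v.lower() for v in attrs.get(attr, [])]:
            return dn
    return filled  # no match: modelled here as falling back to the filled pattern value

def in_group(group_dn, user_dn, attribute="member"):
    """Base-object search on the group entry: equalityMatch(<attribute>, user_dn)."""
    members = DIRECTORY.get(group_dn, {}).get(attribute, [])
    return any(m.lower() == user_dn.lower() for m in members)

def evaluate(config, username):
    """Return (the user_dn the plugin would use, the in_group result for RabbitAdmins)."""
    user_dn = resolve_user_dn(config, username)
    return user_dn, in_group(GROUP, user_dn)

# Config as posted (dn_lookup_attribute effectively absent): user_dn is the UPN, so no match
POSTED = {"user_dn_pattern": "${username}@domain.com.au", "dn_lookup_base": "DC=domain,DC=com,DC=au"}
# Same config with the DN lookup actually enabled: the UPN resolves to the real DN, which matches
FIXED = dict(POSTED, dn_lookup_attribute="userPrincipalName")
# The second post's workaround: log in as "LAST First" with a hard-coded user_dn_pattern
WORKAROUND = {"user_dn_pattern": "CN=${username},OU=Testing-Users,OU=Users,OU=Department,DC=domain,DC=com,DC=au"}
```

evaluate(POSTED, "first.last") yields the UPN and False, evaluate(FIXED, "first.last") yields the "CN=LAST First,..." DN and True, and evaluate(WORKAROUND, "LAST First") yields True without any lookup, matching the three outcomes described in the thread.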
