Encrypt LDAP bind user password RabbitMQ 3.6.9 RHEL7.7


Thomas Oliw

Jan 27, 2020, 9:53:39 AM
to rabbitmq-users
Hello,

I am struggling to encrypt the LDAP bind user password in rabbitmq.config.

I read the documentation on https://www.rabbitmq.com/configure.html#configuration-encryption, but cannot get it to work.
This is our rabbitmq.config:

%% -*- mode: erlang -*-
%% ----------------------------------------------------------------------------
%% RabbitMQ Configuration File.
%%
%% ----------------------------------------------------------------------------
[
 {rabbit,
  [
   {tcp_listeners, [5672]},
   {ssl_listeners, [5671]},
   {ssl_options, [{cacertfile, "/dummy/path/cert"},
                 {certfile, "/dummy/path/cert"},
                 {keyfile, "/dummy/path/cert"},
                 {verify,verify_peer},
                 {fail_if_no_peer_cert,false}]},
   {auth_backends, [rabbit_auth_backend_internal,rabbit_auth_backend_ldap]},
   {default_user_tags, [management]},
   {loopback_users, []},
   {background_gc_enabled, true},
   {background_gc_target_interval, 60000},
   {vm_memory_high_watermark, 0.6},
   {disk_free_limit, 50000000},
   {collect_statistics_interval, 60000},
   {queue_index_embed_msgs_below, 1024},
   {rates_mode, basic}
  ]
 },

 %% ----------------------------------------------------------------------------
 %% RabbitMQ Management Plugin
 %%
 %% ----------------------------------------------------------------------------
 {rabbitmq_management,
  [
   {load_definitions, "/dummy/path/dist"},
   {listener, [{port, 8443},
               {ssl, true},
               {ssl_opts, [{cacertfile, "/dummy/path/cert"},
                           {certfile, "/dummy/path/cert"},
                           {keyfile, "/dummy/path/cert"}]}
              ]}
  ]
 },

 %% ----------------------------------------------------------------------------
 %% RabbitMQ LDAP Plugin
 %%
 %% ----------------------------------------------------------------------------
 {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ldap.server.com"]},
     {dn_lookup_attribute,       "sAMAccountName"},
     {dn_lookup_base,       "OU=ID,OU=Data,DC=acme,DC=com"},
     {dn_lookup_bind,       {"CN=ldapbind,OU=CA,OU=func,OU=P001,OU=ID,OU=Data,DC=acme,DC=com", {encrypted,<<"1GHudDW/BHcPQqg8oxBS2fwCjVkePhivHPeC6z+B7sh6BGg0+DfawCfE9XrYu1OmL1Fn+03xjTb3rtsdhAHzpQ==">>}}},
     {use_ssl,               true},
     {port,                  3269},
     {log,                   true},
     {vhost_access_query, {'or', [
       {in_group, "CN=ADMIN,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acme,DC=com"},
       {in_group, "CN=USERS,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acme,DC=com"}]}},

     %% Erlang string literals keep only the character after an unknown escape, so "\." is
     %% stored as a bare "." (a regex wildcard). A literal dot in these patterns must be "\\.".
     {resource_access_query,
           {for, [{permission, configure, {'or',
                                              [{'and',
                                                  [{in_group, "CN=USERS,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acme,DC=com"}, {match, {string, "${name}"}, {string, "^myrabbit\\.ext\\.${username}\\..*"}}]},

                                              {in_group, "CN=ADMIN,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acme,DC=com"}]
                                          }
                  },

                  {permission, write, {'or',
                                          [{'and',
                                              [{in_group, "CN=USERS,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acme,DC=com"}, {match, {string, "${name}"}, {string, "^myrabbit\\.ext\\.${username}\\..*|^myrabbit1$"}}]},

                                          {in_group, "CN=ADMIN,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acme,DC=com"}]
                                      }
                  },

                  {permission, read, {'or',
                                         [{'and',
                                             [{in_group, "CN=USERS,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acme,DC=com"}, {match, {string, "${name}"}, {string, "^myrabbit\\.ext\\.${username}\\..*|^myrabbit1"}}]},

                                         {in_group, "CN=ADMIN,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acme,DC=com"}]
                                     }

                  }

                 ]
           }
     },

     {tag_queries, [{administrator, {in_group, "CN=ADMIN,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acme,DC=com"}},
                    {management, {in_group, "CN=USERS,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acme,DC=com"}}]}
   ]
  },
 {config_entry_decoder, [
        {passphrase, <<"gummigurka">>}]}
].



Putting the LDAP bind user in cleartext works fine, but trying to encrypt the password fails.
From the instructions, I cannot really tell if I can use an encrypted password in this way.
The sensitive data is in the "LDAP Plugin" section, so maybe the "config_entry_decoder" has to be in that section too?
Or maybe the LDAP plugin does not have support for hiding passwords in this fashion?

I can successfully decode the password using rabbitmqctl:

rabbitmqctl encode --decode '{encrypted,<<"1GHudDW/BHcPQqg8oxBS2fwCjVkePhivHPeC6z+B7sh6BGg0+DfawrandomjunksdhAHzpQ==">>}' gummigurka
"mysecretpw"


Best Regards,

Thomas Oliw

Michael Klishin

Jan 29, 2020, 3:01:30 AM
to rabbitmq-users
I'm pretty sure config entry encryption is not available in RabbitMQ 3.6.9. The doc guides cover 3.8.

In fact, 3.6 has been out of support since May 2018 [1]. Please upgrade [2][3].


--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/568b2570-6182-46fe-908e-29b578d87736%40googlegroups.com.


--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Thomas Oliw

Jan 29, 2020, 6:58:25 AM
to rabbitmq-users
Hi Michael,

We have the same problem on RabbitMQ 3.8.0.
A large part of our installed base is stuck on 3.6.9, but we are working to lift those to 3.8.2.
The fact that we cannot use encryption of passwords is actually good; it gives us more leverage to force upgrades... :-)

So, would you say that we should be able to encrypt the LDAP plugin configuration parameter "dn_lookup_bind" password on 3.8.0?
If so, what is required? 

Do we need to put the "config_entry_decoder" part inside the LDAP Plugin configuration directly after the "{encrypted, XXX}" tuple?
Does it matter if we use a binary <<"passphrase">> or a string "passphrase"?
End goal is to point to a file that contains the passphrase. Does that file have to be written in any special way?
For instance:
'<<"passphrase">>'
"passphrase"
passphrase

Thanks!

Best Regards,

Thomas


Michael Klishin

Jan 29, 2020, 11:09:06 AM
to rabbitmq-users
Can we please confirm that your config file is actually loaded [1][2]?

Indeed there should be no need for the LDAP plugin to support config value encryption.



Arnaud Cogoluègnes

Jan 29, 2020, 11:12:56 AM
to rabbitm...@googlegroups.com
The config_entry_decoder block is misplaced; it should be in the
rabbit configuration block, see [1] for an example.

[1] https://www.rabbitmq.com/configure.html#configuration-encryption

Luke Bakken

Jan 29, 2020, 12:30:19 PM
to rabbitmq-users
Hi Thomas,

Even if the LDAP dn_lookup_bind password can be encrypted, having the decryption passphrase in the same file only obfuscates the passphrase. It does not add security unless you plan to prompt for the passphrase when RabbitMQ starts.

I'm not sure if deeply-nested configuration values can be encrypted. Testing it out and then verifying the effective configuration like Michael suggested is what you should try.

Thanks,
Luke

Thomas Oliw

Jan 30, 2020, 7:46:19 AM
to rabbitmq-users
Hi Michael,

Sure, I ran the "rabbitmqctl environment" command and pasted it below.

Thanks for your help!

Best Regards,
Thomas

Application environment of node mynode-123@myhost
[{amqp_client,[{prefer_ipv6,false},{ssl_options,[]}]},
 {asn1,[]},
 {aten,
     [{detection_threshold,0.99},
      {heartbeat_interval,100},
      {poll_interval,1000}]},
 {compiler,[]},
 {cowboy,[]},
 {cowlib,[]},
 {credentials_obfuscation,
     [{enabled,true},{ets_table_name,credentials_obfuscation}]},
 {crypto,[{fips_mode,false},{rand_cache_size,896}]},
 {eldap,[]},
 {gen_batch_server,[]},
 {goldrush,[]},
 {inets,[]},
 {jsx,[]},
 {kernel,
     [{inet_default_connect_options,[{nodelay,true}]},
      {inet_dist_listen_max,25672},
      {inet_dist_listen_min,25672},
      {logger,
          [{handler,default,logger_std_h,
               #{config => #{type => standard_io},
                 formatter =>
                     {logger_formatter,
                         #{legacy_header => true,single_line => false}}}}]},
      {logger_level,notice},
      {logger_sasl_compatible,false}]},
 {lager,
     [{async_threshold,20},
      {async_threshold_window,5},
      {colored,false},
      {colors,
          [{debug,"\e[0;38m"},
           {info,"\e[1;37m"},
           {notice,"\e[1;36m"},
           {warning,"\e[1;33m"},
           {error,"\e[1;31m"},
           {critical,"\e[1;35m"},
           {alert,"\e[1;44m"},
           {emergency,"\e[1;41m"}]},
      {crash_log,"log/crash.log"},
      {crash_log_count,5},
      {crash_log_date,"$D0"},
      {crash_log_msg_size,65536},
      {crash_log_rotator,lager_rotator_default},
      {crash_log_size,10485760},
      {error_logger_format_raw,true},
      {error_logger_hwm,50},
      {error_logger_hwm_original,50},
      {error_logger_redirect,true},
      {extra_sinks,
          [{error_logger_lager_event,
               [{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},
                {rabbit_handlers,
                    [{lager_forwarder_backend,[lager_event,inherit]}]}]},
           {rabbit_log_lager_event,
               [{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},
                {rabbit_handlers,
                    [{lager_forwarder_backend,[lager_event,inherit]}]}]},
           {rabbit_log_channel_lager_event,
               [{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},
                {rabbit_handlers,
                    [{lager_forwarder_backend,[lager_event,inherit]}]}]},
           {rabbit_log_connection_lager_event,
               [{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},
                {rabbit_handlers,
                    [{lager_forwarder_backend,[lager_event,inherit]}]}]},
           {rabbit_log_ldap_lager_event,
               [{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},
                {rabbit_handlers,
                    [{lager_forwarder_backend,[lager_event,inherit]}]}]},
           {rabbit_log_mirroring_lager_event,
               [{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},
                {rabbit_handlers,
                    [{lager_forwarder_backend,[lager_event,inherit]}]}]},
           {rabbit_log_queue_lager_event,
               [{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},
                {rabbit_handlers,
                    [{lager_forwarder_backend,[lager_event,inherit]}]}]},
           {rabbit_log_ra_lager_event,
               [{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},
                {rabbit_handlers,
                    [{lager_forwarder_backend,[lager_event,inherit]}]}]},
           {rabbit_log_federation_lager_event,
               [{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},
                {rabbit_handlers,
                    [{lager_forwarder_backend,[lager_event,inherit]}]}]},
           {rabbit_log_shovel_lager_event,
               [{handlers,[{lager_forwarder_backend,[lager_event,inherit]}]},
                {rabbit_handlers,
                    [{lager_forwarder_backend,[lager_event,inherit]}]}]},
           {rabbit_log_upgrade_lager_event,
               [{handlers,
                    [{lager_file_backend,
                         [{date,[]},
                          {file,
                              "/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/var/log/rabbitmq/mb1s10-acmecorp995_upgrade.log"},
                          {formatter_config,
                              [date," ",time," ",color,"[",severity,"] ",
                               {pid,[]},
                               " ",message,"\n"]},
                          {level,info},
                          {size,0}]}]},
                {rabbit_handlers,
                    [{lager_file_backend,
                         [{date,[]},
                          {file,
                              "/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/var/log/rabbitmq/mb1s10-acmecorp995_upgrade.log"},
                          {formatter_config,
                              [date," ",time," ",color,"[",severity,"] ",
                               {pid,[]},
                               " ",message,"\n"]},
                          {level,info},
                          {size,0}]}]}]}]},
      {handlers,
          [{lager_file_backend,
               [{date,[]},
                {file,
                    "/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/var/log/rabbitmq/mb1s10-acmecorp995.log"},
                {formatter_config,
                    [date," ",time," ",color,"[",severity,"] ",
                     {pid,[]},
                     " ",message,"\n"]},
                {level,info},
                {size,0}]}]},
      {log_root,
          "/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/var/log/rabbitmq"},
      {rabbit_handlers,
          [{lager_file_backend,
               [{date,[]},
                {file,
                    "/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/var/log/rabbitmq/mb1s10-acmecorp995.log"},
                {formatter_config,
                    [date," ",time," ",color,"[",severity,"] ",
                     {pid,[]},
                     " ",message,"\n"]},
                {level,info},
                {size,0}]}]}]},
 {mnesia,[{dir,"/usr/acmecorp/mb/rabbitmq_db/mb1s10-acmecorp995"}]},
 {observer_cli,[{plugins,[]}]},
 {os_mon,
     [{start_cpu_sup,false},
      {start_disksup,false},
      {start_memsup,false},
      {start_os_sup,false}]},
 {public_key,[]},
 {ra,[{data_dir,"/usr/acmecorp/mb/rabbitmq_db/mb1s10-acmecorp995/quorum"},
      {logger_module,rabbit_log_ra_shim},
      {segment_max_entries,32768},
      {wal_max_size_bytes,536870912}]},
 {rabbit,
     [{auth_backends,[rabbit_auth_backend_internal,rabbit_auth_backend_ldap]},
      {auth_mechanisms,['PLAIN','AMQPLAIN']},
      {autocluster,
          [{peer_discovery_backend,rabbit_peer_discovery_classic_config}]},
      {background_gc_enabled,true},
      {background_gc_target_interval,60000},
      {backing_queue_module,rabbit_priority_queue},
      {channel_max,2047},
      {channel_operation_timeout,15000},
      {channel_tick_interval,60000},
      {cluster_keepalive_interval,10000},
      {cluster_nodes,{[],disc}},
      {cluster_partition_handling,ignore},
      {collect_statistics,fine},
      {collect_statistics_interval,60000},
      {config_entry_decoder,[{passphrase,<<"gummigurka">>}]},
      {connection_max,infinity},
      {credit_flow_default_credit,{400,200}},
      {default_consumer_prefetch,{false,0}},
      {default_permissions,[<<".*">>,<<".*">>,<<".*">>]},
      {default_user,<<"guest">>},
      {default_user_tags,[management]},
      {default_vhost,<<"/">>},
      {delegate_count,16},
      {disk_free_limit,50000000},
      {disk_monitor_failure_retries,10},
      {disk_monitor_failure_retry_interval,120000},
      {enabled_plugins_file,
          "/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/etc/rabbitmq/enabled_plugins"},
      {feature_flags_file,
          "/usr/acmecorp/mb/rabbitmq_db/mb1s10-acmecorp995-feature_flags"},
      {fhc_read_buffering,false},
      {fhc_write_buffering,true},
      {frame_max,131072},
      {halt_on_upgrade_failure,true},
      {handshake_timeout,10000},
      {heartbeat,60},
      {hipe_compile,false},
      {hipe_modules,
          [rabbit_reader,rabbit_channel,gen_server2,rabbit_exchange,
           rabbit_command_assembler,rabbit_framing_amqp_0_9_1,rabbit_basic,
           rabbit_event,lists,queue,priority_queue,rabbit_router,rabbit_trace,
           rabbit_misc,rabbit_binary_parser,rabbit_exchange_type_direct,
           rabbit_guid,rabbit_net,rabbit_amqqueue_process,
           rabbit_variable_queue,rabbit_binary_generator,rabbit_writer,
           delegate,gb_sets,lqueue,sets,orddict,rabbit_amqqueue,
           rabbit_limiter,gb_trees,rabbit_queue_index,
           rabbit_exchange_decorator,gen,dict,ordsets,file_handle_cache,
           rabbit_msg_store,array,rabbit_msg_store_ets_index,rabbit_msg_file,
           rabbit_exchange_type_fanout,rabbit_exchange_type_topic,mnesia,
           mnesia_lib,rpc,mnesia_tm,qlc,sofs,proplists,credit_flow,pmon,
           ssl_connection,tls_connection,ssl_record,tls_record,gen_fsm,ssl]},
      {lager_default_file,
          "/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/var/log/rabbitmq/mb1s10-acmecorp995.log"},
      {lager_extra_sinks,
          [rabbit_log_lager_event,rabbit_log_channel_lager_event,
           rabbit_log_connection_lager_event,rabbit_log_ldap_lager_event,
           rabbit_log_mirroring_lager_event,rabbit_log_queue_lager_event,
           rabbit_log_ra_lager_event,rabbit_log_federation_lager_event,
           rabbit_log_shovel_lager_event,rabbit_log_upgrade_lager_event]},
      {lager_log_root,
          "/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/var/log/rabbitmq"},
      {lager_upgrade_file,
          "/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/var/log/rabbitmq/mb1s10-acmecorp995_upgrade.log"},
      {lazy_queue_explicit_gc_run_operation_threshold,1000},
      {log,
          [{file,
               [{file,
                    "/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/var/log/rabbitmq/mb1s10-acmecorp995.log"}]},
           {categories,
               [{upgrade,
                    [{file,
                         "/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/var/log/rabbitmq/mb1s10-acmecorp995_upgrade.log"}]}]}]},
      {loopback_users,[]},
      {max_message_size,134217728},
      {memory_monitor_interval,2500},
      {mirroring_flow_control,true},
      {mirroring_sync_batch_size,4096},
      {mnesia_table_loading_retry_limit,10},
      {mnesia_table_loading_retry_timeout,30000},
      {msg_store_credit_disc_bound,{4000,800}},
      {msg_store_file_size_limit,16777216},
      {msg_store_index_module,rabbit_msg_store_ets_index},
      {msg_store_io_batch_size,4096},
      {num_ssl_acceptors,10},
      {num_tcp_acceptors,10},
      {password_hashing_module,rabbit_password_hashing_sha256},
      {plugins_dir,"/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/plugins"},
      {plugins_expand_dir,
          "/usr/acmecorp/mb/rabbitmq_db/mb1s10-acmecorp995-plugins-expand"},
      {proxy_protocol,false},
      {queue_explicit_gc_run_operation_threshold,1000},
      {queue_index_embed_msgs_below,1024},
      {queue_index_max_journal_entries,32768},
      {quorum_cluster_size,5},
      {quorum_commands_soft_limit,256},
      {rates_mode,basic},
      {reverse_dns_lookups,false},
      {server_properties,[]},
      {ssl_allow_poodle_attack,false},
      {ssl_apps,[asn1,crypto,public_key,ssl]},
      {ssl_cert_login_from,distinguished_name},
      {ssl_handshake_timeout,5000},
      {ssl_listeners,[5671]},
      {ssl_options,
          [{cacertfile,"/random/cert/path/intermediate.pem"},
           {certfile,"/random/cert/path/cert.pem"},
           {keyfile,"/random/cert/path/private/key.pem"},
           {verify,verify_peer},
           {fail_if_no_peer_cert,false}]},
      {tcp_listen_options,
          [{backlog,128},
           {nodelay,true},
           {linger,{true,0}},
           {exit_on_close,false}]},
      {tcp_listeners,[5672]},
      {trace_vhosts,[]},
      {vhost_restart_strategy,continue},
      {vm_memory_calculation_strategy,rss},
      {vm_memory_high_watermark,0.6},
      {vm_memory_high_watermark_paging_ratio,0.5}]},
 {rabbit_common,[]},
 {rabbitmq_auth_backend_ldap,
     [{anon_auth,false},
      {dn_lookup_attribute,"sAMAccountName"},
      {dn_lookup_base,"OU=ID,OU=Data,DC=acmecorp,DC=com"},
      {dn_lookup_bind,
          {"CN=ldapbind,OU=CA,OU=SvcAccount,OU=P001,OU=ID,OU=Data,DC=acmecorp,DC=com",
           {encrypted,
               <<"AEfWPkJltJ0QsVNX4EONDFPkUfg4QFFZWjRandomGC6PNKAM0BlrwpxQYYM4IQ9uVUaBcjNDgAFH2lhNVocDqQ==">>}}},
      {group_lookup_base,none},
      {idle_timeout,300000},
      {log,true},
      {other_bind,as_user},
      {pool_size,64},
      {port,3269},
      {resource_access_query,
          {for,
              [{permission,configure,
                   {'or',
                       [{'and',
                            [{in_group,
                                 "CN=acmecorp-mb-lab,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acmecorp,DC=com"},
                             {match,
                                 {string,"${name}"},
                                 {string,
                                     "^acmecorp995.ext.${username}..*|fem.*"}}]},
                        {in_group,
                            "CN=INT_GLOBAL_ACME_OPS,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acmecorp,DC=com"}]}},
               {permission,write,
                   {'or',
                       [{'and',
                            [{in_group,
                                 "CN=acmecorp-mb-lab,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acmecorp,DC=com"},
                             {match,
                                 {string,"${name}"},
                                 {string,
                                     "^acmecorp995.ext.${username}..*|^mb1s10-acmecorp995$"}}]},
                        {in_group,
                            "CN=INT_GLOBAL_ACME_OPS,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acmecorp,DC=com"}]}},
               {permission,read,
                   {'or',
                       [{'and',
                            [{in_group,
                                 "CN=acmecorp-mb-lab,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acmecorp,DC=com"},
                             {match,
                                 {string,"${name}"},
                                 {string,
                                     "^acmecorp995.ext.${username}..*|^mb1s10-acmecorp995"}}]},
                        {in_group,
                            "CN=INT_GLOBAL_ACME_OPS,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acmecorp,DC=com"}]}}]}},
      {servers,["ldap-egad.internal.acmecorp.com"]},
      {ssl_options,[]},
      {tag_queries,
          [{administrator,
               {in_group,
                   "CN=INT_GLOBAL_ACME_OPS,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acmecorp,DC=com"}},
           {management,
               {in_group,
                   "CN=acmecorp-mb-lab,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acmecorp,DC=com"}}]},
      {timeout,infinity},
      {topic_access_query,{constant,true}},
      {use_ssl,true},
      {use_starttls,false},
      {user_bind_pattern,none},
      {user_dn_pattern,"${username}"},
      {vhost_access_query,
          {'or',
              [{in_group,
                   "CN=INT_GLOBAL_ACME_OPS,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acmecorp,DC=com"},
               {in_group,
                   "CN=acmecorp-mb-lab,OU=IDM,OU=P001,OU=GRP,OU=Data,DC=acmecorp,DC=com"}]}}]},
 {rabbitmq_federation,
     [{internal_exchange_check_interval,30000},
      {pgroup_name_cluster_id,false}]},
 {rabbitmq_federation_management,[]},
 {rabbitmq_management,
     [{content_security_policy,"default-src 'self'"},
      {cors_allow_origins,[]},
      {cors_max_age,1800},
      {http_log_dir,none},
      {listener,
          [{port,8443},
           {ssl,true},
           {ssl_opts,
               [{cacertfile,"/random/cert/path/intermediate.pem"},
                {certfile,"/random/cert/path/cert.pem"},
                {keyfile,"/random/cert/path/private/key.pem"}]}]},
      {load_definitions,
          "/usr/acmecorp/mb/acmecorp2.mb94.380/dist/rabbitmq/etc/rabbitmq/rabbitmq_load_definitions.json"},
      {management_db_cache_multiplier,5},
      {process_stats_gc_timeout,300000},
      {stats_event_max_backlog,250}]},
 {rabbitmq_management_agent,
     [{rates_mode,basic},
      {sample_retention_policies,
          [{global,[{605,5},{3660,60},{29400,600},{86400,1800}]},
           {basic,[{605,5},{3600,60}]},
           {detailed,[{605,5}]}]}]},
 {rabbitmq_web_dispatch,[]},
 {ranch,[]},
 {recon,[]},
 {sasl,[{errlog_type,error},{sasl_error_logger,false}]},
 {ssl,[{dtls_protocol_version,['dtlsv1.2']},{protocol_version,['tlsv1.2']}]},
 {stdlib,[]},
 {stdout_formatter,[]},
 {syntax_tools,[]},
 {sysmon_handler,
     [{busy_dist_port,true},
      {busy_port,false},
      {gc_ms_limit,0},
      {heap_word_limit,0},
      {port_limit,100},
      {process_limit,100},
      {schedule_ms_limit,0}]},
 {tools,[{file_util_search_methods,[{[],[]},{"ebin","esrc"},{"ebin","src"}]}]},
 {xmerl,[]}]

Thomas Oliw

Jan 30, 2020, 7:50:19 AM
to rabbitmq-users
Hi Arnaud,

I had the same suspicion and have moved the "config_entry_decoder" block around.
I get the same error (LDAP bind errors) regardless of where I put it.

Thanks for your help!

Best Regards,
Thomas

[
 {rabbit,
  [
   {tcp_listeners, [5672]},
   {ssl_listeners, [5671]},
   {ssl_options, [{cacertfile, "/random/cert/path/somecacert.pem"},
                 {certfile, "/random/path/somecert.pem"},
                 {keyfile, "/random/path/somekey.pem"},
                 {verify,verify_peer},
                 {fail_if_no_peer_cert,false}]},
   {auth_backends, [rabbit_auth_backend_internal,rabbit_auth_backend_ldap]},
   {default_user_tags, [management]},
   {loopback_users, []},
   {background_gc_enabled, true},
   {background_gc_target_interval, 60000},
   {vm_memory_high_watermark, 0.6},
   {disk_free_limit, 50000000},
   {collect_statistics_interval, 60000},
   {queue_index_embed_msgs_below, 1024},
   {rates_mode, basic},
   {config_entry_decoder, [{passphrase, <<"gummigurka">>}]}
  ]
 },


Thomas Oliw

Jan 30, 2020, 7:56:57 AM
to rabbitmq-users
Hi Luke,

I know that you can question what security this adds, but we have security breathing down our neck and are not allowed to have passwords in cleartext in any config files.
Encrypting this way is not an optimal solution, but at least we fulfill the requirements of not having passwords in cleartext.

End goal for us is to have the passphrase in a file that will be put on a secure location and locked down with restrictive permissions.
Far from perfect, but you can only build with what you have.

Thanks for helping!

Kind Regards,
Thomas

Luke Bakken

Jan 30, 2020, 10:49:15 AM
to rabbitmq-users
Hi Thomas,

The decoder only looks at the top-level application settings for encrypted values, so you have to encrypt the entire dn_lookup_bind value in this manner:

rabbitmqctl encode '{"CN=ldapbind,OU=CA,OU=func,OU=P001,OU=ID,OU=Data,DC=acme,DC=com", "PASSWORD"}' gummigurka
Encrypting value ...
{encrypted,<<"A8I2Z7WV1bp1BIoIn40YKJkA05mjxe96oIoZA3I0nGlPzXOFcdZ3oXw9NyzOzvi0KnXrz1ZWpUH21W6CbqJcye8LCmi8t89lmpwqY8zhv0MnYgHzwakybn6hRogobpDAzbttelWNX3ovZgqepH4FAQ==">>}


Then, use that as the second term:

{dn_lookup_bind, {encrypted, <<"...">>}},

Let us know how that works.
Thanks,
Luke
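
Arnaud's and Luke's two points, turned into a pre-flight check to run on a config file before restarting the broker. This is an added example, not RabbitMQ's own code: it parses the classic Erlang-term format (tuples, lists, strings, `<<"...">>` binaries, atoms, numbers) and flags a `config_entry_decoder` block that sits outside `{rabbit, [...]}` and any `{encrypted, ...}` tuple nested below a setting's top-level value, where the decoder never looks. The two sample configs and their ciphertext-like binaries are constructed; the parser keeps string escapes raw and does not try to decrypt anything.

```python
# Added example, not RabbitMQ project code: lints a classic Erlang-term config file.
import re

TOKEN_RE = re.compile(r'''
    (?P<ws>\s+|%[^\n]*)                  # whitespace or % comment
  | <<"(?P<bin>(?:[^"\\]|\\.)*)">>       # binary literal <<"...">>
  | "(?P<str>(?:[^"\\]|\\.)*)"           # string literal (escapes kept raw)
  | '(?P<qatom>[^']*)'                   # quoted atom such as 'or'
  | (?P<atom>[a-z][A-Za-z0-9_@]*)        # plain atom
  | (?P<num>-?\d+(?:\.\d+)?)             # integer or float
  | (?P<punct>[\[\]{},.])                # structural punctuation
''', re.VERBOSE)

class Atom(str):
    """Erlang atom; a str subclass, so Atom('rabbit') == 'rabbit'."""
SCALAR = {'bin': str.encode, 'str': str, 'atom': Atom, 'qatom': Atom,  # token kind -> value
          'num': lambda v: float(v) if '.' in v else int(v)}

def tokenize(text):
    pos = 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError(f"bad input at offset {pos}: {text[pos:pos + 20]!r}")
        pos = m.end()
        if m.lastgroup != 'ws':
            yield m.lastgroup, m.group(m.lastgroup)

def parse_term(toks, i):
    # Recursive descent: {..} -> tuple, [..] -> list; returns (value, next token index).
    kind, val = toks[i]
    if kind == 'punct' and val in '{[':
        close, items, i = ('}' if val == '{' else ']'), [], i + 1
        while toks[i] != ('punct', close):
            item, i = parse_term(toks, i)
            items.append(item)
            if toks[i] == ('punct', ','):
                i += 1
        return (tuple(items) if val == '{' else items), i + 1
    if kind not in SCALAR:
        raise SyntaxError(f"unexpected token {val!r}")
    return SCALAR[kind](val), i + 1

def parse_config(text):
    """Return the [{App, Settings}, ...] term of a config file terminated by '.'."""
    toks = list(tokenize(text)) + [(None, None)]   # sentinel marks end of input
    apps, i = parse_term(toks, 0)
    if toks[i] != ('punct', '.'):
        raise SyntaxError("config must be one term terminated by '.'")
    return apps

def is_pair(t):
    return isinstance(t, tuple) and len(t) == 2
def is_encrypted(t):
    return is_pair(t) and isinstance(t[0], Atom) and t[0] == 'encrypted'

def nested_encrypted(term, path):
    # Yield paths of {encrypted, _} tuples buried below a setting's top-level value.
    if isinstance(term, (list, tuple)):
        for idx, sub in enumerate(term):
            if is_encrypted(sub):
                yield '/'.join(path + (str(idx),))
            else:
                yield from nested_encrypted(sub, path + (str(idx),))

def check_config(text):
    """Return the placement mistakes that make the decoder silently skip a value."""
    errors = []
    for app, settings in filter(is_pair, parse_config(text)):
        if app == 'config_entry_decoder':
            errors.append("config_entry_decoder is a top-level block; "
                          "it must be a setting inside {rabbit, [...]}")
            continue
        for key, value in filter(is_pair, settings if isinstance(settings, list) else []):
            if is_encrypted(value):
                continue          # whole-value {encrypted, _}: the decoder handles this
            for path in nested_encrypted(value, (app, key)):
                errors.append(f"{path}: {{encrypted, _}} is nested inside the value; "
                              f"encrypt the entire {key} value instead")
    return errors

# Constructed samples modelled on the thread's before and after configurations.
SAMPLE_BROKEN = r'''[
 {rabbit, [{tcp_listeners, [5672]}, {loopback_users, []}]},
 {rabbitmq_auth_backend_ldap, [{dn_lookup_bind, {"CN=ldapbind,DC=acme,DC=com", {encrypted,<<"Q09OU1Q=">>}}}]},
 {config_entry_decoder, [{passphrase, <<"gummigurka">>}]}
].'''
SAMPLE_FIXED = r'''[
 {rabbit, [{tcp_listeners, [5672]}, {config_entry_decoder, [{passphrase, <<"gummigurka">>}]}]},
 {rabbitmq_auth_backend_ldap, [{dn_lookup_bind, {encrypted, <<"Q09OU1Q=">>}}]}
].'''
```

Run `check_config(open(path).read())` on the real file; an empty result means every `{encrypted, _}` value sits where the decoder will find it, which, as Luke notes, still only hides the password from casual reading while the passphrase lives in the same file.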

Thomas Oliw

Jan 31, 2020, 7:12:03 AM
to rabbitmq-users
Hi Luke,

Excellent! That works!! :-)

This is the working configuration:
The "config_entry_decoder" block is in the "rabbit" section and the whole LDAP path is encoded like you suggested.

Thanks a million!

Best Regards,

Thomas