LDAP Connect error in RMQ 3.13.0 and Erlang 26.1

307 views

Sravani Cheruvu

Mar 4, 2024, 7:21:56 AM
to rabbitm...@googlegroups.com
Hi Team,

We have installed Erlang 26.1 and RMQ 3.13.0. The installation succeeded, but we are not able to connect to LDAP, as we see the error below in the RabbitMQ logs.

2024-03-04 03:32:36.337913-08:00 [info] <0.757.0> LDAP CHECK: login for xx
2024-03-04 03:32:36.338058-08:00 [info] <0.757.0>         LDAP filling template "uid=${username},ou=people,dc=xxx,dc=com" with
2024-03-04 03:32:36.338058-08:00 [info] <0.757.0>             [{username,<<"xx">>}]
2024-03-04 03:32:36.338208-08:00 [info] <0.757.0>         LDAP template result: "uid=xx,ou=people,dc=xxx,dc=com"
2024-03-04 03:32:36.338289-08:00 [info] <0.757.0>     LDAP connecting to servers: ["ldapservername"]
2024-03-04 03:32:36.338571-08:00 [info] <0.758.0>     LDAP network traffic: Connect: "ldapservername" failed {error,
2024-03-04 03:32:36.338571-08:00 [info] <0.758.0>                                                                              {options,
2024-03-04 03:32:36.338571-08:00 [info] <0.758.0>                                                                               incompatible,
2024-03-04 03:32:36.338571-08:00 [info] <0.758.0>                                                                               [{verify,
2024-03-04 03:32:36.338571-08:00 [info] <0.758.0>                                                                                 verify_peer},
2024-03-04 03:32:36.338571-08:00 [info] <0.758.0>                                                                                {cacerts,
2024-03-04 03:32:36.338571-08:00 [info] <0.758.0>                                                                                 undefined}]}}
2024-03-04 03:32:36.338571-08:00 [info] <0.758.0>
2024-03-04 03:32:36.338750-08:00 [info] <0.403.0>     LDAP connect error: {error,"connect failed"}
2024-03-04 03:32:36.338834-08:00 [info] <0.757.0> LDAP DECISION: login for xx: {error,ldap_connect_error}
2024-03-04 03:32:36.338905-08:00 [warning] <0.757.0> HTTP access denied: rabbit_auth_backend_ldap failed authenticating xx: ldap_connect_error

Below is our configuration file.


[
        {rabbit, [
                {tcp_listeners, [{"127.0.0.1", 1672}]},
                {ssl_listeners, [1671]}, % This needs to be unique on each node
                {log_levels, [{connection, debug}]},
                {heartbeat, 30},
                {handshake_timeout, 20000},
                {consumer_timeout, 86400000},
                {ssl_handshake_timeout, 20000},
                {default_vhost,       <<"default">>},
                {cluster_partition_handling, autoheal},
                {ssl_options, [
                        {cacertfile, "sslroot.pem"},
                        {certfile, "SignedCert.pem"},
                        {keyfile, "key.pem"},
                        {verify, verify_peer}]},
                {auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]}]
},
        {rabbitmq_management, [
                {listener, [
                        {port, 1673}, % This needs to be unique on each node.
                        {ssl, false},
                        {ssl_opts, [
                                {cacertfile, "sslroot.pem"},
                                {certfile, "SignedCert.pem"},
                                {keyfile, "key.pem"},
                                {verify, verify_peer}]}]}]
},
        {lager, [
                {error_logger_hwm, 1024},
                {handlers, [
                        {lager_file_backend, [
                                {file, "../logs/npd.log"},
                                {level, debug},
                                {formatter_config, [date, " ", time, " ", color, "[", severity, "] ", {pid, []}, " ", message, "\n"]},
                                {date, ""},
                                {size, 1073741824},
                                {count, 5}]}]}]
        },
        {rabbitmq_auth_backend_ldap, [
                {servers, ["ldapservername"]},
                {dn_lookup_attribute, "userPrincipalName"},
                {dn_lookup_base, "DC=xxx,DC=com"},
                {user_dn_pattern, "uid=${username},ou=people,dc=xxx,dc=com"},
                {use_ssl, true},
                {port, 636},
                {timeout, 60000},
                {log, network},
                {other_bind, as_user},
                {vhost_access_query,
                        {in_group, "cn=xx,ou=groups,dc=xxx,dc=com"}},
                {resource_access_query,
                        {for, [
                                {permission, configure,
                                        {for, [
                                                {resource, queue,
                                                        {in_group, "cn=rmq-${vhost}-queue,ou=groups,dc=xxx,dc=com"}},
                                                {resource, exchange,
                                                        {in_group, "cn=rmq-${vhost}-exch,ou=groups,dc=xxx,dc=com"}}]}},
                                {permission, write,
                                        {for, [
                                                {resource, queue,
                                                        {in_group, "cn=rmq-${vhost}-write,ou=groups,dc=xxx,dc=com"}},
                                                {resource, exchange,
                                                        {in_group, "cn=rmq-${vhost}-write,ou=groups,dc=xxx,dc=com"}}]}},
                                {permission, read,
                                        {for, [
                                                {resource, exchange,
                                                        {in_group, "cn=rmq-${vhost}-read,ou=groups,dc=xxx,dc=com"}},
                                                {resource, queue,
                                                        {in_group, "cn=rmq-${vhost}-read,ou=groups,dc=xxx,dc=com"}}]}}]}},
                {tag_queries, [
                        {administrator,
                                {in_group, "cn=admin,ou=groups,dc=xxx,dc=com"}},
                        {monitor,
                                {in_group, "cn=monitor,ou=groups,dc=xxx,dc=com"}},
                        {management,
                                {in_group, "cn=mgmt,ou=groups,dc=xxx,dc=com"}}]}]
}
].


Also, we installed OpenSSL 3.0 before installing Erlang and RabbitMQ.

And we don't have any other advanced config files.

Upon checking the Erlang/OTP 26 highlights, it is mentioned that there are certain changes in the way SSL parameters should be configured, but there is no sample config file for this.

Could you please analyse the above config file and point out if anything needs to be changed? Please note that we see the same error with Erlang 26.2.2 as well.

Luke Bakken

Mar 4, 2024, 9:16:08 PM
to rabbitmq-users
Hello,

You need to set ssl_options in the rabbitmq_auth_backend_ldap section in a similar manner as in the rabbit section.


Thanks,
Luke

Sravani Cheruvu

Mar 6, 2024, 12:33:15 PM
to rabbitm...@googlegroups.com
Hi Luke ,

I have configured the conf with the suggested settings, but I still see the same issue.

Here is the conf file:

[
        {rabbit, [
                {tcp_listeners, [{"127.0.0.1", 1672}]},
                {ssl_listeners, [1671]}, % This needs to be unique on each node
                {log_levels, [{connection, debug}]},
                {heartbeat, 30},
                {handshake_timeout, 20000},
                {consumer_timeout, 86400000},
                {ssl_handshake_timeout, 20000},
                {default_vhost,       <<"default">>},
                {cluster_partition_handling, autoheal},
                {ssl_options, [
                        {cacertfile, "root.pem"},
                        {certfile, "server.pem"},
                        {keyfile, "key.pem"},
                        {verify, verify_peer},
                        {fail_if_no_peer_cert, false}]},
                {auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]}]
},
        {rabbitmq_management, [
                {listener, [
                        {port, 1673}, % This needs to be unique on each node.
                        {ssl, true},
                        {ssl_opts, [
                                {cacertfile, "root.pem"},
                                {certfile, "server.pem"},
                                {keyfile, "key.pem"},
                                {verify, verify_peer},
                                {fail_if_no_peer_cert, false}]}]}]
},
        {lager, [
                {error_logger_hwm, 1024},
                {handlers, [
                        {lager_file_backend, [
                                {file, "../logs/npd.log"},
                                {level, debug},
                                {formatter_config, [date, " ", time, " ", color, "[", severity, "] ", {pid, []}, " ", message, "\n"]},
                                {date, ""},
                                {size, 1073741824},
                                {count, 5}]}]}]
        },
        {rabbitmq_auth_backend_ldap, [
                {servers, ["ldapserver.org.com"]},
                {dn_lookup_attribute, "userPrincipalName"},
                {dn_lookup_base, "DC=org,DC=com"},
                {user_dn_pattern, "uid=${username},ou=people,dc=org,dc=com"},
                {use_ssl, true},
                {port, 636},
                {ssl_opts, [
                                {cacertfile, "root.pem"},
                                {certfile, "server.pem"},
                                {keyfile, "key.pem"},
                                {verify, verify_peer},
                                {fail_if_no_peer_cert, false}]},
                {timeout, 60000},
                {log, network},
                {other_bind, as_user},
                {vhost_access_query,
                        {in_group, "cn=rmq-${vhost}-access-dev,ou=groups,dc=org,dc=com"}},
                {resource_access_query,
                        {for, [
                                {permission, configure,
                                        {for, [
                                                {resource, queue,
                                                        {in_group, "cn=rmq-${vhost}-${prefix}-queue,ou=groups,dc=org,dc=com"}},
                                                {resource, exchange,
                                                        {in_group, "cn=rmq-${vhost}-${prefix}-exch,ou=groups,dc=org,dc=com"}}]}},
                                {permission, write,
                                        {for, [
                                                {resource, queue,
                                                        {in_group, "cn=rmq-${vhost}-${prefix}-write,ou=groups,dc=org,dc=com"}},
                                                {resource, exchange,
                                                        {in_group, "cn=rmq-${vhost}-${prefix}-write,ou=groups,dc=org,dc=com"}}]}},
                                {permission, read,
                                        {for, [
                                                {resource, exchange,
                                                        {in_group, "cn=rmq-${vhost}-${prefix}-read,ou=groups,dc=org,dc=com"}},
                                                {resource, queue,
                                                        {in_group, "cn=rmq-${vhost}-${prefix}-read,ou=groups,dc=org,dc=com"}}]}}]}},
                {tag_queries, [
                        {administrator,
                                {in_group, "cn=rmq-adm,ou=groups,dc=org,dc=com"}},
                        {monitor,
                                {in_group, "cn=rmq-monitor,ou=groups,dc=org,dc=com"}},
                        {management,
                                {in_group, "cn=rmq-mgmt,ou=groups,dc=org,dc=com"}}]}]
}
].



Attached is the log file from when I try to log in to the RMQ Management UI with the above config file.



Also, if I change the above configuration to {fail_if_no_peer_cert, true}, I see the error below:

2024-03-06 09:13:17.811982-08:00 [notice] <0.769.0> TLS server: In state wait_cert at tls_handshake_1_3.erl:443 generated SERVER ALERT: Fatal - Certificate required
2024-03-06 09:13:17.811982-08:00 [notice] <0.769.0>  - certificate_required
2024-03-06 09:13:18.052803-08:00 [notice] <0.773.0> TLS server: In state wait_cert at tls_handshake_1_3.erl:443 generated SERVER ALERT: Fatal - Certificate required
2024-03-06 09:13:18.052803-08:00 [notice] <0.773.0>  - certificate_required



Could you please check and help us here?

The issue is: we are not able to log in to the RMQ Management UI with an LDAP user.



--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/c7c9c039-4fb9-4670-85ad-92b019f06d84n%40googlegroups.com.
rmq_ldapauth_failed_logs.txt

Luke Bakken

Mar 6, 2024, 12:36:56 PM
to rabbitmq-users
Hello,

Any time you provide a file, please attach it rather than pasting it to your message, or share it via something like a GitHub gist (https://gist.github.com/).

That way I can be certain I am looking at the same file as you.

Sravani Cheruvu

Mar 6, 2024, 1:23:16 PM
to rabbitm...@googlegroups.com
Hi Luke,

Here is the attached config file.

rmq.conf

Luke Bakken

Mar 6, 2024, 4:25:07 PM
to rabbitmq-users
Hello,

Please see the following gist:


You were using the configuration key ssl_opts for the LDAP plugin. The correct name is ssl_options, the same as for rabbit.

I realize that the management plugin uses ssl_opts, which is inconsistent, so I opened this issue - https://github.com/rabbitmq/rabbitmq-server/issues/10691

Also note that you are using {verify, verify_peer}, which means the CA certificate that signed your LDAP server certificate MUST be present in the root.pem file.

Thanks,
Luke
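The two points in the reply above (the key must be spelled ssl_options, and verify_peer only works when the CA that signed the LDAP server certificate is configured) are easy to check mechanically before restarting a node. The script below is an added example, not RabbitMQ's own code: it parses the Erlang-term subset that advanced.config uses (lists, tuples, atoms, strings, binaries, integers and % comments) and lints the rabbitmq_auth_backend_ldap section for a stray ssl_opts key, for use_ssl without any ssl_options (which is what produced the {options, incompatible, ...} error in the original post), for verify_peer without a CA bundle, and for verify_none as a weaker setting. The hostname ldapserver.example.com and the abbreviated configs are constructed for the example.

```python
"""Lint the LDAP plugin's TLS settings in an Erlang-term advanced.config."""
import re

# Token grammar for the Erlang term subset used by advanced.config:
# % comments, "strings", <<"binaries">>, integers, lowercase atoms, [ ] { } , .
TOKEN_RE = re.compile(r"""
    \s+ | %[^\n]*                     # whitespace and comments: skipped
  | (?P<str>"(?:[^"\\]|\\.)*")        # double-quoted string
  | (?P<bin><<"(?:[^"\\]|\\.)*">>)    # binary literal
  | (?P<num>-?\d+)                    # integer
  | (?P<atom>[a-z][A-Za-z0-9_@]*)     # unquoted atom
  | (?P<punct>[\[\]{},.])             # structural punctuation
""", re.VERBOSE)


class Atom(str):
    """An Erlang atom; compares equal to its name so checks read naturally."""


def tokenize(text):
    pos = 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup:                   # whitespace/comment matches carry no group
            yield m.lastgroup, m.group(m.lastgroup)


def parse(text):
    """Parse one Erlang term terminated by '.' into Python lists/tuples."""
    tokens = list(tokenize(text))
    idx = 0

    def term():
        nonlocal idx
        kind, val = tokens[idx]
        idx += 1
        if kind == "str":
            return val[1:-1]
        if kind == "bin":
            return val[3:-3].encode()
        if kind == "num":
            return int(val)
        if kind == "atom":
            return Atom(val)
        if val in ("[", "{"):
            close = "]" if val == "[" else "}"
            items = []
            while tokens[idx] != ("punct", close):
                items.append(term())
                if tokens[idx] == ("punct", ","):
                    idx += 1
            idx += 1
            return items if close == "]" else tuple(items)
        raise ValueError(f"unexpected token {val!r}")

    result = term()
    if tokens[idx] != ("punct", "."):
        raise ValueError("advanced.config must end with a trailing '.'")
    return result


def proplist_get(plist, key):
    """Value of the first {Key, Value} tuple in an Erlang proplist, else None."""
    for entry in plist:
        if isinstance(entry, tuple) and len(entry) == 2 and entry[0] == key:
            return entry[1]
    return None


def lint_ldap_tls(config_text):
    """Return (code, message) findings for the rabbitmq_auth_backend_ldap section."""
    ldap = proplist_get(parse(config_text), "rabbitmq_auth_backend_ldap")
    if ldap is None:
        return [("no-ldap-section", "no rabbitmq_auth_backend_ldap section found")]
    findings = []
    if proplist_get(ldap, "ssl_opts") is not None:
        findings.append(("wrong-key", "ssl_opts is not read by the LDAP plugin; rename it to ssl_options"))
    ssl_options = proplist_get(ldap, "ssl_options")
    if proplist_get(ldap, "use_ssl") == "true" and ssl_options is None:
        findings.append(("missing-ssl-options", "use_ssl is true but ssl_options is absent; the thread's log "
                         "shows Erlang 26 then failing with {options, incompatible, [{verify, verify_peer}, {cacerts, undefined}]}"))
    if ssl_options is not None:
        verify = proplist_get(ssl_options, "verify")
        has_ca = any(proplist_get(ssl_options, k) is not None for k in ("cacertfile", "cacerts"))
        if verify == "verify_peer" and not has_ca:
            findings.append(("no-ca", "verify_peer needs cacertfile holding the CA that signed the LDAP server certificate"))
        if verify == "verify_none":
            findings.append(("verify-none", "verify_none skips LDAP server certificate validation, "
                             "so the bind is not protected against an impersonated server"))
    return findings


# Constructed, abbreviated configs modelled on the thread (not the poster's files).
BROKEN_CONFIG = """
[
  {rabbitmq_auth_backend_ldap, [
    {servers, ["ldapserver.example.com"]},
    {use_ssl, true},
    {port, 636},
    {ssl_opts, [                   % misspelled key, silently ignored
      {cacertfile, "root.pem"},
      {verify, verify_peer}]},
    {other_bind, as_user}]}
].
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("ssl_opts", "ssl_options")
WEAK_CONFIG = FIXED_CONFIG.replace("verify_peer", "verify_none")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, lint_ldap_tls(cfg) or "OK")
```

Run it against a real advanced.config by reading the file into lint_ldap_tls; the parser handles the full file in the thread, including the lager and management sections, since it only needs the Erlang term syntax, not any application-specific schema.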

Michael Klishin

Mar 6, 2024, 6:26:19 PM
to rabbitmq-users
The ssl_opts key is pre-2018 [1]. The docs were not updated at first and then it's been forgotten.

However, there is no reason to configure management plugin settings via advanced.config.
The OP is making their life unnecessarily complicated by trying to do everything via advanced.config
instead of using `rabbitmq.conf` where it can be used — which is the majority of places, including TLS listener configuration in the management plugin [2].

Michael Klishin

Mar 6, 2024, 8:10:42 PM
to rabbitmq-users
I have updated the advanced.config example (which, again, you don't have to use for management plugin configuration) [1][2].

1. https://www.rabbitmq.com/docs/management#single-listener-https

Sravani Cheruvu

Mar 9, 2024, 12:11:10 AM
to rabbitm...@googlegroups.com
Thank you so much, Luke.

I am able to solve the ldap authentication issue and am able to login to UI with LDAP user.

thameem ansari

Mar 11, 2024, 9:00:45 AM
to rabbitm...@googlegroups.com
Try changing it to verify_none; I am using the new config:

## TLS configuration.
listeners.ssl.1                  = 5671
ssl_options.verify               = verify_none
ssl_options.fail_if_no_peer_cert = false
ssl_options.cacertfile           = /var/lib/rabbitmq/ssl/CAfile.pem
ssl_options.certfile             = /var/lib/rabbitmq/ssl/server.crt
ssl_options.keyfile              = /var/lib/rabbitmq/ssl/private.key
ssl_options.honor_cipher_order   = true
ssl_options.honor_ecc_order      = true
ssl_options.client_renegotiation = false
ssl_options.secure_renegotiate   = true
ssl_options.versions.1 = tlsv1.2




--
-
Black Pepper