RabbitMQ LDAP not monitoring user


Joe Taylor

Jun 6, 2024, 11:27:55 AM
to rabbitmq-users
Hi,

I've been stuck on this for the past week or so. I'm trying to log in to the RabbitMQ management UI, but I get "user isn't a member of the management group".

Windows LDAP

I did an LDAP query test using ldapsearch and it does come back with a list of users in the group.

The RabbitMQ logs show this when logging in, even though the user in question is a member of the Admin and management security groups.

[info] <0.1328.0> LDAP CHECK: login for joe-...@example.dev
[info] <0.409.0>     LDAP bind succeeded: CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=xxxx,DC=xxxx
[info] <0.409.0>         LDAP filling template "${username}" with
[info] <0.409.0>             [{username,<<"joe-...@example.dev">>}]
[info] <0.409.0>         LDAP template result: "joe-...@example.dev"
[info] <0.409.0>     LDAP DN lookup: joe-...@example.dev -> CN=Joe Test,OU=Infra,OU=Users,OU=Cloud,DC=example,DC=dev
[info] <0.409.0>     LDAP bind succeeded: CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=xxxx,DC=xxxx
[info] <0.409.0>     LDAP CHECK: does joe-...@example.dev have tag administrator?
[info] <0.409.0>     LDAP evaluating query: {constant,false}
[info] <0.409.0>     LDAP evaluated constant: false
[info] <0.409.0>     LDAP DECISION: does joe-...@example.dev have tag administrator? false
[info] <0.1328.0> LDAP DECISION: login for joe-...@example.dev: ok
[debug] <0.1328.0> User 'joe-...@example.dev' authenticated successfully by backend rabbit_auth_backend_ldap
[warning] <0.1328.0> HTTP access denied: user 'joe-...@example.dev' - Not management user

rabbitmq.conf
    cluster_name = nonprod-rabbitmq
    auth_backends.3   = rabbit_auth_backend_internal
    auth_backends.1 = rabbit_auth_backend_ldap
    auth_backends.2 = internal
    auth_ldap.dn_lookup_base = OU=Users,OU=Cloud,DC=example,DC=dev
    auth_ldap.connection_pool_size = 256
    auth_ldap.idle_timeout = 30000
    auth_ldap.use_ssl = false
    auth_ldap.use_starttls = false
    auth_ldap.servers.1  = example.dev
    log.file.level = debug
    auth_ldap.dn_lookup_bind.user_dn = CN=svc.ldap,OU=Service Accounts,OU=Users,OU=Cloud,DC=example,DC=dev
    auth_ldap.dn_lookup_bind.password = secure
    auth_ldap.dn_lookup_attribute = userPrincipalName
    auth_ldap.log = true

advanced.conf
    [
     {rabbit_auth_backend_ldap, [
        {group_lookup_base, "OU=Users,OU=Cloud,DC=example,DC=dev"},
        {tag_queries, [
           {administrator, {in_group, "CN=RabbitMQ_Administrators,OU=Groups,OU=Users,OU=Cloud,DC=example,DC=dev", "member"}},
           {management,    {in_group, "CN=RabbitMQ_Management,OU=Groups,OU=Users,OU=Cloud,DC=example,DC=dev", "member"}}
        ]}
     ]}
    ].

Joe Taylor

Jun 6, 2024, 11:29:43 AM
to rabbitmq-users
Title is meant to be Not management user

Luke Bakken

Jun 6, 2024, 12:02:08 PM
to rabbitmq-users
Hello,

The advanced configuration must be in a file named advanced.config, NOT advanced.conf

In addition, the correct key name should be rabbitmq_auth_backend_ldap

When RabbitMQ starts, it logs the log files that it finds, and should state that both rabbitmq.conf and advanced.config have been found.

Thanks,
Luke
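Putting both of the points above together, here is a corrected advanced.config as an added example (it is not Luke's file or a file shipped with RabbitMQ). The group DNs and lookup base are the ones from the original post; the /etc/rabbitmq/ path is an assumption that depends on how RabbitMQ was installed.

```erlang
%% /etc/rabbitmq/advanced.config  (path assumed; the .config extension is
%% what makes RabbitMQ read this file, an advanced.conf is not loaded at all)
[
  %% The key is the plugin's application name, rabbitmq_auth_backend_ldap,
  %% not the backend module name rabbit_auth_backend_ldap used in rabbitmq.conf.
  {rabbitmq_auth_backend_ldap, [
    %% Base DN for group searches (value from the original post).
    {group_lookup_base, "OU=Users,OU=Cloud,DC=example,DC=dev"},

    %% A tag is granted only when its query evaluates to true. While the
    %% .conf file went unread, the plugin default {administrator, {constant,
    %% false}} applied and no management query existed at all, which is the
    %% "have tag administrator? false" and "Not management user" in the log.
    {tag_queries, [
      {administrator, {in_group,
        "CN=RabbitMQ_Administrators,OU=Groups,OU=Users,OU=Cloud,DC=example,DC=dev",
        "member"}},
      {management, {in_group,
        "CN=RabbitMQ_Management,OU=Groups,OU=Users,OU=Cloud,DC=example,DC=dev",
        "member"}}
    ]}
  ]}
].
```

After a restart, `rabbitmq-diagnostics environment` prints the effective rabbitmq_auth_backend_ldap settings, so a mis-named key or an unread file shows up before the next login test.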