LDAP Settings not working after upgrade to 3.7.4

[Zookie P]

Hello,

I was wondering if I could get some advice on my current configuration file for LDAP authentication.  I recently updated from 3.5.X to 3.7.4, I updated my Erlang version to 20.3 as well.  The server comes up fine with all my queues and virtual hosts; however, I am unable to login via LDAP which I was previously able to.  I then took a look at the rabbitmq.conf and LDAP documentation: https://www.rabbitmq.com/ldap.html.  I'm not super familiar with how LDAP works, so I am just messing around with the config file based upon the documentation.

So here is the configuration that worked previously, but does not work now (created by someone else):

[

{rabbit,

   [

    {auth_backends,

     [

       rabbit_auth_backend_internal,

       {rabbit_auth_backend_ldap, rabbit_auth_backend_internal}

     ]

    }

   ]

},

{rabbitmq_auth_backend_ldap,

  [

   {servers, ["my.ip.add.ress"]},

   {dn_lookup_attribute, "userPrincipalName"},

   {dn_lookup_base, "DC=mydc1,DC=com"},

   {use_ssl, true},

   {port, myport}

  ]

}

].

I am trying to use get the following configuration to work.  Note that with this config I can't even start up the rabbitmq service.  I was hoping someone could take a look at it and see what may be wrong with it:

auth_backends.2.authz = internal

auth_backends.2.authn = ldap

auth_backends.1 = internal

auth_ldap.servers.1 = my.ip.add.ress

auth_ldap.port = myport

auth_ldap.use_ssl = true

auth_ldap.dn_lookup_attribute = userPrincipalName

auth_ldap.dn_lookup_base = DC=mydc1,DC=com

I don't think order should matter?  

Thank you!

[Michael Klishin]

Order of entries should not matter.

Please start with http://www.rabbitmq.com/configure.html#verify-configuration-config-file-location

and compare the effective configuration of both versions.

Server logs at debug level would help a lot, too:

http://www.rabbitmq.com/ldap.html#troubleshooting

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

MK

Staff Software Engineer, Pivotal/RabbitMQ

[Zookie P]

Thank you for the quick response.  I've followed your suggestions and do see some differences between the two:

3.7.4

{rabbitmq_auth_backend_ldap,

     [{anon_auth,false},

      {dn_lookup_attribute,"userPrincipalName"},

      {dn_lookup_base,"DC=mydc1,DC=com"},

      {dn_lookup_bind,as_user},

      {group_lookup_base,none},

      {idle_timeout,infinity},

      {log,false},

      {other_bind,as_user},

      {pool_size,64},

      {port,myport},

      {resource_access_query,{constant,true}},

      {servers,["myipaddress"]},

      {ssl_options,[]},

      {tag_queries,[{administrator,{constant,false}}]},

      {timeout,infinity},

      {topic_access_query,{constant,true}},

      {use_ssl,true},

      {use_starttls,false},

      {user_dn_pattern,"${username}"},

      {vhost_access_query,{constant,true}}]},

3.5.7

{rabbitmq_auth_backend_ldap,

     [{dn_lookup_attribute,"userPrincipalName"},

      {dn_lookup_base,"DC=dc1,DC=com"},

      {dn_lookup_bind,as_user},

      {log,false},

      {other_bind,as_user},

      {port,myport},

      {resource_access_query,{constant,true}},

      {servers,["myipaddress"]},

      {ssl_options,[]},

      {tag_queries,[{administrator,{constant,false}}]},

      {timeout,infinity},

      {use_ssl,true},

      {use_starttls,false},

      {user_dn_pattern,"${username}"},

      {vhost_access_query,{constant,true}}]},

3.7.4 introduced the following parameters:

[{anon_auth,false},

{group_lookup_base,none},

{idle_timeout,infinity},

{pool_size,64},

{topic_access_query,{constant,true}},

Do you know if I can just leave these as they are?  Looking into the log when trying to log in I am getting the following ldap error:

2018-04-25 18:32:18.552 [info] <0.17565.2> TLS client: In state certify at tls_connection.erl:739 generated CLIENT ALERT: Fatal - Handshake Failure - malformed_handshake_data

2018-04-25 18:32:18.553 [warning] <0.17563.2> HTTP access denied: rabbit_auth_backend_ldap failed authenticating user.email.com: ldap_connect_error

Do I need to enable the rabbitmq_auth_backend_http plugin?

Thanks!

To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Luke Bakken]

Hello,

There is a problem establishing the TLS/SSL connection which is why you see "Handshake Failure" in the log. Is that the only log message you are seeing? Did anything change with the LDAP server at the same time?

What version of Erlang were you previously using?

Thanks -

Luke

[Zookie P]

Sorry for the late reply Luke.  Yes that is the only log message I was seeing over and over when trying to login.  Nothing has changed on the LDAP server.  I think we were using 17.3 version of Erlang.

Thanks,

Zielke

[Michael Klishin]

RabbitMQ 3.7.4 does not run on Erlang 17.x: http://www.rabbitmq.com/which-erlang.html.

--

You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Zookie P]

Yes, I think Luke was asking what version I was running with 3.5.7 maybe, and even then I was wrong with 17.3.  We were running 18.3 Erlang with RabbitMQ 3.5.7.  We are currently on 3.7.4 with 20.3.

Thank you

On Tuesday, May 8, 2018 at 3:10:50 PM UTC-5, Michael Klishin wrote:

RabbitMQ 3.7.4 does not run on Erlang 17.x: http://www.rabbitmq.com/which-erlang.html.

On Tue, May 8, 2018 at 8:42 AM, Zookie P <zielk...@gmail.com> wrote:

Sorry for the late reply Luke.  Yes that is the only log message I was seeing over and over when trying to login.  Nothing has changed on the LDAP server.  I think we were using 17.3 version of Erlang.

Thanks,

Zielke

On Wednesday, April 25, 2018 at 5:38:29 PM UTC-5, Luke Bakken wrote:

Hello,

There is a problem establishing the TLS/SSL connection which is why you see "Handshake Failure" in the log. Is that the only log message you are seeing? Did anything change with the LDAP server at the same time?

What version of Erlang were you previously using?

Thanks -

Luke

On Wednesday, April 25, 2018 at 11:53:55 AM UTC-7, Zookie P wrote:

3.7.4 introduced the following parameters:

[{anon_auth,false},

{group_lookup_base,none},

{idle_timeout,infinity},

{pool_size,64},

{topic_access_query,{constant,true}},

Do you know if I can just leave these as they are?  Looking into the log when trying to log in I am getting the following ldap error:

2018-04-25 18:32:18.552 [info] <0.17565.2> TLS client: In state certify at tls_connection.erl:739 generated CLIENT ALERT: Fatal - Handshake Failure - malformed_handshake_data

2018-04-25 18:32:18.553 [warning] <0.17563.2> HTTP access denied: rabbit_auth_backend_ldap failed authenticating user.email.com: ldap_connect_error

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.