Problems with ldap authentication and internal rabbitmq authorizations


Adil Benjelloun

Apr 17, 2020, 10:05:16 AM
to rabbitmq-users
Hi,

I have a problem authenticating in the management interface with this configuration:

First I enabled the LDAP cache module, and in my config file I have this config:

auth_backends.1 = cache
auth_cache.cached_backend.authn = ldap
auth_cache.cached_backend.authz = internal
auth_backends.2 = rabbit_auth_backend_internal

I have removed everything in advanced.config, as I understand that with this config the authorization part should be done by RabbitMQ internal permissions.

The problem is that when I try to log in with an LDAP user I get this:

LDAP DECISION: login for usr 'username': ok
and then under this line :

HTTP access denied: user 'username' - Not management user

In my RabbitMQ interface I have my user username with the administrator tag and full access to all the vhosts.

Could you please tell me if I am doing something wrong?


Regards,

Adil


Adil Benjelloun

Apr 17, 2020, 10:31:36 AM
to rabbitmq-users
I forgot to mention that we have RabbitMQ 3.8.3 and Erlang 22.3.

Luke Bakken

Apr 17, 2020, 12:50:43 PM
to rabbitmq-users
Hi Adil,

Start diagnosing this by using a simpler configuration that does not use any custom authn or authz settings, only the internal auth backend.

With only the internal backend, can the "username" user log into the management UI? You will have to set a password for the user, but that's OK.

If that works, then re-add the LDAP backend this way:

auth_backends.1.authn = ldap
auth_backends.1.authz = internal

Does it work?

Finally, re-add the caching backend.

We can assist but only if more information is provided, like LDAP logging at the network_unsafe level or debug-level RabbitMQ logs. Or, ideally, 

Thanks,
Luke

Adil Benjelloun

Apr 17, 2020, 4:46:49 PM
to rabbitmq-users
Hi Luke,

Thank you for your help. It seems that it is the cache module which is causing some problems, because with this config:

auth_backends.1.authn = ldap
auth_backends.1.authz = internal

it seems to work. Do you know if there is a known bug, or if there is a special config to apply to have the cache module working this way?

Adil Benjelloun

Apr 17, 2020, 5:17:13 PM
to rabbitmq-users

2020-04-17 23:10:11.662 [info] <0.387.0>         LDAP filling template "${username}" with
            [{username,<<"administrator">>}]
2020-04-17 23:10:11.662 [info] <0.387.0>         LDAP template result: "administrator"
2020-04-17 23:10:11.662 [info] <0.903.0>     LDAP network traffic: search request = {'SearchRequest',"OU=ITUSRs,DC=gva,DC=tld",wholeSubtree,derefAlways,0,0,false,{equalityMatch,{'AttributeValueAssertion',"sAMAccountName","administrator"}},["distinguishedName"]}
2020-04-17 23:10:11.662 [info] <0.903.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',18,{searchResEntry,{'SearchResultEntry',"CN=administrator,OU=ITUSRs,DC=gva,DC=tld",[{'PartialAttribute',"distinguishedName",["CN=administrator,OU=ITUSRs,DC=gva,DC=tld"]}]}},asn1_NOVALUE}}
2020-04-17 23:10:11.662 [info] <0.903.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',18,{searchResDone,{'LDAPResult',success,[],[],asn1_NOVALUE}},asn1_NOVALUE}}
2020-04-17 23:10:11.662 [info] <0.903.0>     LDAP network traffic: search reply = searchResDone 
2020-04-17 23:10:11.662 [info] <0.387.0>     LDAP DN lookup: administrator -> CN=administrator,OU=ITUSRs,DC=gva,DC=tld
2020-04-17 23:10:11.662 [info] <0.1458.0>     LDAP connecting to servers: ["ag-ti-dc04.gva.tld","ag-ti-dc03.gva.tld"]
2020-04-17 23:10:11.662 [info] <0.903.0>     LDAP network traffic: bind request = {'BindRequest',3,"CN=administrator,OU=OU,DC=DOMAIN,DC=NET",{simple,<<"">>}}
2020-04-17 23:10:11.678 [info] <0.903.0>     LDAP network traffic: bind reply = {ok,{'LDAPMessage',19,{bindResponse,{'BindResponse',success,[],[],asn1_NOVALUE,asn1_NOVALUE}},asn1_NOVALUE}}
2020-04-17 23:10:11.678 [info] <0.387.0>     LDAP bind succeeded: CN=administrator,OU=ITUSRs,DC=gva,DC=tld
2020-04-17 23:10:11.678 [info] <0.387.0>     LDAP CHECK: does administrator have tag administrator?
2020-04-17 23:10:11.678 [info] <0.387.0>     LDAP evaluating query: {constant,false}
2020-04-17 23:10:11.678 [info] <0.387.0>     LDAP evaluated constant: false
2020-04-17 23:10:11.678 [info] <0.387.0>     LDAP DECISION: does administrator have tag administrator? false
2020-04-17 23:10:11.678 [info] <0.1458.0> LDAP DECISION: login for administrator: ok
2020-04-17 23:10:11.678 [warning] <0.1458.0> HTTP access denied: user 'administrator' - Not management user
2020-04-17 23:10:12.662 [warning] <0.1462.0> HTTP access denied: user 'administrator' - Not management user
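The excerpt above shows the tell-tale pattern: LDAP authenticates the user, then the management-tag check is also evaluated by the LDAP backend (`LDAP CHECK: does administrator have tag administrator?` resolving to `{constant,false}`), and the HTTP layer denies access. With `authz = internal` that tag check should be served from the internal user database and never appear as an LDAP query. As an added triage aid (not code from this thread or from the RabbitMQ project), the script below scans log lines of this shape and reports users for whom authentication and the tag check were both answered by LDAP and a management denial followed; the sample log is constructed from the posted excerpt.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log excerpt posted in this thread.
SAMPLE_LOG = """\
2020-04-17 23:10:11.678 [info] <0.387.0>     LDAP bind succeeded: CN=administrator,OU=ITUSRs,DC=gva,DC=tld
2020-04-17 23:10:11.678 [info] <0.387.0>     LDAP CHECK: does administrator have tag administrator?
2020-04-17 23:10:11.678 [info] <0.387.0>     LDAP evaluating query: {constant,false}
2020-04-17 23:10:11.678 [info] <0.387.0>     LDAP DECISION: does administrator have tag administrator? false
2020-04-17 23:10:11.678 [info] <0.1458.0> LDAP DECISION: login for administrator: ok
2020-04-17 23:10:11.678 [warning] <0.1458.0> HTTP access denied: user 'administrator' - Not management user
2020-04-17 23:10:12.662 [warning] <0.1462.0> HTTP access denied: user 'administrator' - Not management user
"""

# The three log events that matter. The login line appears both as
# "login for X: ok" and "login for usr 'X': ok" in this thread, so accept both.
LOGIN_OK = re.compile(r"LDAP DECISION: login for (?:usr ')?([^':]+?)'?: ok")
TAG_DECISION = re.compile(r"LDAP DECISION: does (\S+) have tag (\S+)\? (true|false)")
DENIED = re.compile(r"HTTP access denied: user '([^']+)' - Not management user")

def analyse(log_text):
    """Per user: did LDAP authn succeed, which tag checks did the LDAP backend
    answer (and with what result), and how many management denials followed."""
    users = defaultdict(lambda: {"ldap_login_ok": False, "ldap_tag_checks": [], "denied": 0})
    for line in log_text.splitlines():
        if m := LOGIN_OK.search(line):
            users[m.group(1)]["ldap_login_ok"] = True
        elif m := TAG_DECISION.search(line):
            users[m.group(1)]["ldap_tag_checks"].append((m.group(2), m.group(3) == "true"))
        elif m := DENIED.search(line):
            users[m.group(1)]["denied"] += 1
    return dict(users)

def authz_misrouted(findings):
    """Users authenticated by LDAP whose tag check was *also* answered by LDAP and
    then refused. With authz = internal the tag check should come from the internal
    database, so this combination means authz did not reach the configured backend."""
    return sorted(
        user for user, f in findings.items()
        if f["ldap_login_ok"] and f["ldap_tag_checks"] and f["denied"]
    )

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for user in authz_misrouted(result):
        checks = ", ".join(f"{tag}={ok}" for tag, ok in result[user]["ldap_tag_checks"])
        print(f"{user}: LDAP authn ok, tag check answered by LDAP ({checks}), "
              f"denied {result[user]['denied']}x")
```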

Adil Benjelloun

Apr 17, 2020, 5:28:08 PM
to rabbitmq-users
Here is the end of the generated config file:

{auth_backends,[rabbit_auth_backend_cache,rabbit_auth_backend_internal]},
      {disk_free_limit,{mem_relative,1.5}}]},
 {rabbitmq_auth_backend_cache,
     [{cached_backend,
          {rabbit_auth_backend_ldap,rabbit_auth_backend_internal}}]}].

Adil Benjelloun

Apr 21, 2020, 10:11:47 AM
to rabbitmq-users
It seems that the cache module is not taking into account the authorization settings, which should be internal and not LDAP. Are you aware of this type of problem?

Luke Bakken

Apr 21, 2020, 10:57:48 AM
to rabbitmq-users
Hi Adil,

Could you please attach your complete configuration files? You've only provided part of them so far. Attach your original file, as well as the one that works without caching.

Run RabbitMQ with each configuration file, and then run rabbitmqctl environment so I can see exactly how the configuration is being applied. Re-direct the output to a file and attach it.

I need to be 100% sure of your environment before I spend time trying to reproduce.

Thanks,
Luke

Luke Bakken

Apr 21, 2020, 10:54:21 PM
to rabbitmq-users
Hi Adil,

I was able to reproduce this issue using the HTTP and internal backends - https://github.com/rabbitmq/rabbitmq-server/issues/2322

I've submitted a fix which will ship in version 3.8.4 (https://github.com/rabbitmq/rabbitmq-server/pull/2323)

Thanks for reporting this issue and being patient with my requests.

Luke

Adil Benjelloun

May 6, 2020, 6:08:11 PM
to rabbitmq-users
Hi Luke,

Thank you very much, and sorry for taking so long to answer :). Do you already know when 3.8.4 will be available?

Regards,

Adil