RabbitMQ LDAP Active Directory in_group not evaluating to true for me, can someone help me figure out what I'm screwing up?


Nvrnight
Jun 21, 2020, 12:07:45 AM
to rabbitmq-users
Thanks very much in advance for any time looking at this for me.

I'm trying to use in_group after authentication for authorization against an AD group. The logs show it searching the "member" attribute of the group using the value sent in the username field on the login page, but this obviously doesn't exist; the only thing that exists in this member field is a collection of DNs which are something like "CN=<User's Full Name>,OU=foo,OU=baz,DC=foobar,DC=com".

Relevant lines from rabbitmq.conf:
auth_backends.1 = ldap
auth_ldap.servers.1 = <redacted-LDAP-server-DNS-entry>
auth_ldap.dn_lookup_base = CN=Users,DC=<REDACTED-DOMAIN>,DC=com
auth_ldap.dn_lookup_attribute = sAMAccountName
auth_ldap.user_bind_pattern = <REDACTED-DOMAIN>\${username}
auth_ldap.user_dn_pattern = <REDACTED-DOMAIN>\${username}
auth_ldap.use_ssl = true
auth_ldap.port = 636
auth_ldap.log = network_unsafe


Query in advanced.config:
{in_group, "CN=<REDACTED-GROUPNAME>,OU=<REDACTED>,OU=<REDACTED>,OU=<REDACTED>,OU=<REDACTED>,OU=<REDACTED>,OU=<REDACTED>,OU=<REDACTED>,OU=<REDACTED>,DC=<REDACTED-DOMAIN>,DC=com"}


I'm sure I'm screwing up some configuration somewhere, but I'm just not sure where, since I've never set up an LDAP integration with RabbitMQ before. I've wasted a couple of days trying to get this to work correctly and I've run out of things to try; I've tried many, many different combinations of the dn_ configuration settings. I've also confirmed my user is in the AD group: if I set the DN of the AD group as the authentication CN/OU, I can authenticate fine, which means it does find me in the group during an authentication check.

If I hardcode the user_dn_pattern to my user's DN, in_group will return true, but this isn't actually a solution for me because the DN includes CN=<User's Full Name>, which I won't have access to anywhere, and I don't want users to have to put their name as it is spelled out in AD into the username field.

In the logs below there's a row with a warning which leads me to believe it may be part of the problem: it is not able to look up the DN for the account that it is binding to during authentication:
2020-06-20 22:48:14.826 [warning] <0.1582.0> Searching for DN for <REDACTED-DOMAIN>\<REDACTED-USERNAME>, got back []

Most of the authorization queries are set to {constant, true} or {constant, false} for testing; I only have the read permission on a queue set to actually query an AD group. I log in to the management interface, then try to pull a message from a queue and receive an authorization error instead of the contents of the message.

Logs:
2:48:14.726 [info] <0.1810.0> LDAP CHECK: login for <REDACTED-USERNAME>
2020-06-20 22:48:14.726 [info] <0.1810.0>         LDAP filling template "<REDACTED-DOMAIN>\${username}" with
            [{username,<<"<REDACTED-USERNAME>">>}]
2020-06-20 22:48:14.726 [info] <0.1810.0>         LDAP template result: "<REDACTED-DOMAIN>\<REDACTED-USERNAME>"
2020-06-20 22:48:14.726 [info] <0.1810.0>     LDAP connecting to servers: ["<REDACTED-LDAP-SERVER-DNS>.<REDACTED-DOMAIN>.com"]
2020-06-20 22:48:14.726 [info] <0.1704.0>     LDAP network traffic: bind request = {'BindRequest',3,"<REDACTED-DOMAIN>\\<REDACTED-USERNAME>",{simple,<<"<REDACTED-PASSWORD>">>}}
2020-06-20 22:48:14.781 [info] <0.1704.0>     LDAP network traffic: bind reply = {ok,{'LDAPMessage',49,{bindResponse,{'BindResponse',success,[],[],asn1_NOVALUE,asn1_NOVALUE}},asn1_NOVALUE}}
2020-06-20 22:48:14.781 [info] <0.1582.0>     LDAP bind succeeded: <REDACTED-DOMAIN>\<REDACTED-USERNAME>
2020-06-20 22:48:14.781 [info] <0.1582.0>         LDAP filling template "<REDACTED-DOMAIN>\${username}" with
            [{username,<<"<REDACTED-USERNAME>">>}]
2020-06-20 22:48:14.781 [info] <0.1582.0>         LDAP template result: "<REDACTED-DOMAIN>\<REDACTED-USERNAME>"
2020-06-20 22:48:14.781 [info] <0.1704.0>     LDAP network traffic: search request = {'SearchRequest',"CN=Users,DC=<REDACTED-DOMAIN>,DC=com",wholeSubtree,derefAlways,0,0,false,{equalityMatch,{'AttributeValueAssertion',"sAMAccountName","<REDACTED-DOMAIN>\\<REDACTED-USERNAME>"}},["distinguishedName"]}
2020-06-20 22:48:14.826 [info] <0.1704.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',50,{searchResDone,{'LDAPResult',success,[],[],asn1_NOVALUE}},asn1_NOVALUE}}
2020-06-20 22:48:14.826 [info] <0.1704.0>     LDAP network traffic: search reply = searchResDone
2020-06-20 22:48:14.826 [warning] <0.1582.0> Searching for DN for <REDACTED-DOMAIN>\<REDACTED-USERNAME>, got back []
2020-06-20 22:48:14.826 [info] <0.1582.0>     LDAP CHECK: does <REDACTED-USERNAME> have tag administrator?
2020-06-20 22:48:14.826 [info] <0.1582.0>     LDAP evaluating query: {constant,true}
2020-06-20 22:48:14.826 [info] <0.1582.0>     LDAP evaluated constant: true
2020-06-20 22:48:14.826 [info] <0.1582.0>     LDAP DECISION: does <REDACTED-USERNAME> have tag administrator? true
2020-06-20 22:48:14.826 [info] <0.1582.0>     LDAP CHECK: does <REDACTED-USERNAME> have tag management?
2020-06-20 22:48:14.826 [info] <0.1582.0>     LDAP evaluating query: {constant,false}
2020-06-20 22:48:14.826 [info] <0.1582.0>     LDAP evaluated constant: false
2020-06-20 22:48:14.826 [info] <0.1582.0>     LDAP DECISION: does <REDACTED-USERNAME> have tag management? false
2020-06-20 22:48:14.826 [info] <0.1810.0> LDAP DECISION: login for <REDACTED-USERNAME>: ok
2020-06-20 22:48:14.826 [info] <0.1810.0> LDAP CHECK: access to vhost "/" for "<REDACTED-USERNAME>"
2020-06-20 22:48:14.826 [info] <0.1810.0>     LDAP connecting to servers: ["<REDACTED-LDAP-SERVER-DNS>.<REDACTED-DOMAIN>.com"]
2020-06-20 22:48:14.826 [info] <0.1704.0>     LDAP network traffic: bind request = {'BindRequest',3,"<REDACTED-DOMAIN>\\<REDACTED-USERNAME>",{simple,<<"<REDACTED-PASSWORD>">>}}
2020-06-20 22:48:14.872 [info] <0.1704.0>     LDAP network traffic: bind reply = {ok,{'LDAPMessage',51,{bindResponse,{'BindResponse',success,[],[],asn1_NOVALUE,asn1_NOVALUE}},asn1_NOVALUE}}
2020-06-20 22:48:14.872 [info] <0.1582.0>     LDAP bind succeeded: <REDACTED-DOMAIN>\<REDACTED-USERNAME>
2020-06-20 22:48:14.872 [info] <0.1582.0>     LDAP evaluating query: {constant,true}
2020-06-20 22:48:14.872 [info] <0.1582.0>     LDAP evaluated constant: true
2020-06-20 22:48:14.872 [info] <0.1810.0> LDAP DECISION: access to vhost "/" for "<REDACTED-USERNAME>": ok (ok)
2020-06-20 22:48:14.888 [info] <0.1819.0> LDAP CHECK: read permission for queue "<REDACTED-QueueName>" in "/" for "<REDACTED-USERNAME>"
2020-06-20 22:48:14.888 [info] <0.1819.0>     LDAP connecting to servers: ["<REDACTED-LDAP-SERVER-DNS>.<REDACTED-DOMAIN>.com"]
2020-06-20 22:48:14.888 [info] <0.1704.0>     LDAP network traffic: bind request = {'BindRequest',3,"<REDACTED-DOMAIN>\\<REDACTED-USERNAME>",{simple,<<"<REDACTED-PASSWORD>">>}}
2020-06-20 22:48:14.935 [info] <0.1704.0>     LDAP network traffic: bind reply = {ok,{'LDAPMessage',52,{bindResponse,{'BindResponse',success,[],[],asn1_NOVALUE,asn1_NOVALUE}},asn1_NOVALUE}}
2020-06-20 22:48:14.935 [info] <0.1582.0>     LDAP bind succeeded: <REDACTED-DOMAIN>\<REDACTED-USERNAME>
2020-06-20 22:48:14.935 [info] <0.1582.0>     LDAP evaluating query: {for,[{permission,configure,{constant,true}},{permission,write,{for,[{resource,queue,{constant,true}},{resource,exchange,{constant,true}}]}},{permission,read,{for,[{resource,exchange,{in_group,"CN=<REDACTED-GroupName>,OU=<REDACTED-OUs>,DC=<REDACTED-DOMAIN>,DC=com"}},{resource,queue,{in_group,"CN=<REDACTED-GroupName>,OU=<REDACTED-OUs>,DC=<REDACTED-DOMAIN>,DC=com"}}]}}]}
2020-06-20 22:48:14.935 [info] <0.1582.0>     LDAP selecting subquery permission = read
2020-06-20 22:48:14.935 [info] <0.1582.0>     LDAP evaluating query: {for,[{resource,exchange,{in_group,"CN=<REDACTED-GroupName>,OU=<REDACTED-OUs>,DC=<REDACTED-DOMAIN>,DC=com"}},{resource,queue,{in_group,"CN=<REDACTED-GroupName>,OU=<REDACTED-OUs>,DC=<REDACTED-DOMAIN>,DC=com"}}]}
2020-06-20 22:48:14.935 [info] <0.1582.0>     LDAP selecting subquery resource = queue
2020-06-20 22:48:14.935 [info] <0.1582.0>     LDAP evaluating query: {in_group,"CN=<REDACTED-GroupName>,OU=<REDACTED-OUs>,DC=<REDACTED-DOMAIN>,DC=com"}
2020-06-20 22:48:14.935 [info] <0.1582.0>     LDAP evaluating query: {in_group,"CN=<REDACTED-GroupName>,OU=<REDACTED-OUs>,DC=<REDACTED-DOMAIN>,DC=com","member"}
2020-06-20 22:48:14.935 [info] <0.1582.0>         LDAP filling template "CN=<REDACTED-GroupName>,OU=<REDACTED-OUs>,DC=<REDACTED-DOMAIN>,DC=com" with
            [{username,<<"<REDACTED-USERNAME>">>},{user_dn,"<REDACTED-DOMAIN>\\<REDACTED-USERNAME>"},{vhost,<<"/">>},{resource,queue},{name,<<"<REDACTED-QueueName>">>},{permission,read}]
2020-06-20 22:48:14.935 [info] <0.1582.0>         LDAP template result: "CN=<REDACTED-GroupName>,OU=<REDACTED-OUs>,DC=<REDACTED-DOMAIN>,DC=com"
2020-06-20 22:48:14.935 [info] <0.1704.0>     LDAP network traffic: search request = {'SearchRequest',"CN=<REDACTED-GroupName>,OU=<REDACTED-OUs>,DC=<REDACTED-DOMAIN>,DC=com",baseObject,derefAlways,0,0,false,{equalityMatch,{'AttributeValueAssertion',"member","<REDACTED-DOMAIN>\\<REDACTED-USERNAME>"}},["objectClass"]}
2020-06-20 22:48:14.982 [info] <0.1704.0>     LDAP network traffic: search reply = {ok,{'LDAPMessage',53,{searchResDone,{'LDAPResult',success,[],[],asn1_NOVALUE}},asn1_NOVALUE}}
2020-06-20 22:48:14.982 [info] <0.1704.0>     LDAP network traffic: search reply = searchResDone
2020-06-20 22:48:14.982 [info] <0.1582.0>     LDAP evaluated in_group for "CN=<REDACTED-GroupName>,OU=<REDACTED-OUs>,DC=<REDACTED-DOMAIN>,DC=com": false
2020-06-20 22:48:14.982 [info] <0.1819.0> LDAP DECISION: read permission for queue "<REDACTED-QueueName>" in "/" for "<REDACTED-USERNAME>": denied (denied)
2020-06-20 22:48:14.982 [error] <0.1819.0> Channel error on connection <0.1810.0> (<rabbit@<REDACTED-ServerName>>, vhost: '/', user: '<REDACTED-USERNAME>'), channel 1:
operation basic.get caused a channel exception access_refused: access to queue '<REDACTED-QueueName>' in vhost '/' refused for user '<REDACTED-USERNAME>'

Nvrnight
Jun 22, 2020, 5:35:34 PM
to rabbitmq-users
I've also tried the solution mentioned in this Stack Overflow post, using a user DN and password bind configuration, but it didn't work either. https://stackoverflow.com/questions/56208101/rabbitmq-ldap-authorization-for-groups-with-inconsistent-user-dns/56209575#56209575

Luke Bakken
Jun 22, 2020, 6:27:12 PM
to rabbitmq-users
> In the logs below there's a row with a warning which leads me to believe it may be part of the problem: it is not able to look up the DN for the account that it is binding to during authentication:
> 2020-06-20 22:48:14.826 [warning] <0.1582.0> Searching for DN for <REDACTED-DOMAIN>\<REDACTED-USERNAME>, got back []

Yes, that is most likely the issue. The user account used for the bind request does not have permission to search for the DN.

I suggest using a tool like ldp.exe to "mimic" the LDAP queries that the plugin is doing. You want to bind with the same user, then do a recursive search of CN=Users,DC=<REDACTED-DOMAIN>,DC=com for an entry whose sAMAccountName value matches <REDACTED-DOMAIN>\\<REDACTED-USERNAME>.

Good luck and let us know how it goes.
Luke
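To make the two searches from the first post's log inspectable without a directory, and as a stand-in for the "mimic the queries" exercise Luke suggests, here is an added example (my own Python, not the plugin's Erlang): it replays the dn_lookup search and the in_group "member" match against a constructed in-memory directory laid out as the first post describes (member holds full DNs, sAMAccountName holds the bare login) and reproduces the same empty lookup and false in_group when the filter value is the filled user_dn_pattern. The domain, user, group and DNs are placeholders I made up.

```python
# Added example, not the RabbitMQ LDAP plugin's code: an in-memory stand-in for
# the two searches the log shows (dn_lookup, then the in_group "member" match),
# so the filter values can be inspected offline. All names are constructed.
from string import Template
LOOKUP_BASE = "CN=Users,DC=example,DC=com"               # auth_ldap.dn_lookup_base
USER_DN = "CN=Jane Doe,CN=Users,DC=example,DC=com"       # what AD stores in "member"
GROUP_DN = "CN=rmq-readers,OU=groups,DC=example,DC=com"  # the in_group target
DIRECTORY = {                                            # constructed sample entries
    USER_DN: {"sAMAccountName": ["jdoe"], "distinguishedName": [USER_DN]},
    GROUP_DN: {"member": [USER_DN], "objectClass": ["group"]},
}

def search(base, scope, attr, value):
    """Equality-match search like the logged eldap requests; scope is
    "wholeSubtree" (entries under base) or "baseObject" (base entry only)."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn == base if scope == "baseObject" else dn.endswith(base)
        if in_scope and value in attrs.get(attr, []):
            hits.append(dn)
    return hits

def fill(pattern, **fields):
    # The plugin's ${username} templates use the same syntax as string.Template.
    return Template(pattern).substitute(fields)

def dn_lookup(username, user_dn_pattern):
    """As the log shows: sAMAccountName is matched against the *filled*
    user_dn_pattern, and if nothing comes back the filled string itself is
    carried forward as user_dn."""
    filled = fill(user_dn_pattern, username=username)
    hits = search(LOOKUP_BASE, "wholeSubtree", "sAMAccountName", filled)
    return hits[0] if hits else filled

def in_group(user_dn, group_dn):
    """As the log shows: baseObject search of the group for member == user_dn."""
    return bool(search(group_dn, "baseObject", "member", user_dn))

def read_permission(username, user_dn_pattern):
    """Return (user_dn used in the member match, in_group result)."""
    user_dn = dn_lookup(username, user_dn_pattern)
    return user_dn, in_group(user_dn, GROUP_DN)

if __name__ == "__main__":
    # Thread's pattern: "EXAMPLE\jdoe" matches no sAMAccountName, so user_dn
    # stays "EXAMPLE\jdoe" and the member match fails, exactly as logged.
    print(read_permission("jdoe", "EXAMPLE\\${username}"))  # ('EXAMPLE\\jdoe', False)
    # A pattern yielding the bare login finds the real DN, which is a member.
    print(read_permission("jdoe", "${username}"))           # (USER_DN, True)
```

Against a real AD the same two filters can be issued with ldp.exe; note that the sample user sits beneath dn_lookup_base, since a wholeSubtree search returns only entries under that base.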