RabbitMQ in pure IPV6 windows environment and LDAP


Mark

Dec 3, 2025, 6:54:04 AM
to rabbitmq-users
Hey,

As a proof of concept to see if our software works in a full ipv6 environment, we attempted to configure rabbitmq for ipv6 as well. Now we are running into issues with getting LDAP to work. In a further step we would also use LDAPS but just LDAP first.

We are using rabbitmq 4.1.4 and Erlang 27.3.4.3 on Windows Server 2022 Standard

To configure the rabbitmq environment for ipv6 we followed the rabbitmq documentation.

When trying to launch the server via rabbitmq-server.bat start it seems to launch fine. However, it is only available via https://localhost:15671 and not the configured nodename, e.g. https://rmqnode01.domain.dev:15671. Also be aware that the nodename is different than the hostname in our environment. They are configured via the environment variable RABBITMQ_NODENAME. In addition to that, when trying to log in via the configured LDAP user we get the following error:

2025-12-03 12:22:26.428000+01:00 [notice] <0.780.0> TLS server: In state wait_cert received CLIENT ALERT: Fatal - Certificate Unknown
2025-12-03 12:22:26.428000+01:00 [notice] <0.780.0>
2025-12-03 12:22:26.480000+01:00 [notice] <0.784.0> TLS server: In state wait_cert received CLIENT ALERT: Fatal - Certificate Unknown
2025-12-03 12:22:26.480000+01:00 [notice] <0.784.0>
2025-12-03 12:22:26.792000+01:00 [info] <0.790.0> LDAP CHECK: login for admin01
2025-12-03 12:22:26.792000+01:00 [info] <0.790.0>         LDAP filling template "${username}" with
2025-12-03 12:22:26.792000+01:00 [info] <0.790.0>             [{username,<<"admin01">>}]
2025-12-03 12:22:26.792000+01:00 [info] <0.790.0>         LDAP template result: "admin01"
2025-12-03 12:22:26.792000+01:00 [info] <0.790.0>     LDAP connecting to servers: ["fc00::2","dc01.domain.dev"]
2025-12-03 12:22:26.806000+01:00 [info] <0.795.0>     LDAP network traffic: Connect: "fc00::2" failed {error,nxdomain}
2025-12-03 12:22:26.806000+01:00 [info] <0.795.0>
2025-12-03 12:22:26.811000+01:00 [info] <0.795.0>     LDAP network traffic: Connect: "dc01.domain.dev" failed {error,
2025-12-03 12:22:26.811000+01:00 [info] <0.795.0>                                                                  nxdomain}
2025-12-03 12:22:26.811000+01:00 [info] <0.795.0>
2025-12-03 12:22:26.811000+01:00 [info] <0.445.0>     LDAP connect error: {error,"connect failed"}
2025-12-03 12:22:26.811000+01:00 [info] <0.790.0> LDAP DECISION: login for admin01: {error,ldap_connect_error}
2025-12-03 12:22:26.811000+01:00 [warning] <0.790.0> HTTP access denied: rabbit_auth_backend_ldap failed authenticating admin01: ldap_connect_error

Which sounds like a DNS problem. However the DNS server has the relevant entries for the RabbitMQ servers as well as the nodenames and they can be resolved from the servers. The used certificate also works fine in an IPV4 environment. 

In the attached erl_inetrc file there are a few more options that we tried to resolve the issues but none of them worked. 
When we enabled ipv4 for the domain controller and dns server as well as the rabbitmq server again, name resolution for https://nodename:15671 worked but login via LDAP was still not possible. We tested this config, excluding the changes for ipv6, on a normal ipv4 environment before and LDAP worked fine.

After doing some googling we found https://www.erlang.org/doc/apps/kernel/inet.html
and the relevant part:
"The behavior of a socket with this option set to true is the only portable one. The original idea when IPv6 was new of using IPv6 for all traffic is now not recommended by FreeBSD (you can use {ipv6_v6only,false} to override the recommended system default value), forbidden by OpenBSD (the supported GENERIC kernel), and impossible on Windows (which has separate IPv4 and IPv6 protocol stacks). Most Linux distros still have a system default value of false. This policy shift among operating systems to separate IPv6 from IPv4 traffic has evolved, as it gradually proved hard and complicated to get a dual stack implementation correct and secure."

Do we understand correctly that a pure ipv6 rabbitmq environment is not possible at this point?

Hope you can assist us.

Regards
Mark

rabbitmq-env-conf.bat.txt
erl_inetrc
server.conf

Luke Bakken

Dec 3, 2025, 3:31:27 PM
to rabbitmq-users
Hi Mark,

It is possible to run RabbitMQ in an IPv6-only environment. In fact, I was just assisting an AWS user trying to do so - https://github.com/rabbitmq/rabbitmq-server/issues/14974

It's not easy, however, and the fact you're on Windows complicates things, I'm sure.

The fact that nxdomain is being returned when trying to connect via LDAP suggests that the code is interpreting fc00::2 as a hostname (it's a very odd IPv6 address to see as well). I checked the eldap library documentation and, sure enough, you must explicitly tell it to use IPv6 when a connection is made (https://www.erlang.org/doc/apps/eldap/eldap.html#open/2 - see tcpopts)

There's no support, as of yet, to configure the LDAP plugin to use IPv6 for all connections. If you would like to make a feature request, start a discussion here:


Thanks,
Luke
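
An added diagnostic example for the tcpopts point in the reply above (not part of the original posts, and not RabbitMQ or eldap project code): it opens a plain LDAP connection to each server named in the log, once with default socket options and once with `{tcpopts, [inet6]}`, and also checks whether a hostname resolves over IPv6. The module name `ldap_v6_check`, port 389 and the 3-second timeout are assumptions.

```erlang
%% Added example: compare eldap connection attempts with and without inet6.
%% Module name, port and timeout are assumptions, not values from the thread.
-module(ldap_v6_check).
-export([run/0, run/2, is_v6_literal/1]).

%% Hosts are the two servers shown in the "LDAP connecting to servers" log line.
run() ->
    run(["fc00::2", "dc01.domain.dev"], 389).

%% Returns one tuple per host:
%%   {Host, Ipv6Resolution, ResultWithDefaultOpts, ResultWithInet6}
run(Hosts, Port) ->
    [{H, resolve_v6(H), try_open(H, Port, []), try_open(H, Port, [inet6])}
     || H <- Hosts].

%% True when the string is an IPv6 literal rather than a hostname.
is_v6_literal(Host) ->
    case inet:parse_ipv6strict_address(Host) of
        {ok, _Addr} -> true;
        {error, einval} -> false
    end.

%% For hostnames, ask the Erlang resolver for an IPv6 address.
%% An {error, nxdomain} here points at resolver configuration, not at eldap.
resolve_v6(Host) ->
    case is_v6_literal(Host) of
        true -> literal;
        false -> inet:getaddr(Host, inet6)
    end.

%% Open and immediately close a plain (non-TLS) LDAP connection.
%% No bind is attempted, so no credentials are sent.
try_open(Host, Port, TcpOpts) ->
    Opts = [{port, Port}, {timeout, 3000}, {tcpopts, TcpOpts}],
    case eldap:open([Host], Opts) of
        {ok, Handle} ->
            ok = eldap:close(Handle),
            {TcpOpts, connected};
        {error, Reason} ->
            {TcpOpts, Reason}
    end.
```

Compile it in an `erl` shell on the broker host with `c(ldap_v6_check).` and call `ldap_v6_check:run().`; a host that fails with default options but connects with `[inet6]` matches the behaviour described in the reply.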