HTTP access denied: user 'LDAPUser' - Not management user


VNA

Aug 16, 2018, 12:34:42 AM
to rabbitmq-users
I see the AD connection is successful but after that when i try to login from the console I get this error message.

=WARNING REPORT==== 16-Aug-2018::00:17:43 ===
HTTP access denied: user 'LDAPUser' - Not management user

Please advise.

thank you,
Vinay Anumalla

VNA

Aug 16, 2018, 12:49:24 AM
to rabbitmq-users

Looks like the tag is not being set to administrator, so that's why it is failing as Management user? Here are the full logs


=INFO REPORT==== 16-Aug-2018::00:44:01 ===
    LDAP CHECK: does USER have tag administrator?

=INFO REPORT==== 16-Aug-2018::00:44:01 ===
    LDAP evaluating query: {constant,false}

=INFO REPORT==== 16-Aug-2018::00:44:01 ===
    LDAP evaluated constant: false

=INFO REPORT==== 16-Aug-2018::00:44:01 ===
    LDAP DECISION: does USER have tag administrator? false

=INFO REPORT==== 16-Aug-2018::00:44:01 ===
LDAP DECISION: login for USER: ok

=WARNING REPORT==== 16-Aug-2018::00:44:01 ===
HTTP access denied: user 'USER' - Not management user


But when I do list_users I get this
Listing users
USER   [administrator]


Am I missing something or is this a bug?

thank you

Michael Klishin

Aug 16, 2018, 2:46:32 PM
to rabbitm...@googlegroups.com
You haven't posted your config and we do not guess on this list.
I highly doubt it is a bug. Most likely you haven't configured a tag_query for the LDAP
backend to use, or configured it correctly, so the tags returned for the user are empty
and therefore management UI/HTTP API access is denied.

See [1].


--
MK

Staff Software Engineer, Pivotal/RabbitMQ

VNA

Aug 16, 2018, 3:45:07 PM
to rabbitmq-users
Hello Michael, Here is my config

[
 {rabbit, [
     {ssl_listeners, [{"SERVERIPADDRESS", 5671}]},
     {loopback_users, []},
     {ssl_options, [{cacertfile,"/etc/rabbitmq/ca/cacert.pem"},
                    {certfile,"/etc/rabbitmq/server/cert.pem"},
                    {keyfile,"/etc/rabbitmq/server/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]},
     {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}
 ]},
 {rabbitmq_management, [
        {rates_mode, detailed},
        {sample_retention_policies, [
                {global,   [{60, 5}, {3600, 60}, {86400, 1200}]},
                {basic,    [{60, 5}, {3600, 60}]},
                {detailed, [{10, 5}]}
        ]}
 ]},
 {rabbitmq_auth_backend_ldap, [
   {servers, ["LDAPDOMAIN"]},
   {use_ssl, false},
   {port, 389},
   {timeout, 300000},
   {log, network},
   {dn_lookup_attribute, "userPrincipalName"},
   {dn_lookup_base, "DC=DOMAIN,DC=COM"},
   {dn_lookup_bind, {"LDAPBINDID","******"}}
  ]
 }
].

Michael Klishin

Aug 16, 2018, 4:10:59 PM
to rabbitm...@googlegroups.com
I don't see any LDAP queries configured in this file. The plugin won't be able to do anything meaningful
in order to authenticate clients, check their virtual host access permissions, and so on.


VNA

Aug 16, 2018, 4:41:58 PM
to rabbitmq-users
virtual host access is given at the root level and role assigned is administrator

Michael Klishin

Aug 16, 2018, 4:59:40 PM
to rabbitm...@googlegroups.com
How is virtual host access "given at the root level"?

The LDAP plugin requires the user to configure several queries that it will execute
in order to implement the authN and authZ backend interface. Configuring LDAP credentials
and DN lookup properties is not enough.

The flow is explained in [1] and the queries are covered in [2][3].

1. https://www.rabbitmq.com/ldap.html#ldap-operation-flow
2. https://www.rabbitmq.com/ldap.html#authorisation
3. https://www.rabbitmq.com/ldap.html#query-types


VNA

Aug 17, 2018, 8:56:25 AM
to rabbitmq-users
Hello Michael, I am kind of confused, because how was it working on our old Windows servers without any tag_queries option? Here is the Windows server config

[
 {rabbit, [
    {ssl_listeners, [443]},
    {tcp_listeners, [{"HOSTNAME", 5672}]},
    {ssl_options, [
        {cacertfile,"D:/RabbitMQ Server/certificate/rabbitmq.crt"},
        {certfile, "D:/RabbitMQ Server/certificate/rabbitmq.crt"},
        {keyfile, "D:/RabbitMQ Server/certificate/rabbitmq.key"}
    ]},
    {auth_backends, [
        {rabbit_auth_backend_ldap, rabbit_auth_backend_internal}
    ]}
 ]},
 {rabbitmq_management, [
    {rates_mode, detailed},
    {sample_retention_policies, [
        {global,   [{60, 5}, {3600, 60}, {86400, 1200}]},
        {basic,    [{60, 5}, {3600, 60}]},
        {detailed, [{10, 5}]}
    ]}
 ]},
 {rabbitmq_auth_backend_ldap, [
    {servers, ["LDAPDOMAIN"]},
    {use_ssl, false},
    {port, 389},
    {timeout, 300000},
    {log, network},
    {dn_lookup_attribute, "userPrincipalName"},
    {dn_lookup_base, "DC=DOMAIN,DC=COM"},
    {dn_lookup_bind, {"ADBINDID","******"}}
 ]}
].


Anyway, as you suggested, I added this to the new Linux servers and now it goes back to the eacces error below


   {tag_queries, [{administrator, {constant, true}},
                  {management,    {constant, true}}]}


=INFO REPORT==== 17-Aug-2018::08:52:40 ===
    LDAP connecting to servers: ["LDAPDOMAIN"]

=INFO REPORT==== 17-Aug-2018::08:52:40 ===
    LDAP network traffic: Connect: "LDAPDOMAIN" failed {error,eacces}

=INFO REPORT==== 17-Aug-2018::08:52:40 ===
    LDAP connect error: {error,"connect failed"}

=INFO REPORT==== 17-Aug-2018::08:52:40 ===
    LDAP connecting to servers: ["LDAPDOMAIN"]

=INFO REPORT==== 17-Aug-2018::08:52:40 ===
    LDAP network traffic: Connect: "LDAPDOMAIN" failed {error,eacces}

=INFO REPORT==== 17-Aug-2018::08:52:40 ===
    LDAP connect error: {error,"connect failed"}

=INFO REPORT==== 17-Aug-2018::08:52:40 ===
LDAP DECISION: login for MYID: {error,"connect failed"}

=WARNING REPORT==== 17-Aug-2018::08:52:40 ===
HTTP access denied: user 'MYID' - invalid credentials


Thank you for your input Michael
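An added example (not from the thread) of the rabbitmq_auth_backend_ldap section with the authorisation queries the plugin evaluates, written so that the administrator tag goes only to members of an LDAP group rather than to every authenticated user, which is what `{administrator, {constant, true}}` above grants. Note also that the Windows config pairs the two backends in one tuple, `{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}`, which authenticates against LDAP but takes tags and permissions from the internal database (hence the `USER [administrator]` seen in list_users), while the Linux config lists them separately, so the LDAP backend must answer the tag query itself. The group DNs and group names below are placeholders assumed for illustration.

```erlang
%% Added example, not from the thread: rabbitmq_auth_backend_ldap section
%% with the queries evaluated after authentication. Group DNs are
%% placeholders; adjust them to the directory in use.
{rabbitmq_auth_backend_ldap, [
   {servers, ["LDAPDOMAIN"]},
   {use_ssl, false},
   {port, 389},
   {timeout, 300000},
   {log, network},
   {dn_lookup_attribute, "userPrincipalName"},
   {dn_lookup_base, "DC=DOMAIN,DC=COM"},
   {dn_lookup_bind, {"LDAPBINDID", "******"}},

   %% Tags: only members of the (placeholder) admin group become
   %% administrators; any authenticated user may open the management UI.
   %% in_group checks the group's "member" attribute by default.
   {tag_queries, [
       {administrator, {in_group, "CN=RabbitMQ Admins,OU=Groups,DC=DOMAIN,DC=COM"}},
       {management,    {constant, true}}
   ]},

   %% Virtual host access: look up a per-vhost group instead of granting
   %% every vhost to everyone; ${vhost} is substituted by the plugin.
   {vhost_access_query,
       {in_group, "CN=rabbitmq-${vhost},OU=Groups,DC=DOMAIN,DC=COM"}},

   %% Resource permissions (configure/write/read on exchanges and queues)
   %% for users who already passed the vhost check.
   {resource_access_query, {constant, true}}
]}
```

With `{log, network}` left on, the broker logs each query as it is evaluated (as in the `LDAP CHECK` / `LDAP DECISION` lines earlier in the thread), which is the quickest way to confirm a group lookup resolves as intended.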

VNA

Aug 17, 2018, 9:04:40 AM
to rabbitmq-users
Hello Michael, I found the problem. The firewall got enabled after the reboot. Anyway, it looks like the tag_queries option seems to work, even though I am still surprised how it was working on Windows without that option.

Thank you very much for your time and investigation.

Michael Klishin

Aug 17, 2018, 9:43:33 AM
to rabbitm...@googlegroups.com
 > it goes back to the eacces error below

We cannot know what causes EACCES in your environment. The OS prevents the LDAP client in the plugin from connecting. Plugin configuration has absolutely no effect on that.

We have a dedicated doc guide that explains a methodology for troubleshooting this efficiently [1]. Please work with your colleagues
on the operations side to figure out what may be kicking in.
