LDAP vs internal users


H Sundelin

Jan 14, 2021, 11:03:53 AM1/14/21
to rabbitmq-users

Hi,

I'm trying to configure rabbitmq like this:
- Messaging users are authenticated with a client certificate, which is then authenticated and authorized with LDAP.
- Admin users are configured in the internal database only. We have no requirement to have admins or persons in LDAP. Our LDAP is for machines, not for people's Unix accounts. We use OpenLDAP.


Messaging users work great, but admin users get huge numbers of "DENIED" entries from LDAP, even though in my rabbitmq.conf I have:
--
auth_backends.1 = rabbit_auth_backend_cache
auth_backends.2 = rabbit_auth_backend_internal
auth_backends.3 = rabbit_auth_backend_ldap

auth_cache.cached_backend = ldap
auth_cache.cache_ttl = 14400000

auth_ldap.other_bind.user_dn  = cn=xxxx,dc=xx,dc=xx,dc=com
auth_ldap.other_bind.password = xxxxxx
--

For admins logging in to the web UI we get errors like this in the logs:

2021-01-14 15:55:10.905 [info] <0.1484.0> LDAP CHECK: login for henri
2021-01-14 15:55:10.906 [info] <0.1484.0>         LDAP filling template "cn=${username},dc=pods,dc=frameryservices,dc=com" with
            [{username,<<"henri">>}]
2021-01-14 15:55:10.906 [info] <0.1484.0>         LDAP template result: "cn=henri,dc=pods,dc=frameryservices,dc=com"
2021-01-14 15:55:10.906 [info] <0.1484.0>     LDAP connecting to servers: ["ec2-54-93-116-217.eu-central-1.compute.amazonaws.com"]
2021-01-14 15:55:10.906 [info] <0.1079.0>     LDAP network traffic: bind request = {'BindRequest',3,"cn=xxxx,dc=xxxx,dc=xxxx,dc=xxxx",{simple,"xxxx"}}
2021-01-14 15:55:10.907 [info] <0.1079.0>     LDAP network traffic: bind reply = {ok,{'LDAPMessage',15,{bindResponse,{'BindResponse',invalidCredentials,[],[],asn1_NOVALUE,asn1_NOVALUE}},asn1_NOVALUE}}
2021-01-14 15:55:10.907 [info] <0.915.0>     LDAP bind returned "invalid credentials": cn=xxxx,dc=xxxx,dc=xxxx,dc=xxxx
2021-01-14 15:55:10.908 [info] <0.1484.0> LDAP DECISION: login for henri: denied


However the admin users work as expected from the internal database, we just get these extra LDAP requests.

I gather this is because it tries to bind the web user with the username, correct? That is what I definitely do not want, but how do I disable these queries altogether?
It seems the backend order does not affect anything.

Versions:
RabbitMQ 3.8.9 Erlang 23.2.1

Thanks already,
Henri




Aitor P

Jan 15, 2021, 8:55:59 AM1/15/21
to rabbitmq-users
Hi Henri,

I suspect you are getting those LDAP errors in the log because the cache backend is set first in your list of auth backends. With that configuration, when a user logs in using the Management web UI, RabbitMQ will look up the cache; if it finds there is no entry, it will consult LDAP, get a permission denied from LDAP, and then try to authenticate using the internal backend and succeed. I'm not sure if the cache backend caches refusals by default; you can try to set 'auth_cache.cache_refusals = true' and see if this resolves the problem.

One last thing that caught my attention was the third auth backend "auth_backends.3 = rabbit_auth_backend_ldap". I suspect this line is not necessary because you have configured the LDAP backend via "auth_cache.cached_backend = ldap".

Best regards,
Aitor
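As an added example for this thread (editor's addition, not part of either post and not taken from the RabbitMQ documentation): the rabbitmq.conf fragment from the original message, with the ordering Aitor points at, beside a reordered version that asks the internal database first and reaches LDAP (through the cache backend) only for names the internal database does not know. DNs and the password are placeholders.

```ini
# --- As posted: the cache backend wraps LDAP and sits first, so every management
# --- login by an internal-only admin is first looked up in LDAP and logged as
# --- "denied" before the internal backend is consulted at all.
# auth_backends.1 = rabbit_auth_backend_cache
# auth_backends.2 = rabbit_auth_backend_internal
# auth_backends.3 = rabbit_auth_backend_ldap   # redundant: LDAP is already behind the cache
# auth_cache.cached_backend = ldap
# auth_cache.cache_ttl = 14400000

# --- Reordered: backends are tried in order, so internal users are answered by
# --- the internal database without any LDAP traffic; only names it does not
# --- know (the certificate-authenticated messaging users) fall through to LDAP.
auth_backends.1 = rabbit_auth_backend_internal
auth_backends.2 = rabbit_auth_backend_cache
auth_cache.cached_backend = ldap
auth_cache.cache_ttl = 14400000

# Optional: also remember LDAP refusals so an unknown name is not re-queried on
# every attempt. Caveat: a denial is then cached for the full TTL (4 hours above),
# including for an LDAP entry that was created after the first failed attempt.
auth_cache.cache_refusals = true

# Service-account bind used for DN lookups and authorization queries (placeholders).
auth_ldap.other_bind.user_dn  = cn=rabbitmq-svc,dc=example,dc=com
auth_ldap.other_bind.password = CHANGE_ME
```

Two checks worth doing after the change. First, keep certificate CNs and internal user names disjoint: with the internal backend first, a certificate whose CN matches an existing internal user is resolved against the internal database rather than LDAP. Second, the bind reply in the posted log is `invalidCredentials` for the `other_bind` DN itself, not for the web user, so the credentials configured under `auth_ldap.other_bind.*` deserve a separate look regardless of the backend ordering.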