Using the LDAP plugin with Active Directory
26 views
Skip to first unread message
Jim Anderson
Feb 3, 2016, 10:47:00 AM2/3/16
to rabbitmq-users
Hello,
We have a fairly complicated AD domain with user and service accounts defined in separate OUs and need to able to authenticate and authorize both user and service accounts. I have set up the following configuration:
{rabbitmq_auth_backend_ldap,
[
{servers, ["ldap.mydomain.biz"]},
{use_ssl, true},
{port, 636},
{user_dn_pattern, "${username}"},
{dn_lookup_base, "OU=Accounts,DC=mydomain,DC=biz"},
{tag_queries,
[{administrator, {in_group, "CN=Domain Admins,CN=Users,DC=mydomain,DC=biz"}},
{management, {constant, true}}]}
]}
[
{servers, ["ldap.mydomain.biz"]},
{use_ssl, true},
{port, 636},
{user_dn_pattern, "${username}"},
{dn_lookup_base, "OU=Accounts,DC=mydomain,DC=biz"},
{tag_queries,
[{administrator, {in_group, "CN=Domain Admins,CN=Users,DC=mydomain,DC=biz"}},
{management, {constant, true}}]}
]}
Using this setup, the login name must be of the form "mydomain.biz\user" with the associated password. This binds to AD successfully, but the query string for the in_group query passes in "mydomain.biz\user" as the member name, which obviously fails.
Is there a way to make this work without modifying the plugin to strip the domain name prior to calling the in_group query.
Thanks,
Jim
Michael Klishin
Feb 3, 2016, 7:56:39 PM2/3/16
to rabbitm...@googlegroups.com, Jim Anderson
On 3 February 2016 at 18:47:03, Jim Anderson (jim...@gmail.com) wrote:
> Is there a way to make this work without modifying the plugin
> to strip the domain name prior to calling the in_group query.
This is pushing my knowledge of AD/LDAP but dn_lookup_bind
> Is there a way to make this work without modifying the plugin
> to strip the domain name prior to calling the in_group query.
and dn_lookup_attribute seem relevant.
--
MK
Staff Software Engineer, Pivotal/RabbitMQ
Reply all
Reply to author
Forward
0 new messages