RabbitMQ ldap user login errors


MUTYAM KOTI REDDY

Aug 28, 2015, 7:44:11 AM
to rabbitmq-users
Hi,

I'm new to RabbitMQ and I'm setting up LDAP access to RMQ but I'm getting failed errors. Could someone help with setting up LDAP login for RabbitMQ please?

My configuration :

[
{rabbit, [{auth_backends, [rabbit_auth_backend_ldap]}]},

{rabbitmq_auth_backend_ldap, [
    {servers, ["lexample.com"]},
    {user_dn_pattern, "uid=${username},ou=People,dc=example,dc=com"},
    {use_ssl, false},
    {port, 389},
    {log, true},

    {vhost_access_query,    {in_group, "cn=admin,ou=Groups,dc=example,dc=com"}},
    {resource_access_query, {in_group, "cn=admin,ou=Groups,dc=example,dc=com"}},

    {tag_queries, [{administrator, {in_group, "cn=admin,ou=Groups,dc=example,dc=com"}},
                   {management,    {in_group, "cn=admin,ou=Groups,dc=example,dc=com"}}]}
]}
].


I'm getting below errors:


=ERROR REPORT==== 28-Aug-2015::12:27:10 ===
webmachine error: path="/api/whoami"
"Unauthorized"


Michael Klishin

Aug 28, 2015, 7:46:43 AM
to rabbitm...@googlegroups.com, MUTYAM KOTI REDDY
On 28 August 2015 at 14:44:13, MUTYAM KOTI REDDY (koti.r...@gmail.com) wrote:
> =ERROR REPORT==== 28-Aug-2015::12:27:10 ===
>
>
> webmachine error: path="/api/whoami"
>
>
> "Unauthorized"

You can enable verbose logging of the LDAP backend, see "log" on [1].

1. http://www.rabbitmq.com/ldap.html 
--
MK

Staff Software Engineer, Pivotal/RabbitMQ


MUTYAM KOTI REDDY

Aug 28, 2015, 8:12:28 AM
to rabbitmq-users, koti.r...@gmail.com
Hi,

I've already enabled verbose, as you can see in the configuration, and here is the logging information. Can you help with this please?

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
LDAP CHECK: login for balamutyam

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
        LDAP filling template "uid=${username},ou=example,dc=example,dc=com" with
            [{username,<<"balamutyam">>}]

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
        LDAP template result: "uid= balamutyam,ou=example,dc=example,dc=com"

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
    LDAP bind succeeded: uid=balamutyam,ou=example,dc=example,dc=com

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
        LDAP filling template "uid=${username},ou=example,dc=example,dc=com" with
            [{username,<<"balamutyam">>}]

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
        LDAP template result: "uid=balamutyam,ou=example,dc=example,dc=com"

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
    LDAP CHECK: does balamutyam have tag administrator?

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
    LDAP evaluating query: {in_group,"cn=admin,ou=example,dc=example,dc=com"}

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
    LDAP evaluating query: {in_group,"cn=admin,ou=example,dc=example,dc=com",
                                     "member"}

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
        LDAP filling template "cn=admin,ou=example,dc=example,dc=com" with
            [{username,<<"balamutyam">>},
             {user_dn,"uid=balamutyam,ou=example,dc=example,dc=com"}]

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
        LDAP template result: "cn=admin,ou=example,dc=example,dc=com"

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
    LDAP evaluated in_group for "cn=admin,ou=example,dc=example,dc=com": false

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
    LDAP DECISION: does balamutyam have tag administrator? false

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
    LDAP CHECK: does balamutyam have tag management?

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
    LDAP evaluating query: {in_group,"cn=admin,ou=example,dc=example,dc=com"}

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
    LDAP evaluating query: {in_group,"cn=admin,ou=example,dc=example,dc=com",
                                     "member"}

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
        LDAP filling template "cn=admin,ou=example,dc=example,dc=com" with
            [{username,<<"balamutyam">>},
             {user_dn,"uid=username,ou=example,dc=example,dc=com"}]

=INFO REPORT==== 28-Aug-2015::12:42:05 ===
        LDAP template result: "cn=admin,ou=example,dc=example,dc=com

=ERROR REPORT==== 28-Aug-2015::12:42:05 ===
webmachine error: path="/api/whoami"
"Unauthorized"

[root@cdmrabbitmq ~]# 



Michael Klishin

Aug 28, 2015, 8:16:06 AM
to rabbitm...@googlegroups.com, MUTYAM KOTI REDDY
On 28 August 2015 at 15:12:30, MUTYAM KOTI REDDY (koti.r...@gmail.com) wrote:
> =INFO REPORT==== 28-Aug-2015::12:42:05 ===
>
> LDAP DECISION: does balamutyam have tag administrator? false
>
> =INFO REPORT==== 28-Aug-2015::12:42:05 ===
>
> LDAP CHECK: does balamutyam have tag management?

According to the above, your user doesn't have the tag to access management UI
(one of "management", "policymaker", "administrator"). Have you tried authenticating
using a RabbitMQ client to see if that works?

It's quite difficult to help beyond this without having access to your environment. 

MUTYAM KOTI REDDY

Aug 28, 2015, 9:03:13 AM
to rabbitmq-users, koti.r...@gmail.com
Hi,

I'm not sure how this LDAP plugin works, we just wanted to access RabbitMQ with LDAP credentials. Where can I tag "management", "policymaker", "administrator"? In the rabbitmq config file? Or on the console? Or do I have to change anything in LDAP configuration? Sorry for troubling you again.

Thanks
Bala

Michael Klishin

Aug 28, 2015, 9:08:05 AM
to rabbitm...@googlegroups.com, MUTYAM KOTI REDDY
On 28 August 2015 at 16:03:16, MUTYAM KOTI REDDY (koti.r...@gmail.com) wrote:
> I'm not sure how this LDAP plugin works, we just wanted to
> access RabbitMQ with LDAP credentials. Where can I tag "management",
> "policymaker", "administrator"? In the rabbitmq config file?
> Or on the console? Or do I have to change anything in LDAP configuration?

Without LDAP, tags are managed using rabbitmqctl set_user_tags. With LDAP,
you need to configure tag_queries:

http://www.rabbitmq.com/ldap.html

Default value for tag_queries is [{administrator, {constant, false}}],
as mentioned in the guide above.

If you run RabbitMQ in a trusted environment and have no problem with everybody
having access to management UI and all vhosts, you can configure tag_queries to use
{constant, false}.

If only access to management UI is desired, you can do the same for the policymaker
tag (includes management).

MUTYAM KOTI REDDY

Aug 28, 2015, 9:18:29 AM
to rabbitmq-users, koti.r...@gmail.com
Thank you very much, I don't want to give access to RabbitMQ to all LDAP users. Is it possible to set all the tags like administrator, management... etc. to only 2 groups like A and B? And how can I set set_user_tags using command line? What is wrong with my above config file?


Thanks
Bala

Michael Klishin

Aug 28, 2015, 9:20:34 AM
to rabbitm...@googlegroups.com, MUTYAM KOTI REDDY
On 28 August 2015 at 16:18:31, MUTYAM KOTI REDDY (koti.r...@gmail.com) wrote:
> I don't want to give access to RabbitMQ to
> all LDAP users. Is it possible to set all the tags like administrator, management... etc.
> to only 2 groups like A and B?

You can configure tag_queries to use any LDAP query you please.

MUTYAM KOTI REDDY

Aug 28, 2015, 9:28:15 AM
to rabbitmq-users, koti.r...@gmail.com
Thanks, I'm struggling a bit with configuring tag_queries for admins and devs.

Michael Klishin

Aug 28, 2015, 4:21:34 PM
to rabbitm...@googlegroups.com, MUTYAM KOTI REDDY
On 28 August 2015 at 16:28:17, MUTYAM KOTI REDDY (koti.r...@gmail.com) wrote:
> I'm struggling a bit with configuring tag_queries for admins
> and devs?

tag_queries is not really different from other queries, it just has 3 "nested keys".

You can use in_group there, for example. 
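
An added example, not written by anyone in this thread and not RabbitMQ's own sample configuration: one way to restrict management UI tags to two LDAP groups with in_group, as asked above. The group names rmq-admins and rmq-devs are hypothetical placeholders; the server, port and user_dn_pattern are copied from the first post.

```erlang
%% rabbitmq.config -- constructed example; group DNs are placeholders.
[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap]}]},

  {rabbitmq_auth_backend_ldap, [
    {servers,         ["lexample.com"]},
    {user_dn_pattern, "uid=${username},ou=People,dc=example,dc=com"},
    %% With use_ssl false on port 389 the bind password crosses the
    %% network in cleartext.
    {use_ssl,         false},
    {port,            389},
    {log,             true},

    %% A successful bind only proves the password. Vhost access is
    %% granted to members of either group and to nobody else.
    {vhost_access_query,
      {'or', [{in_group, "cn=rmq-admins,ou=Groups,dc=example,dc=com"},
              {in_group, "cn=rmq-devs,ou=Groups,dc=example,dc=com"}]}},

    %% resource_access_query is left unset here, so it takes its default
    %% of {constant, true}: anyone who passes vhost_access_query can
    %% configure, write and read every resource in that vhost.

    {tag_queries, [
      %% Full administration: admins group only.
      {administrator,
        {in_group, "cn=rmq-admins,ou=Groups,dc=example,dc=com"}},

      %% Management UI login: admins or devs. A {constant, true} query
      %% here would hand the tag to every user who can bind.
      {management,
        {'or', [{in_group, "cn=rmq-admins,ou=Groups,dc=example,dc=com"},
                {in_group, "cn=rmq-devs,ou=Groups,dc=example,dc=com"}]}}
    ]}
  ]}
].
```

in_group tests whether the user's full DN appears in the group entry's member attribute, as the "member" argument in the log output earlier in the thread shows. If the directory stores membership under a different attribute, name it as the third element, for example {in_group, "cn=...", "uniqueMember"} (an assumption about the directory schema).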