LDAP to support multiple domains authentication


Chris Chew, Jul 26, 2021, 2:09:05 PM, to rabbitmq-users
Hello,

I was wondering if it is possible to set up LDAP authentication to support multiple domains and AD. 

Here is the scenario...

We have company A and company B, each with its own DC and domain. We would like to first see if the user logging in is in company A's AD. If not, the authentication would fail over to company B's.

The purpose of this is that we would like to move ALL authentication over to company A, but we want a seamless transition in case there are some accounts in company B that we did not create in company A's AD.

The only issue I see is it seems like the dn_lookup_base field only takes in one search base. Is it possible to specify two search bases? 

Primary search base of DC=CompanyA,DC=com, and if the search fails there, then it fails over to DC=CompanyB,DC=com.

Or do you guys have a recommendation on a better solution? 

Thanks in advance!


Michal Kuratczyk, Jul 26, 2021, 5:55:04 PM, to rabbitm...@googlegroups.com
Hi,

This is indeed not supported by the LDAP plugin. I'd recommend using an LDAP proxy/aggregator (aka virtual LDAP). I believe OpenLDAP with the "meta" backend is one such option but there are other products that can do that.
This requirement usually comes up when merging two companies after acquisition or something like that, in which case you probably need to configure multiple domains in many systems, not just RabbitMQ.
A virtual LDAP endpoint would allow you to centralize this work and allow all systems to connect to a single endpoint. Would that be an option for you?

Best,



--
Michał
RabbitMQ team

Chris Chew, Jul 27, 2021, 12:13:34 PM, to rabbitmq-users

Hi Michal,

Thank you for the response and insight! I will take a look into those options.

Thanks!
Chris 

Chris Chew, Jul 27, 2021, 12:51:35 PM, to rabbitmq-users
Actually, I do have a question... If we use the OpenLDAP solution, won't we still have to specify the search base, and wouldn't they be different? Sorry for my lack of knowledge on virtual LDAP.

Michal Kuratczyk, Jul 27, 2021, 1:22:48 PM, to rabbitm...@googlegroups.com
Hi,

No, you should be able to map a single search base to different bases on different servers. Take a look at the Scenarios section at https://linux.die.net/man/5/slapd-meta

Best,



--
Michał
RabbitMQ team
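The mapping Michal describes, written out as an added example configuration that is not part of this thread or of RabbitMQ's or OpenLDAP's own documentation. It assumes a hypothetical virtual suffix dc=virtual,dc=local on the proxy, hypothetical hostnames dc.companya.example and dc.companyb.example for the two domain controllers, and placeholder service-account credentials; the slapd-meta(5) scenario linked above shows the same suffixmassage pattern.

```conf
# slapd.conf fragment for an OpenLDAP "meta" proxy in front of two AD forests.
# Hostnames, the virtual suffix and credentials are assumed placeholders.
database        meta
suffix          "dc=virtual,dc=local"
rootdn          "cn=proxyadmin,dc=virtual,dc=local"
rootpw          "CHANGE-ME-placeholder"

# Refuse operations that do not map onto one of the configured targets,
# so a typo in a search base cannot silently hit the wrong forest.
default-target  none

# Target 1: company A (the migration target). Its real naming context is
# presented under ou=CompanyA of the virtual suffix.
uri             "ldap://dc.companya.example/ou=CompanyA,dc=virtual,dc=local"
suffixmassage   "ou=CompanyA,dc=virtual,dc=local" "DC=CompanyA,DC=com"
idassert-bind   bindmethod=simple
                binddn="CN=svc-ldap-proxy,CN=Users,DC=CompanyA,DC=com"
                credentials="CHANGE-ME-placeholder"
                mode=none

# Target 2: company B, presented under ou=CompanyB of the same suffix.
uri             "ldap://dc.companyb.example/ou=CompanyB,dc=virtual,dc=local"
suffixmassage   "ou=CompanyB,dc=virtual,dc=local" "DC=CompanyB,DC=com"
idassert-bind   bindmethod=simple
                binddn="CN=svc-ldap-proxy,CN=Users,DC=CompanyB,DC=com"
                credentials="CHANGE-ME-placeholder"
                mode=none
```

With this in place the RabbitMQ LDAP plugin only needs the single virtual base (auth_ldap.dn_lookup_base = dc=virtual,dc=local pointing at the proxy) and never sees the two real naming contexts: a subtree search from the virtual suffix fans out to both targets, and DNs returned under ou=CompanyA or ou=CompanyB are rewritten back to the real DN when the user bind is forwarded. The search-base question in the post above disappears at the RabbitMQ end, but, as the rest of the thread shows, a login that exists in both forests now comes back as two entries, which is a directory-side problem to resolve before cutover.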

Chris Chew, Jul 28, 2021, 7:03:53 PM, to rabbitmq-users
Thanks Michal for the help and suggestion!

I have created an LDAP server to act as a proxy to query both companies' domains and it works!

However, I am running into an issue where two of the same user accounts (samaccountname) exist in both domains, and the lookup returns both DNs and tries to bind with them, resulting in an invalidDNSyntax error. Will I need to

  1. Check OpenLDAP documentation to see if it can spit out one result, or
  2. Is there something in the RabbitMQ config that can specify to use the first result for binding?

Let me know if I need to start another thread for this.

Thanks!

Michal Kuratczyk, Jul 29, 2021, 5:38:31 AM, to rabbitm...@googlegroups.com
I don't think the LDAP plugin can do that - it still thinks it's talking to a single LDAP server, and the whole point of a DN is that it should uniquely identify a single user, so no duplicates are expected.
I hope you can find a way to solve this on the LDAP side.

Best,



--
Michał
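The duplicate-login problem from the last two posts, as an added example that is not part of the thread or of RabbitMQ or OpenLDAP: a small pre-cutover audit that takes the merged search result a proxy like the one above would return, reports every sAMAccountName present in more than one branch, and applies the "prefer company A" rule Chris is after, so that the conflicts are found and resolved in the directory before RabbitMQ ever sees two DNs for one login. The virtual suffix dc=virtual,dc=local, the ou=CompanyA/ou=CompanyB branches and the sample entries are constructed assumptions; with python-ldap or ldap3 the same functions would be fed from a real subtree search.

```python
"""Audit a merged (proxied) directory view for duplicate sAMAccountName values.

Constructed example: the entries below stand in for the result of a subtree
search from the virtual suffix of a meta proxy; nothing here talks to a server.
"""
from collections import defaultdict

VIRTUAL_SUFFIX = "dc=virtual,dc=local"                 # assumed proxy suffix
PREFERRED_BRANCH = "ou=CompanyA," + VIRTUAL_SUFFIX     # the migration target

# Constructed search result: (dn, attributes) as a proxy might return them.
# "carol" exists in both forests and is the case the thread is about.
SAMPLE_ENTRIES = [
    ("CN=Alice,CN=Users,ou=CompanyA,dc=virtual,dc=local", {"sAMAccountName": "alice"}),
    ("CN=Bob,CN=Users,ou=CompanyB,dc=virtual,dc=local",   {"sAMAccountName": "bob"}),
    ("CN=Carol,CN=Users,ou=CompanyA,dc=virtual,dc=local", {"sAMAccountName": "carol"}),
    ("CN=Carol,CN=Users,ou=CompanyB,dc=virtual,dc=local", {"sAMAccountName": "Carol"}),
]


def normalize_dn(dn):
    """Lower-case and strip each RDN so DNs compare the way LDAP treats them."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def index_by_login(entries):
    """Map each login (case-insensitive, as AD treats sAMAccountName) to its DNs."""
    by_login = defaultdict(list)
    for dn, attrs in entries:
        login = attrs.get("sAMAccountName")
        if login:
            by_login[login.lower()].append(dn)
    return dict(by_login)


def find_conflicts(entries):
    """Return {login: [dn, ...]} for every login that resolves to more than one DN."""
    return {login: dns for login, dns in index_by_login(entries).items() if len(dns) > 1}


def in_branch(dn, branch):
    """True if dn sits under branch (comparison on whole RDN boundaries only)."""
    return normalize_dn(dn).endswith("," + normalize_dn(branch))


def resolve_dn(login, entries, preferred_branch=PREFERRED_BRANCH):
    """Pick the single DN a bind should use for this login.

    Exactly one match: use it. Several matches: use the one in the preferred
    (migration-target) branch if that is unambiguous. Otherwise refuse rather
    than guess, because binding as the wrong account is an authentication bug.
    """
    candidates = index_by_login(entries).get(login.lower(), [])
    if not candidates:
        raise LookupError(f"no entry for {login!r}")
    if len(candidates) == 1:
        return candidates[0]
    preferred = [dn for dn in candidates if in_branch(dn, preferred_branch)]
    if len(preferred) == 1:
        return preferred[0]
    raise ValueError(f"ambiguous login {login!r}: {candidates}")


def audit_report(entries, preferred_branch=PREFERRED_BRANCH):
    """One line per conflicting login: which DN the policy would pick, or 'UNRESOLVED'."""
    lines = []
    for login, dns in sorted(find_conflicts(entries).items()):
        try:
            chosen = resolve_dn(login, entries, preferred_branch)
        except ValueError:
            chosen = "UNRESOLVED"
        lines.append(f"{login}: {len(dns)} entries -> {chosen}")
    return lines


if __name__ == "__main__":
    for line in audit_report(SAMPLE_ENTRIES):
        print(line)
```

The report is the thing to run before pointing RabbitMQ at the proxy: every login it lists must be renamed, disabled in company B, or otherwise reduced to one entry, since the plugin (as Michal notes) assumes a DN identifies exactly one user and has no "take the first result" setting. Refusing on an ambiguous match, instead of silently picking one, is deliberate; the same logic can be re-run after each clean-up pass until the conflict list is empty.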