[rabbitmq-discuss] Authenticating users via SSPI
Mark Steele
msteele at beringmedia.com
Fri Jul 16 13:44:06 BST 2010

Really depends on what your needs are.

You could have one cert per user, and use the same authentication
information in your rabbit cloud for all users. I just noticed however that
the Erlang new_ssl implementation does not support CRLs, so you won't be
able to revoke a certificate and have that reflected by an authentication
failure on the rabbit server.

Wonder what the odds of adding CRL or OCSP support to rabbit are... There
was a thread about this in 2009:
http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/2009-July/004189.html

Both these functionalities are pretty trivial to implement using the openssl
library.

So I guess my original suggestion doesn't fly as a good solution, sorry!

Cheers,
Mark Steele
Director of development
Bering Media Inc.
On Thu, Jul 15, 2010 at 6:33 PM, Dan Wise <Dan.Wise at ignisasset.com> wrote:
> Would I need a separate certificate for each user? Does peer certificate
> verification bypass normal username and password checking?
>
> Dan.
>
> *From:* Mark Steele [mailto:msteele at beringmedia.com]
> *Sent:* 15 July 2010 14:52
> *To:* Dan Wise
> *Cc:* rabbitmq-discuss at lists.rabbitmq.com
> *Subject:* Re: [rabbitmq-discuss] Authenticating users via SSPI
>
> You could use PKI and store the certificates in LDAP. Have your app use the
> current credentials of the user to grab the certificate and connect to
> rabbit over SSL with peer certificate verification enabled.
>
> Mark Steele
> Director of development
> Bering Media Inc.
>
> On Thu, Jul 15, 2010 at 5:53 AM, Dan Wise <Dan.Wise at ignisasset.com>
> wrote:
>
> Hi,
>
> We have a number of Windows users who want to use our rabbitmq messaging.
> However we need to ensure that we authenticate them without them having to
> enter their Windows passwords and syncing with the rabbitmq user passwords.
>
> Has anyone looked at a mechanism for using SSPI authentication to allow
> clients to connect? This is surely a common challenge, particularly in an
> organisation where there are large numbers of users and the job of providing
> and maintaining separate passwords for different systems is huge.
>
> Thanks,
>
> *Dan Wise*
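
An added example, not part of the original thread and not RabbitMQ or Erlang code: the two checks discussed above (mandatory peer certificate verification, and a CRL check on the client certificate) as they are switched on in an OpenSSL-backed TLS stack, here Python's `ssl` module. The function names are hypothetical and all file paths are supplied by the caller.

```python
import ssl


def broker_tls_context(ca_file=None, crl_file=None, cert_file=None, key_file=None):
    """Server-side context: client certificate required and checked against a CRL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Peer certificate verification: the handshake fails when the client sends
    # no certificate, or one that does not chain to a trusted CA.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Revocation: OpenSSL only consults CRLs when asked to. With this flag set,
    # a client certificate listed in a loaded CRL is rejected, and so is one
    # whose issuer has no CRL loaded at all ("unable to get certificate CRL").
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if crl_file:
        # CRLs are loaded through the same call as CA certificates.
        ctx.load_verify_locations(cafile=crl_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def peer_verified_only():
    """The situation described in the thread: certificates verified, no CRL check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def revocation_enforced(ctx):
    """True when the context demands a client certificate and checks it against a CRL."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF))


if __name__ == "__main__":
    print("with CRL check:   ", revocation_enforced(broker_tls_context()))
    print("peer verify only: ", revocation_enforced(peer_verified_only()))
```

The CRL has to be re-loaded whenever the CA publishes a new one, otherwise recently revoked certificates keep authenticating until the context is rebuilt.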