[rabbitmq-discuss] Authenticating users via SSPI

Dan Wise Dan.Wise at ignisasset.com
Fri Jul 16 15:05:07 BST 2010

Yes, this confirms the issue I was worrying about. 


I think it would be very valuable to add NTLM authentication to Rabbit
on Windows, so that only a username could be supplied on the client and
the authentication verified on the server, without the need to pass
clear-text passwords or per-user SSL certificates. This would really
enhance the commercial attractiveness of Rabbit.


Anyone want to take up the challenge?

From: Mark Steele [mailto:msteele at beringmedia.com] 
Sent: 16 July 2010 13:44
To: Dan Wise
Cc: rabbitmq-discuss at lists.rabbitmq.com
Subject: Re: [rabbitmq-discuss] Authenticating users via SSPI


Really depends on what your needs are.


You could have one cert per user, and use the same authentication
information in your rabbit cloud for all users. I just noticed however
that the erlang new_ssl implementation does not support CRLs, so you
won't be able to revoke a certificate and have that reflected by an
authentication failure on the rabbit server.


Wonder what the odds of adding CRL or OCSP support to rabbit
are... There was a thread about this in 2009:


Both these functionalities are pretty trivial to implement using the
openssl library


So I guess my original suggestion doesn't fly as a good solution, sorry!



Mark Steele
Director of development
Bering Media Inc.

On Thu, Jul 15, 2010 at 6:33 PM, Dan Wise <Dan.Wise at ignisasset.com>

Would I need a separate certificate for each user? Does peer certificate
verification bypass normal username and password checking?

From: Mark Steele [mailto:msteele at beringmedia.com] 
Sent: 15 July 2010 14:52
To: Dan Wise
Cc: rabbitmq-discuss at lists.rabbitmq.com
Subject: Re: [rabbitmq-discuss] Authenticating users via SSPI


You could use PKI and store the certificates in LDAP. Have your app use
the current credentials of the user to grab the certificate and connect
to rabbit over SSL with peer certificate verification enabled.

Mark Steele
Director of development
Bering Media Inc.

On Thu, Jul 15, 2010 at 5:53 AM, Dan Wise <Dan.Wise at ignisasset.com>



We have a number of Windows users who want to use our rabbitmq
messaging. However we need to ensure that we authenticate them without
them having to enter their Windows passwords and syncing with the
rabbitmq user passwords.


Has anyone looked at a mechanism for using SSPI authentication to allow
clients to connect? This is surely a common challenge, particularly in
an organisation where there are large numbers of users and the job of
providing and maintaining separate passwords for different systems is




Dan Wise
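
The revocation gap raised in this thread, shown with the openssl command-line tool as an added example (not code from any poster or from RabbitMQ): a revoked per-user certificate still passes plain chain verification and is rejected only when the verifier is given the CRL. The CA name, the user name alice and all file names are constructed for the demo.

```shell
# Added example. "Demo CA", "alice" and every file name are constructed.
pki_setup() {            # $1: empty working directory
    ( cd "$1" || exit 1
      : > index.txt; echo 01 > serial
      cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = pol
[ pol ]
commonName = supplied
EOF
      # Throwaway CA, one per-user certificate, and an initial (empty) CRL.
      openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 \
          -nodes -days 1 -subj "/CN=Demo CA" -keyout ca.key -out ca.crt &&
      openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
          -subj "/CN=alice" -keyout user.key -out user.csr &&
      openssl ca -batch -config ca.cnf -in user.csr -out user.crt &&
      openssl ca -config ca.cnf -gencrl -out ca.crl
    ) >/dev/null 2>&1
}
revoke_user() {          # mark alice's certificate revoked, reissue the CRL
    ( cd "$1" && openssl ca -config ca.cnf -revoke user.crt &&
      openssl ca -config ca.cnf -gencrl -out ca.crl ) >/dev/null 2>&1
}
verify_chain_only() {    # what a verifier without CRL support checks
    ( cd "$1" && openssl verify -CAfile ca.crt user.crt ) >/dev/null 2>&1
}
verify_with_crl() {      # same chain check plus revocation lookup
    ( cd "$1" && openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl \
          user.crt ) >/dev/null 2>&1
}
```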