[rabbitmq-discuss] ldap user declare queue =problem
Artur Nike
opalsie at gmail.com
Thu Aug 29 14:18:48 BST 2013
I have a problem :).
I configured (or rather am still puzzling over) RMQ to use LDAP (OpenLDAP)
for authentication and authorization.
LDAP works OK, but the LDAP user cannot declare exchanges and queues
(login as wheel:pass works, publishing a message to an exchange works, reading a message from
a queue works).
Here are my Rabbit configs:
CONFIG1:
[
  {rabbit, [
    {auth_backends, [rabbit_auth_backend_ldap,
                     rabbit_auth_backend_internal]},
    {tcp_listeners, []},
    {ssl_listeners, [{"127.0.0.1", 5671}]},
    {ssl_options, [{cacertfile, "/home/hg/cert/testca/cacert.pem"},
                   {certfile, "/home/hg/cert/server/cert.pem"},
                   {keyfile, "/home/hg/cert/server/key.pem"},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, true}]}
  ]},
  {rabbitmq_auth_backend_ldap, [
    {servers, ["localhost"]},
    {user_dn_pattern, "cn=${username},o=org1,dc=nodomain"},
    {use_ssl, false},
    {port, 389},
    {log, true},
    {resource_access_query,
      {for, [{permission, configure, {in_group, "cn=wheel,o=org1,dc=nodomain"}},
             {permission, write,
               {for, [{resource, queue, {in_group, "cn=wheel,o=org1,dc=nodomain"}},
                      {resource, exchange, {constant, true}}]}},
             {permission, read,
               {for, [{resource, exchange, {in_group, "cn=wheel,o=org1,dc=nodomain"}},
                      {resource, queue, {constant, true}}]}}]}},
    {tag_queries, [{administrator, {constant, false}},
                   {management, {constant, true}}]}
  ]}
].
LOG:
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP DECISION: does wheel have tag management? true
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP DECISION: login for wheel: ok
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP CHECK: access to vhost "/" for "wheel"
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP bind succeeded: cn=wheel,o=org1,dc=nodomain
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP evaluating query: {constant,true}
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP evaluated constant: true
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP DECISION: access to vhost "/" for "wheel": ok
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP CHECK: configure permission for queue "tyerter" in "/" for "wheel"
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP bind succeeded: cn=wheel,o=org1,dc=nodomain
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP evaluating query: {for,
[{permission,configure,
{in_group,"cn=wheel,o=org1,dc=nodomain"}},
{permission,write,
{for,
[{resource,queue,
{in_group,"cn=wheel,o=org1,dc=nodomain"}},
{resource,exchange,{constant,true}}]}},
{permission,read,
{for,
[{resource,exchange,
{in_group,"cn=wheel,o=org1,dc=nodomain"}},
{resource,queue,{constant,true}}]}}]}
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP selecting subquery permission = configure
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP evaluating query: {in_group,"cn=wheel,o=org1,dc=nodomain"}
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP evaluating query: {in_group,"cn=wheel,o=org1,dc=nodomain","member"}
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP filling template "cn=wheel,o=org1,dc=nodomain" with
[{username,<<"wheel">>},
{user_dn,"cn=wheel,o=org1,dc=nodomain"},
{vhost,<<"/">>},
{resource,queue},
{name,<<"tyerter">>},
{permission,configure}]
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP template result: "cn=wheel,o=org1,dc=nodomain"
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP evaluated in_group for "cn=wheel,o=org1,dc=nodomain": false
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP DECISION: configure permission for queue "tyerter" in "/" for "wheel":
denied
=ERROR REPORT==== 29-Aug-2013::14:24:05 ===
connection <0.1234.0>, channel 1 - soft error:
{amqp_error,access_refused,
"access to queue 'tyerter' in vhost '/' refused for user
'wheel'",
'queue.declare'}
=ERROR REPORT==== 29-Aug-2013::14:24:05 ===
webmachine error: path="/api/queues/%2F/tyerter"
"Unauthorized"
Does anyone have any suggestions or experience with this problem?
Thank you all in advance.
Muniek
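Added example, not code from the post or from RabbitMQ: a toy Python model of how the LDAP plugin evaluates the posted resource_access_query, run against a constructed directory in which cn=wheel is a plain user entry with no member attribute (consistent with the log's "evaluated in_group ... false") and a constructed group cn=admins lists that user as a member. The query semantics used here (in_group checks the group entry's member attribute for the user DN; a for with no matching branch denies) are my reading of the plugin documentation and are an assumption.

```python
# Added example (not from the post or the RabbitMQ plugin): toy model of how
# rabbitmq_auth_backend_ldap evaluates {for,...}, {in_group,...}, {constant,...}.
# Assumed semantics: in_group is true iff the entry at the filled group DN has a
# "member" value equal to the user DN; a {for,...} with no matching branch denies.
# Constructed directory: cn=wheel is the post's user entry, cn=admins a real group.
DIRECTORY = {
    "cn=wheel,o=org1,dc=nodomain": {"objectClass": ["person"]},
    "cn=admins,o=org1,dc=nodomain": {"member": ["cn=wheel,o=org1,dc=nodomain"]},
}
USER_DN_PATTERN = "cn=${username},o=org1,dc=nodomain"

def fill(template, args):
    """Substitute ${var} placeholders the way the plugin fills templates."""
    for key, value in args.items():
        template = template.replace("${%s}" % key, str(value))
    return template

def evaluate(query, args, directory=DIRECTORY):
    """Evaluate the subset of the plugin's query language used in the post."""
    if query[0] == "constant":
        return bool(query[1])
    if query[0] == "in_group":
        attr = query[2] if len(query) > 2 else "member"
        entry = directory.get(fill(query[1], args), {})
        return args["user_dn"] in entry.get(attr, [])
    if query[0] == "for":
        for name, value, sub in query[1]:
            if args[name] == value:
                return evaluate(sub, args, directory)
        return False  # plugin: {error, {for_query_incomplete}} -> denied
    raise ValueError("unsupported query: %r" % (query,))

def check_resource_access(query, username, vhost, resource, name, permission):
    """Mirror the plugin's resource_access_query decision for one operation."""
    args = {"username": username, "vhost": vhost, "resource": resource,
            "name": name, "permission": permission}
    args["user_dn"] = fill(USER_DN_PATTERN, args)
    return evaluate(query, args)

# The post's resource_access_query, transcribed into Python tuples.
POSTED_QUERY = ("for", [
    ("permission", "configure", ("in_group", "cn=wheel,o=org1,dc=nodomain")),
    ("permission", "write", ("for", [
        ("resource", "queue", ("in_group", "cn=wheel,o=org1,dc=nodomain")),
        ("resource", "exchange", ("constant", True))])),
    ("permission", "read", ("for", [
        ("resource", "exchange", ("in_group", "cn=wheel,o=org1,dc=nodomain")),
        ("resource", "queue", ("constant", True))])),
])
# Same configure rule, but pointing at the constructed group entry instead.
GROUP_QUERY = ("for", [("permission", "configure", ("in_group", "cn=admins,o=org1,dc=nodomain"))])
```

With the posted query, configure on queue "tyerter" is denied exactly as in the log, because the in_group DN is the user's own entry rather than a group carrying a member attribute; pointing the rule at a group entry that lists the user flips the decision.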