[rabbitmq-discuss] rabbit_auth_backend_ldap and Active Directory
Matt Bradbury
bradbury at corenap.com
Tue Jan 8 18:51:51 GMT 2013
Got it working.
Thought I'd pass along the config I used. I was not able to log in with a user_dn_pattern of just ${username}, so I guess my solution wouldn't do well in a forest of multiple domains, but it works for me.
I hadn't noticed the {log, network} option before, so that helped in the debugging.
Thanks again.
-Matt
[
  {rabbit, [{auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers, ["xxxx"]},
     {use_ssl, false},
     {port, 389},
     {log, network},
     {dn_lookup_base, "DC=corp,DC=example,DC=com"},
     {dn_lookup_attribute, "userPrincipalName"},
     {user_dn_pattern, "${username}@corp.example.com"},
     {vhost_access_query,
      {in_group, "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com"}},
     {resource_access_query,
      {for, [{permission, configure,
              {in_group, "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com"}},
             {permission, write,
              {for, [{resource, queue,
                      {in_group, "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com"}},
                     {resource, exchange, {constant, true}}]}},
             {permission, read,
              {for, [{resource, exchange,
                      {in_group, "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com"}},
                     {resource, queue, {constant, true}}]}}
            ]}},
     {tag_queries, [{administrator, {constant, true}},
                    {management, {constant, false}}]}
   ]
  }
].
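To see what the config above actually grants, the following Python evaluator (an added example, not part of the thread and not the plugin's own code) walks the subset of the rabbitmq_auth_backend_ldap query language it uses ({constant, B}, {in_group, DN} and {for, [...]} branching on the permission and resource variables) against a constructed in-memory stand-in for the directory. The user DNs, the UPN index and the treatment of a {for, ...} with no matching branch as a deny are assumptions made for the example; the group DN and queries are taken from the posted config.

```python
"""Evaluate the posted rabbitmq_auth_backend_ldap queries offline.

Added example: the directory contents below are constructed, and the query
language is modelled only as far as the config above uses it.
"""
from itertools import product

DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com"
DN_LOOKUP_BASE = "DC=corp,DC=example,DC=com"

# Constructed stand-in for AD: user DN -> set of group DNs (memberOf).
DIRECTORY = {
    "CN=Matt Bradbury,CN=Users,DC=corp,DC=example,DC=com": {DOMAIN_ADMINS},
    "CN=Jane Doe,CN=Users,DC=corp,DC=example,DC=com": set(),
}

# Constructed userPrincipalName index, i.e. what dn_lookup_attribute matches on.
UPN_INDEX = {
    "mbradbury@corp.example.com": "CN=Matt Bradbury,CN=Users,DC=corp,DC=example,DC=com",
    "jdoe@corp.example.com": "CN=Jane Doe,CN=Users,DC=corp,DC=example,DC=com",
}


def lookup_dn(username):
    """Mimic user_dn_pattern "${username}@corp.example.com" followed by the
    dn_lookup search for that UPN under dn_lookup_base. None if not found."""
    dn = UPN_INDEX.get(f"{username}@corp.example.com")
    if dn is None or not dn.endswith(DN_LOOKUP_BASE):
        return None
    return dn


def evaluate(query, ctx):
    """Evaluate a query tuple for ctx = {user_dn, permission?, resource?}."""
    tag = query[0]
    if tag == "constant":
        return bool(query[1])
    if tag == "in_group":
        return query[1] in DIRECTORY.get(ctx["user_dn"], set())
    if tag == "for":
        # Each branch is (variable, value, subquery); first matching branch wins.
        for var, value, subquery in query[1]:
            if ctx.get(var) == value:
                return evaluate(subquery, ctx)
        return False  # assumption for this example: no matching branch denies
    raise ValueError(f"unsupported query type: {tag}")


# The queries from the posted config, transcribed as Python tuples.
VHOST_ACCESS_QUERY = ("in_group", DOMAIN_ADMINS)
RESOURCE_ACCESS_QUERY = ("for", [
    ("permission", "configure", ("in_group", DOMAIN_ADMINS)),
    ("permission", "write", ("for", [
        ("resource", "queue", ("in_group", DOMAIN_ADMINS)),
        ("resource", "exchange", ("constant", True)),
    ])),
    ("permission", "read", ("for", [
        ("resource", "exchange", ("in_group", DOMAIN_ADMINS)),
        ("resource", "queue", ("constant", True)),
    ])),
])
TAG_QUERIES = {
    "administrator": ("constant", True),
    "management": ("constant", False),
}


def check_vhost(username):
    dn = lookup_dn(username)
    return dn is not None and evaluate(VHOST_ACCESS_QUERY, {"user_dn": dn})


def check_resource(username, permission, resource):
    dn = lookup_dn(username)
    if dn is None:
        return False
    ctx = {"user_dn": dn, "permission": permission, "resource": resource}
    return evaluate(RESOURCE_ACCESS_QUERY, ctx)


def tags_for(username):
    """Tags granted to any user who can bind, regardless of vhost access."""
    dn = lookup_dn(username)
    if dn is None:
        return set()
    return {tag for tag, q in TAG_QUERIES.items() if evaluate(q, {"user_dn": dn})}


def access_matrix(username):
    perms = ("configure", "write", "read")
    resources = ("exchange", "queue")
    return {(p, r): check_resource(username, p, r) for p, r in product(perms, resources)}


if __name__ == "__main__":
    for user in ("mbradbury", "jdoe", "ghost"):
        print(user, "vhost:", check_vhost(user), "tags:", tags_for(user))
        for key, allowed in sorted(access_matrix(user).items()):
            print("   ", key, allowed)
```

Running it shows the two things worth knowing about this config from a least-privilege standpoint: vhost access is limited to Domain Admins, so the {constant, true} branches for writing exchanges and reading queues are reachable only by users who are already Domain Admins; but tag_queries hands the administrator tag to every account that can bind, independent of group membership.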
-----Original Message-----
From: Simon MacMullen [mailto:simon at rabbitmq.com]
Sent: Tuesday, January 08, 2013 3:17 AM
To: Discussions about RabbitMQ
Cc: Matt Bradbury
Subject: Re: [rabbitmq-discuss] rabbit_auth_backend_ldap and Active Directory
Hi. dn_lookup_base and dn_lookup_attribute should do what you want. I would expect something like:
{dn_lookup_base, "OU=Users,DC=corp,DC=example,DC=com"},
{dn_lookup_attribute, "sAMAccountName"}
should work.
Do the logs (in 'network' mode) not show a search after the bind?
If not: which version of RabbitMQ are you using? Can you post your config, and a screenshot or similar showing your account in AD?
Cheers, Simon
On 07/01/2013 10:45PM, Matt Bradbury wrote:
> All/Simon?
>
> I'm new to the RabbitMQ world and like the product, but I'm about to
> pull my hair out on AD authentication.
>
> So, I'm looking to authorize with my unix username, which is the same
> as our windows logins.
>
> I'm having a lot of trouble getting the DNs to play nice. Since my DN
> has my fullname as the cn part, I don't know how to map the username
> to the full name.
>
> If I log in with my full name "Matt Bradbury" so that my full user_dn
> matches my group structure, it works just fine.
>
> i.e. {user_dn_pattern,
> "CN=${username},OU=Users,DC=corp,DC=example,DC=com"},
>
> To use my unix name I have to use: {user_dn_pattern,
> "${username}@CORP"},
>
> This lets me login, but I'm then unable to match the DN with my groups
> since they use my full name in the DN.
>
> Does anyone have a nice little recipe that lets me log in with my
> shortname, which corresponds to the sAMAccountName attribute in AD LDAP?
>
> Also, I can't seem to get dn_lookup_base or dn_lookup_attribute to
> make any difference to the LDAP queries when I look at the logs. I
> feel like the solution is with these commands but I think I'm missing something here.
>
> Is there a way to search for a DN from the sAMAccountName when I do
> resource_access_query?
>
> FYI, I'm using other_bind for directory lookups after the login check.
>
> Thank you for your time.
>
> -Matt
>
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss