[rabbitmq-discuss] RabbitMQ 3.3.0 doesn't working with OpenLDAP ????
Simon MacMullen
simon at rabbitmq.com
Wed Apr 30 13:14:33 BST 2014
Please keep rabbitmq-discuss CCed.
On 30/04/14 03:47, Ngoc Tang (Quant Edge) wrote:
> Dear Simon
>
> I have enabled the LDAP plugin, but I cannot log in with OpenLDAP. This is
> the contents of the log file
> ------ --- -- -------- -------------
> Server startup complete; 10 plugins started.
> * amqp_client
> * eldap
> * mochiweb
> * rabbitmq_auth_backend_ldap
> * rabbitmq_auth_mechanism_ssl
> * rabbitmq_federation_management
> * rabbitmq_management
> * rabbitmq_management_agent
> * rabbitmq_web_dispatch
> * webmachine
>
> =INFO REPORT==== 30-Apr-2014::09:31:56 ===
> LDAP CHECK: login for test.rabbit
<snip>
> =INFO REPORT==== 30-Apr-2014::09:31:56 ===
> LDAP DECISION: login for test.rabbit: {error,invalidDNSyntax}
Since you have configured neither user_dn_pattern nor
dn_lookup_attribute, the LDAP plugin treats the user name as provided
over HTTP / AMQP as the DN for LDAP. And "test.rabbit" is not a valid DN.
<snip>
> And this is the contents of config file
>
> -------------- ------------------
> [
> {rabbit, [
> {tcp_listeners, [{"10.x.x.x",5672}]},
> {ssl_listeners, [{"10.x.x.x",5671}]},
> {ssl_options, [{cacertfile,"/etc/rabbitmq/ssl/nvca/cacert.pem"},
> {certfile,"/etc/rabbitmq/ssl/server/cert.pem"},
> {keyfile,"/etc/rabbitmq/ssl/server/key.pem"},
> {verify,verify_none},
> {fail_if_no_peer_cert,false}]},
> {heartbeat, 15},
> {vm_memory_high_watermark_paging_ratio, 0.75},
> {vm_memory_high_watermark, 0.4},
> {auth_backends, [{rabbit_auth_backend_ldap,
> rabbit_auth_backend_internal},
> rabbit_auth_backend_internal]},
> {disk_free_limit, 40000000000}
> ]},
> {rabbitmq_auth_backend_ldap,
> [ {servers, ["openldap.com"]},
> %% {dn_lookup_attribute,
> {"uid=${username},ou=allusers,dc=openldap,dc=com"}},
> {dn_lookup_base, {"dc=openldap,dc=com"}},
> {other_bind, ["cn=manager,cn=internal,dc=openldap,dc=com","
> Ad09DSJwidjdwf89D"]},
> {use_ssl, false},
> {port, 389},
> {log, network},
> {vhost_access_query, {exists, "cn=${username},ou=allusers,
> dc=openldap,dc=com"}},
> {resource_access_query,
> {for, [{resource, exchange, {for, [{permission, configure,
> {in_group, "cn=${username},
> dc=openldap,dc=com "}
> },
> {permission, write, {constant, true}},
> {permission, read, {constant, true}}
> ]}},
> {resource, queue, {constant, true}}]}},
> {tag_queries, [{administrator, {constant, true}},
> {management, {constant, true}}]}
> ]
> }
> ].
You haven't said what you are trying to do. The LDAP plugin can be
configured to convert usernames into DNs and subsequently bind in a
number of different ways - how are you expecting it to work?
Cheers, Simon
> And this is the information for OpenLDAP
>
> LDAP Base DN dc=openldap,dc=com
> LDAP Bind DN cn=manager,cn=internal,dc=openldap,dc=com
> LDAP Bind Password Ad09DSJwidjdwf89D
> ----
> Please help me.
> Thanks & Regards.
> Ngoc Tang.
>
--
Simon MacMullen
RabbitMQ, Pivotal
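
The two settings named in the reply, shown as an added rabbitmq.config fragment (not part of the original message or of the poster's configuration). It assumes user entries live at uid=<login>,ou=allusers,dc=openldap,dc=com, which is taken from the commented-out line in the quoted config and may not match the real directory layout.

```erlang
%% Added example: only the LDAP plugin section is shown.
[
 {rabbitmq_auth_backend_ldap,
  [{servers, ["openldap.com"]},

   %% Option A: build the DN from the login name by substitution.
   %% A login of "test.rabbit" is bound as
   %% "uid=test.rabbit,ou=allusers,dc=openldap,dc=com" instead of being
   %% passed to the server as a bare string, which is what produced
   %% {error,invalidDNSyntax} in the log above.
   {user_dn_pattern, "uid=${username},ou=allusers,dc=openldap,dc=com"},

   %% Option B (use instead of A): look the DN up by attribute.
   %% dn_lookup_attribute is an attribute NAME, not a DN pattern, and
   %% dn_lookup_base is a plain string, not a tuple wrapping a string.
   %% {dn_lookup_attribute, "uid"},
   %% {dn_lookup_base, "ou=allusers,dc=openldap,dc=com"},

   %% Kept as in the quoted config. On port 389 without TLS the bind
   %% password crosses the network in clear text; where the directory
   %% offers LDAPS, {use_ssl, true} with {port, 636} avoids that.
   {use_ssl, false},
   {port, 389},

   %% 'network' logging records LDAP traffic, useful while debugging
   %% a failing bind; lower it again once logins work.
   {log, network}
  ]}
].
```

With either option in place, the "LDAP DECISION" line in the log shows whether the bind itself now succeeds or fails for a different reason, such as wrong credentials or a DN that does not exist.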