[rabbitmq-discuss] eldap simple_bind failure

Simon MacMullen simon at rabbitmq.com
Tue Jul 1 10:47:43 BST 2014


On 01/07/14 09:36, Joey Jiao wrote:
> Looks like I'm hitting this as I cannot connect to port 636. But does
> eldap support StartTLS now?

Looks like it does now:

http://www.erlang.org/doc/man/eldap.html#start_tls-2

So I'll file a bug for StartTLS support. But for the time being your 
only option is to use SSL on port 636.

Cheers, Simon


> From: Simon MacMullen <simon at ...
> <http://gmane.org/get-address.php?address=simon%2dmQ7lE4MOPXtWk0Htik3J%2fw%40public.gmane.org>>
> Subject: Re: Configuring Auth LDAP Backend using LDAP+SSL/TLS
> <http://news.gmane.org/find-root.php?message_id=5268EBB6.4010504%40rabbitmq.com>
> Newsgroups: gmane.comp.networking.rabbitmq.general
> <http://news.gmane.org/gmane.comp.networking.rabbitmq.general>
> Date: 2013-10-24 09:43:18 GMT (35 weeks, 4 days, 22 hours and 49 minutes
> ago)
>
> Currently you can't set SSL options for*LDAP*  connections, you can only
> set {*use_ssl*, true} to make a connection without presenting a client
> certificate. I guess this should be fixed.
>
> Also you have {port, 389} which is unlikely to work as it's the non-SSL
> port and I'm not at all convinced e*ldap*  (the underlying Erlang*LDAP*
> library) supports StartTLS.
>
> So the only configuration that could work at the moment is
>
> {*use_ssl*, true},
> {port,    636}
>
>
>
>
> 2014-07-01 16:16 GMT+08:00 Joey Jiao <joey.jiaojg at gmail.com
> <mailto:joey.jiaojg at gmail.com>>:
>
>     Here is my config
>
>     [
>        {rabbit, [
>          {log_levels, [{default, info}]},
>          {reverse_dns_lookups, true},
>          {auth_backends, [rabbit_auth_backend_ldap]},
>          {ssl_listeners, [5671]}
>     %    {ssl_options, [
>     %      {verify, verify_none},
>     %      {cacertfile, "/etc/rabbitmq/qc_root_g2_cert.crt"},
>     %      {certfile, "/etc/rabbitmq/ssl_v1_cert.crt"}
>     %    ]}
>        ]},
>        {rabbitmq_auth_backend_ldap, [
>          {servers, ["ldap"]},
>          {user_dn_pattern, "uid=${username},ou=people,o=xxx"},
>       %  {dn_lookup_attribute, "uid"},
>       %  {dn_lookup_base, "ou=people,o=xxx"},
>       %  {dn_lookup_bind, anon},
>          {use_ssl, false},
>          {log, network},
>          {vhost_access_query, {constant, true}},
>          {resource_access_query, {constant, true}},
>          {tag_queries, [{administrator, {constant, true}},
>                         {management, {constant, true}}]}
>        ]}
>     ].
>
>
>     2014-07-01 13:20 GMT+08:00 Joey Jiao <joey.jiaojg at gmail.com
>     <mailto:joey.jiaojg at gmail.com>>:
>
>         Hi,
>         I'm still on using rabbitmq_auth_backends_ldap plugin but login
>         still failed.
>         After a track, it failed during eldap:simple_bind.
>         But it failed at simple_bind with
>         eldap:simple_bind(L,"uid=jiangenj,ou=people,o=xxx","password")
>         with error {error,confidentialityRequired}.
>
>         My django app uses settings below and it worked. How can I
>         convert to rabbitmq way?
>         import ldap
>         *AUTH_LDAP_START_TLS = True
>         AUTH_LDAP_GLOBAL_OPTIONS = {
>              ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER
>         }*
>         *AUTH_LDAP_BIND_DN = ''
>         AUTH_LDAP_BIND_PASSWORD = ''*
>         *AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True*
>         AUTH_LDAP_SERVER_URI = 'ldap://ldap'
>         AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,ou=people,o=xxx'
>
>         --
>         -Joey Jiao
>
>
>
>
>     --
>     -Joey Jiao
>
>
>
>
> --
> -Joey Jiao
>
>
> _______________________________________________
> rabbitmq-discuss mailing list has moved to https://groups.google.com/forum/#!forum/rabbitmq-users,
> please subscribe to the new list!
>
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>


-- 
Simon MacMullen
RabbitMQ, Pivotal


More information about the rabbitmq-discuss mailing list