[rabbitmq-discuss] Client certificate based authentication over SSL

Fri Mar 28 11:46:42 GMT 2014

Hi Simon,

Thank you for your response.
We have made a bit of a progress but are still struggling with a few things. Can you please give us some pointers:
1) We tried using {other_bind, anon} but that still failed even though our AD allows anonymous access. Following is an extract of the log:
{handandshake_error,starting,0,
    {exit,
        {error,operationsError},
        'connection.start_ok',
2) We used a {username, password} tuple to bind to the AD. Though this is not an ideal approach, we were able to bind to AD and authorise our certificate user. Isn't there a way to use the certificate itself to bind to AD rather giving a username, password in clear text?
3) Once this was done we had to then "create the certificate user with no password" in RabbitMQ admin and grant access to the virtual host via the admin. We want to get away with this i.e. having to maintain users outside the AD. Is there no way we can achieve this without having to create a user in RabbitMQ admin?
4) This last bit is related to authorising access to the user. We are able to write, read and create queues if our resource access query is {constant, true}. To grant access based on AD groups we changed the query to
{permission, write,
                                                {for, [{resource, queue, {constant, true}},                                                           {resource, exchange, {in_group, "cn=<Group Name>,ou=XXX,ou=Exchange,ou=Distribution Lists,dc=domain,dc=com"}}]}}

However this does not work. The group does exist and the certificate user is a member of that group. We even tried giving a full group path without any success.

Following is an extract from our log:

LDAP network traffic: search reply = {ok,
                                     {'LDAPMessage',2,
                                                     {searchResDone,           {'LDAPResult',noSuchObject,"DC=domain,DC=com",
[48,48,48,48,50,48,56,68,58,32,                                                  78,97,109,101,69,114,114,58,32,68,83,73,68,45,48,51,49,48,48,                                                    50,48,65,44,32,112,114,111,98,108,101,109,32,50,48,48,49,32,                                                     40,78,79,95,79,66,74,69,67,84,41,44,32,100,97,116,97,32,48,44,                                                   32,98,101,115,116,32,109,97,116,
99,104,32,111,102,58,10,9,39,68,                                                            67,61,101,100,102,116,114,97,100,105,110,103,44,68,67,61,99,111,109,39,10,0],
asn1_NOVALUE}}, asn1_NOVALUE}}
=INFO REPORT==== 28-Mar-2014::11:29:43 ===
LDAP evaluated in_group for "cn=Group,ou=XXX,ou=Exchange,ou=Distribution Lists,dc=domain,dc=com": {error,
noSuchObject}

Regards,
Vinay

> On 27 Mar 2014, at 21:09, Simon MacMullen <simon at rabbitmq.com> wrote:
> 
>> On 27/03/2014 14:56, Vinay Nayak wrote:
>>     {exit,as_user_no_password,'connection.start_ok',
> 
> So I think this ("as_user_no_password") is the least clear error message I have ever perpetrated. It's getting made clearer in the next release.
> 
> What it's trying to say is:
> 
> "You have (successfully) authenticated a user without giving a password (using client certs instead). However, the 'other_bind' configuration item is set to 'as_user' which means that when I want to go to the LDAP server for authorisation queries, I should bind to it with the user's credentials. But I only know how to do that with the user's password. Which I don't have."
> 
> It's not made any clearer by the fact that 'as_user' is the default value for 'other_bind'.
> 
> So you must set 'other_bind' to 'anon' (bind anonymously for authZ queries), or {"someuser", "somepassword"} (bind with those creds for authZ).
> 
> Cheers, Simon
> 