Thank you,<div><br></div><div>Now I realized the other_bind option is not what I want.<div>Jenkins LDAP has this &#39;Manager DN&#39; to establish the initial bind.</div><div>Then they look up the username using a &#39;User search filter&#39;.</div>

<div>I am not sure either about the user password. I don&#39;t see it in the network traces; thus, I think the application validates the password somehow.</div><div><br></div><div>Cheers, Marc</div><div><br><div class="gmail_quote">

On Wed, Oct 10, 2012 at 6:22 PM, Simon MacMullen <span dir="ltr">&lt;<a href="mailto:simon@rabbitmq.com" target="_blank">simon@rabbitmq.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

Hi!<br>
<br>
The other_bind option is only used for authorisation queries - i.e. the queries we make *after* authenticating a user, to determine what rights they have.<br>
<br>
The user&#39;s provided username and password are used to bind to LDAP for authentication.<br>
<br>
I&#39;m not sure how authentication could work any other way - I guess we could try to look up username and password, but I assume any sensible LDAP server will not store passwords in plain text anyway.<br>
<br>
Cheers, Simon<div class="im"><br>
<br>
On 10/10/12 15:28, Marc wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
Hello all!<br>
<br>
For authentication I need to bind to a Microsoft Active Directory.<br>
<br></div>
Let&#39;s say my bind user is &#39;/uxxx/&#39; with password &#39;/pxxx/&#39;.<br>
Let&#39;s say the user I try to authenticate is &#39;/uyyy/&#39; with password &#39;/pyyy/&#39;.<br>
<br>
I use the /other_bind<br>
&lt;<a href="http://hg.rabbitmq.com/rabbitmq-auth-backend-ldap/file/d76afaf44415/README#l100" target="_blank">http://hg.rabbitmq.com/rabbitmq-auth-backend-ldap/file/d76afaf44415/README#l100</a>&gt;/<br>


configuration option in order to bind with user &#39;/uxxx/&#39;.<div class="im"><br>
<br>
Like this:<br>
<br>
         { rabbit, [{auth_backends, [rabbit_auth_backend_ldap]}]},<br>
<br>
         { rabbitmq_auth_backend_ldap, [<br>
<br>
             {servers, [&quot;myldapserver&quot;]},<br>
<br>
             {other_bind, {&quot;uxxx&quot;, &quot;pxxx&quot;}},<br>
<br>
             {dn_lookup_base, &quot;DC=my,DC=domain,DC=com&quot;},<br>
<br>
             {dn_lookup_attribute, &quot;AccountName&quot;},<br>
<br>
             {user_dn_pattern,<br>
    &quot;CN=${username},OU=users,OU=mycompany,DC=my,DC=domain,DC=com&quot;},<br>
<br>
             {log,true}<br>
<br>
         ]}<br>
<br>
<br></div>
but when I try to login with user &#39;/uyyy/&#39; I get this in my logs:<div class="im"><br>
<br>
    =INFO REPORT==== 10-Oct-2012::16:21:04 ===<br>
<br>
    LDAP backend: connecting to [&quot;myldapserver&quot;]<br>
<br>
<br>
    =INFO REPORT==== 10-Oct-2012::16:21:04 ===<br>
<br>
    LDAP backend: bind request = {&#39;BindRequest&#39;,3,<br>
<br>
<br>
      &quot;CN=uyyy,OU=users,OU=mycompany,DC=my,DC=domain,DC=com&quot;,<br>
<br>
                                      {simple,&lt;&lt;&quot;pyyy&quot;&gt;&gt;}}<br>
<br>
<br>
    =INFO REPORT==== 10-Oct-2012::16:21:04 ===<br>
<br>
    LDAP backend: bind reply = {ok,<br>
<br>
                                 {&#39;LDAPMessage&#39;,1,<br>
<br>
                                  {bindResponse,<br>
<br>
                                   {&#39;BindResponse&#39;,invalidCredentials,[],<br>
<br>
<br>
      [56,48,48,57,48,51,48,56,58,32,76,100,97,112,<br>
<br>
<br>
    69,114,114,58,32,68,83,73,68,45,48,67,48,57,<br>
<br>
<br>
    48,51,65,57,44,32,99,111,109,109,101,110,116,<br>
<br>
<br>
    58,32,65,99,99,101,112,116,83,101,99,117,114,<br>
<br>
<br>
    105,116,121,67,111,110,116,101,120,116,32,101,<br>
<br>
<br>
    114,114,111,114,44,32,100,97,116,97,32,53,50,<br>
<br>
                                     101,44,32,118,49,100,98,48,0],<br>
<br>
                                    asn1_NOVALUE,asn1_NOVALUE}},<br>
<br>
                                  asn1_NOVALUE}}<br>
<br>
<br>
I understand the bind request is being forged with the wrong user.<br>
Could that be a bug in the LDAP plugin?<br>
<br>
<br></div>
_______________________________________________<br>
rabbitmq-discuss mailing list<br>
<a href="mailto:rabbitmq-discuss@lists.rabbitmq.com" target="_blank">rabbitmq-discuss@lists.rabbitmq.com</a><br>
<a href="https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss" target="_blank">https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss</a><br>
<br><span class="HOEnZb"><font color="#888888">
</font></span></blockquote><span class="HOEnZb"><font color="#888888">
<br>
<br>
-- <br>
Simon MacMullen<br>
RabbitMQ, VMware<br>
</font></span></blockquote></div><br></div></div>
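<div>Added example, not part of the original thread or of the RabbitMQ plugin: the bind reply logged above carries the server's diagnostic text as an Erlang list of character codes, and this Python sketch decodes it and reads the Active Directory sub-code from its "data" field. The function names are hypothetical and the sub-code table is an assumption based on commonly documented Active Directory values.</div>

```python
import re

# Assumed mapping (not from the thread): commonly documented Active Directory
# sub-codes found in the "data NNN" field of a failed bind's diagnostic text.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Bind reply as logged in the thread, with the mail client's wrapping removed.
SAMPLE_REPLY = """LDAP backend: bind reply = {ok,
 {'LDAPMessage',1,
  {bindResponse,
   {'BindResponse',invalidCredentials,[],
    [56,48,48,57,48,51,48,56,58,32,76,100,97,112,
     69,114,114,58,32,68,83,73,68,45,48,67,48,57,
     48,51,65,57,44,32,99,111,109,109,101,110,116,
     58,32,65,99,99,101,112,116,83,101,99,117,114,
     105,116,121,67,111,110,116,101,120,116,32,101,
     114,114,111,114,44,32,100,97,116,97,32,53,50,
     101,44,32,118,49,100,98,48,0],
    asn1_NOVALUE,asn1_NOVALUE}},
  asn1_NOVALUE}}"""

def decode_diagnostic(log_text):
    """Return the errorMessage charlist of a logged 'BindResponse' as text."""
    m = re.search(r"'BindResponse',\s*\w+,\s*\[[^\]]*\],\s*\[([\d,\s]+)\]", log_text)
    if not m:
        return None
    chars = (chr(int(n)) for n in re.findall(r"\d+", m.group(1)))
    return "".join(chars).rstrip("\x00")  # drop the trailing NUL seen in the sample

def classify_bind_failure(log_text):
    """Return (ldap_result_code, ad_subcode, meaning) for a logged bind reply."""
    rc = re.search(r"'BindResponse',\s*(\w+)", log_text)
    sub = re.search(r"\bdata ([0-9a-fA-F]+)\b", decode_diagnostic(log_text) or "")
    code = sub.group(1).lower() if sub else None
    return (rc.group(1) if rc else None, code, AD_BIND_SUBCODES.get(code, "unknown"))

if __name__ == "__main__":
    print(decode_diagnostic(SAMPLE_REPLY))
    print(classify_bind_failure(SAMPLE_REPLY))
```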