<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">We are trying to connect Rabbit with our Active Directory LDAP server but still have not found the right configuration. Let me give you the use case:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We want to be able to authenticate administrative users against LDAP for the management console. Our LDAP server is ldschurch.org. We are required to authenticate using the svc-ldap account before making queries. We have tried several different
configuration options but nothing has worked so far. Here is the configuration we thought most likely to work:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>[
 {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
 {rabbitmq_auth_backend_ldap,
  [ {servers, ["ldschurch.org"]},
    {dn_lookup_bind, {"cn=svc-ldap,ou=srv-app-accts,dc=ldschurch,dc=org", "password"}},
    {dn_lookup_base, "dc=ldschurch,dc=org"},
    {dn_lookup_attribute, "cn"},
    {use_ssl, false},
    {port, 389},
    {log, false}
  ]
 }
].</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We can tell by watching the TCP traffic that the bind user is not part of the request, only the authenticating user, which is admmvs1 in our situation.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here is the log output:<o:p></o:p></p>
<pre>=INFO REPORT==== 1-May-2014::11:22:29 ===
LDAP CHECK: login for admmvs1

=INFO REPORT==== 1-May-2014::11:22:29 ===
    LDAP filling template "${username}" with
    [{username,&lt;&lt;"admmvs1"&gt;&gt;}]

=INFO REPORT==== 1-May-2014::11:22:29 ===
    LDAP template result: "admmvs1"

=INFO REPORT==== 1-May-2014::11:22:29 ===
    LDAP bind returned "invalid credentials": admmvs1

=INFO REPORT==== 1-May-2014::11:22:29 ===
LDAP DECISION: login for admmvs1: denied</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">What did we do wrong in our configuration?<o:p></o:p></p>
</div>
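<p class="MsoNormal">What the dn_lookup_* settings above are meant to achieve against Active Directory (bind as the service account, search the base for the user's entry, then bind as the DN the search returned), together with the one check the posted log allows, modelled in Python as an added example. This is neither the poster's configuration nor the plugin's code: the inputs are constructed from the post, the bind password is redacted, and the DN the search would return is a placeholder.</p>

```python
import re
import string

# Constructed from the post's configuration; the bind password is redacted.
SAMPLE_CONFIG = {
    "dn_lookup_bind": ("cn=svc-ldap,ou=srv-app-accts,dc=ldschurch,dc=org",
                       "<redacted>"),
    "dn_lookup_base": "dc=ldschurch,dc=org",
    "dn_lookup_attribute": "cn",
    "user_dn_pattern": "${username}",  # the default template seen in the log
}

# RFC 4515 escaping for a value placed inside an LDAP search filter, so the
# login name typed at the console can never alter the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def lookup_plan(config: dict, username: str) -> list:
    """The three operations a service-account DN lookup consists of."""
    bind_dn, _password = config["dn_lookup_bind"]
    filled = string.Template(config["user_dn_pattern"]).substitute(
        username=username)
    search_filter = "(%s=%s)" % (config["dn_lookup_attribute"],
                                 escape_filter_value(filled))
    return [
        ("bind", bind_dn),                                    # as svc-ldap
        ("search", config["dn_lookup_base"], search_filter),  # find the DN
        ("bind", "<DN returned by the search>"),              # as the user
    ]

_BIND_LINE = re.compile(r'LDAP bind returned ".*?": (?P<who>.+)$')

def bind_target_from_log(log_text: str):
    """Identity the plugin reported binding as, or None if no bind line."""
    match = _BIND_LINE.search(log_text)
    return match.group("who").strip() if match else None

def looks_like_dn(identity: str) -> bool:
    """A DN carries attribute=value pairs; a bare login name does not."""
    return "=" in identity

# Constructed from the log in the post: the bind target is the raw login
# name, which is what the poster observed on the wire.
SAMPLE_LOG = 'LDAP bind returned "invalid credentials": admmvs1\n'
```

Running bind_target_from_log over the posted log yields a bare login name rather than a DN, which matches the poster's observation that only the authenticating user appears in the request.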
</body>
</html>