<div dir="ltr"><div><div>So is there a way I can test from erl?<br></div>like eldap:open, eldap:start_tls, eldap:simple_bind<br></div>There are few tutorials on this on Google :)<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">

2014-07-01 17:47 GMT+08:00 Simon MacMullen <span dir="ltr"><<a href="mailto:simon@rabbitmq.com" target="_blank">simon@rabbitmq.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div class="">On 01/07/14 09:36, Joey Jiao wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Looks like I'm hitting this as I cannot connect to port 636. But does<br>
eldap support StartTLS now?<br>
</blockquote>
<br></div>
Looks like it does now:<br>
<br>
<a href="http://www.erlang.org/doc/man/eldap.html#start_tls-2" target="_blank">http://www.erlang.org/doc/man/eldap.html#start_tls-2</a><br>
<br>
So I'll file a bug for StartTLS support. But for the time being your only option is to use SSL on port 636.<br>
<br>
Cheers, Simon<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
From: Simon MacMullen <simon@...<br>
<<a href="http://gmane.org/get-address.php?address=simon%2dmQ7lE4MOPXtWk0Htik3J%2fw%40public.gmane.org" target="_blank">http://gmane.org/get-address.php?address=simon%2dmQ7lE4MOPXtWk0Htik3J%2fw%40public.gmane.org</a>>><div class="">

<br>
Subject: Re: Configuring Auth LDAP Backend using LDAP+SSL/TLS<br></div>
<<a href="http://news.gmane.org/find-root.php?message_id=5268EBB6.4010504%40rabbitmq.com" target="_blank">http://news.gmane.org/find-root.php?message_id=5268EBB6.4010504%40rabbitmq.com</a>><br>
Newsgroups: gmane.comp.networking.rabbitmq.general<br>
<<a href="http://news.gmane.org/gmane.comp.networking.rabbitmq.general" target="_blank">http://news.gmane.org/gmane.comp.networking.rabbitmq.general</a>><div class=""><br>
Date: 2013-10-24 09:43:18 GMT (35 weeks, 4 days, 22 hours and 49 minutes<br>
ago)<br>
<br></div>
Currently you can't set SSL options for LDAP connections, you can only<br>
set {use_ssl, true} to make a connection without presenting a client<div class=""><br>
certificate. I guess this should be fixed.<br>
<br>
Also you have {port, 389} which is unlikely to work as it's the non-SSL<br></div>
port and I'm not at all convinced eldap (the underlying Erlang LDAP<div class=""><br>
library) supports StartTLS.<br>
<br>
So the only configuration that could work at the moment is<br>
<br></div>
{use_ssl, true},<div class=""><br>
{port,    636}<br>
<br>
<br>
<br>
<br>
2014-07-01 16:16 GMT+08:00 Joey Jiao <<a href="mailto:joey.jiaojg@gmail.com" target="_blank">joey.jiaojg@gmail.com</a><br></div>
<mailto:<a href="mailto:joey.jiaojg@gmail.com" target="_blank">joey.jiaojg@gmail.com</a>>>:<div><div class="h5"><br>
<br>
    Here is my config<br>
<br>
    [<br>
       {rabbit, [<br>
         {log_levels, [{default, info}]},<br>
         {reverse_dns_lookups, true},<br>
         {auth_backends, [rabbit_auth_backend_ldap]},<br>
         {ssl_listeners, [5671]}<br>
    %    {ssl_options, [<br>
    %      {verify, verify_none},<br>
    %      {cacertfile, "/etc/rabbitmq/qc_root_g2_cert.crt"},<br>
    %      {certfile, "/etc/rabbitmq/ssl_v1_cert.crt"}<br>
    %    ]}<br>
       ]},<br>
       {rabbitmq_auth_backend_ldap, [<br>
         {servers, ["ldap"]},<br>
         {user_dn_pattern, "uid=${username},ou=people,o=xxx"},<br>
      %  {dn_lookup_attribute, "uid"},<br>
      %  {dn_lookup_base, "ou=people,o=xxx"},<br>
      %  {dn_lookup_bind, anon},<br>
         {use_ssl, false},<br>
         {log, network},<br>
         {vhost_access_query, {constant, true}},<br>
         {resource_access_query, {constant, true}},<br>
         {tag_queries, [{administrator, {constant, true}},<br>
                        {management, {constant, true}}]}<br>
       ]}<br>
    ].<br>
<br>
<br>
    2014-07-01 13:20 GMT+08:00 Joey Jiao <<a href="mailto:joey.jiaojg@gmail.com" target="_blank">joey.jiaojg@gmail.com</a><br></div></div>
    <mailto:<a href="mailto:joey.jiaojg@gmail.com" target="_blank">joey.jiaojg@gmail.com</a>>>:<div class=""><br>
<br>
        Hi,<br>
        I'm still using the rabbitmq_auth_backends_ldap plugin but login<br>
        still fails.<br>
        After tracing, it failed during eldap:simple_bind.<br>
        It failed at simple_bind with<br>
        eldap:simple_bind(L,"uid=jiangenj,ou=people,o=xxx","password")<br>
        with error {error,confidentialityRequired}.<br>
<br>
        My django app uses the settings below and it worked. How can I<br>
        convert this to the rabbitmq way?<br>
        import ldap<br></div>
        AUTH_LDAP_START_TLS = True<br>
        AUTH_LDAP_GLOBAL_OPTIONS = {<br>
             ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER<br>
        }<br>
        AUTH_LDAP_BIND_DN = ''<br>
        AUTH_LDAP_BIND_PASSWORD = ''<br>
        AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True<div class=""><br>
        AUTH_LDAP_SERVER_URI = 'ldap://ldap'<br>
        AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,ou=people,o=xxx'<br>
<br>
        --<br>
        -Joey Jiao<br>
<br>
<br>
<br>
<br>
    --<br>
    -Joey Jiao<br>
<br>
<br>
<br>
<br>
--<br>
-Joey Jiao<br>
<br>
<br></div>
<br><span class="HOEnZb"><font color="#888888">
</font></span></blockquote><span class="HOEnZb"><font color="#888888">
<br>
<br>
-- <br>
Simon MacMullen<br>
RabbitMQ, Pivotal<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br>-Joey Jiao
</div>
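The open / start_tls / simple_bind sequence asked about at the top of this message, written out as an Erlang module. This is an added example, not code from the thread or from the RabbitMQ project; the module name, host, DN, password and CA file path are placeholders. It upgrades the connection before binding, so the password is never sent on the unencrypted socket, and it verifies the server certificate rather than skipping verification as the quoted Django settings do.

```erlang
%% Added example: manual StartTLS bind test against an LDAP server.
%% All arguments are placeholders, e.g.
%%   ldap_starttls_check:check("ldap", "uid=USERNAME,ou=people,o=xxx",
%%                             "PASSWORD", "/path/to/ca.crt").
-module(ldap_starttls_check).
-export([check/4]).

check(Host, Dn, Password, CaFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    %% Plain LDAP on 389, the equivalent of {use_ssl, false} in the plugin.
    case eldap:open([Host], [{port, 389}, {ssl, false}, {timeout, 5000}]) of
        {ok, H} ->
            try upgrade_and_bind(H, Host, Dn, Password, CaFile)
            after eldap:close(H)
            end;
        {error, _} = E ->
            {open, E, "cannot reach the server on port 389"}
    end.

upgrade_and_bind(H, Host, Dn, Password, CaFile) ->
    %% verify_peer plus a CA file checks the certificate chain; the
    %% server_name_indication value lets ssl check the host name too.
    TlsOpts = [{verify, verify_peer},
               {cacertfile, CaFile},
               {server_name_indication, Host}],
    case eldap:start_tls(H, TlsOpts, 5000) of
        ok ->
            R = eldap:simple_bind(H, Dn, Password),
            {simple_bind, R, explain(R)};
        {error, _} = E ->
            %% Stop here: binding now would send the password in clear.
            {start_tls, E, "StartTLS failed; credentials were not sent"}
    end.

explain(ok) ->
    "bind accepted over TLS";
explain({error, confidentialityRequired}) ->
    "server still treats the connection as unencrypted";
explain({error, invalidCredentials}) ->
    "TLS is working; the DN or password was rejected";
explain({error, _}) ->
    "bind failed for another reason; see the returned error".
```

Compile it with `c(ldap_starttls_check).` in the `erl` shell; the returned tuple names the step that failed, so a `start_tls` failure can be told apart from the `confidentialityRequired` bind error reported earlier in the thread.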