[rabbitmq-discuss] ldap user declare queue =problem

Artur Nike opalsie at gmail.com
Thu Aug 29 14:18:48 BST 2013


I have a problem :) .

I configured, or rather do me wondering, RMQ to use ldap (openldap)
for authentication and authorization.

LDAP works ok, but the LDAP user cannot declare exchanges and queues
(login as wheel:pass works, publishing a msg to an exchange works, reading a msg from
a queue works).

Here are my Rabbit configs:

CONFIG1:
[
  {rabbit, [
     {auth_backends, [rabbit_auth_backend_ldap,
rabbit_auth_backend_internal]},
     {tcp_listeners, []},
     {ssl_listeners, [{"127.0.0.1", 5671} ]},
     {ssl_options, [{cacertfile,"/home/hg/cert/testca/cacert.pem"},
                    {certfile,"/home/hg/cert/server/cert.pem"},
                    {keyfile,"/home/hg/cert/server/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,true}]}
   ]
  },
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["localhost"]},
     {user_dn_pattern,       "cn=${username},o=org1,dc=nodomain"},
     {use_ssl,               false},
     {port,                  389},
     {log,                   true},
     {resource_access_query,
      {for, [{permission, configure, {in_group,
"cn=wheel,o=org1,dc=nodomain"}},
             {permission, write,
              {for, [{resource, queue,    {in_group,
"cn=wheel,o=org1,dc=nodomain"}},
                     {resource, exchange, {constant, true}}]}},
             {permission, read,
              {for, [{resource, exchange, {in_group,
"cn=wheel,o=org1,dc=nodomain"}},
                     {resource, queue,    {constant, true}}]}}
            ]
      }},
     {tag_queries,           [{administrator, {constant, false}},
                              {management,    {constant, true}}]}
   ]
  }
].

LOG:
=INFO REPORT==== 29-Aug-2013::14:24:05 ===
    LDAP DECISION: does wheel have tag management? true

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP DECISION: login for wheel: ok

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP CHECK: access to vhost "/" for "wheel"

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
    LDAP bind succeeded: cn=wheel,o=org1,dc=nodomain

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
    LDAP evaluating query: {constant,true}

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
    LDAP evaluated constant: true

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP DECISION: access to vhost "/" for "wheel": ok

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP CHECK: configure permission for queue "tyerter" in "/" for "wheel"

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
    LDAP bind succeeded: cn=wheel,o=org1,dc=nodomain

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
    LDAP evaluating query: {for,
                            [{permission,configure,
                              {in_group,"cn=wheel,o=org1,dc=nodomain"}},
                             {permission,write,
                              {for,
                               [{resource,queue,
                                 {in_group,"cn=wheel,o=org1,dc=nodomain"}},
                                {resource,exchange,{constant,true}}]}},
                             {permission,read,
                              {for,
                               [{resource,exchange,
                                 {in_group,"cn=wheel,o=org1,dc=nodomain"}},
                                {resource,queue,{constant,true}}]}}]}

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
    LDAP selecting subquery permission = configure

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
    LDAP evaluating query: {in_group,"cn=wheel,o=org1,dc=nodomain"}

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
    LDAP evaluating query: {in_group,"cn=wheel,o=org1,dc=nodomain","member"}

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
        LDAP filling template "cn=wheel,o=org1,dc=nodomain" with
            [{username,<<"wheel">>},
             {user_dn,"cn=wheel,o=org1,dc=nodomain"},
             {vhost,<<"/">>},
             {resource,queue},
             {name,<<"tyerter">>},
             {permission,configure}]

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
        LDAP template result: "cn=wheel,o=org1,dc=nodomain"

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
    LDAP evaluated in_group for "cn=wheel,o=org1,dc=nodomain": false

=INFO REPORT==== 29-Aug-2013::14:24:05 ===
LDAP DECISION: configure permission for queue "tyerter" in "/" for "wheel":
denied

=ERROR REPORT==== 29-Aug-2013::14:24:05 ===
connection <0.1234.0>, channel 1 - soft error:
{amqp_error,access_refused,
            "access to queue 'tyerter' in vhost '/' refused for user
'wheel'",
            'queue.declare'}

=ERROR REPORT==== 29-Aug-2013::14:24:05 ===
webmachine error: path="/api/queues/%2F/tyerter"
"Unauthorized"



Does anyone have any suggestions or experience with this problem?
Thank you all in advance.

Muniek
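To reason about what a `resource_access_query` like the one above will decide, here is an added example (not code from the post or from the rabbitmq_auth_backend_ldap plugin) that models the `for` / `in_group` / `constant` evaluation shown in the log against a constructed in-memory directory. The entry `cn=rmq-admins,o=org1,dc=nodomain` and the `groupOfNames`/`member` layout are assumptions; the user DN pattern and the query shape are taken from the posted config.

```python
# Added example, not the plugin's code: models how the posted resource_access_query
# is evaluated against a constructed in-memory directory.
USER_DN_PATTERN = "cn=${username},o=org1,dc=nodomain"   # from the posted config
# Constructed entries (dn -> attributes). cn=wheel is the user's own entry and
# has no "member" attribute; cn=rmq-admins is an assumed group listing that user.
DIRECTORY = {
    "cn=wheel,o=org1,dc=nodomain": {"objectClass": ["person"], "cn": ["wheel"]},
    "cn=rmq-admins,o=org1,dc=nodomain": {"objectClass": ["groupOfNames"],
                                         "member": ["cn=wheel,o=org1,dc=nodomain"]},
}

def query_for_group(group_dn):
    # The posted resource_access_query, with the group DN as a parameter.
    return ("for", [
        ("permission", "configure", ("in_group", group_dn)),
        ("permission", "write", ("for", [
            ("resource", "queue", ("in_group", group_dn)),
            ("resource", "exchange", ("constant", True))])),
        ("permission", "read", ("for", [
            ("resource", "exchange", ("in_group", group_dn)),
            ("resource", "queue", ("constant", True))]))])

def fill(template, args):
    # Substitute ${key} placeholders, as in the "LDAP filling template" log line.
    for key, value in args.items():
        template = template.replace("${%s}" % key, str(value))
    return template

def evaluate(query, args, directory):
    kind = query[0]
    if kind == "constant":
        return query[1]
    if kind == "in_group":
        # {in_group, DN} defaults to "member" (see the log): true only if the
        # entry at DN lists the user's DN in that attribute.
        dn = fill(query[1], args)
        attr = query[2] if len(query) > 2 else "member"
        return args["user_dn"] in directory.get(dn, {}).get(attr, [])
    if kind == "for":
        # Select the subquery whose selector (permission or resource) matches.
        for selector, value, sub in query[1]:
            if args[selector] == value:
                return evaluate(sub, args, directory)
        return False
    raise ValueError("unknown query %r" % (query,))

def check(query, username, vhost, resource, name, permission, directory=DIRECTORY):
    # One LDAP CHECK: derive the user DN from the pattern, then evaluate the query.
    args = dict(username=username, vhost=vhost, resource=resource, name=name,
                permission=permission)
    args["user_dn"] = fill(USER_DN_PATTERN, args)
    return evaluate(query, args, directory)
```

With the posted group DN, `check(query_for_group("cn=wheel,o=org1,dc=nodomain"), "wheel", "/", "queue", "tyerter", "configure")` reproduces the logged `in_group ... false` denial, because the entry at that DN is the user itself and carries no `member` attribute; pointing the query at the constructed `cn=rmq-admins` group entry makes the same check pass.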