[rabbitmq-discuss] Error trying to configure rabbit_auth_backend_ldap
Simon MacMullen
simon at rabbitmq.com
Wed May 22 16:35:47 BST 2013
Hi.
The problem is the 'other_bind' configuration option defaults to
'as_user', but this isn't compatible with passwordless login.
'other_bind' controls how RabbitMQ connects to the LDAP server to do
anything other than check a {user, password} combination. 'as_user'
means connect to LDAP with the username and password of the logged in
user. You can see how this would fail to work.
So you need to set 'other_bind' to either 'anon' or {"another-user",
"another-password"} depending on how you want RabbitMQ to connect to LDAP here.
This could really be better explained in the documentation; I'll work on
that...
Cheers, Simon
On 22/05/13 16:22, Eric Cozzi wrote:
> I am trying to configure rabbit_auth_backend_ldap as a backing auth for
> passwordless login using rabbitmq_auth_mechanism_ssl, but I am getting
> the following error. I've also included my rabbitmq.config file for
> reference.
>
> Any help would be appreciated.
> Thanks,
> Eric
>
> Logfile:
>
> =ERROR REPORT==== 22-May-2013::09:32:37 ===
> ** Generic server rabbit_auth_backend_ldap terminating
> ** Last message in was {login,<<"O=client,CN=ecozzi-01">>}
> ** When Server state == {state,
> ["192.168.252.5"],
> "cn=${username},ou=msgbus,dc=cray,dc=com",none,none,
> as_user,
> {in_group,
> "ou=${vhost}-users,ou=vhosts,dc=cray,dc=com"},
> {for,
> [{permission,configure,
> {in_group,"cn=admin,dc=cray,dc=com"}},
> {permission,write,
> {for,
> [{resource,queue,
> {in_group,"cn=admin,dc=cray,dc=com"}},
> {resource,exchange,{constant,true}}]}},
> {permission,read,
> {for,
> [{resource,exchange,
> {in_group,"cn=admin,dc=cray,dc=com"}},
> {resource,queue,{constant,true}}]}}]},
> [{administrator,{constant,false}},
> {management,{constant,true}}],
> false,network,389}
> ** Reason for termination ==
> ** as_user_no_password
>
> =INFO REPORT==== 22-May-2013::09:32:37 ===
> LDAP CHECK: passwordless login for O=client,CN=ecozzi-01
>
> =ERROR REPORT==== 22-May-2013::09:32:40 ===
> closing AMQP connection <0.4824.0> (192.168.252.1:41297 ->
> 192.168.252.1:5671):
> {handshake_error,starting,0,
> {exit,
> {as_user_no_password,
> {gen_server,call,
> [rabbit_auth_backend_ldap,
> {login,<<"O=client,CN=ecozzi-01">>},
> infinity]}},
> 'connection.start_ok',
> [{gen_server,call,3,[{file,"gen_server.erl"},{line,188}]},
> {rabbit_access_control,'-check_user_login/2-fun-0-',4,[]},
>
> {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,227}]}]}}
>
> rabbitmq.config:
>
> [
> {rabbit,
> [
> {hipe_compile, true},
> {tcp_listen_options,
> [binary,
> {packet,raw},
> {reuseaddr,true},
> {backlog,128},
> {nodelay,true},
> {exit_on_close,false}
> ]
> },
> {auth_mechanisms, ['EXTERNAL']},
> {ssl_listeners, [5671]},
> {ssl_options, [{cacertfile,"/opt/cray/ssl/testca/cacert.pem"},
> {certfile,"/opt/cray/ssl/server-01/cert.pem"},
> {keyfile,"/opt/cray/ssl/server-01/key.pem"},
> {verify,verify_peer},
> {fail_if_no_peer_cert,true}
> ]
> },
> {auth_backends, [rabbit_auth_backend_ldap]}
> ]
> },
> {rabbitmq_auth_backend_ldap,
> [
> {servers, ["192.168.252.5"]},
> {user_dn_pattern, "cn=${username},ou=msgbus,dc=cray,dc=com"},
> {use_ssl, false},
> {port, 389},
> {log, network},
> {vhost_access_query, {in_group,
> "ou=${vhost}-users,ou=vhosts,dc=cray,dc=com"}},
> {resource_access_query,
> {for, [
> {permission, configure, {in_group,
> "cn=admin,dc=cray,dc=com"}},
> {permission, write,
> {for, [{resource, queue, {in_group,
> "cn=admin,dc=cray,dc=com"}},
> {resource, exchange, {constant, true}}]}},
> {permission, read,
> {for, [{resource, exchange, {in_group,
> "cn=admin,dc=cray,dc=com"}},
> {resource, queue, {constant, true}}]}}
> ]
> }
> },
> {tag_queries, [
> {administrator, {constant, false}},
> {management, {constant, true}}
> ]
> }
> ]
> }
> ].
>
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
--
Simon MacMullen
RabbitMQ, Pivotal
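For reference, here is the rabbitmq_auth_backend_ldap section of Eric's config with the change Simon describes applied. This is an added example, not code from the thread or from the RabbitMQ project: every option except other_bind is copied from the quoted rabbitmq.config, and the service-account DN and password in the second option are placeholders (an assumption), not values from the thread.

```erlang
%% rabbitmq.config fragment (added example). Only the rabbitmq_auth_backend_ldap
%% application section is shown; the rabbit section from the original message
%% (EXTERNAL mechanism, SSL listener, auth_backends) stays as it was.
[
 {rabbitmq_auth_backend_ldap,
  [
   {servers, ["192.168.252.5"]},
   {user_dn_pattern, "cn=${username},ou=msgbus,dc=cray,dc=com"},
   {use_ssl, false},
   {port, 389},
   {log, network},

   %% other_bind defaults to as_user: bind to LDAP with the logged-in user's
   %% own password for every lookup that is not a password check. With the
   %% EXTERNAL (client certificate) mechanism there is no password, so the
   %% vhost_access_query and resource_access_query lookups fail with
   %% as_user_no_password. Keep exactly one of the two settings below.

   %% Option 1: anonymous bind. Only works if the directory permits anonymous
   %% searches of ou=vhosts and of cn=admin (group membership lookups).
   {other_bind, anon},

   %% Option 2: a dedicated read-only service account used for all lookups.
   %% Placeholder DN and password (assumption). The config file then holds a
   %% credential, so it should be readable by the rabbitmq user only.
   %% {other_bind, {"cn=rabbitmq-bind,ou=msgbus,dc=cray,dc=com", "CHANGE-ME"}},

   {vhost_access_query,
    {in_group, "ou=${vhost}-users,ou=vhosts,dc=cray,dc=com"}},
   {resource_access_query,
    {for, [
           {permission, configure,
            {in_group, "cn=admin,dc=cray,dc=com"}},
           {permission, write,
            {for, [{resource, queue,
                    {in_group, "cn=admin,dc=cray,dc=com"}},
                   {resource, exchange, {constant, true}}]}},
           {permission, read,
            {for, [{resource, exchange,
                    {in_group, "cn=admin,dc=cray,dc=com"}},
                   {resource, queue, {constant, true}}]}}
          ]}},
   {tag_queries, [
                  {administrator, {constant, false}},
                  {management, {constant, true}}
                 ]}
  ]}
].
```

Whichever option is chosen, the error in the log ("** Reason for termination == ** as_user_no_password") is the thing to watch for after a restart: if it still appears, other_bind is still effectively as_user. Note also that with use_ssl set to false the bind credentials of option 2 travel to 192.168.252.5 in the clear, which is a separate question from the one in the thread.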