[rabbitmq-discuss] RabbitMQ Federation & SSL
Eric Cozzi
n16483 at cray.com
Wed May 29 23:00:30 BST 2013
What am I doing wrong?? I have set auth_mechanism=external in my
federation URI, but according to the RabbitMQ log, it's trying to
authenticate as guest.
ecozzi-01:~ # rabbitmqctl list_parameters
Listing runtime parameters ...
federation local-username "guest"
federation local-nodename "rabbit@ecozzi-01.site"
federation-upstream ecozzi-02
{"prefetch-count":1000,"uri":"amqps://ecozzi-02?cacertfile=/opt/cray/ssl/testca/cacert.pem&certfile=/opt/cray/ssl/client-01/cert.pem&keyfile=/opt/cray/ssl/client-01/key.pem&verify=verify_peer&fail_if_no_peer_cert=true&auth_mechanism=external","trust-user-id":true,"max-hops":1}
ecozzi-02:/etc/rabbitmq # rabbitmqctl list_parameters
Listing runtime parameters ...
federation local-username "guest"
federation local-nodename "smw_cluster"
federation-upstream ecozzi-01
{"prefetch-count":1000,"uri":"amqps://ecozzi-01?cacertfile=/opt/cray/ssl/testca/cacert.pem&certfile=/opt/cray/ssl/client-02/cert.pem&keyfile=/opt/cray/ssl/client-02/key.pem&verify=verify_peer&fail_if_no_peer_cert=true&auth_mechanism=external","trust-user-id":true,"max-hops":1}
*Log File:*
On 05/29/2013 09:53 AM, Eric Cozzi wrote:
> Matthias,
>
> Sorry for the delay in responding.
>
> I have the LDAP auth plugin logging at Network level. There are no
> additional log statements that are being output. I've also confirmed
> that the user exists in my LDAP. So, I'm not sure why it couldn't find
> the user, unless it's not looking for the correct username. It should
> be using the CN from the SSL certificate as the username, which in
> this case should be either ecozzi-02 or ecozzi-03.
>
> Erlang version is:
> ecozzi-01:/home/ecozzi # cat /usr/lib64/erlang/releases/RELEASES
> [{release,"OTP APN 181 01","R15B02","5.9.2",
> [{kernel,"2.15.2","/usr/lib64/erlang/lib/kernel-2.15.2"},
> {stdlib,"1.18.2","/usr/lib64/erlang/lib/stdlib-1.18.2"},
> {sasl,"2.2.1","/usr/lib64/erlang/lib/sasl-2.2.1"}],
> permanent}].
>
> Rabbit Version:
> ecozzi-01:/home/ecozzi # rabbitmqctl status
> Status of node 'rabbit@ecozzi-01' ...
> [{pid,3800},
> {running_applications,
> [{rabbitmq_federation_management,"RabbitMQ Federation Management",
> "3.0.1"},
> {rabbitmq_management,"RabbitMQ Management Console","3.0.1"},
> {rabbitmq_federation,"RabbitMQ Federation","3.0.1"},
> {rabbitmq_auth_backend_ldap,"RabbitMQ LDAP Authentication Backend",
> "3.0.1"},
> {rabbitmq_management_agent,"RabbitMQ Management Agent","3.0.1"},
> {rabbit,"RabbitMQ","3.0.1"},
> {ssl,"Erlang/OTP SSL application","5.1"},
> {public_key,"Public key infrastructure","0.16"},
> {crypto,"CRYPTO version 2","2.2"},
> {os_mon,"CPO CXC 138 46","2.2.10"},
> {rabbitmq_auth_mechanism_ssl,
> "RabbitMQ SSL authentication (SASL EXTERNAL)","3.0.1"},
> {rabbitmq_mochiweb,"RabbitMQ Mochiweb Embedding","3.0.1"},
> {webmachine,"webmachine","1.9.1-rmq3.0.1-git52e62bc"},
> {mochiweb,"MochiMedia Web Server","2.3.1-rmq3.0.1-gitd541e9a"},
> {xmerl,"XML parser","1.3.2"},
> {inets,"INETS CXC 138 49","5.9.1"},
> {mnesia,"MNESIA CXC 138 12","4.7.1"},
> {eldap,"Ldap api","1.0"},
> {amqp_client,"RabbitMQ AMQP Client","3.0.1"},
> {sasl,"SASL CXC 138 11","2.2.1"},
> {stdlib,"ERTS CXC 138 10","1.18.2"},
> {kernel,"ERTS CXC 138 10","2.15.2"}]},
> {os,{unix,linux}},
> {erlang_version,
> "Erlang R15B02 (erts-5.9.2) [source] [64-bit] [smp:2:2]
> [async-threads:30] [hipe] [kernel-poll:true]\n"},
> {memory,
> [{total,37603792},
> {connection_procs,162600},
> {queue_procs,235552},
> {plugins,377592},
> {other_proc,10276868},
> {mnesia,94464},
> {mgmt_db,84936},
> {msg_index,32576},
> {other_ets,1236360},
> {binary,306624},
> {code,20204649},
> {atom,760729},
> {other_system,3830842}]},
> {vm_memory_high_watermark,0.4},
> {vm_memory_limit,205919027},
> {disk_free_limit,1000000000},
> {disk_free,0},
> {file_descriptors,
> [{total_limit,924},{total_used,16},{sockets_limit,829},{sockets_used,4}]},
> {processes,[{limit,1048576},{used,249}]},
> {run_queue,0},
> {uptime,406985}]
> ...done.
>
> On 05/25/2013 03:56 PM, Matthias Radestock wrote:
>> Eric,
>>
>> On 24/05/13 22:55, Eric Cozzi wrote:
>>> {{badarg,{error,noSuchObject}},
>>> [{rabbit_access_control,'-check_vhost_access/2-fun-0-',3,[]},
>>> {rabbit_access_control,check_access,5,[]},
>>
>> That indicates that your LDAP auth backend returned a 'noSuchObject'
>> error when performing the vhost access check for the user.
>>
>> I suggest you enable logging in the LDAP auth plug-in to track down
>> the cause.
>>
>> However, the error really should be handled more gracefully by
>> rabbit, and I am at a loss why it's producing such a stack trace.
>> What versions of RabbitMQ and Erlang are you running and how did you
>> install rabbit (e.g. from a package, compiled from source, etc)?
>>
>> Matthias.
>>