[rabbitmq-discuss] eldap simple_bind failure

Joey Jiao joey.jiaojg at gmail.com
Tue Jul 1 09:36:00 BST 2014 

Looks like I'm hitting this as I cannot connect to port 636. But does eldap
support StartTLS now?

From: Simon MacMullen <simon at ...
<http://gmane.org/get-address.php?address=simon%2dmQ7lE4MOPXtWk0Htik3J%2fw%40public.gmane.org>
>
Subject: Re: Configuring Auth LDAP Backend using LDAP+SSL/TLS
<http://news.gmane.org/find-root.php?message_id=5268EBB6.4010504%40rabbitmq.com>
Newsgroups: gmane.comp.networking.rabbitmq.general
<http://news.gmane.org/gmane.comp.networking.rabbitmq.general>
Date: 2013-10-24 09:43:18 GMT (35 weeks, 4 days, 22 hours and 49 minutes
ago)

Currently you can't set SSL options for *LDAP* connections, you can only
set {*use_ssl*, true} to make a connection without presenting a client
certificate. I guess this should be fixed.

Also you have {port, 389} which is unlikely to work as it's the non-SSL
port and I'm not at all convinced e*ldap* (the underlying Erlang *LDAP*
library) supports StartTLS.

So the only configuration that could work at the moment is

{*use_ssl*, true},
{port,    636}




2014-07-01 16:16 GMT+08:00 Joey Jiao <joey.jiaojg at gmail.com>:

> Here is my config
>
> [
>   {rabbit, [
>     {log_levels, [{default, info}]},
>     {reverse_dns_lookups, true},
>     {auth_backends, [rabbit_auth_backend_ldap]},
>     {ssl_listeners, [5671]}
> %    {ssl_options, [
> %      {verify, verify_none},
> %      {cacertfile, "/etc/rabbitmq/qc_root_g2_cert.crt"},
> %      {certfile, "/etc/rabbitmq/ssl_v1_cert.crt"}
> %    ]}
>   ]},
>   {rabbitmq_auth_backend_ldap, [
>     {servers, ["ldap"]},
>     {user_dn_pattern, "uid=${username},ou=people,o=xxx"},
>  %  {dn_lookup_attribute, "uid"},
>  %  {dn_lookup_base, "ou=people,o=xxx"},
>  %  {dn_lookup_bind, anon},
>     {use_ssl, false},
>     {log, network},
>     {vhost_access_query, {constant, true}},
>     {resource_access_query, {constant, true}},
>     {tag_queries, [{administrator, {constant, true}},
>                    {management, {constant, true}}]}
>   ]}
> ].
>
>
> 2014-07-01 13:20 GMT+08:00 Joey Jiao <joey.jiaojg at gmail.com>:
>
>  Hi,
>> I'm still on using rabbitmq_auth_backends_ldap plugin but login still
>> failed.
>> After a track, it failed during eldap:simple_bind.
>> But it failed at simple_bind with
>> eldap:simple_bind(L,"uid=jiangenj,ou=people,o=xxx","password") with error
>> {error,confidentialityRequired}.
>>
>> My django app uses settings below and it worked. How can I convert to
>> rabbitmq way?
>> import ldap
>>
>>
>>
>> *AUTH_LDAP_START_TLS = TrueAUTH_LDAP_GLOBAL_OPTIONS = {
>> ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER }*
>>
>> *AUTH_LDAP_BIND_DN = ''AUTH_LDAP_BIND_PASSWORD = ''*
>> *AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True*
>> AUTH_LDAP_SERVER_URI = 'ldap://ldap'
>> AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,ou=people,o=xxx'
>>
>> --
>> -Joey Jiao
>>
>
>
>
> --
> -Joey Jiao
>



-- 
-Joey Jiao
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20140701/f1846bff/attachment.html>

More information about the rabbitmq-discuss mailing list