[rabbitmq-discuss] eldap simple_bind failure

Joey Jiao joey.jiaojg at gmail.com
Wed Jul 2 03:29:41 BST 2014 

So is there a way I can test from erl?
like eldap:open, eldap:start_tls, eldap:simple_bind
Tutorial is less on this on google:)


2014-07-01 17:47 GMT+08:00 Simon MacMullen <simon at rabbitmq.com>:

> On 01/07/14 09:36, Joey Jiao wrote:
>
>> Looks like I'm hitting this as I cannot connect to port 636. But does
>> eldap support StartTLS now?
>>
>
> Looks like it does now:
>
> http://www.erlang.org/doc/man/eldap.html#start_tls-2
>
> So I'll file a bug for StartTLS support. But for the time being your only
> option is to use SSL on port 636.
>
> Cheers, Simon
>
>
>  From: Simon MacMullen <simon at ...
>> <http://gmane.org/get-address.php?address=simon%
>> 2dmQ7lE4MOPXtWk0Htik3J%2fw%40public.gmane.org>>
>>
>> Subject: Re: Configuring Auth LDAP Backend using LDAP+SSL/TLS
>> <http://news.gmane.org/find-root.php?message_id=5268EBB6.
>> 4010504%40rabbitmq.com>
>> Newsgroups: gmane.comp.networking.rabbitmq.general
>> <http://news.gmane.org/gmane.comp.networking.rabbitmq.general>
>>
>> Date: 2013-10-24 09:43:18 GMT (35 weeks, 4 days, 22 hours and 49 minutes
>> ago)
>>
>> Currently you can't set SSL options for*LDAP*  connections, you can only
>> set {*use_ssl*, true} to make a connection without presenting a client
>>
>> certificate. I guess this should be fixed.
>>
>> Also you have {port, 389} which is unlikely to work as it's the non-SSL
>> port and I'm not at all convinced e*ldap*  (the underlying Erlang*LDAP*
>>
>> library) supports StartTLS.
>>
>> So the only configuration that could work at the moment is
>>
>> {*use_ssl*, true},
>>
>> {port,    636}
>>
>>
>>
>>
>> 2014-07-01 16:16 GMT+08:00 Joey Jiao <joey.jiaojg at gmail.com
>> <mailto:joey.jiaojg at gmail.com>>:
>>
>>
>>     Here is my config
>>
>>     [
>>        {rabbit, [
>>          {log_levels, [{default, info}]},
>>          {reverse_dns_lookups, true},
>>          {auth_backends, [rabbit_auth_backend_ldap]},
>>          {ssl_listeners, [5671]}
>>     %    {ssl_options, [
>>     %      {verify, verify_none},
>>     %      {cacertfile, "/etc/rabbitmq/qc_root_g2_cert.crt"},
>>     %      {certfile, "/etc/rabbitmq/ssl_v1_cert.crt"}
>>     %    ]}
>>        ]},
>>        {rabbitmq_auth_backend_ldap, [
>>          {servers, ["ldap"]},
>>          {user_dn_pattern, "uid=${username},ou=people,o=xxx"},
>>       %  {dn_lookup_attribute, "uid"},
>>       %  {dn_lookup_base, "ou=people,o=xxx"},
>>       %  {dn_lookup_bind, anon},
>>          {use_ssl, false},
>>          {log, network},
>>          {vhost_access_query, {constant, true}},
>>          {resource_access_query, {constant, true}},
>>          {tag_queries, [{administrator, {constant, true}},
>>                         {management, {constant, true}}]}
>>        ]}
>>     ].
>>
>>
>>     2014-07-01 13:20 GMT+08:00 Joey Jiao <joey.jiaojg at gmail.com
>>     <mailto:joey.jiaojg at gmail.com>>:
>>
>>
>>         Hi,
>>         I'm still on using rabbitmq_auth_backends_ldap plugin but login
>>         still failed.
>>         After a track, it failed during eldap:simple_bind.
>>         But it failed at simple_bind with
>>         eldap:simple_bind(L,"uid=jiangenj,ou=people,o=xxx","password")
>>         with error {error,confidentialityRequired}.
>>
>>         My django app uses settings below and it worked. How can I
>>         convert to rabbitmq way?
>>         import ldap
>>         *AUTH_LDAP_START_TLS = True
>>         AUTH_LDAP_GLOBAL_OPTIONS = {
>>              ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER
>>         }*
>>         *AUTH_LDAP_BIND_DN = ''
>>         AUTH_LDAP_BIND_PASSWORD = ''*
>>         *AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True*
>>
>>         AUTH_LDAP_SERVER_URI = 'ldap://ldap'
>>         AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,ou=people,o=xxx'
>>
>>         --
>>         -Joey Jiao
>>
>>
>>
>>
>>     --
>>     -Joey Jiao
>>
>>
>>
>>
>> --
>> -Joey Jiao
>>
>>
>> _______________________________________________
>> rabbitmq-discuss mailing list has moved to https://groups.google.com/
>> forum/#!forum/rabbitmq-users,
>> please subscribe to the new list!
>>
>> rabbitmq-discuss at lists.rabbitmq.com
>> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>>
>>
>
> --
> Simon MacMullen
> RabbitMQ, Pivotal
>



-- 
-Joey Jiao
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20140702/ee8a6942/attachment.html>

More information about the rabbitmq-discuss mailing list