[rabbitmq-discuss] in_group not functioning with ldap bind?
Mueller, Peter
peter.mueller at viacom.com
Tue Jun 10 02:23:20 BST 2014
I am trying to get a new rabbitmq server to allow an LDAP group (cn=rabbitmq_write,ou=Group,dc=company,dc=com) admin rights. Other users should have read rights. Currently I am able to log in but not to create a test exchange or queue. Config is attached (1). Relevant log output (2). I have tried various settings, such as LDAP settings that more exactly match 'in_group' to how our LDAP group is structured (3).
I was using rabbitmq-server-3.3.1-1.noarch.rpm, but just upgraded to rabbitmq-server-3.3.2-1.noarch.rpm. No changes to the rpm install other than the (1) conf file. CentOS 6.5, EPEL, all updates, SELinux and iptables disabled.
Many thanks for your assistance.
(1) conf file
[
  {rabbit,
    [
      {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]},
      {ssl_listeners, [5671]}
    ]
  },
  {rabbitmq_auth_backend_ldap,
    [
      {servers, ["ldap.server.company.com"]},
      {dn_lookup_bind, {"cn=binduser,ou=LDAPusers,dc=company,dc=com", "bindpassword"}},
      {dn_lookup_base, "dc=company,dc=com"},
      {dn_lookup_attribute, "uid"},
      {use_ssl, true},
      {ssl_options, [{cacertfile, "/etc/rabbitmq/companyca.crt"},
                     {verify, verify_peer},
                     {fail_if_no_peer_cert, false}]},
      {port, 636},
      {log, network},
      {vhost_access_query, {constant, true}},
      {resource_access_query,
        %% configure: group membership; read: always allowed on exchanges and queues.
        %% in_group with no attribute name is expanded with the default "member"
        %% attribute (see the "LDAP evaluating query" lines in the log below).
        {for, [{permission, configure,
                {in_group, "cn=rabbitmq_write,ou=Group,dc=company,dc=com"}},
               {permission, read,
                {for, [{resource, exchange, {constant, true}},
                       {resource, queue, {constant, true}}]}}
              ]}},
      {tag_queries, [
        {administrator, {in_group, "cn=admins,ou=Group,dc=company,dc=com"}},
        {management, {constant, true}}
      ]}
    ]
  }
].
(2) Log from rabbitmq
=INFO REPORT==== 9-Jun-2014::20:43:35 ===
LDAP bind succeeded: uid=muellerpe,ou=People,dc=company,dc=com
=INFO REPORT==== 9-Jun-2014::20:43:35 ===
LDAP evaluating query: {for,
[{permission,configure,
{in_group,
"cn=rabbitmq_write,ou=Group,dc=company,dc=com"}},
{permission,read,
{for,
[{resource,exchange,{constant,true}},
{resource,queue,{constant,true}}]}}]}
=INFO REPORT==== 9-Jun-2014::20:43:35 ===
LDAP selecting subquery permission = configure
=INFO REPORT==== 9-Jun-2014::20:43:35 ===
LDAP evaluating query: {in_group,"cn=rabbitmq_write,ou=Group,dc=company,dc=com"}
=INFO REPORT==== 9-Jun-2014::20:43:35 ===
LDAP evaluating query: {in_group,"cn=rabbitmq_write,ou=Group,dc=company,dc=com",
"member"}
=INFO REPORT==== 9-Jun-2014::20:43:35 ===
LDAP filling template "cn=rabbitmq_write,ou=Group,dc=company,dc=com" with
[{username,<<"muellerpe">>},
{user_dn,"uid=muellerpe,ou=People,dc=company,dc=com"},
{vhost,<<"/">>},
{resource,exchange},
{name,<<"test">>},
{permission,configure}]
=INFO REPORT==== 9-Jun-2014::20:43:35 ===
LDAP template result: "cn=rabbitmq_write,ou=Group,dc=company,dc=com"
=INFO REPORT==== 9-Jun-2014::20:43:35 ===
LDAP network traffic: search request = {'SearchRequest',
"cn=rabbitmq_write,ou=Group,dc=company,dc=com",
baseObject,derefAlways,0,0,false,
{equalityMatch,
{'AttributeValueAssertion',
"member",
"uid=muellerpe,ou=People,dc=company,dc=com"}},
["objectClass"]}
=INFO REPORT==== 9-Jun-2014::20:43:35 ===
LDAP network traffic: search reply = {ok,
{'LDAPMessage',2,
{searchResDone,
{'LDAPResult',success,[],[],
asn1_NOVALUE}},
asn1_NOVALUE}}
=INFO REPORT==== 9-Jun-2014::20:43:35 ===
LDAP network traffic: search reply = searchResDone
=INFO REPORT==== 9-Jun-2014::20:43:35 ===
LDAP evaluated in_group for "cn=rabbitmq_write,ou=Group,dc=company,dc=com": false
(3) ldap DN dump of group I want to make admin
dn: cn=rabbitmq_write,ou=Group,dc=company,dc=com
cn: rabbitmq_write
ou: Group
objectClass: hybridgroup
objectClass: top
gidNumber: 12345
seeAlso:
uniqueMember: uid=crawforb,ou=People,dc=company,dc=com
uniqueMember: uid=dasilvai,ou=People,dc=company,dc=com
uniqueMember: uid=muellerpe,ou=People,dc=company,dc=com
memberUid: crawforb
memberUid: dasilvai
memberUid: muellerpe
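Added example (not from the post or from the RabbitMQ project): a small Python model of how the LDAP backend evaluates the posted resource_access_query against the group entry in (3). The log shows the two-element `{in_group, DN}` form being expanded to `{in_group, DN, "member"}` and a baseObject search on the group DN with an equalityMatch filter on that attribute; the group dump, however, carries its members in `uniqueMember`, so the filter matches nothing and the backend reports false. The model reproduces that, evaluates the same query with `"uniqueMember"` named explicitly as the third element, and also walks the `for` clauses for a `write` permission, which the posted query never mentions. The LDIF text is copied from the post; the directory, search and query helpers, and the treatment of an unmatched `for` clause as denial, are assumptions of this example.

```python
# Model of rabbitmq_auth_backend_ldap query evaluation (added example; assumptions noted inline).

# Group entry copied from section (3) of the post.
GROUP_LDIF = """\
dn: cn=rabbitmq_write,ou=Group,dc=company,dc=com
cn: rabbitmq_write
ou: Group
objectClass: hybridgroup
objectClass: top
gidNumber: 12345
seeAlso:
uniqueMember: uid=crawforb,ou=People,dc=company,dc=com
uniqueMember: uid=dasilvai,ou=People,dc=company,dc=com
uniqueMember: uid=muellerpe,ou=People,dc=company,dc=com
memberUid: crawforb
memberUid: dasilvai
memberUid: muellerpe
"""

USER_DN = "uid=muellerpe,ou=People,dc=company,dc=com"   # the bound user DN from the log
GROUP_DN = "cn=rabbitmq_write,ou=Group,dc=company,dc=com"


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.
    LDAP attribute names are case-insensitive, so they are normalised here."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


# Constructed in-memory directory keyed by lower-cased DN (assumption: one group entry is enough).
DIRECTORY = {GROUP_DN.lower(): parse_ldif_entry(GROUP_LDIF)}


def base_object_search(directory, base_dn, attr, value):
    """Mimic the SearchRequest in the log: scope baseObject on base_dn with an
    equalityMatch filter (attr=value). Returns the matching entries; an empty
    list corresponds to the bare searchResDone the poster saw."""
    entry = directory.get(base_dn.lower())
    if entry is None:
        return []
    # DN-valued attributes compare case-insensitively (approximates distinguishedNameMatch).
    if any(v.lower() == value.lower() for v in entry.get(attr.lower(), [])):
        return [entry]
    return []


def evaluate(query, ctx, directory):
    """Evaluate a query term. Terms mirror the Erlang config:
       ("constant", bool)
       ("in_group", group_dn)             -> attribute defaults to "member", as the log shows
       ("in_group", group_dn, attribute)
       ("for", [(key, value, subquery), ...])"""
    kind = query[0]
    if kind == "constant":
        return query[1]
    if kind == "in_group":
        attribute = query[2] if len(query) > 2 else "member"
        return bool(base_object_search(directory, query[1], attribute, ctx["user_dn"]))
    if kind == "for":
        for key, value, subquery in query[1]:
            if ctx.get(key) == value:
                return evaluate(subquery, ctx, directory)
        # No clause matched: modelled as denial (assumption for this example).
        return False
    raise ValueError("unknown query %r" % (query,))


# The poster's resource_access_query, transcribed from the config in (1).
POSTED_QUERY = ("for", [
    ("permission", "configure", ("in_group", GROUP_DN)),
    ("permission", "read", ("for", [
        ("resource", "exchange", ("constant", True)),
        ("resource", "queue", ("constant", True)),
    ])),
])

# Same query with the group's actual membership attribute named explicitly.
FIXED_QUERY = ("for", [
    ("permission", "configure", ("in_group", GROUP_DN, "uniqueMember")),
    ("permission", "read", ("for", [
        ("resource", "exchange", ("constant", True)),
        ("resource", "queue", ("constant", True)),
    ])),
])


def check(query, permission, resource, user_dn=USER_DN):
    """Evaluate a resource_access_query for one (permission, resource) pair."""
    ctx = {"user_dn": user_dn, "permission": permission, "resource": resource}
    return evaluate(query, ctx, DIRECTORY)


if __name__ == "__main__":
    for label, q in (("posted", POSTED_QUERY), ("fixed", FIXED_QUERY)):
        for perm, res in (("configure", "exchange"), ("read", "queue"), ("write", "exchange")):
            print("%-6s %-9s %-8s -> %s" % (label, perm, res, check(q, perm, res)))
```

Running it prints false for configure under the posted query and true once the attribute is `uniqueMember`; it also prints false for write under both, because neither query has a `{permission, write, ...}` clause, which is worth checking before attributing every denial to the group lookup. The `memberUid` values in the dump hold bare uids rather than DNs, so they would not satisfy a DN-valued equalityMatch either way.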