RabbitMQ LDAP身份验证失败

时间:2015-02-18 13:06:20

标签: ldap rabbitmq ldap-query easynetq

我正在经历使用LDAP授权设置RabbitMQ的过程,但我没有太多运气......有人知道,请看看我告诉我我做错了什么?我能够使用以下代码查询LDAP以获取用户对象:

var entry = new DirectoryEntry("LDAP://ourldapbox.ourcompany.co.uk:636/CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk");

配置尝试1 

[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {user_dn_pattern,       "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"},
     {use_ssl,               false},
     {port,                  636},
     {log,                   true}
   ]
  }
].

配置尝试2 

[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {dn_lookup_attribute,   "sAMAccountName"},
     {dn_lookup_base,        "DC=ourcompany,DC=co,DC=uk"},
     {user_dn_pattern,       "${username}@ourcompany.co.uk"},
     {other_bind,            anon},
     {use_ssl,               false},
     {port,                  636},
     {log,                   true}
   ]
  }
].

配置尝试3 

[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {dn_lookup_attribute,   "userPrincipalName"},
     {dn_lookup_base,        "dc=ourcompany,dc=co,dc=uk"},
     {user_dn_pattern,       "${username}@ourcompany.co.uk"},
     {use_ssl,               false},
     {port,                  636},
     {log,                   true}
   ]
  }
].

连接代码

我尝试以多种方式连接(全部失败):

var connectionFactory = new ConnectionFactory
{
    HostName = "localhost",
    UserName = "twainm",
    Password = "fred123",
};

using (connectionFactory.CreateConnection())
{
    // fails with:
    // None of the specified endpoints were reachable
    // ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
}

内部数据库回退配置正在运行,因此guest可以毫无问题地连接。

日志 

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
accepting AMQP connection <0.1122.0> ([::1]:20117 -> [::1]:5672)

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP CHECK: login for Mark Twain

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP filling template "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk" with
            [{username,<<"Mark Twain">>}]

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP template result: "CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP CHECK: login for Mark Twain

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP filling template "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk" with
            [{username,<<"Mark Twain">>}]

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP template result: "CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
    LDAP bind error: CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk {gen_tcp_error,
                                                                                                    closed}

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP DECISION: login for Mark Twain: {error,{gen_tcp_error,closed}}

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
    LDAP bind error: CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk {gen_tcp_error,
                                                                                                    closed}

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP DECISION: login for Mark Twain: {error,{gen_tcp_error,closed}}

=ERROR REPORT==== 18-Feb-2015::10:38:16 ===
closing AMQP connection <0.1122.0> ([::1]:20117 -> [::1]:5672):
{handshake_error,starting,0,
                 {amqp_error,access_refused,
                             "PLAIN login refused: user 'Mark Twain' - invalid credentials",
                             'connection.start_ok'}}

我有一个很好的Google用于&#34; LDAP绑定错误&#34;,&#34; handshake_error,开始,0&#34;和&#34; access_refused&#34;但是找不到任何可以指引我正确方向的东西。

任何帮助都将不胜感激。

2 个答案:

答案 0 :(得分:6)

解决!我意识到use_ssl=falseport=636的组合有点愚蠢,因为636是加密的(即SSL LDAP)端口。

这是我的LDAP配置(现在正在运行)。我希望这可以节省一些人几个小时:

[
  {rabbit,
   [ {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {dn_lookup_attribute,   "sAMAccountName"},
     {dn_lookup_base,        "DC=ourcompany,DC=co,DC=uk"},
     {user_dn_pattern,       "${username}@ourcompany.co.uk"},
     {use_ssl,               true},
     {port,                  636},
     {log,                   true}
   ]
  }
].

答案 1 :(得分:0)

我遇到了类似的问题,只是我使用的是 rabbitmq.conf 而不是 advanced.config 格式。如果有人遇到此问题并使用其他配置格式,这里有一个替代解决方案:

auth_backends.1 = ldap    
auth_ldap.servers.1  = ourldapbox.ourcompany.co.uk
auth_ldap.dn_lookup_attribute = sAMAccountName
auth_ldap.dn_lookup_base = DC=ourcompany,DC=co,DC=uk
auth_ldap.user_dn_pattern = ${username}@ourcompany.co.uk
auth_ldap.use_ssl    = true
auth_ldap.port       = 636
auth_ldap.log        = true
auth_backends.2   = rabbit_auth_backend_internal
相关问题
最新问题