我正在尝试在Windows 7上为RabbitMQ 3.6.2配置LDAP身份验证/授权。我已经实现了由应用程序发送用户名/密码的基本身份验证,但密码写在代码里,我需要想办法避免这种情况。有没有人成功配置过RabbitMQ,使其通过LDAP进行身份验证而无需提供密码?我一直在参考LDAP插件文档(LDAP plugin docs),但没有成功。
我的rabbitmq.config文件如此设置:
bazMap[i].as<int>()
谢谢,
安迪
答案 0 :(得分:2)
这是我最终采用的配置,希望对别人有帮助。我必须在配置中添加3个参数:
您可能不需要下面配置中的所有设置,但这是我的配置,其中包括通过SSL进行身份验证,以及授予某些特定AD组对RabbitMQ管理UI的“管理员”访问权限。我添加了很多注释,希望有助于理解。
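%% rabbitmq.config in Erlang-term format: a list of {Application, Settings}
%% tuples, terminated by a full stop. Each Settings value must itself be a
%% list of {Key, Value} tuples.
[
  {rabbit,
    [
      %% NOTE(review): the {A, B} tuple form names one backend for authentication (A)
      %% and another for authorization (B). If that reading is right, the internal
      %% backend decides vhost/resource permissions here and the LDAP access queries
      %% further down only apply when LDAP also handles authorization - confirm
      %% against the LDAP plugin docs before relying on either set of rules.
      {auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}]}
    ]
  },
  %% LDAP Authentication. See https://www.rabbitmq.com/ldap.html
  {rabbitmq_auth_backend_ldap,
    [
      {servers, ["theserver.thedomain.com"]},
      {dn_lookup_attribute, "userPrincipalName"},
      {dn_lookup_base, "DC=Name1,DC=Name2"},
      %% this makes it so that login usernames are just <username> instead of <username>@thedomain.com
      {user_dn_pattern, "${username}@thedomain.com"},
      %% Authenticate over SSL (LDAPS on port 636), so bind credentials are not sent in clear text.
      %% NOTE(review): no certificate-verification options for the LDAP connection are set in
      %% this file - confirm how the directory server's certificate is validated.
      {use_ssl, true},
      {port, 636},
      %% Change this to true to troubleshoot LDAP failures (see file rabbit@<machinename>.log and scroll to bottom for the most recent activity)
      %% Switch it back off afterwards; check the plugin docs for what each log level records
      %% before enabling anything more verbose.
      {log, false},
      %% ------------------------------------------------------------------------------------
      %% LDAP-based authorization for employee logins to the management UI.
      %% The following settings maps the permissions that LDAP-authenticated users will have.
      %% For more info, see: https://www.rabbitmq.com/access-control.html
      %% ------------------------------------------------------------------------------------
      %% Grant access to all virtual hosts (this is the default, but is present here for the sake of transparency)
      %% {constant, true} admits every account that authenticates; use a group-based query
      %% (e.g. in_group, as in tag_queries below) if only some accounts should get in.
      {vhost_access_query, {constant, true}},
      %% Grant access to "resources" (exchanges, queues, bindings, etc.) (this is the default)
      %% Same caveat: this places no restriction on configure/write/read per resource.
      {resource_access_query, {constant, true}},
      %% Grant RabbitMQ administrator access based on LDAP group membership.
      %% Membership in any one of the three groups is sufficient ('or'); the last entry
      %% uses in_group_nested rather than in_group. Keep these groups small and audited,
      %% since the administrator tag gives full control of the broker.
      {tag_queries, [{administrator, {'or',
        [{in_group, "CN=Group 1 Name,OU=Group 1 OU,OU=Groups,DC=thecompany,DC=com"},
         {in_group, "CN=Group 2 Name,OU=Group 2 OU,OU=Groups,DC=thecompany,DC=com"},
         {in_group_nested, "CN=Group 3 Name,OU=Group 3 OU,OU=Groups,DC=thecompany,DC=com"}]}
      }]}
    ]
  }
].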
编辑:下面的程序片段展示了RabbitMQ ConnectionFactory如何在不使用用户名/密码的情况下建立连接,因为它依赖基于证书的身份验证。您只需要SSL证书的路径(证书可使用OpenSSL免费生成)以及证书密码。
using LipsumGenerator.Message;
using Messaging.Work;
using RabbitMQ.Client;
using System;
using System.Configuration;
using System.Security.Authentication;
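namespace Publisher
{
    /// <summary>
    /// Sample publisher that connects to RabbitMQ over TLS with a client certificate
    /// and the EXTERNAL auth mechanism, so no username or password appears in code.
    /// </summary>
    class Program
    {
        /// <summary>
        /// Builds the connection factory from appSettings, opens a connection and a
        /// channel, then publishes "Lipsum" messages in an endless loop until the
        /// process is terminated.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        /// <exception cref="ConfigurationErrorsException">
        /// A required appSettings key is missing or blank.
        /// </exception>
        static void Main(string[] args)
        {
            var factory = new ConnectionFactory();
            factory.HostName = RequireSetting("rabbitmqHostName");

            // Offer only EXTERNAL, so the client never falls back to a password-based
            // mechanism. The broker must be set up to accept EXTERNAL and map the
            // certificate to a user; that side is not shown in this file.
            factory.AuthMechanisms = new AuthMechanismFactory[] { new ExternalMechanismFactory() };

            // Name expected in the broker's certificate. Certificate policy settings are
            // left untouched here, so the client library's defaults apply.
            // NOTE(review): do not relax them to get past certificate errors.
            factory.Ssl.ServerName = RequireSetting("rabbitmqServerName");
            factory.Ssl.CertPath = RequireSetting("certificateFilePath");

            // Not validated: an unprotected certificate file may legitimately have no passphrase.
            // NOTE(review): appSettings values are read as plain text; protect the config
            // section or restrict file ACLs so the passphrase and key file are not
            // readable by other accounts.
            factory.Ssl.CertPassphrase = ConfigurationManager.AppSettings["certificatePassphrase"];

            factory.Ssl.Enabled = true;
            factory.Ssl.Version = SslProtocols.Tls12;
            factory.Port = AmqpTcpEndpoint.DefaultAmqpSslPort;
            factory.VirtualHost = "/";

            using (var connection = factory.CreateConnection())
            {
                using (var channel = connection.CreateModel())
                {
                    Console.WriteLine(" [*] Publishing messages. To exit press CTRL+C");
                    int count = 0;

                    // Random only varies the demo payload argument and the pause between
                    // sends; nothing security-sensitive is derived from it.
                    var rand = new Random();
                    while (true)
                    {
                        count++;
                        WorkProcessor.EnqueueMessage(channel, "Lipsum", new LipsumGeneratorMessage(rand.Next(5)));
                        Console.WriteLine("Sent message Lipsum " + count);
                        System.Threading.Thread.Sleep(rand.Next(2000));
                    }
                }
            }
        }

        /// <summary>
        /// Reads an appSettings value and fails fast, naming the key, when it is absent
        /// or blank, so the problem is reported here rather than during connection setup.
        /// </summary>
        /// <param name="key">The appSettings key to read.</param>
        /// <returns>The configured, non-blank value.</returns>
        /// <exception cref="ConfigurationErrorsException">The key is missing or blank.</exception>
        private static string RequireSetting(string key)
        {
            string value = ConfigurationManager.AppSettings[key];
            if (string.IsNullOrWhiteSpace(value))
            {
                // Only the key name goes into the message; configured values are never echoed.
                throw new ConfigurationErrorsException("Missing required appSettings key: " + key);
            }

            return value;
        }
    }
}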