RabbitMQ LDAP on the management plugin

Posted: 2019-05-21 15:46:02

Tags: active-directory ldap rabbitmq

I'm new to RabbitMQ. I've installed it on Windows 10 Enterprise for development. We are running Active Directory. I'm trying to set up LDAP for the management plugin so that any user with the correct password can log in as an administrator.

My latest configuration:

[
  {
    rabbit,
    [
      {
        auth_backends, [
          {rabbit_auth_backend_ldap, rabbit_auth_backend_internal},
          rabbit_auth_backend_internal
        ]
      }
    ]
  },
  {
    rabbitmq_auth_backend_ldap,
    [
      {
        servers, [
          "WLNC0DS23N.na.mycompany.com", "WBRD0DS21N.na.mycompany.com"
        ]
      },
      {
        dn_lookup_attribute, "userPrincipalName"
      },
      {
        dn_lookup_base, "DC=na,DC=mycompany,DC=com"
      },
      {
        user_dn_pattern, "${username}@mycompany.com"
      },
      {
        use_ssl, false
      },
      {
        port, 389
      },
      {
        log, true
      },
      {
        vhost_access_query, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com", "member"}
      },
      {
        resource_access_query, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com", "member"}
      },
      {
        topic_access_query, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com", "member"}
      },
      {
        tag_queries, [
          {
            administrator, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com", "member"}
          }
        ]
      }
    ]
  }
].

Unfortunately, although LDAP seems to check me out fine, I cannot log in and get this error in the log:

2019-05-28 16:04:14.662 [info] <0.678.0> LDAP CHECK: login for perryda
2019-05-28 16:04:14.663 [info] <0.678.0>         LDAP filling template "${username}@mycompany.com" with
        [{username,<<"perryda">>}]
2019-05-28 16:04:14.663 [info] <0.678.0>         LDAP template result: "perryda@mycompany.com"
2019-05-28 16:04:14.750 [info] <0.317.0>     LDAP bind succeeded: xxxx
2019-05-28 16:04:14.750 [info] <0.317.0>         LDAP filling template "${username}@mycompany.com" with
        [{username,<<"perryda">>}]
2019-05-28 16:04:14.751 [info] <0.317.0>         LDAP template result: "perryda@mycompany.com"
2019-05-28 16:04:14.753 [info] <0.317.0>     LDAP DN lookup: perryda -> CN=Perry\, David,OU=Users,OU=WLNC-Wilmington,OU=OC,OU=IT-SD,DC=na,DC=mycompany,DC=com
2019-05-28 16:04:14.753 [info] <0.317.0>     LDAP CHECK: does perryda have tag administrator?
2019-05-28 16:04:14.753 [info] <0.317.0>     LDAP evaluating query: {in_group_nested,"CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
2019-05-28 16:04:14.753 [info] <0.317.0>     LDAP evaluating query: {in_group_nested,"CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member",subtree}
2019-05-28 16:04:14.754 [info] <0.317.0>         LDAP filling template "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com" with
        [{username,<<"perryda">>},{user_dn,"CN=Perry\\, David,OU=Users,OU=WLNC-Wilmington,OU=OC,OU=IT-SD,DC=na,DC=mycompany,DC=com"}]
2019-05-28 16:04:14.754 [info] <0.317.0>         LDAP template result: "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com"
2019-05-28 16:04:14.759 [info] <0.317.0>     LDAP DECISION: does perryda have tag administrator? true
2019-05-28 16:04:14.759 [info] <0.678.0> LDAP DECISION: login for perryda: ok
2019-05-28 16:04:14.759 [warning] <0.678.0> HTTP access denied: user 'perryda' - invalid credentials

Does anyone know what the problem is and how to fix it?

3 answers:

Answer 0 (score: 1)


"Trying to set it up so that AD users who belong to a specific AD group are logged in immediately when they access the management plugin from IE or Edge."

The management UI does not support this. You must provide a username and password to log in with AD credentials.


NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.

Answer 1 (score: 1)

It may be too late, but in my case I solved authentication + authorization via LDAP with a fallback to the internal database.

{rabbit,
  [
    .......
    {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]},
    .......
  ]}

More details: https://github.com/MarcialRosales/rabbitmq-ldap-integration/blob/master/multiple-auth-backends/README.md

Answer 2 (score: 0)

This answer was posted by Daniil Fedotov in the RabbitMQ Google group. It works great!

Hi,

Your auth backend configuration line "{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}" means that the LDAP backend is used only for authentication (checking that the user exists) and not for authorization (checking that the user has access to resources), and the internal backend is used for authorization. That means you should have permissions and tags configured for an internal user.

If you want authorization to go through LDAP, you should replace this tuple "{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}" with "rabbit_auth_backend_ldap". Or create the user permissions in the internal database, but I guess that is not what you are trying to achieve.
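To make the rule in Daniil's reply concrete, here is a small Python model, added to this page and not RabbitMQ's own code, of how the auth_backends list is walked: each entry is either one module or an {AuthN, AuthZ} pair, and the entry that authenticates the user also decides which backend answers the management UI's tag check. The user directories, passwords and the NA_WHS group membership are constructed stand-ins.

```python
# Constructed directories standing in for the LDAP server and the internal DB.
LDAP_USERS = {"perryda": {"password": "s3cret", "groups": {"NA_WHS"}}}
INTERNAL_USERS = {"guest": {"password": "guest", "tags": {"administrator"}}}
ADMIN_GROUP = "NA_WHS"  # group named in the question's in_group_nested tag query


class LdapBackend:
    """Stand-in for rabbit_auth_backend_ldap (simplified model, not the real module)."""

    def authenticate(self, user, password):
        entry = LDAP_USERS.get(user)
        return entry is not None and entry["password"] == password

    def tags(self, user):
        # Models tag_queries: administrator iff the user is a member of ADMIN_GROUP.
        groups = LDAP_USERS.get(user, {}).get("groups", set())
        return {"administrator"} if ADMIN_GROUP in groups else set()


class InternalBackend:
    """Stand-in for rabbit_auth_backend_internal (simplified model)."""

    def authenticate(self, user, password):
        entry = INTERNAL_USERS.get(user)
        return entry is not None and entry["password"] == password

    def tags(self, user):
        # The internal DB only knows users created with rabbitmqctl add_user.
        return set(INTERNAL_USERS.get(user, {}).get("tags", set()))


def management_login(auth_backends, user, password):
    """First entry whose AuthN part accepts the credentials wins; its AuthZ
    part answers the tag query. Returns (authenticated, tags). The management
    UI also requires a tag, so (True, set()) is the "login ok / HTTP access
    denied" pattern seen in the question's log."""
    for entry in auth_backends:
        authn, authz = entry if isinstance(entry, tuple) else (entry, entry)
        if authn.authenticate(user, password):
            return True, authz.tags(user)
    return False, set()


if __name__ == "__main__":
    ldap, internal = LdapBackend(), InternalBackend()
    # Asker's config: LDAP authenticates, internal DB authorizes -> no tags.
    print(management_login([(ldap, internal), internal], "perryda", "s3cret"))
    # Fixed config from the answers: LDAP does both -> administrator tag.
    print(management_login([ldap, internal], "perryda", "s3cret"))
```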