RabbitMQ LDAP on the Management Plugin
I am new to RabbitMQ. For development purposes I installed it on Windows 10 Enterprise. We have Active Directory running. I am trying to set up LDAP for the management plugin so that any user with the correct password can log in as administrator.
My latest config:
[
  {rabbit, [
    {auth_backends, [
      {rabbit_auth_backend_ldap, rabbit_auth_backend_internal},
      rabbit_auth_backend_internal
    ]}
  ]},
  {rabbitmq_auth_backend_ldap, [
    {servers, ["WLNC0DS23N.na.mycompany.com", "WBRD0DS21N.na.mycompany.com"]},
    {dn_lookup_attribute, "userPrincipalName"},
    {dn_lookup_base, "DC=na,DC=mycompany,DC=com"},
    {user_dn_pattern, "${username}@mycompany.com"},
    {use_ssl, false},
    {port, 389},
    {log, true},
    {vhost_access_query, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com", "member"}},
    {resource_access_query, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com", "member"}},
    {topic_access_query, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com", "member"}},
    {tag_queries, [
      {administrator, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com", "member"}}
    ]}
  ]}
].
Unfortunately, although LDAP seems to check me out fine, I cannot log in and get this error in the log:
2019-05-28 16:04:14.662 [info] <0.678.0> LDAP CHECK: login for perryda
2019-05-28 16:04:14.663 [info] <0.678.0> LDAP filling template "${username}@mycompany.com" with
[{username,<<"perryda">>}]
2019-05-28 16:04:14.663 [info] <0.678.0> LDAP template result: "perryda@mycompany.com"
2019-05-28 16:04:14.750 [info] <0.317.0> LDAP bind succeeded: xxxx
2019-05-28 16:04:14.750 [info] <0.317.0> LDAP filling template "${username}@mycompany.com" with
[{username,<<"perryda">>}]
2019-05-28 16:04:14.751 [info] <0.317.0> LDAP template result: "perryda@mycompany.com"
2019-05-28 16:04:14.753 [info] <0.317.0> LDAP DN lookup: perryda -> CN=Perry\, David,OU=Users,OU=WLNC-Wilmington,OU=OC,OU=IT-SD,DC=na,DC=mycompany,DC=com
2019-05-28 16:04:14.753 [info] <0.317.0> LDAP CHECK: does perryda have tag administrator?
2019-05-28 16:04:14.753 [info] <0.317.0> LDAP evaluating query: {in_group_nested,"CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
2019-05-28 16:04:14.753 [info] <0.317.0> LDAP evaluating query: {in_group_nested,"CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member",subtree}
2019-05-28 16:04:14.754 [info] <0.317.0> LDAP filling template "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com" with
[{username,<<"perryda">>},{user_dn,"CN=Perry\, David,OU=Users,OU=WLNC-Wilmington,OU=OC,OU=IT-SD,DC=na,DC=mycompany,DC=com"}]
2019-05-28 16:04:14.754 [info] <0.317.0> LDAP template result: "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com"
2019-05-28 16:04:14.759 [info] <0.317.0> LDAP DECISION: does perryda have tag administrator? true
2019-05-28 16:04:14.759 [info] <0.678.0> LDAP DECISION: login for perryda: ok
2019-05-28 16:04:14.759 [warning] <0.678.0> HTTP access denied: user 'perryda' - invalid credentials
Does anyone know what the problem is and how to fix it?
Trying to set it up so AD users that belong to a particular AD Group are just instantly logged in when they access the management plugin from IE or Edge.
The management UI does not support this. You must provide a username and password to log in with AD credentials.
NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on Stack Overflow.
This answer was posted by Daniil Fedotov in the RabbitMQ Google group. It works great!
Hi,
Your auth backend configuration line "{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}" means that the LDAP backend is used only for authentication (checking that the user exists) and not for authorization (checking that the user can access resources); the internal backend is used for authorization.
This means you should configure permissions and tags for internal users.
If you want authorization via LDAP, you should replace this tuple: "{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}" with: "rabbit_auth_backend_ldap".
Or create the user permissions in the internal database, but I guess that is not what you want to achieve.
It may be too late, but in my case I solved my authentication+authorization problem with LDAP plus a fallback to the internal database:
{rabbit,
[
.......
{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]},
.......
]}
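The backend-pairing rule from Daniil Fedotov's answer and the flat list from the last answer, modelled as added Python with constructed users (this is an illustration, not RabbitMQ's own code; the user, group and password values are hypothetical). It shows why the question's pairing is refused by the internal backend and why the flat list logs the same user in:

```python
# Added model (not RabbitMQ's own code) of how the auth_backends list is resolved.
# A plain backend name does both authentication and authorization; a pair
# (authn, authz) splits them. Backends are tried in order for authentication; once
# one accepts the password, its paired authz backend decides and later entries are
# not consulted. Directory contents below are constructed for the example.
LDAP_USERS = {"perryda": {"password": "s3cret", "groups": {"NA_WHS"}}}
INTERNAL_USERS = {"guest": {"password": "guest", "tags": {"administrator"}}}
ADMIN_GROUP = "NA_WHS"  # group that tag_queries maps to the administrator tag

def ldap_authn(user, password):
    return LDAP_USERS.get(user, {}).get("password") == password

def ldap_authz(user):
    tags = {"administrator"} if ADMIN_GROUP in LDAP_USERS[user]["groups"] else set()
    return ("ok", tags)

def internal_authn(user, password):
    return INTERNAL_USERS.get(user, {}).get("password") == password

def internal_authz(user):
    # The internal backend only authorizes users present in its own database;
    # an unknown user is refused with the wording seen in the question's log.
    if user not in INTERNAL_USERS:
        return ("refused", "user '%s' - invalid credentials" % user)
    return ("ok", INTERNAL_USERS[user]["tags"])

BACKENDS = {"rabbit_auth_backend_ldap": (ldap_authn, ldap_authz),
            "rabbit_auth_backend_internal": (internal_authn, internal_authz)}

def check_user_login(auth_backends, user, password):
    for entry in auth_backends:
        authn, authz = entry if isinstance(entry, tuple) else (entry, entry)
        if BACKENDS[authn][0](user, password):
            return BACKENDS[authz][1](user)  # authz verdict is final
    return ("refused", "user '%s' - invalid credentials" % user)

def management_login(auth_backends, user, password):
    # The management UI additionally requires a management-level tag.
    status, detail = check_user_login(auth_backends, user, password)
    if status == "refused":
        return "HTTP access denied: " + detail
    if not detail & {"administrator", "monitoring", "management", "policymaker"}:
        return "Not management user"
    return "ok"

# The question's original list and the flat list from the last answer.
ORIGINAL = [("rabbit_auth_backend_ldap", "rabbit_auth_backend_internal"),
            "rabbit_auth_backend_internal"]
FIXED = ["rabbit_auth_backend_ldap", "rabbit_auth_backend_internal"]
```

With ORIGINAL, LDAP accepts the password but the internal backend, asked to authorize a user it has never seen, refuses; with FIXED the LDAP backend both authenticates and supplies the administrator tag, and internal users such as guest still work as the fallback.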