RabbitMQ LDAP authentication failing
I'm going through the process of setting up RabbitMQ with LDAP authorisation, but I'm not having much luck... Could someone who knows please take a look and tell me what I'm doing wrong? I can query LDAP for the user object using the following code:
using System.DirectoryServices;
// Constructed sample: binds to the user's own DN over LDAPS (port 636)
var entry = new DirectoryEntry("LDAP://ourldapbox.ourcompany.co.uk:636/CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk");
Config attempt 1
[
{rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
{rabbitmq_auth_backend_ldap,
[ {servers, ["ourldapbox.ourcompany.co.uk"]},
{user_dn_pattern, "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"},
{use_ssl, false},
{port, 636},
{log, true}
]
}
].
Config attempt 2
[
{rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
{rabbitmq_auth_backend_ldap,
[ {servers, ["ourldapbox.ourcompany.co.uk"]},
{dn_lookup_attribute, "sAMAccountName"},
{dn_lookup_base, "DC=ourcompany,DC=co,DC=uk"},
{user_dn_pattern, "${username}@ourcompany.co.uk"},
{other_bind, anon},
{use_ssl, false},
{port, 636},
{log, true}
]
}
].
Config attempt 3
[
{rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
{rabbitmq_auth_backend_ldap,
[ {servers, ["ourldapbox.ourcompany.co.uk"]},
{dn_lookup_attribute, "userPrincipalName"},
{dn_lookup_base, "dc=ourcompany,dc=co,dc=uk"},
{user_dn_pattern, "${username}@ourcompany.co.uk"},
{use_ssl, false},
{port, 636},
{log, true}
]
}
].
Connection code
I'm trying to connect in a number of ways (all failing):
using RabbitMQ.Client;
var connectionFactory = new ConnectionFactory
{
HostName = "localhost",
UserName = "twainm",
Password = "fred123",
};
// CreateConnection performs the AMQP handshake, including the PLAIN login
using (connectionFactory.CreateConnection())
{
// fails with:
// None of the specified endpoints were reachable
// ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
}
The internal database fallback configuration is working, so guest can connect without any problem.
Log
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
accepting AMQP connection <0.1122.0> ([::1]:20117 -> [::1]:5672)
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP CHECK: login for Mark Twain
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP filling template "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk" with
[{username,<<"Mark Twain">>}]
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP template result: "CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP CHECK: login for Mark Twain
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP filling template "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk" with
[{username,<<"Mark Twain">>}]
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP template result: "CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP bind error: CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk {gen_tcp_error,
closed}
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP DECISION: login for Mark Twain: {error,{gen_tcp_error,closed}}
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP bind error: CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk {gen_tcp_error,
closed}
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP DECISION: login for Mark Twain: {error,{gen_tcp_error,closed}}
=ERROR REPORT==== 18-Feb-2015::10:38:16 ===
closing AMQP connection <0.1122.0> ([::1]:20117 -> [::1]:5672):
{handshake_error,starting,0,
{amqp_error,access_refused,
"PLAIN login refused: user 'Mark Twain' - invalid credentials",
'connection.start_ok'}}
I've had a good Google for "LDAP bind error", "handshake_error,starting,0" and "access_refused", but couldn't find anything that points me in the right direction.
Any help would be much appreciated.
Solved! I realised that the combination of use_ssl=false and port=636 was a bit silly, since 636 is the encrypted (i.e. SSL LDAP) port.
Here's my LDAP config (now working). I hope this saves someone a few hours:
[
{rabbit,
[ {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
{rabbitmq_auth_backend_ldap,
[ {servers, ["ourldapbox.ourcompany.co.uk"]},
{dn_lookup_attribute, "sAMAccountName"},
{dn_lookup_base, "DC=ourcompany,DC=co,DC=uk"},
{user_dn_pattern, "${username}@ourcompany.co.uk"},
{use_ssl, true},
{port, 636},
{log, true}
]
}
].
I had a similar problem, except I was using rabbitmq.conf rather than the advanced.config format. In case anyone runs into this while using the other config format, here's an alternative solution:
auth_backends.1 = ldap
auth_ldap.servers.1 = ourldapbox.ourcompany.co.uk
auth_ldap.dn_lookup_attribute = sAMAccountName
auth_ldap.dn_lookup_base = DC=ourcompany,DC=co,DC=uk
auth_ldap.user_dn_pattern = ${username}@ourcompany.co.uk
auth_ldap.use_ssl = true
auth_ldap.port = 636
auth_ldap.log = true
auth_backends.2 = rabbit_auth_backend_internal
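The root cause in both answers above is a transport mismatch: the plugin was told to talk plain LDAP to port 636, which only speaks TLS, so the server closed the socket and the broker logged {gen_tcp_error,closed} before any bind could happen. The following is an added example, not code from the question, the answers or the RabbitMQ project: a small Python lint that parses the rabbitmq.conf (sysctl-style) auth_ldap keys shown in the second answer, renders user_dn_pattern the way the broker's "LDAP filling template" log line does, and flags the use_ssl/port combinations that cannot work. The sample configuration is constructed from the page's values; the default port of 389 and the auth_ldap.use_starttls key are assumptions taken from the RabbitMQ LDAP plugin's documented settings.

```python
"""Constructed lint for rabbitmq.conf auth_ldap settings (not RabbitMQ's own code).

Checks the use_ssl / port pairing that caused the {gen_tcp_error,closed} bind
error in the question, and shows how ${username} is filled into user_dn_pattern.
"""

# Standard LDAP ports (assumption: the directory listens on the usual ones).
LDAP_PLAIN_PORT = 389
LDAPS_PORT = 636

# Constructed sample: the rabbitmq.conf layout from the second answer, but with
# the broken use_ssl=false + port=636 combination from the original attempts.
BROKEN_CONF = """\
auth_backends.1 = ldap
auth_ldap.servers.1 = ourldapbox.ourcompany.co.uk
auth_ldap.dn_lookup_attribute = sAMAccountName
auth_ldap.dn_lookup_base = DC=ourcompany,DC=co,DC=uk
auth_ldap.user_dn_pattern = ${username}@ourcompany.co.uk
auth_ldap.use_ssl = false
auth_ldap.port = 636
auth_ldap.log = true
auth_backends.2 = rabbit_auth_backend_internal
"""

# The same file with the fix from the accepted answer applied.
FIXED_CONF = BROKEN_CONF.replace("auth_ldap.use_ssl = false",
                                 "auth_ldap.use_ssl = true")


def parse_rabbitmq_conf(text):
    """Parse 'key = value' lines into a dict.

    Splits on the first '=' only, so DN values such as
    'DC=ourcompany,DC=co,DC=uk' survive intact. Blank and '#' lines are skipped.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed rabbitmq.conf line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def render_user_dn(pattern, username):
    """Fill ${username} into user_dn_pattern, as the broker log shows it doing."""
    return pattern.replace("${username}", username)


def lint_ldap_transport(conf):
    """Return a list of findings about the use_ssl / use_starttls / port pairing."""
    findings = []
    use_ssl = conf.get("auth_ldap.use_ssl", "false").lower() == "true"
    use_starttls = conf.get("auth_ldap.use_starttls", "false").lower() == "true"
    # Assumption: the plugin's default port is 389 whatever use_ssl is set to.
    port = int(conf.get("auth_ldap.port", str(LDAP_PLAIN_PORT)))

    if port == LDAPS_PORT and not use_ssl:
        findings.append(
            "port 636 is the LDAPS port but use_ssl is false: the server expects a "
            "TLS handshake and closes the socket ({gen_tcp_error,closed} in the log)")
    if port == LDAP_PLAIN_PORT and use_ssl:
        findings.append(
            "use_ssl is true but port is 389: implicit TLS belongs on 636; on 389 "
            "use use_starttls instead")
    if not use_ssl and not use_starttls:
        findings.append(
            "no TLS configured: user passwords would be sent to the directory in "
            "clear text; enable use_ssl (port 636) or use_starttls")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        conf = parse_rabbitmq_conf(text)
        dn = render_user_dn(conf["auth_ldap.user_dn_pattern"], "twainm")
        print(f"[{label}] bind identity: {dn}")
        for finding in lint_ldap_transport(conf) or ["no transport findings"]:
            print(f"[{label}] {finding}")
```

Running it prints two findings for the broken file (the 636-without-TLS mismatch and the clear-text warning) and none for the fixed one. The same checks apply to the advanced.config form: the keys are the same, only the syntax differs.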