Active directory RabbitMQ LDAP配置在组搜索时失败


I am trying to set up the RabbitMQ LDAP provider configuration so that it can authenticate my users and then associate them with the correct user management tags.

Currently RabbitMQ seems to be able to authenticate me against AD, but it cannot verify which AD groups I am in.

Config 1:

    ,{rabbitmq_auth_backend_ldap, [
        {servers, ["myDC.myDomain.com"]}
        ,{dn_lookup_bind, {"cn=MyServiceAccount,dc=serviceAccounts,dc=myDomain,dc=com", "Service@ccountPa$$word"}}
        ,{dn_lookup_attribute, "userPrincipalName"}
        ,{dn_lookup_base, "DC=myDomain,DC=com"}
        ,{group_lookup_base, "ou=myLocation,ou=Groups,dc=myDomain,dc=com"}
        ,{log, true}
        ,{vhost_access_query, {constant, true}}
        ,{topic_access_query, {constant, true}}
        ,{resource_access_query, {constant, true}}
        ,{tag_queries, [
            { administrator, { in_group, "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com" } },
            { management, { in_group, "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com" } }
        ]}
    ]}

Below you can see it finding me and then failing to resolve my groups.

Worth noting:

  • In the log line that shows my DN (line 9), it shows an empty array
  • This only seems to work when my username is in the form myDomain\myUserName

Config 2:

    ,{rabbitmq_auth_backend_ldap, [
        {servers, ["myDC.myDomain.com"]}
        ,{dn_lookup_bind, {"CN=myServiceAccount,OU=Services,DC=myDomain,DC=com", "Service@ccountPa$$word"}}
        ,{dn_lookup_attribute, "distinguishedName"}
        ,{user_dn_pattern, "CN=${username},OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com"}
        ,{dn_lookup_base, "DC=myDomain,DC=com"}
        ,{group_lookup_base, "ou=myLocation,ou=Groups,dc=myDomain,dc=com"}
        ,{log, true}
        ,{vhost_access_query, {constant, true}}
        ,{topic_access_query, {constant, true}}
        ,{resource_access_query, {constant, true}}
        ,{tag_queries, [
            { administrator, { in_group, "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com" } },
            { management, { in_group, "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com" } }
        ]}
    ]}

In the log you can see it finding me and then associating me with the correct groups, but it does not work for users whose DN does not exactly match mine.

Worth noting:

  • I do not have to specify my domain in this config

My DN: CN=myUserName,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com

2020-01-15 21:19:15.795 [info] <0.3040.0> LDAP CHECK: login for myUserName
2020-01-15 21:19:15.804 [info] <0.367.0>     LDAP bind succeeded: CN=xxxx,OU=xxxx,DC=xxxx,DC=xxxx
2020-01-15 21:19:15.804 [info] <0.367.0>         LDAP filling template "CN=${username},OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com" with
            [{username,<<"myUserName">>}]
2020-01-15 21:19:15.804 [info] <0.367.0>         LDAP template result: "CN=myUserName,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com"
2020-01-15 21:19:15.812 [info] <0.367.0>     LDAP DN lookup: myUserName -> CN=myUserName,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com
2020-01-15 21:19:15.825 [info] <0.367.0>     LDAP bind succeeded: CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=xxxx
2020-01-15 21:19:15.825 [info] <0.367.0>     LDAP CHECK: does myUserName have tag administrator?
2020-01-15 21:19:15.825 [info] <0.367.0>     LDAP evaluating query: {in_group,"CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com"}
2020-01-15 21:19:15.825 [info] <0.367.0>     LDAP evaluating query: {in_group,"CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com","member"}
2020-01-15 21:19:15.825 [info] <0.367.0>         LDAP filling template "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com" with
            [{username,<<"myUserName">>},{user_dn,"CN=myUserName,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com"}]
2020-01-15 21:19:15.825 [info] <0.367.0>         LDAP template result: "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com"
2020-01-15 21:19:15.833 [info] <0.367.0>     LDAP evaluated in_group for "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com": true
2020-01-15 21:19:15.834 [info] <0.367.0>     LDAP DECISION: does myUserName have tag administrator? true
2020-01-15 21:19:15.834 [info] <0.367.0>     LDAP CHECK: does myUserName have tag management?
2020-01-15 21:19:15.834 [info] <0.367.0>     LDAP evaluating query: {in_group,"CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com"}
2020-01-15 21:19:15.834 [info] <0.367.0>     LDAP evaluating query: {in_group,"CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com","member"}
2020-01-15 21:19:15.834 [info] <0.367.0>         LDAP filling template "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com" with
            [{username,<<"myUserName">>},{user_dn,"CN=myUserName,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com"}]
2020-01-15 21:19:15.834 [info] <0.367.0>         LDAP template result: "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com"
2020-01-15 21:19:15.842 [info] <0.367.0>     LDAP evaluated in_group for "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com": true
2020-01-15 21:19:15.843 [info] <0.367.0>     LDAP DECISION: does myUserName have tag management? true
Below is what the log looks like when one of my peers (from a different OU) logs in.

My peer's DN: CN=myPeer,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com

2020-01-15 21:23:30.760 [info] <0.3394.0> LDAP CHECK: login for myPeer
2020-01-15 21:23:30.764 [info] <0.367.0>     LDAP bind succeeded: CN=xxxx,OU=xxxx,DC=xxxx,DC=xxxx
2020-01-15 21:23:30.765 [info] <0.367.0>         LDAP filling template "CN=${username},OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com" with
            [{username,<<"myPeer">>}]
2020-01-15 21:23:30.765 [info] <0.367.0>         LDAP template result: "CN=myPeer,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com"
2020-01-15 21:23:30.766 [warning] <0.367.0> Searching for DN for CN=myPeer,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com, got back []
2020-01-15 21:23:30.768 [info] <0.367.0>     LDAP bind returned "invalid credentials": CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=xxxx
2020-01-15 21:23:30.768 [info] <0.3394.0> LDAP DECISION: login for myPeer: denied
2020-01-15 21:23:30.768 [warning] <0.3394.0> HTTP access denied: CN=myPeer,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com

I ended up figuring this out. As Eric mentioned, it looks like I needed to switch dn_lookup_attribute to sAMAccountName:

    ,{rabbitmq_auth_backend_ldap, [
        {servers, ["myDC.myDomain.com"]}
        ,{dn_lookup_bind, {"CN=MyServiceAccount,OU=Services,DC=myDomain,DC=com", "Service@ccountPa$$word"}}
        ,{dn_lookup_attribute, "sAMAccountName"}
        ,{dn_lookup_base, "DC=myDomain,DC=com"}
        ,{group_lookup_base, "ou=myLocation,ou=Groups,dc=myDomain,dc=com"}
        ,{log, true}
        ,{vhost_access_query, {constant, true}}
        ,{topic_access_query, {constant, true}}
        ,{resource_access_query, {constant, true}}
        ,{tag_queries, [
            { administrator, { in_group, "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com" } },
            { management, { in_group, "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com" } }
        ]}
    ]}
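To make it concrete why the user_dn_pattern config works for one OU only while the sAMAccountName lookup works for every OU under the search base, here is an added offline model of the plugin's DN resolution and in_group evaluation. This is illustration code written for this page, not RabbitMQ's own code: the directory entries, passwords and the userPrincipalName values (stored in the usual AD form user@domain) are constructed, and the resolution rules follow what the logs above show (fill user_dn_pattern, search dn_lookup_base by dn_lookup_attribute, bind as the resulting DN, then test the group's member attribute).

```python
"""Offline model of how rabbitmq_auth_backend_ldap turns a login name into a
DN and then evaluates in_group tag queries.  Added illustration, not RabbitMQ
code: the directory is constructed, and the rules follow the question's logs
(fill user_dn_pattern -> search dn_lookup_base by dn_lookup_attribute ->
bind as that DN -> check the group's member attribute)."""

from string import Template

BASE = "DC=myDomain,DC=com"
USERS_OU = "OU=Users,OU=myLocation," + BASE
GROUPS_OU = "OU=myLocation,OU=Groups," + BASE

ME = "CN=myUserName,OU=randomSubOU,OU=Developers," + USERS_OU
PEER = "CN=myPeer,OU=Developers," + USERS_OU   # different OU: no randomSubOU
ADMINS = "CN=rabbitAdmins," + GROUPS_OU
MANAGERS = "CN=rabbitManagers," + GROUPS_OU

# Constructed directory (DN -> attributes).  UPNs use the usual AD form
# user@domain; sAMAccountName is the short logon name typed into RabbitMQ.
DIRECTORY = {
    ME:   {"sAMAccountName": "myUserName", "userPrincipalName": "myUserName@myDomain.com",
           "password": "hunter2"},
    PEER: {"sAMAccountName": "myPeer", "userPrincipalName": "myPeer@myDomain.com",
           "password": "correct-horse"},
    ADMINS:   {"member": [ME]},
    MANAGERS: {"member": [ME, PEER]},
}

def _under(dn, base):
    """Subtree scope: the DN is the base or ends with it (DNs are case-insensitive)."""
    return dn.lower().endswith(base.lower())

def _attr_equals(attrs, name, value):
    stored = attrs.get(name)
    if stored is None:
        return False
    values = stored if isinstance(stored, list) else [stored]
    return value.lower() in [v.lower() for v in values]

def ldap_search(base, attribute, value):
    """Subtree search under `base` for entries whose `attribute` equals `value`.
    distinguishedName is matched against the entry's own DN."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not _under(dn, base):
            continue
        if attribute == "distinguishedName":
            if dn.lower() == value.lower():
                hits.append(dn)
        elif _attr_equals(attrs, attribute, value):
            hits.append(dn)
    return hits

def resolve_dn(username, cfg):
    """Fill user_dn_pattern (default "${username}") and look the result up by
    dn_lookup_attribute under dn_lookup_base.  With no match the plugin falls
    back to binding with the filled value, so that value is returned too."""
    filled = Template(cfg.get("user_dn_pattern", "${username}")).substitute(username=username)
    hits = ldap_search(cfg["dn_lookup_base"], cfg["dn_lookup_attribute"], filled)
    return (hits[0], True) if hits else (filled, False)

def ldap_bind(dn, password):
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("password") == password

def authenticate(username, password, cfg):
    """Returns the user's DN on success, or None (the plugin's 'denied')."""
    dn, _found = resolve_dn(username, cfg)
    return dn if ldap_bind(dn, password) else None

def in_group(user_dn, group_dn, attribute="member"):
    """{in_group, GroupDN} with the default 'member' attribute, as in the logs."""
    return _attr_equals(DIRECTORY.get(group_dn, {}), attribute, user_dn)

def tags_for(user_dn, cfg):
    return sorted(tag for tag, (_kind, group) in cfg["tag_queries"].items()
                  if in_group(user_dn, group))

TAG_QUERIES = {"administrator": ("in_group", ADMINS), "management": ("in_group", MANAGERS)}

# Config 2 from the question: DN built from a fixed OU path.
CFG_PATTERN = {"dn_lookup_attribute": "distinguishedName", "dn_lookup_base": BASE,
               "user_dn_pattern": "CN=${username},OU=randomSubOU,OU=Developers," + USERS_OU,
               "tag_queries": TAG_QUERIES}
# Config 1: lookup by userPrincipalName with whatever the user typed.
CFG_UPN = {"dn_lookup_attribute": "userPrincipalName", "dn_lookup_base": BASE,
           "tag_queries": TAG_QUERIES}
# The accepted answer: lookup by sAMAccountName, any OU under the base.
CFG_SAM = {"dn_lookup_attribute": "sAMAccountName", "dn_lookup_base": BASE,
           "tag_queries": TAG_QUERIES}

if __name__ == "__main__":
    for name, cfg in [("userPrincipalName", CFG_UPN), ("pattern", CFG_PATTERN), ("sAMAccountName", CFG_SAM)]:
        for user, pw in [("myUserName", "hunter2"), ("myPeer", "correct-horse")]:
            dn = authenticate(user, pw, cfg)
            print(f"{name:18} {user:11} -> {'denied' if dn is None else tags_for(dn, cfg)}")
```

Running it shows the three outcomes side by side: the userPrincipalName config denies a bare login name (the UPN is user@domain), the pattern config authenticates myUserName but denies myPeer exactly as the second log does, and the sAMAccountName config authenticates both and gives each only the tags of the groups they are actually a member of. Against a real DC the same lookup can be checked with `ldapsearch -x -H ldap://myDC.myDomain.com -D "<bind DN>" -W -b "DC=myDomain,DC=com" "(sAMAccountName=myPeer)" dn memberOf`. One caveat the configs above carry with them: with vhost_access_query, resource_access_query and topic_access_query all set to {constant, true}, every account that can bind to AD gets full access to every vhost, exchange and queue; the tag_queries only decide who sees the management UI as administrator or management, so anyone relying on group membership to limit broker access needs in_group conditions on those queries as well, and the service-account password sitting in the config file needs the file's permissions restricted accordingly.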

Try using
dn_lookup_attribute=sAMAccountName
and try setting the {binddn, password} tuple as described in this post (duplicate?).