RabbitMQ LDAP身份验证失败

vc9ivgsu  于 2023-08-05  发布在  RabbitMQ
关注(0)|答案(2)|浏览(163)

我正在经历使用LDAP授权设置RabbitMQ的过程,但运气不太好...有没有知情的人帮我看看,告诉我哪里做错了?我可以使用以下代码查询LDAP以获取用户对象:

var entry = new DirectoryEntry("LDAP://ourldapbox.ourcompany.co.uk:636/CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk");

字符串

配置尝试1

[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {user_dn_pattern,       "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"},
     {use_ssl,               false},
     {port,                  636},
     {log,                   true}
   ]
  }
].

配置尝试2

[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {dn_lookup_attribute,   "sAMAccountName"},
     {dn_lookup_base,        "DC=ourcompany,DC=co,DC=uk"},
     {user_dn_pattern,       "${username}@ourcompany.co.uk"},
     {other_bind,            anon},
     {use_ssl,               false},
     {port,                  636},
     {log,                   true}
   ]
  }
].

配置尝试3

[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {dn_lookup_attribute,   "userPrincipalName"},
     {dn_lookup_base,        "dc=ourcompany,dc=co,dc=uk"},
     {user_dn_pattern,       "${username}@ourcompany.co.uk"},
     {use_ssl,               false},
     {port,                  636},
     {log,                   true}
   ]
  }
].

连接编码

我尝试了几种方法连接(都失败了):

var connectionFactory = new ConnectionFactory
{
    HostName = "localhost",
    UserName = "twainm",
    Password = "fred123",
};

using (connectionFactory.CreateConnection())
{
    // fails with:
    // None of the specified endpoints were reachable
    // ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
}


内部数据库回退配置正在工作,因此guest能够顺利连接。

日志

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
accepting AMQP connection <0.1122.0> ([::1]:20117 -> [::1]:5672)

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP CHECK: login for Mark Twain

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP filling template "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk" with
            [{username,<<"Mark Twain">>}]

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP template result: "CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP CHECK: login for Mark Twain

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP filling template "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk" with
            [{username,<<"Mark Twain">>}]

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP template result: "CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
    LDAP bind error: CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk {gen_tcp_error,
                                                                                                    closed}

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP DECISION: login for Mark Twain: {error,{gen_tcp_error,closed}}

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
    LDAP bind error: CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk {gen_tcp_error,
                                                                                                    closed}

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP DECISION: login for Mark Twain: {error,{gen_tcp_error,closed}}

=ERROR REPORT==== 18-Feb-2015::10:38:16 ===
closing AMQP connection <0.1122.0> ([::1]:20117 -> [::1]:5672):
{handshake_error,starting,0,
                 {amqp_error,access_refused,
                             "PLAIN login refused: user 'Mark Twain' - invalid credentials",
                             'connection.start_ok'}}


我有一个很好的谷歌“LDAP绑定错误”,“handshake_error,starting,0”和“access_rejected”,但找不到任何可以指向我正确的方向。
如果你能帮忙的话,我将不胜感激。

wwodge7n

wwodge7n1#

解决了!我意识到use_ssl=falseport=636的组合有点愚蠢,因为636是加密的(即636)。SSL LDAP)端口。
这是我的LDAP配置(现在可以工作了)。我希望这能为一些人节省几个小时:

[
  {rabbit,
   [ {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {dn_lookup_attribute,   "sAMAccountName"},
     {dn_lookup_base,        "DC=ourcompany,DC=co,DC=uk"},
     {user_dn_pattern,       "${username}@ourcompany.co.uk"},
     {use_ssl,               true},
     {port,                  636},
     {log,                   true}
   ]
  }
].

字符串

vzgqcmou

vzgqcmou2#

我也遇到过类似的问题,只不过我使用的是rabbitmq.conf而不是advanced.config格式。如果有人遇到这个问题并使用其他配置格式,这里有一个替代解决方案:

auth_backends.1 = ldap    
auth_ldap.servers.1  = ourldapbox.ourcompany.co.uk
auth_ldap.dn_lookup_attribute = sAMAccountName
auth_ldap.dn_lookup_base = DC=ourcompany,DC=co,DC=uk
auth_ldap.user_dn_pattern = ${username}@ourcompany.co.uk
auth_ldap.use_ssl    = true
auth_ldap.port       = 636
auth_ldap.log        = true
auth_backends.2   = rabbit_auth_backend_internal

字符串

相关问题