我是RabbitMQ的新手。我将其安装在Windows 10 Enterprise上用于开发目的。Active Directory正在运行。尝试为管理插件设置LDAP,以便任何具有正确密码的用户都可以以管理员身份登录。
我的最新配置:
[
{
rabbit,
[
{
auth_backends, [
{rabbit_auth_backend_ldap, rabbit_auth_backend_internal},
rabbit_auth_backend_internal
]
}
]
},
{
rabbitmq_auth_backend_ldap,
[
{
servers, [
"WLNC0DS23N.na.mycompany.com","WBRD0DS21N.na.mycompany.com"
]
},
{
dn_lookup_attribute, "userPrincipalName"
},
{
dn_lookup_base, "DC=na,DC=mycompany,DC=com"
},
{
user_dn_pattern, "${username}@mycompany.com"
},
{
use_ssl, false
},
{
port, 389
},
{
log, true
},
{
vhost_access_query, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
},
{
resource_access_query, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
},
{
topic_access_query, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
},
{
tag_queries, [
{
administrator, {in_group_nested,"CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
}
]
}
]
}
].
不幸的是,虽然LDAP似乎可以检查我,但我无法登录并在日志中获得此错误:
2019-05-28 16:04:14.662 [info] <0.678.0> LDAP CHECK: login for perryda
2019-05-28 16:04:14.663 [info] <0.678.0> LDAP filling template "${username}@mycompany.com" with
[{username,<<"perryda">>}]
2019-05-28 16:04:14.663 [info] <0.678.0> LDAP template result: "[email protected]"
2019-05-28 16:04:14.750 [info] <0.317.0> LDAP bind succeeded: xxxx
2019-05-28 16:04:14.750 [info] <0.317.0> LDAP filling template "${username}@mycompany.com" with
[{username,<<"perryda">>}]
2019-05-28 16:04:14.751 [info] <0.317.0> LDAP template result: "[email protected]"
2019-05-28 16:04:14.753 [info] <0.317.0> LDAP DN lookup: perryda -> CN=Perry\, David,OU=Users,OU=WLNC-Wilmington,OU=OC,OU=IT-SD,DC=na,DC=mycompany,DC=com
2019-05-28 16:04:14.753 [info] <0.317.0> LDAP CHECK: does perryda have tag administrator?
2019-05-28 16:04:14.753 [info] <0.317.0> LDAP evaluating query: {in_group_nested,"CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
2019-05-28 16:04:14.753 [info] <0.317.0> LDAP evaluating query: {in_group_nested,"CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member",subtree}
2019-05-28 16:04:14.754 [info] <0.317.0> LDAP filling template "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com" with
[{username,<<"perryda">>},{user_dn,"CN=Perry\\, David,OU=Users,OU=WLNC-Wilmington,OU=OC,OU=IT-SD,DC=na,DC=mycompany,DC=com"}]
2019-05-28 16:04:14.754 [info] <0.317.0> LDAP template result: "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com"
2019-05-28 16:04:14.759 [info] <0.317.0> LDAP DECISION: does perryda have tag administrator? true
2019-05-28 16:04:14.759 [info] <0.678.0> LDAP DECISION: login for perryda: ok
2019-05-28 16:04:14.759 [warning] <0.678.0> HTTP access denied: user 'perryda' - invalid credentials
有没有人知道问题出在哪里,以及如何解决?
3条答案
按热度按时间goucqfw61#
这个答案是由Daniil Fedotov在RabbitMQ Google Group发布的。效果很好!
你好,
您的auth后端配置行“{rabbit_auth_backend_ldap,rabbit_auth_backend_internal}”表示LDAP后端仅用于身份验证(检查用户是否存在),而不用于授权(检查用户是否可以访问资源),内部后端用于授权。这意味着您应该为内部用户配置权限和标记。如果你想通过LDAP进行授权,你应该替换这个元组:“{rabbit_auth_backend_ldap,rabbit_auth_backend_internal}”,其中:“rabbit_auth_backend_ldap”。或者在内部数据库中创建用户权限,但我猜这不是您要实现的目标。
mum43rcc2#
可能为时已晚,但在我的情况下,我已经解决了我的问题与身份验证+授权通过LDAP +回退到内部数据库:
更多详情:https://github.com/MarcialRosales/rabbitmq-ldap-integration/blob/master/multiple-auth-backends/README.md
elcex8rz3#
尝试设置它,以便属于特定AD组的AD用户在从IE或Edge访问管理插件时立即登录。
管理UI不支持此操作。请输入您的用户名和密码登录