Search code examples
ldaprabbitmqldap-queryeasynetq

RabbitMQ LDAP authentication failing

I'm going through the process of setting up RabbitMQ with LDAP authorization but am not having much luck... Could someone in the know, please take a look and tell me what I'm doing wrong? I'm able to query LDAP to get the user object with the following code:

var entry = new DirectoryEntry("LDAP://ourldapbox.ourcompany.co.uk:636/CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk");

Config Attempt 1

[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {user_dn_pattern,       "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"},
     {use_ssl,               false},
     {port,                  636},
     {log,                   true}
   ]
  }
].

Config Attempt 2

[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {dn_lookup_attribute,   "sAMAccountName"},
     {dn_lookup_base,        "DC=ourcompany,DC=co,DC=uk"},
     {user_dn_pattern,       "${username}@ourcompany.co.uk"},
     {other_bind,            anon},
     {use_ssl,               false},
     {port,                  636},
     {log,                   true}
   ]
  }
].

Config Attempt 3

[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {dn_lookup_attribute,   "userPrincipalName"},
     {dn_lookup_base,        "dc=ourcompany,dc=co,dc=uk"},
     {user_dn_pattern,       "${username}@ourcompany.co.uk"},
     {use_ssl,               false},
     {port,                  636},
     {log,                   true}
   ]
  }
].

Connection Code

I'm attempting to connect in a number of ways (all failing):

var connectionFactory = new ConnectionFactory
{
    HostName = "localhost",
    UserName = "twainm",
    Password = "fred123",
};

using (connectionFactory.CreateConnection())
{
    // fails with:
    // None of the specified endpoints were reachable
    // ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
}

The internal database fallback configuration is working, so guest is able to connect without issue.

Logs

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
accepting AMQP connection <0.1122.0> ([::1]:20117 -> [::1]:5672)

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP CHECK: login for Mark Twain

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP filling template "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk" with
            [{username,<<"Mark Twain">>}]

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP template result: "CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP CHECK: login for Mark Twain

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP filling template "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk" with
            [{username,<<"Mark Twain">>}]

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP template result: "CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
    LDAP bind error: CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk {gen_tcp_error,
                                                                                                    closed}

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP DECISION: login for Mark Twain: {error,{gen_tcp_error,closed}}

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
    LDAP bind error: CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk {gen_tcp_error,
                                                                                                    closed}

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP DECISION: login for Mark Twain: {error,{gen_tcp_error,closed}}

=ERROR REPORT==== 18-Feb-2015::10:38:16 ===
closing AMQP connection <0.1122.0> ([::1]:20117 -> [::1]:5672):
{handshake_error,starting,0,
                 {amqp_error,access_refused,
                             "PLAIN login refused: user 'Mark Twain' - invalid credentials",
                             'connection.start_ok'}}

I've had a good Google for "LDAP bind error", "handshake_error,starting,0" and "access_refused" but can't find anything that could point me in the right direction.

Any help would be appreciated.

Solution

  • Solved! I realised that the combination of use_ssl=false and port=636 was a bit stupid because 636 is the encrypted (i.e. SSL LDAP) port.

    Here's my LDAP configuration (now working). I hope this saves a few people a few hours:

    [
  {rabbit,
   [ {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {dn_lookup_attribute,   "sAMAccountName"},
     {dn_lookup_base,        "DC=ourcompany,DC=co,DC=uk"},
     {user_dn_pattern,       "${username}@ourcompany.co.uk"},
     {use_ssl,               true},
     {port,                  636},
     {log,                   true}
   ]
  }
].