I have managed to configure RabbitMQ with LDAP and authenticate with it, if it is for an individual AD account. I am using the following configuration:
RabbitMQ Config file:
auth_backends,[{rabbit_auth_backend_ldap, rabbit_auth_backend_internal},rabbit_auth_backend_internal]
In RabbitMQ management, I manually created a username with no password set (it works). But let's say I have an AD group (called "Rabbit User Group") that has 3 users inside (User1, User2, User3).
The location of the "Rabbit User Group" is in:
sample.companyname.com > City Name (OU) > Groups (OU) > IT Groups (OU) > "Rabbit User Group" (Security Group)
How should I configure it in RabbitMQ management and in the config file so that, once I update that group, all members of the group will be able to authenticate and have the same permissions (e.g. only this group has admin rights) in RabbitMQ?
I want to avoid having to manually create each individual user in RabbitMQ management for authentication.
I added the following to my RabbitMQ config file:
{
  tag_queries, [
    {administrator, {in_group, 'CN="Rabbit User Group",OU="City Name", OU=Groups, OU="IT Group",DC=sample,DC=companyname,DC=com', "uniqueMember"}},
    {management, {constant, true}}
  ]
}
and tried creating a username called "Rabbit User Group" in RabbitMQ management without a password. But when I try to log in as "User1", I am unable to log in.
This is my overall config file:
[
  {
    rabbit,
    [
      {
        auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}, rabbit_auth_backend_internal]
      }
    ]
  },
  {
    rabbitmq_auth_backend_ldap,
    [
      {servers, ["sample.companyname.com", "192.168.63.123"]},
      {dn_lookup_attribute, "userPrincipalName"},
      {dn_lookup_base, "DC=AS,DC=companyname,DC=com"},
      {user_dn_pattern, "${username}@as.companyname.com"},
      {use_ssl, false},
      {port, 636},
      {log, true},
      {
        tag_queries, [
          {administrator, {in_group, 'CN="Rabbit User Group",OU="City Name", OU=Groups, OU="IT Group",DC=sample,DC=companyname,DC=com', "uniqueMember"}},
          {management, {constant, true}}
        ]
      }
    ] %% rabbitmq_auth_backend_ldap
  }
].
You need to set "dn_lookup_attribute" to distinguishedName (DN) instead of userPrincipalName / sAMAccountName, so that the user's DN is used for the member check in in_group, as shown below:
{dn_lookup_attribute, "distinguishedName"},
{user_dn_pattern, "CN=${username},OU=Users,DC=sample,DC=companyname,DC=com"},
Instead of:
{dn_lookup_attribute, "userPrincipalName"},
{user_dn_pattern, "${username}@as.companyname.com"},
Microsoft Active Directory and OpenLDAP are different LDAP flavours and use different attributes for a group's member list: in an Active Directory group it is called "member", while in an OpenLDAP group it is "uniqueMember".
Overall config file:
[
  {
    rabbit,
    [
      {
        auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]
      }
    ]
  },
  {
    rabbitmq_auth_backend_ldap,
    [
      {servers, ["sample.companyname.com", "192.168.63.123"]},
      %% Look the user up by DN so the DN (not the UPN) is what in_group compares against "member"
      {dn_lookup_attribute, "distinguishedName"},
      {dn_lookup_base, "DC=AS,DC=companyname,DC=com"},
      {user_dn_pattern, "CN=${username},OU=Users,DC=sample,DC=companyname,DC=com"},
      %% 636 is the LDAPS port; with use_ssl false the bind (and the user's password) goes over the wire in cleartext
      {use_ssl, false},
      {port, 636},
      {log, true},
      {
        tag_queries, [
          %% Group DN is a plain string (no quotes around values); AD groups list members in "member"
          {administrator, {in_group, "CN=Rabbit User Group,OU=City Name, OU=Groups, OU=IT Group,DC=sample,DC=companyname,DC=com", "member"}},
          {management, {constant, true}}
        ]
      }
    ] %% rabbitmq_auth_backend_ldap
  }
].
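The following is an added Python model (not the plugin's code and not part of the question or answer) of the two things the answer changes: how the LDAP backend turns a login name into a DN via user_dn_pattern plus dn_lookup_attribute/dn_lookup_base, and how an {in_group, GroupDN, Attribute} tag query is evaluated against that DN. It runs against a constructed in-memory directory with the three users and the "Rabbit User Group" entry from the question, and shows why the original settings grant no administrator tag (a group DN written with quoted values and the OpenLDAP uniqueMember attribute) while the answer's settings do. Assumptions: one consistent domain suffix (DC=sample,DC=companyname,DC=com) for base and users, an extra non-member user "Contractor1", the OU spelled "IT Groups" as in the question's OU listing (the posted configs say "IT Group"; the last check shows a one-character DN mismatch silently yields no tag, so verify the group's exact DN with ldapsearch), and that a DN lookup returning anything other than one entry falls back to the bind name.

```python
"""Model of how rabbitmq_auth_backend_ldap resolves a user's DN and evaluates
{in_group, GroupDN, Attribute} tag queries, against a constructed in-memory
directory.  Added illustration, not the plugin's code."""
import re

# Constructed sample directory (DN -> attributes) mirroring the question's AD:
# users in OU=Users and an AD security group whose membership lives in the
# `member` attribute (OpenLDAP's groupOfUniqueNames would use `uniqueMember`).
BASE = "DC=sample,DC=companyname,DC=com"
GROUP_DN = f"CN=Rabbit User Group,OU=City Name,OU=Groups,OU=IT Groups,{BASE}"
USER_DNS = {u: f"CN={u},OU=Users,{BASE}"
            for u in ("User1", "User2", "User3", "Contractor1")}

DIRECTORY = {
    **{dn: {"distinguishedName": dn,
            "sAMAccountName": u,
            "userPrincipalName": f"{u}@as.companyname.com"}
       for u, dn in USER_DNS.items()},
    GROUP_DN: {"objectClass": "group",
               "member": [USER_DNS["User1"], USER_DNS["User2"], USER_DNS["User3"]]},
}


def normalize_dn(dn):
    """Canonical form for comparing DNs: split on unescaped commas, trim the
    whitespace RFC 4514 permits around separators, and lower-case attribute
    type and value (AD matches DNs case-insensitively).  RFC 4514 has no
    quoted-value form (special characters are backslash-escaped), so in this
    model a value written as "Rabbit User Group" keeps its quotes and does not
    match the real entry.  (In the Erlang config, single quotes around the whole
    DN also make it an atom rather than a string.)"""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def find_entry(dn):
    """Base-scope lookup of a single entry by DN; None if it does not exist."""
    target = normalize_dn(dn)
    for entry_dn, attrs in DIRECTORY.items():
        if normalize_dn(entry_dn) == target:
            return attrs
    return None


def resolve_user_dn(cfg, username):
    """Step 1 of login: fill user_dn_pattern to get the bind name.  Step 2 (only
    when dn_lookup_attribute is set): search dn_lookup_base for the entry whose
    attribute equals the bind name and use *its* DN for later queries.
    Assumption: anything other than exactly one hit falls back to the bind name
    (the plugin logs a warning; {log, true} makes it visible)."""
    bind_name = cfg["user_dn_pattern"].replace("${username}", username)
    attr = cfg.get("dn_lookup_attribute")
    if attr is None:
        return bind_name
    base = normalize_dn(cfg["dn_lookup_base"])
    hits = []
    for entry_dn, attrs in DIRECTORY.items():
        if normalize_dn(entry_dn)[-len(base):] != base:
            continue                       # entry is outside the search base
        value = attrs.get(attr)
        if value is None:
            continue
        if attr == "distinguishedName":
            matched = normalize_dn(value) == normalize_dn(bind_name)
        else:
            matched = value.lower() == bind_name.lower()
        if matched:
            hits.append(entry_dn)
    return hits[0] if len(hits) == 1 else bind_name


def in_group(group_dn, user_dn, attribute="member"):
    """{in_group, GroupDN, Attribute}: base-scope search of GroupDN with the
    filter (Attribute=UserDN).  False when the group DN does not exist or the
    attribute is absent, e.g. uniqueMember on an AD group."""
    group = find_entry(group_dn)
    if group is None:
        return False
    wanted = normalize_dn(user_dn)
    return any(normalize_dn(m) == wanted for m in group.get(attribute, []))


def tags_for(cfg, username):
    """Evaluate tag_queries for a user and return the set of tags granted."""
    user_dn = resolve_user_dn(cfg, username)
    granted = set()
    for tag, query in cfg["tag_queries"]:
        if query[0] == "constant" and query[1]:
            granted.add(tag)
        elif query[0] == "in_group" and in_group(query[1], user_dn, query[2]):
            granted.add(tag)
    return granted


# The question's settings: UPN bind name, quoted group DN, OpenLDAP attribute.
QUESTION_CFG = {
    "dn_lookup_attribute": "userPrincipalName",
    "dn_lookup_base": BASE,
    "user_dn_pattern": "${username}@as.companyname.com",
    "tag_queries": [
        ("administrator", ("in_group",
            'CN="Rabbit User Group",OU="City Name", OU=Groups, OU="IT Groups",' + BASE,
            "uniqueMember")),
        ("management", ("constant", True)),
    ],
}

# The answer's settings, with the group DN spelled as the OU listing has it.
ANSWER_CFG = {
    "dn_lookup_attribute": "distinguishedName",
    "dn_lookup_base": BASE,
    "user_dn_pattern": "CN=${username},OU=Users," + BASE,
    "tag_queries": [
        ("administrator", ("in_group", GROUP_DN, "member")),
        ("management", ("constant", True)),
    ],
}

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CFG), ("answer", ANSWER_CFG)):
        for user in ("User1", "Contractor1"):
            print(f"{name:>8} config, {user}: {sorted(tags_for(cfg, user))}")
    # A one-character DN difference ("IT Group" vs "IT Groups") silently grants nothing.
    print(in_group(GROUP_DN.replace("IT Groups", "IT Group"), USER_DNS["User1"]))
```

Note that with the UPN lookup the user's real DN is still found in this model; it is the quoted group DN and the uniqueMember attribute that make in_group return false. The safest way to confirm the production values is an ldapsearch for the group entry and for the user's distinguishedName before editing tag_queries.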