我是 RabbitMQ 的新手。我将其安装在 Windows 10 Enterprise 上用于开发目的。我们正在运行 Active Directory。尝试为管理插件设置 LDAP,以便任何具有正确密码的用户都可以以管理员身份登录。
我的最新配置:
[
{
rabbit,
[
{
auth_backends, [
{rabbit_auth_backend_ldap, rabbit_auth_backend_internal},
rabbit_auth_backend_internal
]
}
]
},
{
rabbitmq_auth_backend_ldap,
[
{
servers, [
"WLNC0DS23N.na.mycompany.com","WBRD0DS21N.na.mycompany.com"
]
},
{
dn_lookup_attribute, "userPrincipalName"
},
{
dn_lookup_base, "DC=na,DC=mycompany,DC=com"
},
{
user_dn_pattern, "${username}@mycompany.com"
},
{
use_ssl, false
},
{
port, 389
},
{
log, true
},
{
vhost_access_query, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
},
{
resource_access_query, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
},
{
topic_access_query, {in_group_nested, "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
},
{
tag_queries, [
{
administrator, {in_group_nested,"CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
}
]
}
]
}
].
不幸的是,虽然 LDAP 似乎检查我没问题,但我无法登录并在日志中收到此错误:
2019-05-28 16:04:14.662 [info] <0.678.0> LDAP CHECK: login for perryda
2019-05-28 16:04:14.663 [info] <0.678.0> LDAP filling template "${username}@mycompany.com" with
[{username,<<"perryda">>}]
2019-05-28 16:04:14.663 [info] <0.678.0> LDAP template result: "[email protected]"
2019-05-28 16:04:14.750 [info] <0.317.0> LDAP bind succeeded: xxxx
2019-05-28 16:04:14.750 [info] <0.317.0> LDAP filling template "${username}@mycompany.com" with
[{username,<<"perryda">>}]
2019-05-28 16:04:14.751 [info] <0.317.0> LDAP template result: "[email protected]"
2019-05-28 16:04:14.753 [info] <0.317.0> LDAP DN lookup: perryda -> CN=Perry\, David,OU=Users,OU=WLNC-Wilmington,OU=OC,OU=IT-SD,DC=na,DC=mycompany,DC=com
2019-05-28 16:04:14.753 [info] <0.317.0> LDAP CHECK: does perryda have tag administrator?
2019-05-28 16:04:14.753 [info] <0.317.0> LDAP evaluating query: {in_group_nested,"CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member"}
2019-05-28 16:04:14.753 [info] <0.317.0> LDAP evaluating query: {in_group_nested,"CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com","member",subtree}
2019-05-28 16:04:14.754 [info] <0.317.0> LDAP filling template "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com" with
[{username,<<"perryda">>},{user_dn,"CN=Perry\\, David,OU=Users,OU=WLNC-Wilmington,OU=OC,OU=IT-SD,DC=na,DC=mycompany,DC=com"}]
2019-05-28 16:04:14.754 [info] <0.317.0> LDAP template result: "CN=NA_WHS,OU=GroupsAndContacts,OU=Exchange,DC=na,DC=mycompany,DC=com"
2019-05-28 16:04:14.759 [info] <0.317.0> LDAP DECISION: does perryda have tag administrator? true
2019-05-28 16:04:14.759 [info] <0.678.0> LDAP DECISION: login for perryda: ok
2019-05-28 16:04:14.759 [warning] <0.678.0> HTTP access denied: user 'perryda' - invalid credentials
有人知道问题是什么以及如何解决吗?
此答案由 Daniil Fedotov 在 RabbitMQ Google Group 中发布。效果很好!
嗨,
您的auth后端配置行“{rabbit_auth_backend_ldap,rabbit_auth_backend_internal}”表示LDAP后端仅用于身份验证(检查用户是否存在),但不用于授权(检查用户是否有权访问资源),并且使用内部后端用于授权。 这意味着您应该为内部用户配置权限和标签。 如果您希望通过 LDAP 进行授权,您应该将此元组:“{rabbit_auth_backend_ldap,rabbit_auth_backend_internal}”替换为:“rabbit_auth_backend_ldap”。 或者在内部数据库中创建用户权限,但我想这不是您想要实现的目标。
可能为时已晚,但就我而言,我已经通过 LDAP 身份验证+授权+回退到内部数据库解决了我的问题:
{rabbit,
[
.......
{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]},
.......
]}
尝试将其设置为属于特定 AD 组的 AD 用户 当他们访问管理插件时立即登录 来自 IE 或 Edge。
管理UI不支持此功能。您必须提供用户名和密码才能使用 AD 凭据登录。