I'm trying to set up rabbitmq authorization against LDAP (Microsoft Active Directory) using the in_group or in_group_nested queries. However, since o
It should be possible even considering DN inconsistencies; the issue here seems to reside in the way usernames are translated into DNs during authentication.
Instead of relying on a dn pattern, try via an LDAP lookup.
The key is to set dn_lookup_bind to do the lookup before the user authentication. This way, the LDAP plugin will bind with these credentials first to do the lookup, then bind with the matching entry's DN to do the user login:

```
auth_ldap.dn_lookup_attribute = userPrincipalName # or sAMAccountName
auth_ldap.dn_lookup_base = dc=example,dc=com # restrict to user ou if any
auth_ldap.dn_lookup_bind = {managerDN, Password} # AD manager account
# auth_ldap.user_dn_pattern should be left unset to be sure the lookup actually searches
# for a match in dn_lookup_attribute and not for a built-up dn.
```
I mentioned credentials from an 'AD manager' but it could be any account with sufficient permissions to perform a search on the targeted user entries.
Given that configuration, when the plugin comes to the authorization process, it can properly handle the group membership lookup using the actual user dn.
Edit - Despite what the documentation states about auth_ldap.dn_lookup_bind:

> To do the lookup before binding, set auth_ldap.dn_lookup_bind to a tuple {UserDN, Password}.

it may be safer to explicitly set:

```
auth_ldap.dn_lookup_bind.user_dn = <UserDN>
auth_ldap.dn_lookup_bind.password = <Password>
# (OP was required to do so to make it work)
```
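As an added check (not part of the answer above or of RabbitMQ itself), the following script parses `rabbitmq.conf`-style `key = value` lines and flags the dn-lookup pitfalls the answer describes: `user_dn_pattern` left set next to `dn_lookup_attribute`, a missing `dn_lookup_base`, and a lookup with no explicit `dn_lookup_bind.user_dn`/`password`. The two config fragments, the hostname and the service account DN are constructed sample values.

```python
# Constructed rabbitmq.conf fragments; the hostname and DNs are sample values only.
BROKEN_CONF = """
auth_ldap.servers.1 = ad.example.com
auth_ldap.user_dn_pattern = cn=${username},ou=users,dc=example,dc=com
auth_ldap.dn_lookup_attribute = userPrincipalName
auth_ldap.dn_lookup_base = dc=example,dc=com
"""

FIXED_CONF = """
auth_ldap.servers.1 = ad.example.com
auth_ldap.dn_lookup_attribute = userPrincipalName
auth_ldap.dn_lookup_base = dc=example,dc=com
auth_ldap.dn_lookup_bind.user_dn = cn=rabbitmq-lookup,ou=service,dc=example,dc=com
auth_ldap.dn_lookup_bind.password = PLACEHOLDER_PASSWORD
"""


def parse_conf(text):
    """Parse 'key = value' lines into a dict.

    Lines starting with '#' and blank lines are skipped; inline comments are
    deliberately not stripped, since a bind password may legitimately contain '#'.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only (DNs contain '=')
        conf[key.strip()] = value.strip()
    return conf


def check_dn_lookup(conf):
    """Return a list of findings about the dn-lookup settings; empty means no issue found."""
    findings = []
    if "auth_ldap.dn_lookup_attribute" not in conf:
        # Without a lookup attribute the plugin never searches; DNs come from user_dn_pattern.
        return ["dn_lookup_attribute unset: no LDAP lookup is performed"]
    if "auth_ldap.user_dn_pattern" in conf:
        findings.append("user_dn_pattern is set: unset it so the lookup searches by attribute")
    if "auth_ldap.dn_lookup_base" not in conf:
        findings.append("dn_lookup_base unset: the lookup has no search base")
    has_bind = ("auth_ldap.dn_lookup_bind.user_dn" in conf
                and "auth_ldap.dn_lookup_bind.password" in conf)
    if not has_bind:
        findings.append("dn_lookup_bind.user_dn/password unset: no explicit lookup bind account")
    return findings
```

Running `check_dn_lookup(parse_conf(BROKEN_CONF))` reports the stray `user_dn_pattern` and the missing bind account, while the fixed fragment produces no findings.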