Hello,
I am trying to get my login via active directory working.
I want to have full admin access to all users of ad-group "SW_Entwicklung". However, logging in with a user from that group seems to crash the ldap plugin at some point.
Here is the information:
rabbitmq-plugins list - ldap pluginadvanced.config-File for ldap:
[
{rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
{rabbitmq_auth_backend_ldap,
[ {servers, ["dc1.ids.net"]},
{dn_lookup_attribute, "sAMAccountName"},
{dn_lookup_base, "OU=User,OU=Kleinostheim,DC=ids,DC=net"},
{dn_lookup_bind, {"[email protected]","***"}},
{user_dn_pattern, "${username}"},
{other_bind, {"[email protected]","***"}},
{use_ssl, true},
{port, 636},
{log, network_unsafe},
{group_lookup_base, "OU=Gruppen,OU=Kleinostheim,DC=ids,DC=net"},
{vhost_access_query, {in_group, "(CN=SW_Entwicklung,OU=Gruppen,OU=Kleinostheim,DC=ids,DC=net)"}},
{resource_access_query,
{for, [{permission, configure, {constant, true}},
{permission, write,
{for, [{resource, queue, {constant, true}},
{resource, exchange, {constant, true}}]}},
{permission, read,
{for, [{resource, exchange, {constant, true}},
{resource, queue, {constant, true}}]}}
]
}},
{tag_queries, [{administrator, {in_group, "(CN=SW_Entwicklung,OU=Gruppen,OU=Kleinostheim,DC=ids,DC=net)"}},
{management, {constant, true}}]}
]
}
].
````
Log-File:
2018-10-17 15:34:21.411 [info] <0.5.0> Server startup complete; 4 plugins started.
Apparently, i have some misconfiguration, but i can't figure out, what's wrong...
Any help is really appriciated
regards
/D
Oh, and i found another snipped in the crash.log:
2018-10-17 15:34:24 =SUPERVISOR REPORT====
Supervisor: {local,ldap_pool_sup}
Context: child_terminated
Reason: {{case_clause,{ok,{referral,["ldaps://ids.net)/(CN=SW_Entwicklung,OU=Gruppen,OU=Kleinostheim,DC=ids,DC=net)"]}}},[{rabbit_auth_backend_ldap,object_exists,3,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,397}]},{rabbit_auth_backend_ldap,evaluate0,4,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,206}]},{rabbit_auth_backend_ldap,'-do_tag_queries/5-lc$^0/1-0-',6,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,708}]},{rabbit_auth_backend_ldap,do_tag_queries,5,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,706}]},{rabbit_auth_backend_ldap,call_ldap_fun,3,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,542}]},{rabbit_auth_backend_ldap,with_login,5,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,499}]},{rabbit_auth_backend_ldap,'-with_ldap/3-fun-14-',4,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,469}]},{rabbit_auth_backend_ldap,do_login,5,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,698}]}]}
Offender: [{pid,<0.376.0>},{id,1},{mfargs,{worker_pool_worker,start_link,[ldap_pool]}},{restart_type,transient},{shutdown,4294967295},{child_type,worker}]
2018-10-17 15:34:24 =ERROR REPORT====
Ranch listener rabbit_web_dispatch_sup_15672, connection process <0.709.0>, stream 1 had its request process <0.710.0> exit with reason {{{case_clause,{ok,{referral,["ldaps://ids.net)/(CN=SW_Entwicklung,OU=Gruppen,OU=Kleinostheim,DC=ids,DC=net)"]}}},[{rabbit_auth_backend_ldap,object_exists,3,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,397}]},{rabbit_auth_backend_ldap,evaluate0,4,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,206}]},{rabbit_auth_backend_ldap,'-do_tag_queries/5-lc$^0/1-0-',6,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,708}]},{rabbit_auth_backend_ldap,do_tag_queries,5,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,706}]},{rabbit_auth_backend_ldap,call_ldap_fun,3,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,542}]},{rabbit_auth_backend_ldap,with_login,5,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,499}]},{rabbit_auth_backend_ldap,'-with_ldap/3-fun-14-',4,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,469}]},{rabbit_auth_backend_ldap,do_login,5,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,698}]}]},{gen_server2,call,[<0.376.0>,{submit,#Fun<rabbit_auth_backend_ldap.18.129106872>,<0.710.0>,reuse},infinity]}} and stacktrace [{gen_server2,call,3,[{file,"src/gen_server2.erl"},{line,329}]},{rabbit_auth_backend_ldap,user_login_authentication,2,[{file,"src/rabbit_auth_backend_ldap.erl"},{line,80}]},{rabbit_access_control,try_authenticate,3,[{file,"src/rabbit_access_control.erl"},{line,90}]},{rabbit_access_control,'-check_user_login/2-fun-4-',4,[{file,"src/rabbit_access_control.erl"},{line,75}]},{lists,foldl,3,[{file,"lists.erl"},{line,1263}]},{rabbit_mgmt_util,is_authorized,6,[{file,"src/rabbit_mgmt_util.erl"},{line,191}]},{cowboy_rest,call,3,[{file,"src/cowboy_rest.erl"},{line,1182}]},{cowboy_rest,is_authorized,2,[{file,"src/cowboy_rest.erl"},{line,346}]}]
Hello, thanks for reporting this. Please see https://github.com/rabbitmq/rabbitmq-auth-backend-ldap/issues/97 as that is the repository where this issue will be tracked and fixed.
@Docjones - Your LDAP server is returning a referral to another server for that user (docs). We may be able to take these referrals into account in a future version of RabbitMQ, but for the time being you need to configure your LDAP server to not do this, or ensure the user being authenticated does not return a referral as the result of a simple bind.
@lukebakken - Thanks a lot for the swift answer - just a question: does that mean, the config is basically ok? I will go and reqest my AD admin to have a look at that.
I'm pretty sure your RabbitMQ configuration is OK, it's just what the server is returning. I recommend using a tool like ldapsearch (part of OpenLDAP) or ldp.exe (on Windows) to see what happens when you try to do the same search as what is done here:
search request = {'SearchRequest',"(CN=SW_Entwicklung,OU=Gruppen,OU=Kleinostheim,DC=ids,DC=net)",baseObject,derefAlways,0,0,false,{equalityMatch,{'AttributeValueAssertion',"member","CN=Marc Rink,OU=User,OU=Kleinostheim,DC=ids,DC=net"}},["objectClass"]}
The search is, basically, does the member attribute of this group:
(CN=SW_Entwicklung,OU=Gruppen,OU=Kleinostheim,DC=ids,DC=net)
contain the following DN:
CN=SW_Entwicklung,OU=Gruppen,OU=Kleinostheim,DC=ids,DC=net
The result of that search is returning the referral.