RabbitMQ LDAP authentication failing

Question

I'm going through the process of setting up RabbitMQ with LDAP authorization but am not having much luck... Could someone in the know, please take a look and tell me what I'm doing wrong? I'm able to query LDAP to get the user object with the following code:

var entry = new DirectoryEntry("LDAP://ourldapbox.ourcompany.co.uk:636/CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk");

Config Attempt 1

[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {user_dn_pattern,       "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"},
     {use_ssl,               false},
     {port,                  636},
     {log,                   true}
   ]
  }
].

Config Attempt 2

[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {dn_lookup_attribute,   "sAMAccountName"},
     {dn_lookup_base,        "DC=ourcompany,DC=co,DC=uk"},
     {user_dn_pattern,       "${username}@ourcompany.co.uk"},
     {other_bind,            anon},
     {use_ssl,               false},
     {port,                  636},
     {log,                   true}
   ]
  }
].

Config Attempt 3

[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {dn_lookup_attribute,   "userPrincipalName"},
     {dn_lookup_base,        "dc=ourcompany,dc=co,dc=uk"},
     {user_dn_pattern,       "${username}@ourcompany.co.uk"},
     {use_ssl,               false},
     {port,                  636},
     {log,                   true}
   ]
  }
].

Connection Code

I'm attempting to connect in a number of ways (all failing):

var connectionFactory = new ConnectionFactory
{
    HostName = "localhost",
    UserName = "twainm",
    Password = "fred123",
};

using (connectionFactory.CreateConnection())
{
    // fails with:
    // None of the specified endpoints were reachable
    // ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
}

The internal database fallback configuration is working, so guest is able to connect without issue.

Logs

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
accepting AMQP connection <0.1122.0> ([::1]:20117 -> [::1]:5672)

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP CHECK: login for Mark Twain

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP filling template "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk" with
            [{username,<<"Mark Twain">>}]

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP template result: "CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP CHECK: login for Mark Twain

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP filling template "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk" with
            [{username,<<"Mark Twain">>}]

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
        LDAP template result: "CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
    LDAP bind error: CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk {gen_tcp_error,
                                                                                                    closed}

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP DECISION: login for Mark Twain: {error,{gen_tcp_error,closed}}

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
    LDAP bind error: CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk {gen_tcp_error,
                                                                                                    closed}

=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP DECISION: login for Mark Twain: {error,{gen_tcp_error,closed}}

=ERROR REPORT==== 18-Feb-2015::10:38:16 ===
closing AMQP connection <0.1122.0> ([::1]:20117 -> [::1]:5672):
{handshake_error,starting,0,
                 {amqp_error,access_refused,
                             "PLAIN login refused: user 'Mark Twain' - invalid credentials",
                             'connection.start_ok'}}

I've had a good Google for "LDAP bind error", "handshake_error,starting,0" and "access_refused" but can't find anything that could point me in the right direction.

Any help would be appreciated.

Rob · Accepted Answer · 2015-02-23T10:20:11.333

9

Solved! I realised that the combination of use_ssl=false and port=636 was a bit stupid because 636 is the encrypted (i.e. SSL LDAP) port.

Here's my LDAP configuration (now working). I hope this saves a few people a few hours:

[
  {rabbit,
   [ {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
   [ {servers,               ["ourldapbox.ourcompany.co.uk"]},
     {dn_lookup_attribute,   "sAMAccountName"},
     {dn_lookup_base,        "DC=ourcompany,DC=co,DC=uk"},
     {user_dn_pattern,       "${username}@ourcompany.co.uk"},
     {use_ssl,               true},
     {port,                  636},
     {log,                   true}
   ]
  }
].

edited Feb 23 '15 at 10:20

answered Feb 23 '15 at 10:06

Rob

981
12
27

I'm not sure that the `user_dn_pattern` combined with the `dn_lookup_base` is a preferred pattern... the docs are rather complicated but they seem to specify using one or the other? any hints as to why you did it this way? – Chaim Eliyah Dec 03 '15 at 00:26
1

I can't remember why I did it this way to be honest... I definitely tried both separate from one another but it only seemed to work when both were in place. As I couldn't find a way of providing SSO AD authentication for direct connections (not via the management console) I ended up removing LDAP authentication anyway. – Rob Dec 08 '15 at 14:21
Thanks. Yeah it is not heavy on the AD friendly side. – Chaim Eliyah Dec 10 '15 at 07:24
In my situation, both dn_lookup_base and user_dn_pattern are required to get the authentication I wanted... In my case I'm using dn_lookup_attribute "userPrincipalName" instead of "sAMAccountName" coupled with user_dn_pattern "${username}@mycompany.com". Having both helped simplify logins from the full email address format down to just the username part of the email address. – Andy Sep 24 '16 at 22:18

score 1 · Answer 2 · answered Jun 04 '21 at 18:39

I had a similar problem, except I was using the rabbitmq.conf instead of the advanced.config format. Here is an alternate solution if anyone is having this issue and using the other config format:

auth_backends.1 = ldap    
auth_ldap.servers.1  = ourldapbox.ourcompany.co.uk
auth_ldap.dn_lookup_attribute = sAMAccountName
auth_ldap.dn_lookup_base = DC=ourcompany,DC=co,DC=uk
auth_ldap.user_dn_pattern = ${username}@ourcompany.co.uk
auth_ldap.use_ssl    = true
auth_ldap.port       = 636
auth_ldap.log        = true
auth_backends.2   = rabbit_auth_backend_internal

RabbitMQ LDAP authentication failing

2 Answers2