
I currently have the ldap plugin working in Rabbit where it will log in any user in my domain. Which is the problem, it's doing it for EVERY user.

I want to be able to restrict rabbitmq management portal access to 1 or 2 specific groups in AD. And even further, I want only these two groups to then have full control inside the Rabbit Portal (create exchanges / vhosts / queues / whatever.) Below I'm just trying to do this with 1 group. How can I get this to do it with 2 groups? Do I add another {resource_access_query,} block for the second one?

Here is my current config:

    [
     {rabbit, [{auth_backends, [rabbit_auth_backend_ldap]}]},
     {rabbitmq_auth_backend_ldap,
      [ {servers,               ["dc.domain.com"]},
        {dn_lookup_attribute,   "sAMAccountName"},
        {dn_lookup_base,        "CN=Prod_Group,OU=ProductGroups,OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com"},
        {user_dn_pattern,       "${username}@domain.com"},
        {use_ssl,               false},
        {port,                  389},
        {log,                   true},
        {resource_access_query,
         {for, [{permission, configure, {in_group, "CN=Prod_Group,OU=ProductGroups,OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com"}},
                {permission, write,
                 {for, [{resource, queue,    {in_group, "CN=Prod_Group,OU=ProductGroups,OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com"}},
                        {resource, exchange, {constant, true}}]}},
                {permission, read,
                 {for, [{resource, exchange, {in_group, "CN=Prod_Group,OU=ProductGroups,OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com"}},
                        {resource, queue,    {constant, true}}]}}
               ]}},
        {tag_queries,           [{administrator, {constant, true}},
                                 {management,    {constant, true}}]}
      ]
     }
    ].

Even with this, it's still logging in anyone at the base dn of DC=hq,DC=domain,DC=com ... it's like it doesn't see the DN path I'm supplying. Any ideas? Thanks!

denux

1 Answer

As far as I can remember, you need to use nested groups for it to see your OUs.

In Nested Group Query

    {in_group_nested, Pattern}
    {in_group_nested, Pattern, AttributeName}
    {in_group_nested, Pattern, AttributeName, Scope}

Similar to the in_group query, but also traverses the group hierarchy, e.g. if the logged-in user is a member of a group which is itself a member of another group. Membership is checked against the member attribute or any named attribute. Groups are searched in the DN defined by the group_lookup_base configuration key, or the dn_lookup_base variable if the former is none. If both lookup base variables are set to none, the query will always return false. Search scope can be set to either subtree or single_level.

subtree searches all objects contained under the lookup base; single_level searches only for groups directly contained within the lookup base. The default value for scope is subtree. The query uses an in-depth search upward from the user to the target group, and the search process will detect and skip cyclic paths. This query can be time- and memory-consuming if users are members of many groups which are in turn members of many groups. Use this query when groups form a membership hierarchy. It is still recommended to use the plain {in_group, ...} query when possible: nested groups can be challenging to reason about.

Example:

    [ {group_lookup_base, "ou=groups,dc=example,dc=com"},
      {vhost_access_query, {in_group_nested, "cn=${vhost}-groups,ou=groups,dc=example,dc=com", "member", single_level}}]

This grants access to virtual hosts when the user is a member of the group hierarchy defined by the member attribute values and located in the ou=groups,dc=example,dc=com directory.
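As an added example (not part of the question, the answer, or RabbitMQ's own documentation), the following config applies the in_group_nested query to the asker's two-group requirement. It combines the two group checks with the plugin's `{'or', [...]}` boolean query and uses the same combined query for virtual host access, resource access and the administrator/management tags, so that anyone outside the two groups binds successfully but receives no tags and no vhost access, and therefore cannot use the management portal. The first group DN is the Prod_Group DN from the question; the second group DN is a placeholder to replace. It also assumes dn_lookup_base is the domain root rather than a group CN, so that ${user_dn} resolves to the user's full DN, which is the value AD stores in a group's member attribute.

```erlang
%% Added example config (not the asker's or answerer's config).
%% Assumptions: second group DN is a placeholder; dn_lookup_base is the
%% domain root so ${user_dn} resolves to the user's full DN.
[
 {rabbit, [{auth_backends, [rabbit_auth_backend_ldap]}]},
 {rabbitmq_auth_backend_ldap,
  [ {servers,              ["dc.domain.com"]},
    {port,                 389},
    {use_ssl,              false},
    {log,                  true},

    %% Bind as the user with the UPN form, then resolve the user's full DN
    %% by sAMAccountName under the domain root (needed for group membership
    %% checks, because AD's "member" attribute holds full DNs).
    {user_dn_pattern,      "${username}@domain.com"},
    {dn_lookup_attribute,  "sAMAccountName"},
    {dn_lookup_base,       "DC=hq,DC=domain,DC=com"},

    %% OU under which in_group_nested searches for groups.
    {group_lookup_base,    "OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com"},

    %% Member of either group (including via nested groups) gets vhost access.
    {vhost_access_query,
     {'or', [{in_group_nested, "CN=Prod_Group,OU=ProductGroups,OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com", "member", subtree},
             {in_group_nested, "CN=SECOND_GROUP_PLACEHOLDER,OU=ProductGroups,OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com", "member", subtree}]}},

    %% Same two groups get configure/write/read on every resource in the vhost.
    {resource_access_query,
     {'or', [{in_group_nested, "CN=Prod_Group,OU=ProductGroups,OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com", "member", subtree},
             {in_group_nested, "CN=SECOND_GROUP_PLACEHOLDER,OU=ProductGroups,OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com", "member", subtree}]}},

    %% Tags are what the management portal checks at login. Tying them to the
    %% groups, instead of {constant, true}, is what stops every domain user
    %% from getting in as an administrator.
    {tag_queries,
     [{administrator,
       {'or', [{in_group_nested, "CN=Prod_Group,OU=ProductGroups,OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com", "member", subtree},
               {in_group_nested, "CN=SECOND_GROUP_PLACEHOLDER,OU=ProductGroups,OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com", "member", subtree}]}},
      {management,
       {'or', [{in_group_nested, "CN=Prod_Group,OU=ProductGroups,OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com", "member", subtree},
               {in_group_nested, "CN=SECOND_GROUP_PLACEHOLDER,OU=ProductGroups,OU=Security Groups,OU=Production,OU=domain,DC=hq,DC=domain,DC=com", "member", subtree}]}}]}
  ]}
].
```

With `log` set to true, the plugin writes each query it evaluates and its result to the RabbitMQ log, so a login attempt by a user outside both groups should show the `'or'` query evaluating to false for the tags and for vhost access; that is the check to run before trusting the restriction. Since the same group list is repeated four times, keeping it in one place (for instance generating the config from a template) reduces the chance that one of the four copies drifts when a group DN changes.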