active-directory - RabbitMQ LDAP configuration fails at group search
Problem description
I am trying to set up my RabbitMQ LDAP provider configuration so that I can authenticate my users and then associate them with the correct user management tags.
Currently, rabbitmq seems to be able to authenticate me against AD, but it cannot verify which AD groups I am in.
Configuration:
,{rabbitmq_auth_backend_ldap, [
{servers, ["myDC.myDomain.com"]}
,{dn_lookup_bind, {"cn=MyServiceAccount,dc=serviceAccounts,dc=myDomain,dc=com", "Service@ccountPa$$word"}}
,{dn_lookup_attribute, "userPrincipalName"}
,{dn_lookup_base, "DC=myDomain,DC=com"}
,{group_lookup_base, "ou=myLocation,ou=Groups,dc=myDomain,dc=com"}
,{log, true}
,{vhost_access_query, {constant, true}}
,{topic_access_query, {constant, true}}
,{resource_access_query, {constant, true}}
,{tag_queries, [
{ administrator, { in_group, "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com" } },
{ management, { in_group, "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com" } }
]}
]}
Below you can see that it finds me and then fails to resolve my groups.
Some things worth noting:
- In the log line that shows my DN (line 9), it shows an empty array.
- This only seems to work when my username is in the form myDomain\myUserName
2020-01-15 19:22:17.582 [info] <0.2143.0> LDAP CHECK: login for myDomain\myUserName
2020-01-15 19:22:17.582 [info] <0.2143.0> LDAP filling template "${username}" with
[{username,<<"myDomain\\myUserName">>},{ad_domain,<<"myDomain">>},{ad_user,<<"myUserName">>}]
2020-01-15 19:22:17.582 [info] <0.2143.0> LDAP template result: "myDomain\myUserName"
2020-01-15 19:22:17.589 [info] <0.367.0> LDAP bind succeeded: xxxx
2020-01-15 19:22:17.589 [info] <0.367.0> LDAP filling template "${username}" with
[{username,<<"myDomain\\myUserName">>},{ad_domain,<<"myDomain">>},{ad_user,<<"myUserName">>}]
2020-01-15 19:22:17.589 [info] <0.367.0> LDAP template result: "myDomain\myUserName"
2020-01-15 19:22:17.591 [warning] <0.367.0> Searching for DN for myDomain\myUserName, got back []
2020-01-15 19:22:17.594 [info] <0.367.0> LDAP bind succeeded: CN=xxxx,OU=xxxx,DC=xxxx,DC=xxxx
2020-01-15 19:22:17.594 [info] <0.367.0> LDAP CHECK: does myDomain\myUserName have tag administrator?
2020-01-15 19:22:17.594 [info] <0.367.0> LDAP evaluating query: {in_group,"CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com"}
2020-01-15 19:22:17.594 [info] <0.367.0> LDAP evaluating query: {in_group,"CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com","member"}
2020-01-15 19:22:17.594 [info] <0.367.0> LDAP filling template "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com" with
[{username,<<"myDomain\\myUserName">>},{user_dn,"myDomain\\myUserName"},{ad_domain,<<"myDomain">>},{ad_user,<<"myUserName">>}]
2020-01-15 19:22:17.594 [info] <0.367.0> LDAP template result: "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com"
2020-01-15 19:22:17.596 [info] <0.367.0> LDAP evaluated in_group for "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com": false
2020-01-15 19:22:17.596 [info] <0.367.0> LDAP DECISION: does myDomain\myUserName have tag administrator? false
2020-01-15 19:22:17.596 [info] <0.367.0> LDAP CHECK: does myDomain\myUserName have tag management?
2020-01-15 19:22:17.596 [info] <0.367.0> LDAP evaluating query: {in_group,"CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com"}
2020-01-15 19:22:17.596 [info] <0.367.0> LDAP evaluating query: {in_group,"CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com","member"}
2020-01-15 19:22:17.596 [info] <0.367.0> LDAP filling template "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com" with
[{username,<<"myDomain\\myUserName">>},{user_dn,"myDomain\\myUserName"},{ad_domain,<<"myDomain">>},{ad_user,<<"myUserName">>}]
2020-01-15 19:22:17.596 [info] <0.367.0> LDAP template result: "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com"
2020-01-15 19:22:17.597 [info] <0.367.0> LDAP evaluated in_group for "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com": false
2020-01-15 19:22:17.598 [info] <0.367.0> LDAP DECISION: does myDomain\myUserName have tag management? false
2020-01-15 19:22:17.598 [info] <0.2143.0> LDAP DECISION: login for myDomain\myUserName: ok
2020-01-15 19:22:17.598 [warning] <0.2143.0> HTTP access denied: user 'myDomain\myUserName' - Not management user
In another post I read that they got theirs working by setting user_dn_pattern and changing dn_lookup_attribute to "distinguishedName". This seems to work for me, but unfortunately my company's DNs are not standardized, so if I do it this way I can only get a small subset of users working.
Configuration:
,{rabbitmq_auth_backend_ldap, [
{servers, ["myDC.myDomain.com"]}
,{dn_lookup_bind, {"CN=myServiceAccount,OU=Services,DC=myDomain,DC=com", "Service@ccountPa$$word"}}
,{dn_lookup_attribute, "distinguishedName"}
,{user_dn_pattern, "CN=${username},OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com"}
,{dn_lookup_base, "DC=myDomain,DC=com"}
,{group_lookup_base, "ou=myLocation,ou=Groups,dc=myDomain,dc=com"}
,{log, true}
,{vhost_access_query, {constant, true}}
,{topic_access_query, {constant, true}}
,{resource_access_query, {constant, true}}
,{tag_queries, [
{ administrator, { in_group, "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com" } },
{ management, { in_group, "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com" } }
]}
]}
In the log you can see that it finds me and then associates me with the correct groups, but it does not work for users whose DN does not exactly match mine.
Some things worth noting:
- I did not have to specify my domain in this configuration
My DN: CN=myUserName,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com
2020-01-15 21:19:15.795 [info] <0.3040.0> LDAP CHECK: login for myUserName
2020-01-15 21:19:15.804 [info] <0.367.0> LDAP bind succeeded: CN=xxxx,OU=xxxx,DC=xxxx,DC=xxxx
2020-01-15 21:19:15.804 [info] <0.367.0> LDAP filling template "CN=${username},OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com" with
[{username,<<"myUserName">>}]
2020-01-15 21:19:15.804 [info] <0.367.0> LDAP template result: "CN=myUserName,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com"
2020-01-15 21:19:15.812 [info] <0.367.0> LDAP DN lookup: myUserName -> CN=myUserName,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com
2020-01-15 21:19:15.825 [info] <0.367.0> LDAP bind succeeded: CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=xxxx
2020-01-15 21:19:15.825 [info] <0.367.0> LDAP CHECK: does myUserName have tag administrator?
2020-01-15 21:19:15.825 [info] <0.367.0> LDAP evaluating query: {in_group,"CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com"}
2020-01-15 21:19:15.825 [info] <0.367.0> LDAP evaluating query: {in_group,"CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com","member"}
2020-01-15 21:19:15.825 [info] <0.367.0> LDAP filling template "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com" with
[{username,<<"myUserName">>},{user_dn,"CN=myUserName,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com"}]
2020-01-15 21:19:15.825 [info] <0.367.0> LDAP template result: "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com"
2020-01-15 21:19:15.833 [info] <0.367.0> LDAP evaluated in_group for "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com": true
2020-01-15 21:19:15.834 [info] <0.367.0> LDAP DECISION: does myUserName have tag administrator? true
2020-01-15 21:19:15.834 [info] <0.367.0> LDAP CHECK: does myUserName have tag management?
2020-01-15 21:19:15.834 [info] <0.367.0> LDAP evaluating query: {in_group,"CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com"}
2020-01-15 21:19:15.834 [info] <0.367.0> LDAP evaluating query: {in_group,"CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com","member"}
2020-01-15 21:19:15.834 [info] <0.367.0> LDAP filling template "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com" with
[{username,<<"myUserName">>},{user_dn,"CN=myUserName,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com"}]
2020-01-15 21:19:15.834 [info] <0.367.0> LDAP template result: "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com"
2020-01-15 21:19:15.842 [info] <0.367.0> LDAP evaluated in_group for "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com": true
2020-01-15 21:19:15.843 [info] <0.367.0> LDAP DECISION: does myUserName have tag management? true
This is what the log looks like when one of my peers (from a different OU) logs in
My peer's DN: CN=myPeer,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com
2020-01-15 21:23:30.760 [info] <0.3394.0> LDAP CHECK: login for myPeer
2020-01-15 21:23:30.764 [info] <0.367.0> LDAP bind succeeded: CN=xxxx,OU=xxxx,DC=xxxx,DC=xxxx
2020-01-15 21:23:30.765 [info] <0.367.0> LDAP filling template "CN=${username},OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com" with
[{username,<<"myPeer">>}]
2020-01-15 21:23:30.765 [info] <0.367.0> LDAP template result: "CN=myPeer,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com"
2020-01-15 21:23:30.766 [warning] <0.367.0> Searching for DN for CN=myPeer,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com, got back []
2020-01-15 21:23:30.768 [info] <0.367.0> LDAP bind returned "invalid credentials": CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=xxxx
2020-01-15 21:23:30.768 [info] <0.3394.0> LDAP DECISION: login for myPeer: denied
2020-01-15 21:23:30.768 [warning] <0.3394.0> HTTP access denied: CN=myPeer,OU=randomSubOU,OU=Developers,OU=Users,OU=myLocation,DC=myDomain,DC=com
Solution
I finally figured it out. As Eric mentioned, it looks like I needed to switch dn_lookup_attribute to sAMAccountName.
,{rabbitmq_auth_backend_ldap, [
{servers, ["myDC.myDomain.com"]}
,{dn_lookup_bind, {"CN=MyServiceAccount,OU=Services,DC=myDomain,DC=com", "Service@ccountPa$$word"}}
,{dn_lookup_attribute, "sAMAccountName"}
,{dn_lookup_base, "DC=myDomain,DC=com"}
,{group_lookup_base, "ou=myLocation,ou=Groups,dc=myDomain,dc=com"}
,{log, true}
,{vhost_access_query, {constant, true}}
,{topic_access_query, {constant, true}}
,{resource_access_query, {constant, true}}
,{tag_queries, [
{ administrator, { in_group, "CN=rabbitAdmins,OU=myLocation,OU=Groups,DC=myDomain,DC=com" } },
{ management, { in_group, "CN=rabbitManagers,OU=myLocation,OU=Groups,DC=myDomain,DC=com" } }
]}
]}