Problem description
I'm trying to get LDAP authentication/authorization working with RabbitMQ 3.6.2 on Windows 7. I've gotten basic authentication working where the application sends a username/password, but the password is in the code which I need to figure out how to avoid. Has anyone achieved success in configuring RabbitMQ to authenticate via LDAP without supplying a password? I've been referring to the LDAP plugin docs, but to no avail.
My rabbitmq.config file is set up thusly:
```erlang
[
 %% Each application's settings must be a list (proplist), not a bare tuple.
 {rabbit,
  [{auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal},
                    rabbit_auth_backend_internal]}]
 },
 {rabbitmq_auth_backend_ldap,
  [{servers, ["theserver.thedomain.com"]},
   %% this works, but a password is still required
   {user_dn_pattern, "CN=${username},OU=theADgroup,OU=anothergroup,DC=thedomain,DC=dom"},
   %% looks like this is required
   {other_bind, anon},
   {use_ssl, false},
   {port, 389},
   {log, true}
  ]}
].
```
Thanks,
Andy
Recommended answer
Here's what I ended up with in case it helps anyone. I had to add 3 parameters to the config:
- dn_lookup_attribute set to "userPrincipalName"
- dn_lookup_base set to "DC=Name1,DC=Name2" (change this to fit your AD setup)
- user_dn_pattern set to "${username}@thedomain.com" (this is for convenience - without it, users have to log in with their full email address, but with it they only need their username)
You likely won't need all the settings in the config below, but this is my config nonetheless including authenticating over SSL and granting certain specific AD groups "Administrator" access to RabbitMQ Management UI. I added lots of comments to hopefully aid in figuring it out.
```erlang
[
 %% Each application's settings must be a list (proplist), not a bare tuple.
 {rabbit,
  [{auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}]}]
 },
 %% LDAP Authentication. See https://www.rabbitmq.com/ldap.html
 {rabbitmq_auth_backend_ldap,
  [{servers, ["theserver.thedomain.com"]},
   {dn_lookup_attribute, "userPrincipalName"},
   {dn_lookup_base, "DC=Name1,DC=Name2"},
   %% this makes it so that login usernames are just <username> instead of <username>@thedomain.com
   {user_dn_pattern, "${username}@thedomain.com"},
   %% Authenticate over SSL
   {use_ssl, true},
   {port, 636},
   %% Change this to true to troubleshoot LDAP failures (see file rabbit@<machinename>.log and scroll to bottom for the most recent activity)
   {log, false},
   %% ------------------------------------------------------------------------------------
   %% LDAP-based authorization for employee logins to the management UI.
   %% The following settings map the permissions that LDAP-authenticated users will have.
   %% For more info, see: https://www.rabbitmq.com/access-control.html
   %% ------------------------------------------------------------------------------------
   %% Grant access to all virtual hosts (this is the default, but is present here for the sake of transparency)
   {vhost_access_query, {constant, true}},
   %% Grant access to "resources" (exchanges, queues, bindings, etc.) (this is the default)
   {resource_access_query, {constant, true}},
   %% Grant RabbitMQ administrator access based on LDAP group membership.
   {tag_queries, [{administrator, {'or',
     [{in_group, "CN=Group 1 Name,OU=Group 1 OU,OU=Groups,DC=thecompany,DC=com"},
      {in_group, "CN=Group 2 Name,OU=Group 2 OU,OU=Groups,DC=thecompany,DC=com"},
      {in_group_nested, "CN=Group 3 Name,OU=Group 3 OU,OU=Groups,DC=thecompany,DC=com"}]}
   }]}
  ]}
].
```
Here's a snippet from a program that shows RabbitMQ ConnectionFactory connecting without using username/password since it relies on certificate-based authentication. You only need the path to the SSL certificate (generated for free using OpenSSL) along with the certificate passphrase.
```csharp
using LipsumGenerator.Message;
using Messaging.Work;
using RabbitMQ.Client;
using System;
using System.Configuration;
using System.Security.Authentication;

namespace Publisher
{
    class Program
    {
        static void Main(string[] args)
        {
            var factory = new ConnectionFactory();
            factory.HostName = ConfigurationManager.AppSettings["rabbitmqHostName"];
            // SASL EXTERNAL: identity comes from the client certificate, no username/password
            factory.AuthMechanisms = new AuthMechanismFactory[] { new ExternalMechanismFactory() };
            factory.Ssl.ServerName = ConfigurationManager.AppSettings["rabbitmqServerName"];
            factory.Ssl.CertPath = ConfigurationManager.AppSettings["certificateFilePath"];
            factory.Ssl.CertPassphrase = ConfigurationManager.AppSettings["certificatePassphrase"];
            factory.Ssl.Enabled = true;
            factory.Ssl.Version = SslProtocols.Tls12;
            factory.Port = AmqpTcpEndpoint.DefaultAmqpSslPort;
            factory.VirtualHost = "/";

            using (var connection = factory.CreateConnection())
            {
                using (var channel = connection.CreateModel())
                {
                    Console.WriteLine(" [*] Publishing messages. To exit press CTRL+C");
                    int count = 0;
                    var rand = new Random();
                    while (true)
                    {
                        count++;
                        WorkProcessor.EnqueueMessage(channel, "Lipsum", new LipsumGeneratorMessage(rand.Next(5)));
                        Console.WriteLine("Sent message Lipsum " + count);
                        System.Threading.Thread.Sleep(rand.Next(2000));
                    }
                }
            }
        }
    }
}
```
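The client above negotiates SASL EXTERNAL, so the broker has to offer that mechanism and verify the client certificate; the answer does not show that side. The following is an added example, not part of the original answer: a minimal broker-side rabbitmq.config in the same classic format, assuming the rabbitmq_auth_mechanism_ssl plugin is enabled and using placeholder certificate paths. The rabbitmq_auth_backend_ldap section from the answer is unchanged and omitted here.

```erlang
%% Added example (not from the original answer). Requires:
%%   rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
%% Certificate paths are placeholders.
[
 {rabbit, [
   %% Offer EXTERNAL alongside the password mechanisms. Remove
   %% 'PLAIN' and 'AMQPLAIN' if no client should ever send a password.
   {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
   %% TLS listener; the C# client uses AmqpTcpEndpoint.DefaultAmqpSslPort (5671).
   {ssl_listeners, [5671]},
   {ssl_options, [
     {cacertfile, "/path/to/ca_certificate.pem"},     %% placeholder
     {certfile,   "/path/to/server_certificate.pem"}, %% placeholder
     {keyfile,    "/path/to/server_key.pem"},         %% placeholder
     %% EXTERNAL only proves anything if the peer certificate is
     %% requested and validated against the CA above; with verify_none
     %% or an optional client cert the mechanism has nothing to trust.
     {verify, verify_peer},
     {fail_if_no_peer_cert, true}
   ]},
   %% Same backend chain as in the answer: LDAP authenticates, internal authorizes.
   {auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}]}
 ]},
 %% Username handed to the auth backends is taken from the certificate.
 %% Default is the full subject DN; common_name uses the CN instead, so
 %% issue client certificates whose CN matches the directory username.
 {rabbitmq_auth_mechanism_ssl, [{name_from, common_name}]}
].
```

When troubleshooting, turn on `{log, true}` in the LDAP section as the answer suggests and check which username the EXTERNAL mechanism extracted from the certificate before looking at the LDAP bind itself.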