RabbitMQ + Windows + LDAP without sending a password

I am trying to get LDAP authentication/authorization working with RabbitMQ 3.6.2 on Windows 7. I already have basic authentication working where the application sends a username/password, but the password sits in the code and I need to figure out how to avoid that. Has anyone had success configuring RabbitMQ to authenticate via LDAP without supplying a password? I have been referring to the LDAP plugin documentation, but to no avail.

My rabbitmq.config file is set up as follows:

    [
      {rabbit, [
        %% the rabbit section must be a list of {Key, Value} tuples
        {auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal},
                         rabbit_auth_backend_internal]}
      ]},
      {rabbitmq_auth_backend_ldap, [
        {servers, ["theserver.thedomain.com"]},
        %% this works, but a password is still required
        {user_dn_pattern, "CN=${username},OU=theADgroup,OU=anothergroup,DC=thedomain,DC=dom"},
        %% looks like this is required
        {other_bind, anon},
        {use_ssl, false},
        {port, 389},
        {log, true}
      ]}
    ].

Thanks,

Andy

Here is what I ended up with, in case it helps anyone. I had to add three parameters to the config:

  • dn_lookup_attribute set to "userPrincipalName"
  • dn_lookup_base set to "DC=Name1,DC=Name2" (change this to suit your AD setup)
  • user_dn_pattern set to "${username}@thedomain.com" (this is just for convenience; without it, users have to log in with their full email address, but with it they only need their username)

You may not need all of the settings in the config below, but this is my config nonetheless, including authenticating over SSL and granting certain AD groups "administrator" access to the RabbitMQ management UI. I added a lot of comments, which I hope will help make sense of it.

    [
      {rabbit, [
        %% the rabbit section must be a list of {Key, Value} tuples
        {auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}]}
      ]},
      %% LDAP Authentication. See https://www.rabbitmq.com/ldap.html
      {rabbitmq_auth_backend_ldap, [
        {servers, ["theserver.thedomain.com"]},
        {dn_lookup_attribute, "userPrincipalName"},
        {dn_lookup_base, "DC=Name1,DC=Name2"},
        %% this makes it so that login usernames are just the bare username instead of username@thedomain.com
        {user_dn_pattern, "${username}@thedomain.com"},
        %% Authenticate over SSL
        {use_ssl, true},
        {port, 636},
        %% Change this to true to troubleshoot LDAP failures
        %% (see file rabbit@.log and scroll to the bottom for the most recent activity)
        {log, false},
        %% ------------------------------------------------------------------------------------
        %% LDAP-based authorization for employee logins to the management UI.
        %% The following settings map the permissions that LDAP-authenticated users will have.
        %% For more info, see: https://www.rabbitmq.com/access-control.html
        %% ------------------------------------------------------------------------------------
        %% Grant access to all virtual hosts (this is the default, but is present here for the sake of transparency)
        {vhost_access_query, {constant, true}},
        %% Grant access to "resources" (exchanges, queues, bindings, etc.) (this is the default)
        {resource_access_query, {constant, true}},
        %% Grant RabbitMQ administrator access based on LDAP group membership.
        {tag_queries, [
          {administrator, {'or', [
            {in_group, "CN=Group 1 Name,OU=Group 1 OU,OU=Groups,DC=thecompany,DC=com"},
            {in_group, "CN=Group 2 Name,OU=Group 2 OU,OU=Groups,DC=thecompany,DC=com"},
            {in_group_nested, "CN=Group 3 Name,OU=Group 3 OU,OU=Groups,DC=thecompany,DC=com"}
          ]}}
        ]}
      ]}
    ].

Edit: here is a snippet of a program showing a RabbitMQ ConnectionFactory connecting without a username/password, since it relies on certificate-based authentication. You only need the path to the SSL certificate (generated for free with OpenSSL) and the certificate password.

    using LipsumGenerator.Message;
    using Messaging.Work;
    using RabbitMQ.Client;
    using System;
    using System.Configuration;
    using System.Security.Authentication;

    namespace Publisher
    {
        class Program
        {
            static void Main(string[] args)
            {
                var factory = new ConnectionFactory();
                factory.HostName = ConfigurationManager.AppSettings["rabbitmqHostName"];
                // EXTERNAL SASL mechanism: the client certificate identifies the user,
                // so no username/password is sent to the broker.
                factory.AuthMechanisms = new AuthMechanismFactory[] { new ExternalMechanismFactory() };
                // Must match the CN of the broker's server certificate
                factory.Ssl.ServerName = ConfigurationManager.AppSettings["rabbitmqServerName"];
                // Client certificate (PKCS#12) and its passphrase, read from App.config
                factory.Ssl.CertPath = ConfigurationManager.AppSettings["certificateFilePath"];
                factory.Ssl.CertPassphrase = ConfigurationManager.AppSettings["certificatePassphrase"];
                factory.Ssl.Enabled = true;
                factory.Ssl.Version = SslProtocols.Tls12;
                factory.Port = AmqpTcpEndpoint.DefaultAmqpSslPort; // 5671
                factory.VirtualHost = "/";

                using (var connection = factory.CreateConnection())
                {
                    using (var channel = connection.CreateModel())
                    {
                        Console.WriteLine(" [*] Publishing messages. To exit press CTRL+C");
                        int count = 0;
                        var rand = new Random();
                        while (true)
                        {
                            count++;
                            WorkProcessor.EnqueueMessage(channel, "Lipsum", new LipsumGeneratorMessage(rand.Next(5)));
                            Console.WriteLine("Sent message Lipsum " + count);
                            System.Threading.Thread.Sleep(rand.Next(2000));
                        }
                    }
                }
            }
        }
    }
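The client program above only works if the broker offers the EXTERNAL mechanism and knows how to turn the presented client certificate into a username; the answer does not show that side. The rabbitmq.config below is an added example, not the poster's configuration, of the broker-side settings for the RabbitMQ 3.6 classic Erlang-term format. It assumes the rabbitmq_auth_mechanism_ssl plugin has been enabled (`rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl`), and the certificate paths under C:/RabbitMQ/certs/ are placeholders. The LDAP section repeats the three settings from the answer so the mapped username resolves the same way.

```erlang
%% rabbitmq.config (classic format, RabbitMQ 3.6). Added example; paths are placeholders.
%% Requires: rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
[
  {rabbit, [
    %% TLS listener for AMQP. To refuse plaintext AMQP entirely, add {tcp_listeners, []}.
    {ssl_listeners, [5671]},
    {ssl_options, [
      %% CA that issued the *client* certificates. Any certificate this CA signs is
      %% accepted as a login, so use a private CA dedicated to broker clients.
      {cacertfile, "C:/RabbitMQ/certs/ca_certificate.pem"},
      {certfile,   "C:/RabbitMQ/certs/server_certificate.pem"},
      {keyfile,    "C:/RabbitMQ/certs/server_key.pem"},
      %% Demand and verify a client certificate; without one EXTERNAL has nothing to map,
      %% and the TLS handshake fails before any SASL exchange takes place.
      {verify, verify_peer},
      {fail_if_no_peer_cert, true}
    ]},
    %% Offer EXTERNAL so ExternalMechanismFactory on the client can negotiate it.
    %% Drop PLAIN and AMQPLAIN if every client is expected to be certificate-only.
    {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
    %% Take the username from the certificate's CN (the default is the full
    %% distinguished name). The CN must therefore equal the AD username that
    %% user_dn_pattern expands, e.g. CN=jsmith for "${username}@thedomain.com".
    {ssl_cert_login_from, common_name},
    %% Same backend chain as the answer: LDAP first, internal users second.
    {auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}]}
  ]},
  {rabbitmq_auth_backend_ldap, [
    {servers, ["theserver.thedomain.com"]},
    {dn_lookup_attribute, "userPrincipalName"},
    {dn_lookup_base, "DC=Name1,DC=Name2"},
    {user_dn_pattern, "${username}@thedomain.com"},
    {use_ssl, true},
    {port, 636}
  ]}
].
```

The username produced by ssl_cert_login_from is handed to the configured auth_backends with no password, so it has to name an account those backends can find; if the CN does not match the directory, the connection is refused even though the TLS handshake succeeded, and setting `{log, true}` in the LDAP section (as the answer describes) shows which lookup failed.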