The main goal of this guide is to demonstrate, step by step, how to set up RabbitMQ to authenticate and authorize via the LDAP plugin. It starts with a very simple scenario, Only Authentication, which configures RabbitMQ to do nothing more than authenticate users via LDAP.
Every scenario helps the user launch an OpenLDAP server, import the LDAP entries the scenario requires and configure RabbitMQ accordingly. It also helps the user verify the configuration.
The guide then goes further, configuring RabbitMQ with LDAP to secure vhost access, resource (i.e. exchange and queue) access and management plugin access too.
The last scenario, Authentication and Authorization (tags, vhosts, resources), is the most complete one. It is one possible LDAP+RabbitMQ scenario out of the many we may encounter in the real world.
The aim of this repository is to address more scenarios in the future.
This guide assumes RabbitMQ is running locally (on ports 5672 and 15672). It also provides a script to deploy OpenLDAP locally via Docker. Additionally, we need the following prerequisites:
- ldap tools are installed, such as ldapsearch and/or ldapadd.
- Ruby is installed. We will use it to run some AMQP clients.
- Python is installed. We will use it to run rabbitmqadmin.
- rabbitmqadmin is installed. Go to http://localhost:15672/cli/rabbitmqadmin and copy the downloaded file to your preferred location in your PATH.
If you are currently running RabbitMQ for PCF you can still use this guide. We have written the first scenario, Only Authentication, both for OpenLDAP running locally and for OpenLDAP running externally, in a separate VM in GCP. The two variants differ only in how RabbitMQ for PCF is configured, because both share the same mechanism to set up LDAP, which is:
- Invoke the script start.sh to deploy OpenLDAP
- Invoke the script import.sh to import the users and LDAP layout required by the scenario
In a nutshell, to run any of the other scenarios in RabbitMQ for PCF, you need to do these four steps:
- Deploy OpenLDAP externally: cd only-authentication-4-pcf; ./start.sh
- Import the scenario's LDAP configuration (users and objects), e.g. cd authentication-and-tags; ./import.sh
- Make sure you have enabled the LDAP plugin in RabbitMQ for PCF
- Take the scenario's LDAP configuration, e.g. authentication-and-tags/rabbitmq.config, and configure RabbitMQ for PCF with it
- Only Authentication
- Authentication and User tags
- Authentication, User tags and Vhosts
- Authentication and Authorization (tags, vhosts, resources)
- Users are organized in a hierarchical fashion (e.g. under different Organizational Units)
- Use multiple Authentication backends
- Cache Authentication and Authorization backend results
- Retrieve RabbitMQ's client identity from the client's certificate
In addition to all the recommendations made in the RabbitMQ LDAP documentation, it is worth keeping an eye on these other ones.
With external authz backends like the LDAP one we highly recommend using https://github.com/rabbitmq/rabbitmq-auth-backend-cache in production because under load RabbitMQ is known to hammer LDAP servers hard enough with queries that they can't keep up.
Check out the scenario Cache Authentication and Authorization backend results.
Make sure the connection timeouts in your LDAP server are larger than your configured timeout (auth_ldap.timeout); otherwise your LDAP server may terminate the connection and the LDAP plugin may fail to operate afterwards.
LDAP server connections are pooled to avoid excessive connection churn and LDAP server load. By default the pool has up to 64 connections; this can be controlled using auth_ldap.connection_pool_size. Pooled connections without activity are closed after a period of time configurable via auth_ldap.idle_timeout, which by default is set to 300000 ms (5 minutes).
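As an added example (not one of this repository's scenario files), the following rabbitmq.conf fragment in the new-style configuration format applies the recommendations above together: the cache backend placed in front of the LDAP backend, an explicit LDAP operation timeout kept below the LDAP server's own connection timeout, and the connection pool settings. The server address, the DN pattern (dc=example,dc=com), the cache TTL and the concrete timeout values are assumptions to be adjusted to your scenario. Note that this repository's scenario files use the classic rabbitmq.config format, so the same settings must be translated into that format if you want to drop them into one of those files.

```ini
# Added example rabbitmq.conf (new-style format); not part of this repository.
# Requires the rabbitmq_auth_backend_ldap and rabbitmq_auth_backend_cache
# plugins to be enabled.

# Put the cache backend in front of LDAP so that repeated authentication and
# authorization checks under load do not each hit the LDAP server.
auth_backends.1 = cache
auth_cache.cached_backend = ldap
# Cached results live for 5 seconds (assumed value; a shorter TTL locks out
# revoked users sooner at the cost of more LDAP queries).
auth_cache.cache_ttl = 5000

# LDAP server and DN pattern (assumed values; use the ones from your scenario).
auth_ldap.servers.1 = localhost
auth_ldap.port = 389
auth_ldap.user_dn_pattern = cn=${username},ou=users,dc=example,dc=com

# Timeout for LDAP operations, in milliseconds (the plugin's default is no
# timeout at all). Weak setting: a value above the LDAP server's own
# connection timeout (for slapd, olcIdleTimeout, given in seconds) lets the
# server drop the connection first, after which the plugin may stop working.
# auth_ldap.timeout = 60000
# Corrected: keep it below the server-side timeout, e.g. 5 s against a
# server that closes connections after 30 s.
auth_ldap.timeout = 5000

# Connection pool: up to 64 pooled connections (the default), each closed
# after 300000 ms (5 minutes, the default) without activity.
auth_ldap.connection_pool_size = 64
auth_ldap.idle_timeout = 300000

# Log the LDAP queries the plugin issues (credentials are not logged at this
# level) to help diagnose connection and bind failures.
auth_ldap.log = network
```

After changing the file, restart the node and confirm with rabbitmqadmin or the management UI that an LDAP user can still log in; with auth_ldap.log = network the node log will show the bind and search requests the plugin sends for that login.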
TODO: Add more sample log statements and the minimum configuration to enable LDAP plugin logging. A sample log line, here for an authentication attempt by bob that failed because the plugin could not connect to the LDAP server:
[warning] <0.1777.0> HTTP access denied: rabbit_auth_backend_ldap failed authenticating bob: ldap_connect_error