I'm trying to set up RabbitMQ authorization against LDAP (Microsoft Active Directory) using the in_group or in_group_nested queries. However, since our OU structure is inconsistent across our users, which results in a variety of DN patterns, I had to rely on a user_dn_pattern that simply passes the "domain\account" when binding, which works great from an authentication perspective with Microsoft Active Directory. However, when it comes to the in_group/in_group_nested queries, it doesn't match because the members property is a list of actual DNs, and logs show that it's trying to find "domain\account" in the member list.
Since the LDAP plugin demands a single pattern to construct DNs from the supplied username, am I simply out of luck using group-level LDAP authorization in RabbitMQ?
It should be possible even with inconsistent DNs; the issue here seems to reside in the way usernames are translated into DNs during authentication.
Instead of relying on a DN pattern, try an LDAP lookup.
The key is to set dn_lookup_bind so that the lookup happens before the user authentication. This way, the LDAP plugin will bind with these credentials first to do the lookup, then bind with the matching entry's DN to do the user login:
auth_ldap.dn_lookup_attribute = userPrincipalName # or sAMAccountName
auth_ldap.dn_lookup_base = dc=example,dc=com # restrict to user ou if any
auth_ldap.dn_lookup_bind = {managerDN, Password} # AD manager account
# auth_ldap.user_dn_pattern should be left unset to be sure the lookup actually searches
# for a match in dn_lookup_attribute and not for a built-up dn.
I mentioned credentials from an 'AD manager' but it could be any account with sufficient permissions to perform a search on the targeted user entries.
Given that configuration, when the plugin reaches the authorization step, it can properly handle the group membership lookup using the actual user DN.
Edit - Despite what the documentation states about auth_ldap.dn_lookup_bind ("To do the lookup before binding, set auth_ldap.dn_lookup_bind to a tuple {UserDN, Password}."), it may be safer to explicitly set:
auth_ldap.dn_lookup_bind.user_dn = <UserDN>
auth_ldap.dn_lookup_bind.password = <Password>
# (OP was required to do so to make it work)
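As an added example, not part of the question or the answer above and not the RabbitMQ project's own sample, here is a complete advanced.config that carries the lookup-based approach through to the group authorization queries the question asks about (the answer only shows the lookup settings). The server name, the rabbitmq-svc service account and its password, and the two group DNs are placeholder assumptions. The queries live in advanced.config because the rabbitmq.conf format cannot express them; in that Erlang-term format dn_lookup_bind takes the {UserDN, Password} tuple, which corresponds to the auth_ldap.dn_lookup_bind.user_dn and auth_ldap.dn_lookup_bind.password keys in rabbitmq.conf.

```erlang
%% advanced.config: RabbitMQ LDAP backend against Active Directory.
%% Assumed placeholders: ldap.example.com, the rabbitmq-svc service
%% account and the two group DNs. Not the project's own example.
[
  {rabbit, [
    %% Try LDAP first, fall back to the internal database for local users.
    {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}
  ]},
  {rabbitmq_auth_backend_ldap, [
    {servers, ["ldap.example.com"]},
    {use_ssl, true},
    {port, 636},

    %% Step 1: bind with a low-privilege, read-only service account and
    %% search dn_lookup_base for (sAMAccountName=<username as supplied>).
    %% The attribute must match what users type at the client, since the
    %% plugin searches for the login name exactly as it was supplied.
    {dn_lookup_attribute, "sAMAccountName"},
    {dn_lookup_base, "dc=example,dc=com"},
    {dn_lookup_bind, {"cn=rabbitmq-svc,ou=Service Accounts,dc=example,dc=com",
                      "service-account-password"}},
    %% user_dn_pattern is deliberately absent: setting it would make the
    %% plugin build a DN from the pattern instead of searching for one.

    %% Step 2: the plugin binds as the DN found in step 1 with the user's
    %% password. From here on ${user_dn} is a real distinguished name, so
    %% the group queries can match it against the group's member attribute.
    {vhost_access_query,
      {in_group_nested, "cn=rabbitmq-users,ou=Groups,dc=example,dc=com"}},
    {resource_access_query, {constant, true}},
    {tag_queries, [
      {administrator,
        {in_group_nested, "cn=rabbitmq-admins,ou=Groups,dc=example,dc=com"}},
      {management, {constant, true}}
    ]},

    %% Log the LDAP exchanges while validating the queries; "network"
    %% logs the traffic without passwords. Set back to false afterwards.
    {log, network}
  ]}
].
```

Because the file holds the service account's password, keep it readable only by the RabbitMQ user and give that account no more than search rights over the user and group containers. With logging set to network, a run of rabbitmqctl authenticate_user with a test account shows the lookup bind, the search on sAMAccountName, the second bind as the resolved DN and finally the in_group_nested query evaluated against that DN rather than against "domain\account".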