3.13.2: LDAP client fails to connect on Erlang 26

[TruAmbition]

Describe the bug

Unable to authenticate with ldap via management UI.

Getting:
LDAP connect error: {error, "connect failed"}
User 'truman' failed authentication by backend rabbiq_auth_backend_ldap
HTTP access denied: rabbit_auth_backend_ldap failed authenticating truman: ldap_connect_error

I don't have TLS/SSL enabled on my management UI, so I go to http://rabbimq-instance.com. I'm pretty sure the error is due to erlang26 forcing TLS from the management UI such that ldap authentication will fail otherwise. Is it possible to disable this such that I can still use LDAP via the http endpoint?

This same configuration was fine under 3.11.2 with erlang 25. Everything else is the same configuration for the server using puppet outside of the rabbitmq version (3.13.2) and it's dependency erlang 26

For reference, I can log into the rabbitmq server using the same ldap authentication via SSH but not sure if that is at the server layer or application layer and therefore not valid for the ldap connection error I am having. I was able to create a local rabbitmq account on the server and login, but I need this manage this user access from ldap.

Reproduction steps

1. Install rabbitmq 3.13.2 on ALMA 8 server
2. Make sure erlang 26 is installed and or available in repo
3. Try to login with ldap credentials
   ...

Expected behavior

I expect to be able to login using the valid ldap credentials.

Additional context

I'm trying solutions from the rabbitmq.conf and advanced.conf to try and by pass or fix this. I'm curious if I am on the right hunch that the issue is because i'm trying to do ldap auth on an insecure http protocol. I would like to maintain this behavior for the moment. I guess the other solution would be to enable TLS on the management dashboard and try to ldap auth via https. Am I correct in thinking so ?

Please advise...

[michaelklishin]

Team RabbitMQ does not troubleshoot LDAP installations per our community support policy.

Erlang 26 does enable peer verification for all TLS clients. However, management UI has absolutely no role in whether connections to an LDAP server use TLS or not.

The information provided here is insufficient to even suggest something specific to look into. Start with enabling traffic logging for LDAP and see what exactly is sent and logged.

[michaelklishin]

The LDAP guide has a dedicated section on TLS, peer verification and how it can be disabled for LDAP client connections.

The methodology our team uses and recommends for troubleshooting TLS connections is also documented. The same tools and principles can be applied to troubleshooting TLS connections to any TLS-enabled server, including an LDAP one.

[TruAmbition]

Thank you @michaelklishin for your quick response. Prior to reaching out in the repo I applied

auth_ldap.ssl_options.verify = verify_none

To my rabbitmq.conf and restarted the rabbit service. However I'm still getting the same http access denied: rabbit_auth_backend_ldap failed authenticating Truman: ldap_connect_error. I just tried again and still unable to authenticate with ldap on the dashboard. I'll keep reading in hopes I find the missing piece.

[michaelklishin]

Enabling debug logging and LDA debug logging (linked above) will provide a lot of relevant information about what the authN/authZ backend chain observes and what the LDAP client sends and receives.

[TruAmbition]

The logs in my original post were with debug and ldap logs enabled. However the logs haven't been very helpful which prompted me to reach out here.

Based on your understanding of my issue, is this caused because I'm trying to use ldap on the dashboard via unsecured http protocol?

If so, I really hope to find a way to disable this as the flags I've tried so far haven't provided resolution.

[lukebakken]

@TruAmbition please upload your logs and your full RabbitMQ configuration and I'll take a look. Your management UI TLS settings should not have an effect on LDAP, and vice versa.

[TruAmbition]

Thank you @lukebakken for weighing in. I was able to implement the proposed ssl options configuration in the advanced.config file directly within the rabbitmq_auth_backend_ldap object and now I am able to login with LDAP in both the management UI and API.

I added the following:

{verify, verify_none},
{fail_if_no_peer_cert, false}

Previously I was adding these parameters to the rabbitmq.conf file, not realizing my advanced config was overriding these values to verify and true, respectively. Thank you again for reaching out and @michaelklishin providing support, resources and documentation. Sometimes you just need to ask the questions you tried to answer on your own. Get the "it's not that hard" or "it's already documented" from the community to help you take another look with a lot more sleep.

Kind regards,

Truman

[lukebakken]

Thank you for the follow-up!