Cannot get advanced.conf value encryption to work with LDAP

[parvvam]

Is your feature request related to a problem? Please describe.

I have configured LDAP authentication for RabbitMQ server and below is the configuration overview.

In rabbitmq.conf, i have enabled the parameters

auth_backends.1   = rabbit_auth_backend_ldap
auth_backends.2   = rabbit_auth_backend_internal

The advanced.config file has the following configuration.

[
 {rabbitmq_auth_backend_ldap, [

   {servers, ["servername"]},
   {port, 636},
   {use_ssl, true},
   {ssl_options, [{verify, verify_none}]},

   {dn_lookup_bind,
    {"username", "password"}},

   {dn_lookup_base, "dc=domain name,dc=com"},
   {dn_lookup_attribute, "sAMAccountName"},

     {tag_queries, [
      {management, {in_group, "cn=cn name,ou=users,dc=domain name,dc=com"}}
   ]}
 ]}
].

The configuration only works when the password is provided in clear text in dn_lookup_bind.

Describe the solution you'd like

Please let me know how the password can be encrypted or any other possible solution where the passwords in not exposed in clear text in the advanced.config

Update after applying the mentioned steps,

Step 1: I've followed the gemini link and observed that the password is not getting decrypted after it is provided in the encrypted values in the advanced.config.

Tried the Step 2 as well where the passoword is provided through a file.

Still it is unable to decrypt and login.

Also applied the config_entry_decoder parameter as per the official document link. Please find the updated advanced.config.

[
{rabbitmq_auth_backend_ldap, [

{servers, ["ldap server"]},
{port, 636},
{use_ssl, true},
{ssl_options, [{verify, verify_none}]},

{config_entry_decoder, [
{passphrase, {file, "/path/to/passphrasefile"}}
]},

{dn_lookup_bind,
{"username",
{encrypted,
<<"password">>}}},

{dn_lookup_base, "dc=dc name,dc=com"},
{dn_lookup_attribute, "sAMAccountName"},

{tag_queries, [
{management,
{in_group,
"cn=cn name,ou=,users,dc=dc,dc=com"}}
]}
]}
].

Please guide for the same.

Originally posted by @parvvam in #15284

[parvvam]

Update after applying the mentioned steps,

Step 1: I've followed the gemini link and observed that the password is not getting decrypted after it is provided in the encrypted values in the advanced.config.

Tried the Step 2 as well where the passoword is provided through a file.

Still it is unable to decrypt and login.

Also applied the config_entry_decoder parameter as per the official document link. Please find the updated advanced.config.

[
{rabbitmq_auth_backend_ldap, [

{servers, ["ldap server"]},
{port, 636},
{use_ssl, true},
{ssl_options, [{verify, verify_none}]},

{config_entry_decoder, [
{passphrase, {file, "/path/to/passphrasefile"}}
]},

{dn_lookup_bind,
{"username",
{encrypted,
<<"password">>}}},

{dn_lookup_base, "dc=dc name,dc=com"},
{dn_lookup_attribute, "sAMAccountName"},

{tag_queries, [
{management,
{in_group,
"cn=cn name,ou=,users,dc=dc,dc=com"}}
]}
]}
].

Please guide for the same.

[michaelklishin]

Our Community Support Policy explicitly states that we will not troubleshoot anything LDAP-related for non-paying, non-contributing users.

The configuration value encryption feature has been around for years, including recent (months ago) updates to support encrypted values in rabbitmq.conf. We are confident that it works as expected and have multiple test suites to prove it.

Start with the Troubleshooting LDAP section and enable LDAP traffic logging to see what the LDAP client really sends.

[michaelklishin]

The configuration only works when the password is provided in clear text in dn_lookup_bind

I am almost certain that you are encrypting a binary value (<<"password">>) on the command line whereas the configuration key must be a string ("password").

In 4.3, LDAP queries will be configurable in rabbitmq.conf #14868 (and encrypted:… values in rabbitmq.conf are already supported, so this subtle type discrepancy specific to advanced.config should become a non-issue in a couple of months.

See rabbitmqctl decode (and note that it interacts with the running node).