rabbitmq配置windows authentication(windows account)登录

参考： https://www.rabbitmq.com/ldap.html
前言：
前面的文章讲到怎么为rabbitmq配置https ssl，这次是在之前的基础上配置使用window的accout。

开启插件

rabbitmq-plugins enable rabbitmq_auth_backend_ldap
1

配置文件

[
        {rabbit,[
        {tcp_listeners, [5672]},
        {auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal},
                           rabbit_auth_backend_internal]},
        {config_entry_decoder, [
                        {passphrase, {file, "/etc/rabbitmq/key"}}
        ]},
        {ssl_listeners, [5671]},
        {ssl_options, [{cacertfile, "/etc/rabbitmq/certs/rootCA.crt"},
                    {certfile,   "/etc/rabbitmq/certs/server.crt"},
                    {keyfile,    "/etc/rabbitmq/certs/server.key"},
                    {verify, verify_none},
                    {fail_if_no_peer_cert, false},
                    {versions, ['tlsv1.2']}
                    ]}
        ]},
        {rabbitmq_management, [
                {listener, [
                        {port, 15672},
                        {ip, "rabbitmq_ip"},
                            {ssl, true},
                            {ssl_opts,
                            [{cacertfile, "/etc/rabbitmq/certs/rootCA.crt"},
                            {certfile, "/etc/rabbitmq/certs/server.crt"},
                            {keyfile, "/etc/rabbitmq/certs/server.key"}
                       ]}
                ]}
        ]},
        {rabbitmq_auth_backend_ldap,[
                {servers, ["your LDAP server"]},
                {use_ssl, true},
                {ssl_options, [
                                        {cacertfile, "/etc/rabbitmq/certs/ROOT_CA.crt"},
                                        {verify, verify_peer},
                                        {depth, 2}]},
                {port, 636},
                {timeout, 15000},
                {log,   network_unsafe },
                {dn_lookup_bind, {“username@domain”，“your_password”}},
                {dn_lookup_base, "DC=XX,DC=XX"},
                {dn_lookup_attribute, "sAMAccountName"},
                {user_dn_pattern, "${username}"}
        ]}
].
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

rabbitmq_ip 换成你的服务器IP
your LDAP server换成认证服务器的IP
port,默认是636
username@domain 换成你的账号
your_password换成你的密码
dn_lookup_attribute 有两种类型sAMAccountName和userPrincipalName
sAMAccountName 不要@和后面的域名 例如d1234567
userPrincipalName则是 $username@domain.注意这是是用${username}，不需要替换。

创建一个不需要密码的账号，赋予administrator权限。

用windows账号和密码登录rabbitmq

加密明文密码

参考文章：https://www.rabbitmq.com/configure.html#configuration-encryption

创建密钥的文件,添加密钥字符串

sudo vi /etc/rabbitmq/key
1

加密解密用户名密码

在linux

rabbitmqctl encode '<<"guest">>' mypassphrase
{encrypted,<<"... long encrypted value...">>}
rabbitmqctl encode '"amqp://fred:secret@host1.domain/my_vhost"' mypassphrase
{encrypted,<<"... long encrypted value...">>}
1
2
3
4

在windows

rabbitmqctl encode "<<""guest"">>" mypassphrase
{encrypted,<<"... long encrypted value...">>}
rabbitmqctl encode '"amqp://fred:secret@host1.domain/my_vhost"' mypassphrase
{encrypted,<<"... long encrypted value...">>}
1
2
3
4

注意加密的时候要连用户名，括号一起加密，不然rabbitmq解密会报错。
例如

sudo rabbitmqctl encode '{"xxx@xxx.com", "password"}' mypassphrase
1

mypassphrase是你放在文件/etc/rabbitmq/key里面的value，当然这个根据你的需要可以进行更改

解密
在linux

rabbitmqctl decode '{encrypted, <<"...">>}' mypassphrase
<<"guest">>
rabbitmqctl decode '{encrypted, <<"...">>}' mypassphrase
"amqp://fred:secret@host1.domain/my_vhost"
1
2
3
4

在windows

rabbitmqctl decode "{encrypted, <<""..."">>}" mypassphrase
<<"guest">>
rabbitmqctl decode "{encrypted, <<""..."">>}" mypassphrase
"amqp://fred:secret@host1.domain/my_vhost"
1
2
3
4

配置加密后的字符串

{dn_lookup_bind, {encrypted, <<“XXX”>>}}

重启rabbitmq，并且登录windows账号