authorDaniil Fedotov <dfedotov@pivotal.io>2016-02-01 14:27:56 +0000
committerDaniil Fedotov <dfedotov@pivotal.io>2016-02-01 14:27:56 +0000
commit2e5378682cba8feac4d60d3c4abed91eee22d43e (patch)
tree67fd7e3d04dfbfea6b56264682f9c8e2718c8be2
parent423ab9d519503ecf8c670860da4f104a90a3285e (diff)
Auth backends. conf.example file
-rw-r--r--rabbitmq.conf.d/rabbitmq.conf56
-rw-r--r--rabbitmq.conf.d/rabbitmq.conf.example726
-rw-r--r--schema/rabbitmq.config.schema155
-rw-r--r--schema/rabbitmq.management.schema7
-rw-r--r--schema/rabbitmq.mqtt.schema15
-rw-r--r--schema/rabbitmq.stomp.schema10
6 files changed, 872 insertions, 97 deletions
diff --git a/rabbitmq.conf.d/rabbitmq.conf b/rabbitmq.conf.d/rabbitmq.conf
index 31b0cd4910..a9e23b2908 100644
--- a/rabbitmq.conf.d/rabbitmq.conf
+++ b/rabbitmq.conf.d/rabbitmq.conf
@@ -60,7 +60,7 @@ loopback_user.guest = true
## Uncomment the following line if you want to allow access to the
## guest user from anywhere on the network.
-loopback_user.guest = false
+# loopback_user.guest = false
## Configuring SSL.
## See http://www.rabbitmq.com/ssl.html for full documentation.
@@ -84,7 +84,12 @@ auth_mechanism.amqplain = AMQPLAIN
## Select an authentication database to use. RabbitMQ comes bundled
## with a built-in auth-database, based on mnesia.
##
-auth_backend.internal = rabbit_auth_backend_internal
+auth_backends.1 = internal
+
+auth_backends.2.authn = ldap
+auth_backends.2.authz = internal
+
+auth_backends.3.authz = rabbit_auth_backend_uaa
## Configurations supporting the rabbitmq_auth_mechanism_ssl and
## rabbitmq_auth_backend_ldap plugins.
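Review bot: `auth_backends.3.authz = rabbit_auth_backend_uaa` is an active line that defines only the authz half of entry 3. The translation added to schema/rabbitmq.config.schema in this commit handles a missing authn half with a warning ("Auth backend undefined for ~pth authz backend. Using ~p"), which appears to make the same module the authenticator as well, though that clause is cut off on this page. If that is intended, say so explicitly with `auth_backends.3 = rabbit_auth_backend_uaa`; otherwise add the matching `auth_backends.3.authn` line. The comment above the block still describes only "an authentication database", so a line such as `## Use auth_backends.N for one module, or auth_backends.N.authn / auth_backends.N.authz to split authentication and authorisation` would help. The same lines appear, commented out, in rabbitmq.conf.example.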
@@ -111,10 +116,10 @@ auth_backend.internal = rabbit_auth_backend_internal
## Enable the LDAP auth backend by adding to or replacing the
## auth_backends entry:
##
-# auth_backend.ldap = rabbit_auth_backend_ldap
+# auth_backends.2 = rabbit_auth_backend_ldap
## Add another backend
-# auth_backend.http = rabbit_auth_backend_http
+# auth_backend.3 = rabbit_auth_backend_http
## This pertains to both the rabbitmq_auth_mechanism_ssl plugin and
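Review bot: The second example in this hunk is spelled `# auth_backend.3 = rabbit_auth_backend_http` (singular), while the line above it and the new translation both use the `auth_backends` prefix. The old `auth_backend.$name` mapping is removed in this commit, so an operator who uncomments this line would most likely get either an unknown-key error or a backend that is silently not added. It should read `# auth_backends.3 = rabbit_auth_backend_http`. The same typo is repeated in the "Add another backend" example in rabbitmq.conf.example.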
@@ -292,7 +297,7 @@ mirroring_sync_batch_size = 4096
## See http://www.rabbitmq.com/clustering.html#auto-config for
## further details.
##
-cluster_nodes.disc.rabbit = rabbit@my.host.com
+# cluster_nodes.disc.rabbit = rabbit@my.host.com
## You can define multiple nodes
# cluster_nodes.disc.hare = hare@my.host.com
@@ -306,7 +311,7 @@ cluster_nodes.disc.rabbit = rabbit@my.host.com
## as net_ticktime; missed keepalive messages will not cause nodes
## to be considered down.
##
-cluster_keepalive_interval = 10000
+# cluster_keepalive_interval = 10000
##
## Statistics Collection
@@ -360,7 +365,7 @@ queue_index_embed_msgs_below = 4kb
# Kernel section
# ======================================
-kernel.net_ticktime = 60
+# kernel.net_ticktime = 60
## ----------------------------------------------------------------------------
## RabbitMQ Management Plugin
@@ -403,14 +408,13 @@ management.rates_mode = basic
## lengths) is retained. Please read the plugin's documentation in
## http://www.rabbitmq.com/management.html#configuration for more
## details.
-##
-# QA: Some funny syntax
-management.sample_retention_policies.global.60 = 5
-management.sample_retention_policies.global.3600 = 60
-management.sample_retention_policies.global.86400 = 1200
+## Your can use 'minute', 'hour' and '24hours' keys or integer key (in seconds)
+management.sample_retention_policies.global.minute = 5
+management.sample_retention_policies.global.hour = 60
+management.sample_retention_policies.global.24hours = 1200
-management.sample_retention_policies.basic.60 = 5
-management.sample_retention_policies.basic.3600 = 60
+management.sample_retention_policies.basic.minute = 5
+management.sample_retention_policies.basic.hour = 60
management.sample_retention_policies.detailed.10 = 5
@@ -469,7 +473,7 @@ stomp.ssl_cert_login = true
## SSL certificate whenever the first frame sent on a session is not a
## CONNECT frame.
##
-stomp.implicit_connect = true
+# stomp.implicit_connect = true
## ----------------------------------------------------------------------------
## RabbitMQ MQTT Adapter
@@ -495,7 +499,7 @@ stomp.implicit_connect = true
## login information in order to connect. See the default_user/default_pass
## configuration elements for managing logins without authentication.
##
-mqtt.allow_anonymous = true
+# mqtt.allow_anonymous = true
## If you have multiple chosts, specify the one to which the
## adapter connects.
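Review bot: Commenting out `mqtt.allow_anonymous = true` only returns the setting to the plugin's built-in default; it does not switch anonymous access off. If that default is still `true` (to be confirmed against the MQTT plugin and its schema, which this hunk does not show), anonymous MQTT logins stay enabled while the file now reads as if they were disabled. The comment block should state the default and show the hardening value, for example `## Defaults to true; set to false to require credentials` followed by `# mqtt.allow_anonymous = false`.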
@@ -508,7 +512,7 @@ mqtt.exchange = amq.topic
## Specify TTL (time to live) to control the lifetime of non-clean sessions.
##
-mqtt.subscription_ttl = 1800000
+# mqtt.subscription_ttl = 1800000
## Set the prefetch count (governing the maximum number of unacknowledged
## messages that will be delivered).
@@ -552,11 +556,11 @@ mqtt.num_acceptors.ssl = 1
## Please note that setting this will allow clients to connect without
## authenticating!
##
-amqp1.default_user = guest
+amqp1_0.default_user = guest
## Enable protocol strict mode. See the README for more information.
##
-amqp1.protocol_strict_mode = false
+amqp1_0.protocol_strict_mode = false
## Lager controls logging.
## See https://github.com/basho/lager for more documentation
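Review bot: `amqp1_0.default_user = guest` stays active after the rename, even though the comment directly above it warns that setting it lets clients connect without authenticating. This commit comments out the other permissive settings in this file (`loopback_user.guest = false`, `stomp.implicit_connect`, `mqtt.allow_anonymous`), and rabbitmq.conf.example ships this key commented out. For consistency, and so that connections without SASL are not mapped to guest by default, this should be `# amqp1_0.default_user = guest`.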
@@ -616,10 +620,10 @@ amqp1.protocol_strict_mode = false
## Specify servers to bind to. You *must* set this in order for the plugin
## to work properly.
##
-# ldap.servers.myserver = your-server-name-goes-here
+# ldap.servers.1 = your-server-name-goes-here
## You can define multiple servers
-# ldap.servers.other_server = your-other-server
+# ldap.servers.2 = your-other-server
## Connect to the LDAP server using SSL
##
@@ -644,7 +648,7 @@ amqp1.protocol_strict_mode = false
##
## Defaults to false.
##
-ldap.log = false
+# ldap.log = false
## Also can be true or network
# ldap.log = true
@@ -658,7 +662,7 @@ ldap.log = false
## Pattern to convert the username given through AMQP to a DN before
## binding
##
-ldap.user_dn_pattern = cn=${username},ou=People,dc=example,dc=com
+# ldap.user_dn_pattern = cn=${username},ou=People,dc=example,dc=com
## Alternatively, you can convert a username to a Distinguished
## Name via an LDAP lookup after binding. See the documentation for
@@ -668,8 +672,8 @@ ldap.user_dn_pattern = cn=${username},ou=People,dc=example,dc=com
## the name of the attribute that represents the user name, and the
## base DN for the lookup query.
##
-ldap.dn_lookup_attribute = userPrincipalName
-ldap.dn_lookup_base = DC=gopivotal,DC=com
+# ldap.dn_lookup_attribute = userPrincipalName
+# ldap.dn_lookup_base = DC=gopivotal,DC=com
## Controls how to bind for authorisation queries and also to
## retrieve the details of users logging in without presenting a
@@ -681,7 +685,7 @@ ldap.dn_lookup_base = DC=gopivotal,DC=com
##
## Defaults to 'as_user'.
##
-ldap.other_bind = as_user
+# ldap.other_bind = as_user
## Or can be more complex:
# ldap.other_bind.user_dn = User
diff --git a/rabbitmq.conf.d/rabbitmq.conf.example b/rabbitmq.conf.d/rabbitmq.conf.example
new file mode 100644
index 0000000000..073c28e557
--- /dev/null
+++ b/rabbitmq.conf.d/rabbitmq.conf.example
@@ -0,0 +1,726 @@
+# ======================================
+# RabbbitMQ broker section
+# ======================================
+
+## Network Connectivity
+## ====================
+##
+## By default, RabbitMQ will listen on all interfaces, using
+## the standard (reserved) AMQP port.
+##
+# listener.tcp.default = 5672
+
+
+## To listen on a specific interface, provide an IP address with port.
+## For example, to listen only on localhost for both IPv4 and IPv6:
+##
+# IPv4
+# listener.tcp.local = 127.0.0.1:5672
+# IPv6
+# listener.tcp.local_v6 = ::1:5672
+
+## You can define multiple listeners using listener names
+# listener.tcp.other_port = 5673
+# listener.tcp.other_ip = 10.10.10.10:5672
+
+
+## SSL listeners are configured in the same fashion as TCP listeners,
+## including the option to control the choice of interface.
+##
+# listener.ssl.default = 5671
+
+## Number of Erlang processes that will accept connections for the TCP
+## and SSL listeners.
+##
+# num_acceptors.tcp = 10
+# num_acceptors.ssl = 1
+
+
+## Maximum time for AMQP 0-8/0-9/0-9-1 handshake (after socket connection
+## and SSL handshake), in milliseconds.
+##
+# handshake_timeout = 10000
+
+## Set to 'true' to perform reverse DNS lookups when accepting a
+## connection. Hostnames will then be shown instead of IP addresses
+## in rabbitmqctl and the management plugin.
+##
+# reverse_dns_lookups = true
+
+##
+## Security / AAA
+## ==============
+##
+
+## The default "guest" user is only permitted to access the server
+## via a loopback interface (e.g. localhost).
+## {loopback_users, [<<"guest">>]},
+##
+# loopback_user.guest = true
+
+## Uncomment the following line if you want to allow access to the
+## guest user from anywhere on the network.
+# loopback_user.guest = false
+
+## Configuring SSL.
+## See http://www.rabbitmq.com/ssl.html for full documentation.
+##
+# ssl_option.verify = verify_peer
+# ssl_option.fail_if_no_peer_cert = false
+# ssl_option.cacertfile = /path/to/rabbitmq.crt
+# ssl_option.certfile = /path/to/rabbitmq.crt
+# ssl_option.keyfile = /path/to/rabbitmq.key
+
+## Choose the available SASL mechanism(s) to expose.
+## The two default (built in) mechanisms are 'PLAIN' and
+## 'AMQPLAIN'. Additional mechanisms can be added via
+## plugins.
+##
+## See http://www.rabbitmq.com/authentication.html for more details.
+##
+# auth_mechanism.plain = PLAIN
+# auth_mechanism.amqplain = AMQPLAIN
+
+## Select an authentication database to use. RabbitMQ comes bundled
+## with a built-in auth-database, based on mnesia.
+##
+# auth_backends.1 = internal
+
+# auth_backends.2.authn = ldap
+# auth_backends.2.authz = internal
+
+# auth_backends.3.authz = rabbit_auth_backend_uaa
+
+## Configurations supporting the rabbitmq_auth_mechanism_ssl and
+## rabbitmq_auth_backend_ldap plugins.
+##
+## NB: These options require that the relevant plugin is enabled.
+## See http://www.rabbitmq.com/plugins.html for further details.
+
+
+## The RabbitMQ-auth-mechanism-ssl plugin makes it possible to
+## authenticate a user based on the client's SSL certificate.
+##
+## To use auth-mechanism-ssl, add to or replace the auth_mechanisms
+## with EXTERNAL value.
+##
+#auth_mechanism.external = EXTERNAL
+
+## The rabbitmq_auth_backend_ldap plugin allows the broker to
+## perform authentication and authorisation by deferring to an
+## external LDAP server.
+##
+## For more information about configuring the LDAP backend, see
+## http://www.rabbitmq.com/ldap.html.
+##
+## Enable the LDAP auth backend by adding to or replacing the
+## auth_backends entry:
+##
+# auth_backends.2 = rabbit_auth_backend_ldap
+
+## Add another backend
+# auth_backend.3 = rabbit_auth_backend_http
+
+
+## This pertains to both the rabbitmq_auth_mechanism_ssl plugin and
+## STOMP ssl_cert_login configurations. See the rabbitmq_stomp
+## configuration section later in this file and the README in
+## https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl for further
+## details.
+##
+## To use the SSL cert's CN instead of its DN as the username
+##
+# ssl_cert_login_from = common_name
+
+## SSL handshake timeout, in milliseconds.
+##
+# ssl_handshake_timeout = 5000
+
+
+## Password hashing implementation. Will only affect newly
+## created users. To recalculate hash for an existing user
+## it's necessary to update her password.
+##
+## To use SHA-512, set to rabbit_password_hashing_sha512.
+##
+# password_hashing_module = rabbit_password_hashing_sha256
+
+## When importing definitions exported from versions earlier
+## than 3.6.0, it is possible to go back to MD5 (only do this
+## as a temporary measure!) by setting this to rabbit_password_hashing_md5.
+##
+# password_hashing_module = rabbit_password_hashing_md5
+
+##
+## Default User / VHost
+## ====================
+##
+
+## On first start RabbitMQ will create a vhost and a user. These
+## config items control what gets created. See
+## http://www.rabbitmq.com/access-control.html for further
+## information about vhosts and access control.
+##
+# default_vhost = /
+# default_user = guest
+# default_pass = guest
+
+# default_permissions.configure = .*
+# default_permissions.read = .*
+# default_permissions.write = .*
+
+## Tags for default user
+##
+## For more details about tags, see the documentation for the
+## Management Plugin at http://www.rabbitmq.com/management.html.
+##
+# default_user_tags.administrator = true
+
+## Define other tags like this:
+# default_user_tags.management = true
+# default_user_tags.custom_tag = true
+
+##
+## Additional network and protocol related configuration
+## =====================================================
+##
+
+## Set the default AMQP heartbeat delay (in seconds).
+##
+# heartbeat = 600
+
+## Set the max permissible size of an AMQP frame (in bytes).
+##
+# frame_max = 131072
+
+## Set the max frame size the server will accept before connection
+## tuning occurs
+##
+# initial_frame_max = 4096
+
+## Set the max permissible number of channels per connection.
+## 0 means "no limit".
+##
+# channel_max = 128
+
+## Customising Socket Options.
+##
+## See (http://www.erlang.org/doc/man/inet.html#setopts-2) for
+## further documentation.
+##
+
+# tcp_listen_option.backlog = 128
+# tcp_listen_option.nodelay = true
+# tcp_listen_option.exit_on_close = false
+
+##
+## Resource Limits & Flow Control
+## ==============================
+##
+## See http://www.rabbitmq.com/memory.html for full details.
+
+## Memory-based Flow Control threshold.
+##
+# vm_memory_high_watermark.relative = 0.4
+
+## Alternatively, we can set a limit (in bytes) of RAM used by the node.
+##
+# vm_memory_high_watermark.absolute = 1073741824
+
+## Or you can set absolute value using memory units (with RabbitMQ 3.6.0+).
+## Absolute watermark will be ignored if relative is defined!
+##
+# vm_memory_high_watermark.absolute = 2GB
+##
+## Supported units suffixes:
+##
+## kb, KB: kibibytes (2^10 bytes)
+## mb, MB: mebibytes (2^20)
+## gb, GB: gibibytes (2^30)
+
+
+
+## Fraction of the high watermark limit at which queues start to
+## page message out to disc in order to free up memory.
+##
+## Values greater than 0.9 can be dangerous and should be used carefully.
+##
+# vm_memory_high_watermark_paging_ratio = 0.5
+
+## Interval (in milliseconds) at which we perform the check of the memory
+## levels against the watermarks.
+##
+# memory_monitor_interval = 2500
+
+## Set disk free limit (in bytes). Once free disk space reaches this
+## lower bound, a disk alarm will be set - see the documentation
+## listed above for more details.
+##
+## Absolute watermark will be ignored if relative is defined!
+# disk_free_limit.absolute = 50000
+
+## Or you can set it using memory units (same as in vm_memory_high_watermark)
+## with RabbitMQ 3.6.0+.
+# disk_free_limit.absolute = 500KB
+# disk_free_limit.absolute = 50mb
+# disk_free_limit.absolute = 5GB
+
+## Alternatively, we can set a limit relative to total available RAM.
+##
+## Values lower than 1.0 can be dangerous and should be used carefully.
+# disk_free_limit.relative = 2.0
+
+##
+## Clustering
+## =====================
+##
+# cluster_partition_handling = ignore
+
+## pause_if_all_down strategy require additional configuration
+# cluster_partition_handling = pause_if_all_down
+
+## Recover strategy. Can be either 'autoheal' or 'ignore'
+# cluster_partition_handling.pause_if_all_down.recover = ignore
+
+## Node names to check
+# cluster_partition_handling.pause_if_all_down.node.rabbit = rabbit@localhost
+# cluster_partition_handling.pause_if_all_down.node.hare = hare@localhost
+
+## Mirror sync batch size, in messages. Increasing this will speed
+## up syncing but total batch size in bytes must not exceed 2 GiB.
+## Available in RabbitMQ 3.6.0 or later.
+##
+# mirroring_sync_batch_size = 4096
+
+## Make clustering happen *automatically* at startup - only applied
+## to nodes that have just been reset or started for the first time.
+## See http://www.rabbitmq.com/clustering.html#auto-config for
+## further details.
+##
+# cluster_nodes.disc.rabbit = rabbit@my.host.com
+
+## You can define multiple nodes
+# cluster_nodes.disc.hare = hare@my.host.com
+
+## There can be also ram nodes.
+## Ram nodes should not be defined together with disk nodes
+# cluster_nodes.ram.rabbit = rabbit@my.host.com
+
+## Interval (in milliseconds) at which we send keepalive messages
+## to other cluster members. Note that this is not the same thing
+## as net_ticktime; missed keepalive messages will not cause nodes
+## to be considered down.
+##
+# cluster_keepalive_interval = 10000
+
+##
+## Statistics Collection
+## =====================
+##
+
+## Set (internal) statistics collection granularity.
+##
+## Can be none, coarse or fine
+# collect_statistics = none
+
+# collect_statistics = coarse
+
+## Statistics collection interval (in milliseconds). Increasing
+## this will reduce the load on management database.
+##
+# collect_statistics_interval = 5000
+
+##
+## Misc/Advanced Options
+## =====================
+##
+## NB: Change these only if you understand what you are doing!
+##
+
+## Explicitly enable/disable hipe compilation.
+##
+# hipe_compile = false
+
+## Timeout used when waiting for Mnesia tables in a cluster to
+## become available.
+##
+# mnesia_table_loading_timeout = 30000
+
+## Size in bytes below which to embed messages in the queue index. See
+## http://www.rabbitmq.com/persistence-conf.html
+##
+# queue_index_embed_msgs_below = 4096
+
+## You can also set this size in memory units
+##
+# queue_index_embed_msgs_below = 4kb
+
+## ----------------------------------------------------------------------------
+## Advanced Erlang Networking/Clustering Options.
+##
+## See http://www.rabbitmq.com/clustering.html for details
+## ----------------------------------------------------------------------------
+
+# ======================================
+# Kernel section
+# ======================================
+
+# kernel.net_ticktime = 60
+
+## ----------------------------------------------------------------------------
+## RabbitMQ Management Plugin
+##
+## See http://www.rabbitmq.com/management.html for details
+## ----------------------------------------------------------------------------
+
+# =======================================
+# Management section
+# =======================================
+
+## Pre-Load schema definitions from the following JSON file. See
+## http://www.rabbitmq.com/management.html#load-definitions
+##
+# management.load_definitions = /path/to/schema.json
+
+## Log all requests to the management HTTP API to a file.
+##
+# management.http_log_dir = /path/to/access.log
+
+## Change the port on which the HTTP listener listens,
+## specifying an interface for the web server to bind to.
+## Also set the listener to use SSL and provide SSL options.
+##
+
+# QA: Maybe use IP type like in tcp_listener?
+# management.listener.port = 12345
+# management.listener.ip = 127.0.0.1
+# management.listener.ssl = true
+
+# management.listener.ssl_opts.cacertfile = /path/to/cacert.pem
+# management.listener.ssl_opts.certfile = /path/to/cert.pem
+# management.listener.ssl_opts.keyfile = /path/to/key.pem
+
+## One of 'basic', 'detailed' or 'none'. See
+## http://www.rabbitmq.com/management.html#fine-stats for more details.
+# management.rates_mode = basic
+
+## Configure how long aggregated data (such as message rates and queue
+## lengths) is retained. Please read the plugin's documentation in
+## http://www.rabbitmq.com/management.html#configuration for more
+## details.
+## Your can use 'minute', 'hour' and '24hours' keys or integer key (in seconds)
+# management.sample_retention_policies.global.minute = 5
+# management.sample_retention_policies.global.hour = 60
+# management.sample_retention_policies.global.24hours = 1200
+
+# management.sample_retention_policies.basic.minute = 5
+# management.sample_retention_policies.basic.hour = 60
+
+# management.sample_retention_policies.detailed.10 = 5
+
+## ----------------------------------------------------------------------------
+## RabbitMQ Shovel Plugin
+##
+## See http://www.rabbitmq.com/shovel.html for details
+## ----------------------------------------------------------------------------
+
+## Shovel plugin config example is defined in additional.config file
+
+
+## ----------------------------------------------------------------------------
+## RabbitMQ Stomp Adapter
+##
+## See http://www.rabbitmq.com/stomp.html for details
+## ----------------------------------------------------------------------------
+
+# =======================================
+# STOMP section
+# =======================================
+
+## Network Configuration - the format is generally the same as for the broker
+##
+# stomp.listener.tcp.default = 61613
+
+## Same for ssl listeners
+##
+# stomp.listener.ssl.default = 61614
+
+## Number of Erlang processes that will accept connections for the TCP
+## and SSL listeners.
+##
+# stomp.num_acceptors.tcp = 10
+# stomp.num_acceptors.ssl = 1
+
+## Additional SSL options
+
+## Extract a name from the client's certificate when using SSL.
+##
+# stomp.ssl_cert_login = true
+
+## Set a default user name and password. This is used as the default login
+## whenever a CONNECT frame omits the login and passcode headers.
+##
+## Please note that setting this will allow clients to connect without
+## authenticating!
+##
+# stomp.default_user = guest
+# stomp.default_pass = guest
+
+## If a default user is configured, or you have configured use SSL client
+## certificate based authentication, you can choose to allow clients to
+## omit the CONNECT frame entirely. If set to true, the client is
+## automatically connected as the default user or user supplied in the
+## SSL certificate whenever the first frame sent on a session is not a
+## CONNECT frame.
+##
+# stomp.implicit_connect = true
+
+## ----------------------------------------------------------------------------
+## RabbitMQ MQTT Adapter
+##
+## See https://github.com/rabbitmq/rabbitmq-mqtt/blob/stable/README.md
+## for details
+## ----------------------------------------------------------------------------
+
+# =======================================
+# MQTT section
+# =======================================
+
+## Set the default user name and password. Will be used as the default login
+## if a connecting client provides no other login details.
+##
+## Please note that setting this will allow clients to connect without
+## authenticating!
+##
+# mqtt.default_user = guest
+# mqtt.default_pass = guest
+
+## Enable anonymous access. If this is set to false, clients MUST provide
+## login information in order to connect. See the default_user/default_pass
+## configuration elements for managing logins without authentication.
+##
+# mqtt.allow_anonymous = true
+
+## If you have multiple chosts, specify the one to which the
+## adapter connects.
+##
+# mqtt.vhost = /
+
+## Specify the exchange to which messages from MQTT clients are published.
+##
+# mqtt.exchange = amq.topic
+
+## Specify TTL (time to live) to control the lifetime of non-clean sessions.
+##
+# mqtt.subscription_ttl = 1800000
+
+## Set the prefetch count (governing the maximum number of unacknowledged
+## messages that will be delivered).
+##
+# mqtt.prefetch = 10
+
+## TCP/SSL Configuration (as per the broker configuration).
+##
+# mqtt.listener.tcp.default = 1883
+
+## Same for ssl listener
+##
+# mqtt.listener.ssl.default = 1884
+
+## Number of Erlang processes that will accept connections for the TCP
+## and SSL listeners.
+##
+# mqtt.num_acceptors.tcp = 10
+# mqtt.num_acceptors.ssl = 1
+
+## TCP/Socket options (as per the broker configuration).
+##
+# mqtt.tcp_listen_option.backlog = 128
+# mqtt.tcp_listen_option.nodelay = true
+
+## ----------------------------------------------------------------------------
+## RabbitMQ AMQP 1.0 Support
+##
+## See https://github.com/rabbitmq/rabbitmq-amqp1.0/blob/stable/README.md
+## for details
+## ----------------------------------------------------------------------------
+
+# =======================================
+# AMQP_1 section
+# =======================================
+
+
+## Connections that are not authenticated with SASL will connect as this
+## account. See the README for more information.
+##
+## Please note that setting this will allow clients to connect without
+## authenticating!
+##
+# amqp1_0.default_user = guest
+
+## Enable protocol strict mode. See the README for more information.
+##
+# amqp1_0.protocol_strict_mode = false
+
+## Lager controls logging.
+## See https://github.com/basho/lager for more documentation
+##
+## Log direcrory, taken from the RABBITMQ_LOG_BASE env variable by default.
+##
+# log.dir = /var/log/rabbitmq
+
+## Logging to console (can be true or false)
+##
+# log.console = false
+
+## Loglevel to log to console
+##
+# log.console.level = info
+
+## Logging to file. Can be false or filename.
+## Default:
+# log.file = rabbit.log
+
+## To turn off:
+# log.file = false
+
+## Loglevel to log to file
+##
+# log.file.level = info
+
+## File rotation config. No rotation by defualt.
+## DO NOT SET rotation date to ''. Leave unset if require "" value
+# log.file.rotation.date = $D0
+# log.file.rotation.size = 0
+
+
+## QA: Config for syslog logging
+# log.syslog = false
+# log.syslog.identity = rabbitmq
+# log.syslog.level = info
+# log.syslog.facility = daemon
+
+
+## ----------------------------------------------------------------------------
+## RabbitMQ LDAP Plugin
+##
+## See http://www.rabbitmq.com/ldap.html for details.
+##
+## ----------------------------------------------------------------------------
+
+# =======================================
+# LDAP section
+# =======================================
+
+##
+## Connecting to the LDAP server(s)
+## ================================
+##
+
+## Specify servers to bind to. You *must* set this in order for the plugin
+## to work properly.
+##
+# ldap.servers.1 = your-server-name-goes-here
+
+## You can define multiple servers
+# ldap.servers.2 = your-other-server
+
+## Connect to the LDAP server using SSL
+##
+# ldap.use_ssl = false
+
+## Specify the LDAP port to connect to
+##
+# ldap.port = 389
+
+## LDAP connection timeout, in milliseconds or 'infinity'
+##
+# ldap.timeout = infinity
+
+## Or number
+# ldap.timeout = 500
+
+## Enable logging of LDAP queries.
+## One of
+## - false (no logging is performed)
+## - true (verbose logging of the logic used by the plugin)
+## - network (as true, but additionally logs LDAP network traffic)
+##
+## Defaults to false.
+##
+# ldap.log = false
+
+## Also can be true or network
+# ldap.log = true
+# ldap.log = network
+
+##
+## Authentication
+## ==============
+##
+
+## Pattern to convert the username given through AMQP to a DN before
+## binding
+##
+# ldap.user_dn_pattern = cn=${username},ou=People,dc=example,dc=com
+
+## Alternatively, you can convert a username to a Distinguished
+## Name via an LDAP lookup after binding. See the documentation for
+## full details.
+
+## When converting a username to a dn via a lookup, set these to
+## the name of the attribute that represents the user name, and the
+## base DN for the lookup query.
+##
+# ldap.dn_lookup_attribute = userPrincipalName
+# ldap.dn_lookup_base = DC=gopivotal,DC=com
+
+## Controls how to bind for authorisation queries and also to
+## retrieve the details of users logging in without presenting a
+## password (e.g., SASL EXTERNAL).
+## One of
+## - as_user (to bind as the authenticated user - requires a password)
+## - anon (to bind anonymously)
+## - {UserDN, Password} (to bind with a specified user name and password)
+##
+## Defaults to 'as_user'.
+##
+# ldap.other_bind = as_user
+
+## Or can be more complex:
+# ldap.other_bind.user_dn = User
+# ldap.other_bind.password = Password
+
+## If user_dn and password defined - other options is ignored.
+
+# -----------------------------
+# Too complex section of LDAP
+# -----------------------------
+
+##
+## Authorisation
+## =============
+##
+
+## The LDAP plugin can perform a variety of queries against your
+## LDAP server to determine questions of authorisation. See
+## http://www.rabbitmq.com/ldap.html#authorisation for more
+## information.
+
+## Following configuration should be defined in additional.config file
+## DO NOT UNCOMMENT THIS LINES!
+
+## Set the query to use when determining vhost access
+##
+## {vhost_access_query, {in_group,
+## "ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}},
+
+## Set the query to use when determining resource (e.g., queue) access
+##
+## {resource_access_query, {constant, true}},
+
+## Set queries to determine which tags a user has
+##
+## {tag_queries, []}
+# ]},
+# -----------------------------
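Review bot: The LDAP connection examples in this new file show `# ldap.use_ssl = false` with `# ldap.port = 389`, and the authentication section binds with the user's own DN and password. Nothing says that with `use_ssl = false` the bind credentials cross the network unencrypted. I would add a comment above `ldap.use_ssl` such as `## With use_ssl = false, bind DNs and passwords are sent to the LDAP server in clear text; prefer true (usually port 636)`. A similar one-line caution fits `ldap.log = network` (traffic logs may include bind data) and `ldap.other_bind.password` (keep the file readable only by the broker user). Separately, the trailing `# ]},` just before the final separator is a leftover from the Erlang-term config and can be dropped.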
diff --git a/schema/rabbitmq.config.schema b/schema/rabbitmq.config.schema
index 2825961799..fdf91baa59 100644
--- a/schema/rabbitmq.config.schema
+++ b/schema/rabbitmq.config.schema
@@ -18,9 +18,7 @@
%% {"::1", 5672}]},
{mapping, "listener.tcp.$name", "rabbit.tcp_listeners",[
- {default, 5672},
- {datatype, [integer, ip]},
- {include_default, "all"}
+ {datatype, [integer, ip]}
]}.
{translation, "rabbit.tcp_listeners",
@@ -35,9 +33,7 @@ end}.
%% {ssl_listeners, [5671]},
{mapping, "listener.ssl.$name", "rabbit.ssl_listeners",[
- {default, 5672},
- {datatype, [integer, ip]},
- {include_default, "all"}
+ {datatype, [integer, ip]}
]}.
{translation, "rabbit.ssl_listeners",
@@ -53,12 +49,10 @@ end}.
%% {num_ssl_acceptors, 1},
{mapping, "num_acceptors.ssl", "rabbit.num_ssl_acceptors", [
- {default, 1},
{datatype, integer}
]}.
{mapping, "num_acceptors.tcp", "rabbit.num_tcp_acceptors", [
- {default, 10},
{datatype, integer}
]}.
@@ -69,7 +63,6 @@ end}.
%% {handshake_timeout, 10000},
{mapping, "handshake_timeout", "rabbit.handshake_timeout", [
- {default, 10000},
{datatype, integer}
]}.
@@ -80,7 +73,6 @@ end}.
%% {reverse_dns_lookups, true},
{mapping, "reverse_dns_lookups", "rabbit.reverse_dns_lookups", [
- {default, true},
{datatype, {enum, [true, false]}}
]}.
@@ -103,9 +95,7 @@ end}.
%% {loopback_users, []},
{mapping, "loopback_user.$user", "rabbit.loopback_users", [
- {default, true},
- {datatype, atom},
- {include_default, "guest"}
+ {datatype, atom}
]}.
{translation, "rabbit.loopback_users",
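Review bot: Removing `{default, true}` and `{include_default, "guest"}` from `loopback_user.$user` means a config with no `loopback_user.*` key no longer injects the guest restriction through the schema. What reaches `rabbit.loopback_users` then depends on the translation body, which lies outside this hunk. If that fun returns `[]` for an empty match, the guest account would no longer be limited to loopback connections. Please confirm the translation leaves the key unset in that case (for example by calling `cuttlefish:unset()`), so the broker's own default still applies. A comment on the mapping stating that the default now comes from the rabbit application environment would also help.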
@@ -247,16 +237,87 @@ end}.
%%
%% {auth_backends, [rabbit_auth_backend_internal]},
-{mapping, "auth_backend.$name", "rabbit.auth_backends", [
- {datatype, atom}
-]}.
-
{translation, "rabbit.auth_backends",
fun(Conf) ->
- Settings = cuttlefish_variable:filter_by_prefix("auth_backend", Conf),
- [ V || {_, V} <- Settings ]
+ Settings = cuttlefish_variable:filter_by_prefix("auth_backends", Conf),
+ BackendModule = fun
+ (internal) -> rabbit_auth_backend_internal;
+ (ldap) -> rabbit_auth_backend_ldap;
+ (http) -> rabbit_auth_backend_http;
+ (amqp) -> rabbit_auth_backend_amqp;
+ (dummy) -> rabbit_auth_backend_dummy;
+ (Other) when is_atom(Other) -> Other;
+ (_) -> cuttlefish:invalid("Invalid auth backend")
+ end,
+ AuthBackends = [ {Num, {default, BackendModule(V)}} || {["auth_backends", Num], V} <- Settings ],
+ AuthNBackends = [ {Num, {authn, BackendModule(V)}} || {["auth_backends", Num, "authn"], V} <- Settings ],
+ AuthZBackends = [ {Num, {authz, BackendModule(V)}} || {["auth_backends", Num, "authz"], V} <- Settings ],
+ Backends = lists:foldl(
+ fun({NumStr, {Type, V}}, Acc) ->
+ Num = case catch list_to_integer(NumStr) of
+ N when is_integer(N) -> N;
+ Err ->
+ cuttlefish:invalid(
+ iolist_to_binary(io_lib:format(
+ "Auth backend number should be integer ~p", [Err])))
+ end,
+ NewVal = case dict:find(Num, Acc) of
+ {ok, {AuthN, AuthZ}} ->
+ case {Type, AuthN, AuthZ} of
+ {authn, undefined, _} ->
+ {V, AuthZ};
+ {authz, _, undefined} ->
+ {AuthN, V};
+ _ ->
+ cuttlefish:invalid(
+ iolist_to_binary(
+ io_lib:format(
+ "Auth backend already defined for ~pth ~p backend",
+ [Num, Type])))
+ end;
+ error ->
+ case Type of
+ authn -> {V, undefined};
+ authz -> {undefined, V};
+ default -> {V, V}
+ end
+ end,
+ dict:store(Num, NewVal, Acc)
+ end,
+ dict:new(),
+ AuthBackends ++ AuthNBackends ++ AuthZBackends),
+ lists:map(
+ fun
+ ({Num, {undefined, AuthZ}}) ->
+ cuttlefish:warn(
+ io_lib:format(
+ "Auth backend undefined for ~pth authz backend. Using ~p",
+ [Num, AuthZ])),
+ {AuthZ, AuthZ};
+ ({Num, {AuthN, undefined}}) ->
+ cuttlefish:warn(
+ io_lib:format(
+ "Auth backend undefined for ~pth authn backend. Using ~p",
+ [Num, AuthN])),
+ {AuthN, AuthN};
+ ({_Num, {Auth, Auth}}) -> Auth;
+ ({_Num, {AuthN, AuthZ}}) -> {AuthN, AuthZ}
+ end,
+ lists:keysort(1, dict:to_list(Backends)))
end}.
+{mapping, "auth_backends.$num", "rabbit.auth_backends", [
+ {datatype, atom}
+]}.
+
+{mapping, "auth_backends.$num.authn", "rabbit.auth_backends",[
+ {datatype, atom}
+]}.
+
+{mapping, "auth_backends.$num.authz", "rabbit.auth_backends",[
+ {datatype, atom}
+]}.
+
%% This pertains to both the rabbitmq_auth_mechanism_ssl plugin and
%% STOMP ssl_cert_login configurations. See the rabbitmq_stomp
%% configuration section later in this file and the README in
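Review bot: The two `cuttlefish:warn` clauses in the final `lists:map` fail open: when only `auth_backends.N.authz` (or only `.authn`) is set, the missing half is filled with the other module, so a backend configured for authorization alone also becomes an authentication backend. The example rabbitmq.conf in this commit has exactly that shape (`auth_backends.3.authz = rabbit_auth_backend_uaa` with no `.authn`) and would need an explicit `.authn` line. I would reject a half-defined entry with `cuttlefish:invalid`, as sketched below; the current warning texts also name the half that is present rather than the one that is missing. Separately, `(Other) when is_atom(Other) -> Other` passes any misspelled alias through as a module name, and with `{datatype, atom}` the `(_)` clause looks unreachable.

```erlang
    lists:map(
        fun
            ({Num, {undefined, _AuthZ}}) ->
                cuttlefish:invalid(
                    iolist_to_binary(io_lib:format(
                        "auth_backends.~p.authz is set but auth_backends.~p.authn is missing",
                        [Num, Num])));
            ({Num, {_AuthN, undefined}}) ->
                cuttlefish:invalid(
                    iolist_to_binary(io_lib:format(
                        "auth_backends.~p.authn is set but auth_backends.~p.authz is missing",
                        [Num, Num])));
            %% … unchanged: the {Auth, Auth} and {AuthN, AuthZ} clauses …
```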
@@ -338,17 +399,14 @@ fun(Conf) ->
end}.
{mapping, "default_permissions.configure", "rabbit.default_permissions", [
- {default, ".*"},
{datatype, string}
]}.
{mapping, "default_permissions.read", "rabbit.default_permissions", [
- {default, ".*"},
{datatype, string}
]}.
{mapping, "default_permissions.write", "rabbit.default_permissions", [
- {default, ".*"},
{datatype, string}
]}.
@@ -505,7 +563,6 @@ end}.
%% gb, GB: gibibytes (2^30)
{mapping, "vm_memory_high_watermark.relative", "rabbit.vm_memory_high_watermark", [
- {default, 0.4},
{datatype, float}]}.
{mapping, "vm_memory_high_watermark.absolute", "rabbit.vm_memory_high_watermark", [
@@ -561,7 +618,6 @@ end}.
%% {disk_free_limit, {mem_relative, 2.0}},
{mapping, "disk_free_limit.relative", "rabbit.disk_free_limit", [
- {default, 0.4},
{datatype, float}]}.
{mapping, "disk_free_limit.absolute", "rabbit.disk_free_limit", [
@@ -749,13 +805,13 @@ end}.
%% authenticating!
%%
%% {default_user, "guest"},
-{mapping, "amqp1.default_user", "rabbitmq_amqp1_0.default_user",
+{mapping, "amqp1_0.default_user", "rabbitmq_amqp1_0.default_user",
[{datatype, string}]}.
%% Enable protocol strict mode. See the README for more information.
%%
%% {protocol_strict_mode, false}
% ]},
-{mapping, "amqp1.protocol_strict_mode", "rabbitmq_amqp1_0.protocol_strict_mode",
+{mapping, "amqp1_0.protocol_strict_mode", "rabbitmq_amqp1_0.protocol_strict_mode",
[{datatype, {enum, [true, false]}}]}.
@@ -768,38 +824,30 @@ end}.
{validators, ["dir_writable"]}]}.
{mapping, "log.console", "lager.handlers", [
- {datatype, {enum, [true, false]}},
- {default, false}
+ {datatype, {enum, [true, false]}}
]}.
{mapping, "log.syslog", "lager.handlers", [
- {datatype, {enum, [true, false]}},
- {default, false}
+ {datatype, {enum, [true, false]}}
]}.
{mapping, "log.file", "lager.handlers", [
- {datatype, [{enum, [false]}, string]},
- {default, "rabbitmq.log"}
+ {datatype, [{enum, [false]}, string]}
]}.
{mapping, "log.file.level", "lager.handlers", [
- {datatype, {enum, [debug, info, warning, error]}},
- {default, info}
+ {datatype, {enum, [debug, info, warning, error]}}
]}.
{mapping, "log.$handler.level", "lager.handlers", [
- {datatype, {enum, [debug, info, warning, error]}},
- {default, info}
+ {datatype, {enum, [debug, info, warning, error]}}
]}.
{mapping, "log.file.rotation.date", "lager.handlers", [
- {datatype, string},
- {default, ""}
+ {datatype, string}
]}.
{mapping, "log.file.rotation.size", "lager.handlers", [
- {datatype, integer},
- {default, 0}
+ {datatype, integer}
]}.
{mapping, "log.file.rotation.count", "lager.handlers", [
- {datatype, integer},
- {default, 10}
+ {datatype, integer}
]}.
{mapping, "log.syslog.identity", "lager.handlers", [
@@ -811,34 +859,37 @@ end}.
{translation, "lager.handlers",
fun(Conf) ->
- ConsoleHandler = case cuttlefish:conf_get("log.console", Conf) of
+ ConsoleHandler = case cuttlefish:conf_get("log.console", Conf, false) of
true ->
- ConsoleLevel = cuttlefish:conf_get("log.console.level", Conf),
+ ConsoleLevel = cuttlefish:conf_get("log.console.level", Conf, info),
[{lager_console_backend, ConsoleLevel}];
false -> []
end,
- FileHandler = case cuttlefish:conf_get("log.file", Conf) of
+ FileHandler = case cuttlefish:conf_get("log.file", Conf, false) of
false -> [];
File ->
- FileLevel = cuttlefish:conf_get("log.file.level", Conf),
- RotationDate = cuttlefish:conf_get("log.file.rotation.date", Conf),
- RotationSize = cuttlefish:conf_get("log.file.rotation.size", Conf),
- RotationCount = cuttlefish:conf_get("log.file.rotation.count", Conf),
+ FileLevel = cuttlefish:conf_get("log.file.level", Conf, info),
+ RotationDate = cuttlefish:conf_get("log.file.rotation.date", Conf, ""),
+ RotationSize = cuttlefish:conf_get("log.file.rotation.size", Conf, 0),
+ RotationCount = cuttlefish:conf_get("log.file.rotation.count", Conf, 10),
[{lager_file_backend, [{file, File},
{level, FileLevel},
{date, RotationDate},
{size, RotationSize},
{count, RotationCount}]}]
end,
- SyslogHandler = case cuttlefish:conf_get("log.syslog", Conf) of
+ SyslogHandler = case cuttlefish:conf_get("log.syslog", Conf, false) of
false -> [];
true ->
- SyslogLevel = cuttlefish:conf_get("log.syslog.level", Conf),
+ SyslogLevel = cuttlefish:conf_get("log.syslog.level", Conf, info),
Identity = cuttlefish:conf_get("log.syslog.identity", Conf),
Facility = cuttlefish:conf_get("log.syslog.facility", Conf),
[{lager_syslog_backend, [Identity, Facility, SyslogLevel]}]
end,
- ConsoleHandler ++ FileHandler ++ SyslogHandler
+ case ConsoleHandler ++ FileHandler ++ SyslogHandler of
+ [] -> undefined;
+ Other -> Other
+ end
end}.
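Review bot: File logging is now off unless configured: `cuttlefish:conf_get("log.file", Conf, false)` replaces the removed mapping default `"rabbitmq.log"`, and with no `log.*` key set the translation returns `undefined`. What lager does with `handlers = undefined` is not visible here, so it is worth confirming that a broker with an empty config still writes a log, since that is where connection and authentication failures would be looked for. If the intent is to fall back to lager's own defaults, a comment on the `[] -> undefined` branch should say so. Also, `log.syslog.identity` and `log.syslog.facility` are still read with two-argument `conf_get`, unlike the other calls changed in this hunk; unless their mappings (outside the hunk) keep a default, setting `log.syslog = true` alone would presumably fail the translation.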
diff --git a/schema/rabbitmq.management.schema b/schema/rabbitmq.management.schema
index 4c19e8643c..b806252217 100644
--- a/schema/rabbitmq.management.schema
+++ b/schema/rabbitmq.management.schema
@@ -84,8 +84,13 @@ fun(Conf) ->
Global = cuttlefish_variable:filter_by_prefix("management.sample_retention_policies.global", Conf),
Basic = cuttlefish_variable:filter_by_prefix("management.sample_retention_policies.basic", Conf),
Detailed = cuttlefish_variable:filter_by_prefix("management.sample_retention_policies.detailed", Conf),
+ TranslateKey = fun("minute") -> 60;
+ ("hour") -> 3600;
+ ("24hours") -> 86400;
+ (Other) -> list_to_integer(Other)
+ end,
TranslatePolicy = fun(Section) ->
- [ {list_to_integer(Key), Val} || {[_,_,_,Key], Val} <- Section ]
+ [ {TranslateKey(Key), Val} || {[_,_,_,Key], Val} <- Section ]
end,
[{global, TranslatePolicy(Global)},
{basic, TranslatePolicy(Basic)},
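Review bot: The fallback clause `(Other) -> list_to_integer(Other)` in `TranslateKey` raises a bare `badarg` for an unrecognised key such as a misspelled alias, which gives the operator no hint about which setting is wrong. I would report it through cuttlefish instead, e.g. `(Other) -> try list_to_integer(Other) catch error:badarg -> cuttlefish:invalid("Invalid retention policy key: " ++ Other) end`. A one-line comment listing the accepted aliases (`minute`, `hour`, `24hours`, or an integer, apparently seconds) would also help. The enclosing translation fun starts and ends outside this hunk.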
diff --git a/schema/rabbitmq.mqtt.schema b/schema/rabbitmq.mqtt.schema
index 23af75e655..48dcc35bc5 100644
--- a/schema/rabbitmq.mqtt.schema
+++ b/schema/rabbitmq.mqtt.schema
@@ -68,8 +68,9 @@ end}.
% %% Specify TTL (time to live) to control the lifetime of non-clean sessions.
% %%
% %% {subscription_ttl, 1800000},
-{mapping, "mqtt.subscription_ttl", "rabbitmq_mqtt.subscription_ttl",
- [{datatype, integer}]}.
+{mapping, "mqtt.subscription_ttl", "rabbitmq_mqtt.subscription_ttl", [
+ {datatype, integer}
+]}.
% %% Set the prefetch count (governing the maximum number of unacknowledged
% %% messages that will be delivered).
@@ -84,9 +85,7 @@ end}.
% %% {ssl_listeners, []},
{mapping, "mqtt.listener.tcp.$name", "rabbitmq_mqtt.tcp_listeners",[
- {default, 1883},
- {datatype, [integer, ip]},
- {include_default, "all"}
+ {datatype, [integer, ip]}
]}.
{translation, "rabbitmq_mqtt.tcp_listeners",
@@ -96,9 +95,7 @@ fun(Conf) ->
end}.
{mapping, "mqtt.listener.ssl.$name", "rabbitmq_mqtt.ssl_listeners",[
- {default, 1884},
- {datatype, [integer, ip]},
- {include_default, "all"}
+ {datatype, [integer, ip]}
]}.
{translation, "rabbitmq_mqtt.ssl_listeners",
@@ -114,12 +111,10 @@ end}.
% %% {num_ssl_acceptors, 1},
{mapping, "mqtt.num_acceptors.ssl", "rabbitmq_mqtt.num_ssl_acceptors", [
- {default, 1},
{datatype, integer}
]}.
{mapping, "mqtt.num_acceptors.tcp", "rabbitmq_mqtt.num_tcp_acceptors", [
- {default, 10},
{datatype, integer}
]}.
diff --git a/schema/rabbitmq.stomp.schema b/schema/rabbitmq.stomp.schema
index 5b40a9661a..e7f726dd17 100644
--- a/schema/rabbitmq.stomp.schema
+++ b/schema/rabbitmq.stomp.schema
@@ -12,9 +12,7 @@
% %% {"::1", 61613}]},
{mapping, "stomp.listener.tcp.$name", "rabbitmq_stomp.tcp_listeners",[
- {default, 61613},
- {datatype, [integer, ip]},
- {include_default, "all"}
+ {datatype, [integer, ip]}
]}.
{translation, "rabbitmq_stomp.tcp_listeners",
@@ -24,9 +22,7 @@ fun(Conf) ->
end}.
{mapping, "stomp.listener.ssl.$name", "rabbitmq_stomp.ssl_listeners",[
- {default, 61614},
- {datatype, [integer, ip]},
- {include_default, "all"}
+ {datatype, [integer, ip]}
]}.
{translation, "rabbitmq_stomp.ssl_listeners",
@@ -42,12 +38,10 @@ end}.
% %% {num_ssl_acceptors, 1},
{mapping, "stomp.num_acceptors.ssl", "rabbitmq_stomp.num_ssl_acceptors", [
- {default, 1},
{datatype, integer}
]}.
{mapping, "stomp.num_acceptors.tcp", "rabbitmq_stomp.num_tcp_acceptors", [
- {default, 10},
{datatype, integer}
]}.