| -rw-r--r-- | docs/rabbitmq.conf.example | 30 | ||||
| -rw-r--r-- | priv/schema/rabbitmq.schema | 1 | ||||
| -rw-r--r-- | rabbitmq.conf.d/ldap.conf | 138 | ||||
| -rw-r--r-- | rabbitmq.conf.d/rabbitmq.conf | 731 | ||||
| -rw-r--r-- | test/config_schema_SUITE_data/snippets.config | 58 |
5 files changed, 58 insertions, 900 deletions
diff --git a/docs/rabbitmq.conf.example b/docs/rabbitmq.conf.example
index 96d0967db7..de59985471 100644
--- a/docs/rabbitmq.conf.example
+++ b/docs/rabbitmq.conf.example
@@ -660,25 +660,25 @@
 ## Specify servers to bind to. You *must* set this in order for the plugin
 ## to work properly.
 ##
-# ldap.servers.1 = your-server-name-goes-here
+# auth_ldap.servers.1 = your-server-name-goes-here
 
 ## You can define multiple servers
-# ldap.servers.2 = your-other-server
+# auth_ldap.servers.2 = your-other-server
 
 ## Connect to the LDAP server using SSL
 ##
-# ldap.use_ssl = false
+# auth_ldap.use_ssl = false
 
 ## Specify the LDAP port to connect to
 ##
-# ldap.port = 389
+# auth_ldap.port = 389
 
 ## LDAP connection timeout, in milliseconds or 'infinity'
 ##
-# ldap.timeout = infinity
+# auth_ldap.timeout = infinity
 
 ## Or number
-# ldap.timeout = 500
+# auth_ldap.timeout = 500
 
 ## Enable logging of LDAP queries.
 ## One of
@@ -688,11 +688,11 @@
 ##
 ## Defaults to false.
 ##
-# ldap.log = false
+# auth_ldap.log = false
 
 ## Also can be true or network
-# ldap.log = true
-# ldap.log = network
+# auth_ldap.log = true
+# auth_ldap.log = network
 
 ##
 ## Authentication
@@ -702,7 +702,7 @@
 ## Pattern to convert the username given through AMQP to a DN before
 ## binding
 ##
-# ldap.user_dn_pattern = cn=${username},ou=People,dc=example,dc=com
+# auth_ldap.user_dn_pattern = cn=${username},ou=People,dc=example,dc=com
 
 ## Alternatively, you can convert a username to a Distinguished
 ## Name via an LDAP lookup after binding. See the documentation for
@@ -712,8 +712,8 @@
 ## the name of the attribute that represents the user name, and the
 ## base DN for the lookup query.
 ##
-# ldap.dn_lookup_attribute = userPrincipalName
-# ldap.dn_lookup_base = DC=gopivotal,DC=com
+# auth_ldap.dn_lookup_attribute = userPrincipalName
+# auth_ldap.dn_lookup_base = DC=gopivotal,DC=com
 
 ## Controls how to bind for authorisation queries and also to
 ## retrieve the details of users logging in without presenting a
@@ -725,11 +725,11 @@
 ##
 ## Defaults to 'as_user'.
 ##
-# ldap.other_bind = as_user
+# auth_ldap.other_bind = as_user
 
 ## Or can be more complex:
-# ldap.other_bind.user_dn = User
-# ldap.other_bind.password = Password
+# auth_ldap.other_bind.user_dn = User
+# auth_ldap.other_bind.password = Password
 
 ## If user_dn and password defined - other options is ignored.
 
diff --git a/priv/schema/rabbitmq.schema b/priv/schema/rabbitmq.schema
index 89c73139e4..84e3c19e4d 100644
--- a/priv/schema/rabbitmq.schema
+++ b/priv/schema/rabbitmq.schema
@@ -284,6 +284,7 @@ fun(Conf) ->
 (internal) -> rabbit_auth_backend_internal;
 (ldap) -> rabbit_auth_backend_ldap;
 (http) -> rabbit_auth_backend_http;
+(cache) -> rabbit_auth_backend_cache;
 (amqp) -> rabbit_auth_backend_amqp;
 (dummy) -> rabbit_auth_backend_dummy;
 (cache) -> rabbit_auth_backend_cache;
diff --git a/rabbitmq.conf.d/ldap.conf b/rabbitmq.conf.d/ldap.conf
deleted file mode 100644
index 2f51cbb409..0000000000
--- a/rabbitmq.conf.d/ldap.conf
+++ /dev/null
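Review bot: The added `(cache) -> rabbit_auth_backend_cache;` clause in the rabbitmq.schema hunk duplicates the identical clause that is already present three lines further down in the same context, so after this change the later `(cache)` clause can never be reached. Only one of the two is needed; since the mapping already existed before this commit, dropping the added line leaves behaviour unchanged, which suggests the hunk may not do what was intended (perhaps a different backend atom was meant). The enclosing `fun(Conf) ->` begins before the hunk, so I cannot see whether other duplicate clauses exist there.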
@@ -1,138 +0,0 @@ -# ## ---------------------------------------------------------------------------- -# ## RabbitMQ LDAP Plugin -# ## -# ## See http://www.rabbitmq.com/ldap.html for details. -# ## -# ## ---------------------------------------------------------------------------- - - -# ======================================= -# LDAP section -# ======================================= - -# Should be defined in additional.conf maybe? - -# {rabbitmq_auth_backend_ldap, -# [## -# ## Connecting to the LDAP server(s) -# ## ================================ -# ## - -# ## Specify servers to bind to. You *must* set this in order for the plugin -# ## to work properly. -# ## -# ## {servers, ["your-server-name-goes-here"]}, - -ldap.servers.myserver = your-server-name-goes-here - -# ## Connect to the LDAP server using SSL -# ## -# ## {use_ssl, false}, - -ldap.use_ssl = false - -# ## Specify the LDAP port to connect to -# ## -# ## {port, 389}, - -ldap.port = 389 - -# ## LDAP connection timeout, in milliseconds or 'infinity' -# ## -# ## {timeout, infinity}, - -ldap.timeout = infinity - -# Or number -# ldap.timeout = 500 - -# ## Enable logging of LDAP queries. -# ## One of -# ## - false (no logging is performed) -# ## - true (verbose logging of the logic used by the plugin) -# ## - network (as true, but additionally logs LDAP network traffic) -# ## -# ## Defaults to false. -# ## -# ## {log, false}, - -ldap.log = false - -# Also can be true or network -# ldap.log = true -# ldap.log = network - -# ## -# ## Authentication -# ## ============== -# ## - -# ## Pattern to convert the username given through AMQP to a DN before -# ## binding -# ## -# ## {user_dn_pattern, "cn=${username},ou=People,dc=example,dc=com"}, - -ldap.user_dn_pattern = cn=${username},ou=People,dc=example,dc=com - -# ## Alternatively, you can convert a username to a Distinguished -# ## Name via an LDAP lookup after binding. See the documentation for -# ## full details. 
- -# ## When converting a username to a dn via a lookup, set these to -# ## the name of the attribute that represents the user name, and the -# ## base DN for the lookup query. -# ## -# ## {dn_lookup_attribute, "userPrincipalName"}, -# ## {dn_lookup_base, "DC=gopivotal,DC=com"}, - -ldap.dn_lookup_attribute = userPrincipalName -ldap.dn_lookup_base = DC=gopivotal,DC=com - -# ## Controls how to bind for authorisation queries and also to -# ## retrieve the details of users logging in without presenting a -# ## password (e.g., SASL EXTERNAL). -# ## One of -# ## - as_user (to bind as the authenticated user - requires a password) -# ## - anon (to bind anonymously) -# ## - {UserDN, Password} (to bind with a specified user name and password) -# ## -# ## Defaults to 'as_user'. -# ## -# ## {other_bind, as_user}, - -ldap.other_bind = as_user - -# Or can be more complex: -# ldap.other_bind.user_dn = User -# ldap.other_bind.password = Password -# If user_dn and password defined - other options is ignored. - -# ----------------------------- -# Too complex section of LDAP -# ----------------------------- - -# ## -# ## Authorisation -# ## ============= -# ## - -# ## The LDAP plugin can perform a variety of queries against your -# ## LDAP server to determine questions of authorisation. See -# ## http://www.rabbitmq.com/ldap.html#authorisation for more -# ## information. - -# ## Set the query to use when determining vhost access -# ## -# ## {vhost_access_query, {in_group, -# ## "ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}}, - -# ## Set the query to use when determining resource (e.g., queue) access -# ## -# ## {resource_access_query, {constant, true}}, - -# ## Set queries to determine which tags a user has -# ## -# ## {tag_queries, []} -# ]}, -# ----------------------------- - diff --git a/rabbitmq.conf.d/rabbitmq.conf b/rabbitmq.conf.d/rabbitmq.conf deleted file mode 100644 index 6d43dc9f7f..0000000000 --- a/rabbitmq.conf.d/rabbitmq.conf +++ /dev/null 
@@ -1,731 +0,0 @@ -# ====================================== -# RabbbitMQ broker section -# ====================================== - -## Network Connectivity -## ==================== -## -## By default, RabbitMQ will listen on all interfaces, using -## the standard (reserved) AMQP port. -## -listener.tcp.default = 5672 - - -## To listen on a specific interface, provide an IP address with port. -## For example, to listen only on localhost for both IPv4 and IPv6: -## -# IPv4 -# listener.tcp.local = 127.0.0.1:5672 -# IPv6 -# listener.tcp.local_v6 = ::1:5672 - -## You can define multiple listeners using listener names -# listener.tcp.other_port = 5673 -# listener.tcp.other_ip = 10.10.10.10:5672 - - -## SSL listeners are configured in the same fashion as TCP listeners, -## including the option to control the choice of interface. -## -# listener.ssl.default = 5671 - -## Number of Erlang processes that will accept connections for the TCP -## and SSL listeners. -## -num_acceptors.tcp = 10 -num_acceptors.ssl = 1 - - -## Maximum time for AMQP 0-8/0-9/0-9-1 handshake (after socket connection -## and SSL handshake), in milliseconds. -## -handshake_timeout = 10000 - -## Set to 'true' to perform reverse DNS lookups when accepting a -## connection. Hostnames will then be shown instead of IP addresses -## in rabbitmqctl and the management plugin. -## -reverse_dns_lookups = true - -## -## Security / AAA -## ============== -## - -## The default "guest" user is only permitted to access the server -## via a loopback interface (e.g. localhost). -## {loopback_users, [<<"guest">>]}, -## -loopback_user.guest = true - -## Uncomment the following line if you want to allow access to the -## guest user from anywhere on the network. -# loopback_user.guest = false - -## Configuring SSL. -## See http://www.rabbitmq.com/ssl.html for full documentation. 
-## -ssl_option.verify = verify_peer -ssl_option.fail_if_no_peer_cert = false -# ssl_option.cacertfile = /path/to/rabbitmq.crt -# ssl_option.certfile = /path/to/rabbitmq.crt -# ssl_option.keyfile = /path/to/rabbitmq.key - -## Choose the available SASL mechanism(s) to expose. -## The two default (built in) mechanisms are 'PLAIN' and -## 'AMQPLAIN'. Additional mechanisms can be added via -## plugins. -## -## See http://www.rabbitmq.com/authentication.html for more details. -## -auth_mechanism.plain = PLAIN -auth_mechanism.amqplain = AMQPLAIN - -## Select an authentication database to use. RabbitMQ comes bundled -## with a built-in auth-database, based on mnesia. -## -auth_backends.1 = internal - -auth_backends.2.authn = ldap -auth_backends.2.authz = internal - -auth_backends.3.authz = rabbit_auth_backend_uaa - -## Configurations supporting the rabbitmq_auth_mechanism_ssl and -## rabbitmq_auth_backend_ldap plugins. -## -## NB: These options require that the relevant plugin is enabled. -## See http://www.rabbitmq.com/plugins.html for further details. - - -## The RabbitMQ-auth-mechanism-ssl plugin makes it possible to -## authenticate a user based on the client's SSL certificate. -## -## To use auth-mechanism-ssl, add to or replace the auth_mechanisms -## with EXTERNAL value. -## -#auth_mechanism.external = EXTERNAL - -## The rabbitmq_auth_backend_ldap plugin allows the broker to -## perform authentication and authorisation by deferring to an -## external LDAP server. -## -## For more information about configuring the LDAP backend, see -## http://www.rabbitmq.com/ldap.html. -## -## Enable the LDAP auth backend by adding to or replacing the -## auth_backends entry: -## -# auth_backends.2 = rabbit_auth_backend_ldap - -## Add another backend -# auth_backend.3 = rabbit_auth_backend_http - - -## This pertains to both the rabbitmq_auth_mechanism_ssl plugin and -## STOMP ssl_cert_login configurations. 
See the rabbitmq_stomp -## configuration section later in this file and the README in -## https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl for further -## details. -## -## To use the SSL cert's CN instead of its DN as the username -## -# ssl_cert_login_from = common_name - -## SSL handshake timeout, in milliseconds. -## -# ssl_handshake_timeout = 5000 - - -## Password hashing implementation. Will only affect newly -## created users. To recalculate hash for an existing user -## it's necessary to update her password. -## -## To use SHA-512, set to rabbit_password_hashing_sha512. -## -password_hashing_module = rabbit_password_hashing_sha256 - -## When importing definitions exported from versions earlier -## than 3.6.0, it is possible to go back to MD5 (only do this -## as a temporary measure!) by setting this to rabbit_password_hashing_md5. -## -# password_hashing_module = rabbit_password_hashing_md5 - -## -## Default User / VHost -## ==================== -## - -## On first start RabbitMQ will create a vhost and a user. These -## config items control what gets created. See -## http://www.rabbitmq.com/access-control.html for further -## information about vhosts and access control. -## -default_vhost = / -default_user = guest -default_pass = guest - -default_permissions.configure = .* -default_permissions.read = .* -default_permissions.write = .* - -## Tags for default user -## -## For more details about tags, see the documentation for the -## Management Plugin at http://www.rabbitmq.com/management.html. -## -default_user_tags.administrator = true - -## Define other tags like this: -# default_user_tags.management = true -# default_user_tags.custom_tag = true - -## -## Additional network and protocol related configuration -## ===================================================== -## - -## Set the default AMQP heartbeat delay (in seconds). -## -heartbeat = 600 - -## Set the max permissible size of an AMQP frame (in bytes). 
-## -frame_max = 131072 - -## Set the max frame size the server will accept before connection -## tuning occurs -## -initial_frame_max = 4096 - -## Set the max permissible number of channels per connection. -## 0 means "no limit". -## -channel_max = 128 - -## Customising Socket Options. -## -## See (http://www.erlang.org/doc/man/inet.html#setopts-2) for -## further documentation. -## - -tcp_listen_option.backlog = 128 -tcp_listen_option.nodelay = true -tcp_listen_option.exit_on_close = false - -## -## Resource Limits & Flow Control -## ============================== -## -## See http://www.rabbitmq.com/memory.html for full details. - -## Memory-based Flow Control threshold. -## -vm_memory_high_watermark.relative = 0.4 - -## Alternatively, we can set a limit (in bytes) of RAM used by the node. -## -# vm_memory_high_watermark.absolute = 1073741824 - -## Or you can set absolute value using memory units (with RabbitMQ 3.6.0+). -## Absolute watermark will be ignored if relative is defined! -## -# vm_memory_high_watermark.absolute = 2GB -## -## Supported units suffixes: -## -## kb, KB: kibibytes (2^10 bytes) -## mb, MB: mebibytes (2^20) -## gb, GB: gibibytes (2^30) - - - -## Fraction of the high watermark limit at which queues start to -## page message out to disc in order to free up memory. -## -## Values greater than 0.9 can be dangerous and should be used carefully. -## -vm_memory_high_watermark_paging_ratio = 0.5 - -## Interval (in milliseconds) at which we perform the check of the memory -## levels against the watermarks. -## -memory_monitor_interval = 2500 - -## Set disk free limit (in bytes). Once free disk space reaches this -## lower bound, a disk alarm will be set - see the documentation -## listed above for more details. -## -## Absolute watermark will be ignored if relative is defined! -disk_free_limit.absolute = 50000 - -## Or you can set it using memory units (same as in vm_memory_high_watermark) -## with RabbitMQ 3.6.0+. 
-# disk_free_limit.absolute = 500KB -# disk_free_limit.absolute = 50mb -# disk_free_limit.absolute = 5GB - -## Alternatively, we can set a limit relative to total available RAM. -## -## Values lower than 1.0 can be dangerous and should be used carefully. -disk_free_limit.relative = 2.0 - -## -## Clustering -## ===================== -## -cluster_partition_handling = ignore - -## pause_if_all_down strategy require additional configuration -# cluster_partition_handling = pause_if_all_down - -## Recover strategy. Can be either 'autoheal' or 'ignore' -# cluster_partition_handling.pause_if_all_down.recover = ignore - -## Node names to check -# cluster_partition_handling.pause_if_all_down.node.rabbit = rabbit@localhost -# cluster_partition_handling.pause_if_all_down.node.hare = hare@localhost - -## Mirror sync batch size, in messages. Increasing this will speed -## up syncing but total batch size in bytes must not exceed 2 GiB. -## Available in RabbitMQ 3.6.0 or later. -## -mirroring_sync_batch_size = 4096 - -## Make clustering happen *automatically* at startup - only applied -## to nodes that have just been reset or started for the first time. -## See http://www.rabbitmq.com/clustering.html#auto-config for -## further details. -## -# cluster_nodes.disc.1 = rabbit@my.host.com - -## You can define multiple nodes -# cluster_nodes.disc.2 = hare@my.host.com - -## There can be also ram nodes. -## Ram nodes should not be defined together with disk nodes -# cluster_nodes.ram.1 = rabbit@my.host.com - -## Interval (in milliseconds) at which we send keepalive messages -## to other cluster members. Note that this is not the same thing -## as net_ticktime; missed keepalive messages will not cause nodes -## to be considered down. -## -# cluster_keepalive_interval = 10000 - -## -## Statistics Collection -## ===================== -## - -## Set (internal) statistics collection granularity. 
-## -## Can be none, coarse or fine -collect_statistics = none - -# collect_statistics = coarse - -## Statistics collection interval (in milliseconds). Increasing -## this will reduce the load on management database. -## -collect_statistics_interval = 5000 - -## -## Misc/Advanced Options -## ===================== -## -## NB: Change these only if you understand what you are doing! -## - -## Explicitly enable/disable hipe compilation. -## -hipe_compile = false - -## Timeout used when waiting for Mnesia tables in a cluster to -## become available. -## -mnesia_table_loading_retry_timeout = 30000 - -## Retries when waiting for Mnesia tables in the cluster startup. Note that -## this setting is not applied to Mnesia upgrades or node deletions. -## -## mnesia_table_loading_retry_limit = 10 - -## Size in bytes below which to embed messages in the queue index. See -## http://www.rabbitmq.com/persistence-conf.html -## -queue_index_embed_msgs_below = 4096 - -## You can also set this size in memory units -## -queue_index_embed_msgs_below = 4kb - -## ---------------------------------------------------------------------------- -## Advanced Erlang Networking/Clustering Options. -## -## See http://www.rabbitmq.com/clustering.html for details -## ---------------------------------------------------------------------------- - -# ====================================== -# Kernel section -# ====================================== - -# kernel.net_ticktime = 60 - -## ---------------------------------------------------------------------------- -## RabbitMQ Management Plugin -## -## See http://www.rabbitmq.com/management.html for details -## ---------------------------------------------------------------------------- - -# ======================================= -# Management section -# ======================================= - -## Pre-Load schema definitions from the following JSON file. 
See -## http://www.rabbitmq.com/management.html#load-definitions -## -# management.load_definitions = /path/to/schema.json - -## Log all requests to the management HTTP API to a file. -## -# management.http_log_dir = /path/to/access.log - -## Change the port on which the HTTP listener listens, -## specifying an interface for the web server to bind to. -## Also set the listener to use SSL and provide SSL options. -## - -# QA: Maybe use IP type like in tcp_listener? -management.listener.port = 12345 -management.listener.ip = 127.0.0.1 -# management.listener.ssl = true - -# management.listener.ssl_opts.cacertfile = /path/to/cacert.pem -# management.listener.ssl_opts.certfile = /path/to/cert.pem -# management.listener.ssl_opts.keyfile = /path/to/key.pem - -## One of 'basic', 'detailed' or 'none'. See -## http://www.rabbitmq.com/management.html#fine-stats for more details. -management.rates_mode = basic - -## Configure how long aggregated data (such as message rates and queue -## lengths) is retained. Please read the plugin's documentation in -## http://www.rabbitmq.com/management.html#configuration for more -## details. 
-## Your can use 'minute', 'hour' and '24hours' keys or integer key (in seconds) -management.sample_retention_policies.global.minute = 5 -management.sample_retention_policies.global.hour = 60 -management.sample_retention_policies.global.day = 1200 - -management.sample_retention_policies.basic.minute = 5 -management.sample_retention_policies.basic.hour = 60 - -management.sample_retention_policies.detailed.10 = 5 - -## ---------------------------------------------------------------------------- -## RabbitMQ Shovel Plugin -## -## See http://www.rabbitmq.com/shovel.html for details -## ---------------------------------------------------------------------------- - -## Shovel plugin config example is defined in additional.config file - - -## ---------------------------------------------------------------------------- -## RabbitMQ Stomp Adapter -## -## See http://www.rabbitmq.com/stomp.html for details -## ---------------------------------------------------------------------------- - -# ======================================= -# STOMP section -# ======================================= - -## Network Configuration - the format is generally the same as for the broker -## -stomp.listener.tcp.default = 61613 - -## Same for ssl listeners -## -# stomp.listener.ssl.default = 61614 - -## Number of Erlang processes that will accept connections for the TCP -## and SSL listeners. -## -stomp.num_acceptors.tcp = 10 -stomp.num_acceptors.ssl = 1 - -## Additional SSL options - -## Extract a name from the client's certificate when using SSL. -## -stomp.ssl_cert_login = true - -## Set a default user name and password. This is used as the default login -## whenever a CONNECT frame omits the login and passcode headers. -## -## Please note that setting this will allow clients to connect without -## authenticating! 
-## -# stomp.default_user = guest -# stomp.default_pass = guest - -## If a default user is configured, or you have configured use SSL client -## certificate based authentication, you can choose to allow clients to -## omit the CONNECT frame entirely. If set to true, the client is -## automatically connected as the default user or user supplied in the -## SSL certificate whenever the first frame sent on a session is not a -## CONNECT frame. -## -# stomp.implicit_connect = true - -## ---------------------------------------------------------------------------- -## RabbitMQ MQTT Adapter -## -## See https://github.com/rabbitmq/rabbitmq-mqtt/blob/stable/README.md -## for details -## ---------------------------------------------------------------------------- - -# ======================================= -# MQTT section -# ======================================= - -## Set the default user name and password. Will be used as the default login -## if a connecting client provides no other login details. -## -## Please note that setting this will allow clients to connect without -## authenticating! -## -# mqtt.default_user = guest -# mqtt.default_pass = guest - -## Enable anonymous access. If this is set to false, clients MUST provide -## login information in order to connect. See the default_user/default_pass -## configuration elements for managing logins without authentication. -## -# mqtt.allow_anonymous = true - -## If you have multiple chosts, specify the one to which the -## adapter connects. -## -mqtt.vhost = / - -## Specify the exchange to which messages from MQTT clients are published. -## -mqtt.exchange = amq.topic - -## Specify TTL (time to live) to control the lifetime of non-clean sessions. -## -# mqtt.subscription_ttl = 1800000 - -## Set the prefetch count (governing the maximum number of unacknowledged -## messages that will be delivered). -## -mqtt.prefetch = 10 - -## TCP/SSL Configuration (as per the broker configuration). 
-## -mqtt.listener.tcp.default = 1883 - -## Same for ssl listener -## -# mqtt.listener.ssl.default = 1884 - -## Number of Erlang processes that will accept connections for the TCP -## and SSL listeners. -## -mqtt.num_acceptors.tcp = 10 -mqtt.num_acceptors.ssl = 1 - -## TCP/Socket options (as per the broker configuration). -## -# mqtt.tcp_listen_option.backlog = 128 -# mqtt.tcp_listen_option.nodelay = true - -## ---------------------------------------------------------------------------- -## RabbitMQ AMQP 1.0 Support -## -## See https://github.com/rabbitmq/rabbitmq-amqp1.0/blob/stable/README.md -## for details -## ---------------------------------------------------------------------------- - -# ======================================= -# AMQP_1 section -# ======================================= - - -## Connections that are not authenticated with SASL will connect as this -## account. See the README for more information. -## -## Please note that setting this will allow clients to connect without -## authenticating! -## -amqp1_0.default_user = guest - -## Enable protocol strict mode. See the README for more information. -## -amqp1_0.protocol_strict_mode = false - -## Lager controls logging. -## See https://github.com/basho/lager for more documentation -## -## Log direcrory, taken from the RABBITMQ_LOG_BASE env variable by default. -## -# log.dir = /var/log/rabbitmq - -## Logging to console (can be true or false) -## -# log.console = false - -## Loglevel to log to console -## -# log.console.level = info - -## Logging to file. Can be false or filename. -## Default: -# log.file = rabbit.log - -## To turn off: -# log.file = false - -## Loglevel to log to file -## -# log.file.level = info - -## File rotation config. No rotation by defualt. -## DO NOT SET rotation date to ''. 
Leave unset if require "" value -# log.file.rotation.date = $D0 -# log.file.rotation.size = 0 - - -## QA: Config for syslog logging -# log.syslog = false -# log.syslog.identity = rabbitmq -# log.syslog.level = info -# log.syslog.facility = daemon - - -## ---------------------------------------------------------------------------- -## RabbitMQ LDAP Plugin -## -## See http://www.rabbitmq.com/ldap.html for details. -## -## ---------------------------------------------------------------------------- - -# ======================================= -# LDAP section -# ======================================= - -## -## Connecting to the LDAP server(s) -## ================================ -## - -## Specify servers to bind to. You *must* set this in order for the plugin -## to work properly. -## -# ldap.servers.1 = your-server-name-goes-here - -## You can define multiple servers -# ldap.servers.2 = your-other-server - -## Connect to the LDAP server using SSL -## -# ldap.use_ssl = false - -## Specify the LDAP port to connect to -## -# ldap.port = 389 - -## LDAP connection timeout, in milliseconds or 'infinity' -## -# ldap.timeout = infinity - -## Or number -# ldap.timeout = 500 - -## Enable logging of LDAP queries. -## One of -## - false (no logging is performed) -## - true (verbose logging of the logic used by the plugin) -## - network (as true, but additionally logs LDAP network traffic) -## -## Defaults to false. -## -# ldap.log = false - -## Also can be true or network -# ldap.log = true -# ldap.log = network - -## -## Authentication -## ============== -## - -## Pattern to convert the username given through AMQP to a DN before -## binding -## -# ldap.user_dn_pattern = cn=${username},ou=People,dc=example,dc=com - -## Alternatively, you can convert a username to a Distinguished -## Name via an LDAP lookup after binding. See the documentation for -## full details. 
- -## When converting a username to a dn via a lookup, set these to -## the name of the attribute that represents the user name, and the -## base DN for the lookup query. -## -# ldap.dn_lookup_attribute = userPrincipalName -# ldap.dn_lookup_base = DC=gopivotal,DC=com - -## Controls how to bind for authorisation queries and also to -## retrieve the details of users logging in without presenting a -## password (e.g., SASL EXTERNAL). -## One of -## - as_user (to bind as the authenticated user - requires a password) -## - anon (to bind anonymously) -## - {UserDN, Password} (to bind with a specified user name and password) -## -## Defaults to 'as_user'. -## -# ldap.other_bind = as_user - -## Or can be more complex: -# ldap.other_bind.user_dn = User -# ldap.other_bind.password = Password - -## If user_dn and password defined - other options is ignored. - -# ----------------------------- -# Too complex section of LDAP -# ----------------------------- - -## -## Authorisation -## ============= -## - -## The LDAP plugin can perform a variety of queries against your -## LDAP server to determine questions of authorisation. See -## http://www.rabbitmq.com/ldap.html#authorisation for more -## information. - -## Following configuration should be defined in additional.config file -## DO NOT UNCOMMENT THIS LINES! - -## Set the query to use when determining vhost access -## -## {vhost_access_query, {in_group, -## "ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}}, - -## Set the query to use when determining resource (e.g., queue) access -## -## {resource_access_query, {constant, true}}, - -## Set queries to determine which tags a user has -## -## {tag_queries, []} -# ]}, -# ----------------------------- diff --git a/test/config_schema_SUITE_data/snippets.config b/test/config_schema_SUITE_data/snippets.config index ca40d2a429..09ddf95969 100644 --- a/test/config_schema_SUITE_data/snippets.config +++ b/test/config_schema_SUITE_data/snippets.config 
@@ -140,46 +140,46 @@ auth_backends.2 = internal", rabbit_auth_backend_internal]}]}],[]} , {16.1, -"rabbitmq_auth_backend_ldap.servers.1 = DC1.domain.com - rabbitmq_auth_backend_ldap.servers.2 = DC1.eng.domain.com", +"auth_ldap.servers.1 = DC1.domain.com + auth_ldap.servers.2 = DC1.eng.domain.com", [{rabbitmq_auth_backend_ldap, [{servers, ["DC1.domain.com", "DC1.eng.domain.com"]}]}], [rabbitmq_auth_backend_ldap]} , {16.2, -"rabbitmq_auth_backend_ldap.servers.1 = hostname1 - rabbitmq_auth_backend_ldap.servers.2 = hostname2", +"auth_ldap.servers.1 = hostname1 + auth_ldap.servers.2 = hostname2", [{rabbitmq_auth_backend_ldap, [{servers, ["hostname1", "hostname2"]}]}], [rabbitmq_auth_backend_ldap]} , {17, -"rabbitmq_auth_backend_ldap.dn_lookup_attribute = userPrincipalName -rabbitmq_auth_backend_ldap.dn_lookup_base = DC=gopivotal,DC=com -rabbitmq_auth_backend_ldap.dn_lookup_bind = as_user", +"auth_ldap.dn_lookup_attribute = userPrincipalName +auth_ldap.dn_lookup_base = DC=gopivotal,DC=com +auth_ldap.dn_lookup_bind = as_user", [{rabbitmq_auth_backend_ldap, [{dn_lookup_attribute, "userPrincipalName"}, {dn_lookup_base, "DC=gopivotal,DC=com"}, {dn_lookup_bind, as_user}]}], [rabbitmq_auth_backend_ldap]} , {18, -"rabbitmq_auth_backend_ldap.dn_lookup_bind.user_dn = username -rabbitmq_auth_backend_ldap.dn_lookup_bind.password = password", +"auth_ldap.dn_lookup_bind.user_dn = username +auth_ldap.dn_lookup_bind.password = password", [{rabbitmq_auth_backend_ldap, [ {dn_lookup_bind, {"username", "password"}}]}], [rabbitmq_auth_backend_ldap]} , {19, -"rabbitmq_auth_backend_ldap.other_bind = anon", +"auth_ldap.other_bind = anon", [{rabbitmq_auth_backend_ldap, [{other_bind, anon}]}], [rabbitmq_auth_backend_ldap]} , {20, -"rabbitmq_auth_backend_ldap.other_bind = as_user", +"auth_ldap.other_bind = as_user", [{rabbitmq_auth_backend_ldap, [{other_bind, as_user}]}], [rabbitmq_auth_backend_ldap]} , {21, -"rabbitmq_auth_backend_ldap.other_bind.user_dn = username 
-rabbitmq_auth_backend_ldap.other_bind.password = password", +"auth_ldap.other_bind.user_dn = username +auth_ldap.other_bind.password = password", [{rabbitmq_auth_backend_ldap, [{other_bind, {"username", "password"}}]}], [rabbitmq_auth_backend_ldap]} , @@ -732,9 +732,9 @@ web_stomp.ssl.password = changeme", [rabbitmq_web_stomp]}, {69, "auth_backends.1 = http -rabbitmq_auth_backend_http.user_path = http://some-server/auth/user -rabbitmq_auth_backend_http.vhost_path = http://some-server/auth/vhost -rabbitmq_auth_backend_http.resource_path = http://some-server/auth/resource", +auth_http.user_path = http://some-server/auth/user +auth_http.vhost_path = http://some-server/auth/vhost +auth_http.resource_path = http://some-server/auth/resource", [{rabbit, [{auth_backends, [rabbit_auth_backend_http]}]}, {rabbitmq_auth_backend_http, [{user_path, "http://some-server/auth/user"}, @@ -818,6 +818,31 @@ credential_validator.regexp = ^abc\\d+", {regexp, "^abc\\d+"} ]} ]}],[]}, + +{79, +"auth_backends.1 = amqp +auth_amqp.username = user +auth_amqp.vhost = my_vhost +auth_amqp.exchange = exchange_name +auth_amqp.timeout = 100", +[{rabbit, [{auth_backends, [rabbit_auth_backend_amqp]}]}, + {rabbitmq_auth_backend_amqp, + [{username, <<"user">>}, + {vhost, <<"my_vhost">>}, + {exchange, <<"exchange_name">>}, + {timeout, 100}]}], +[rabbitmq_auth_backend_amqp]}, + +{80, +"auth_backends.1 = cache +auth_cache.cached_backend = ldap", +[ + {rabbit, + [{auth_backends,[rabbit_auth_backend_cache]}]}, + {rabbitmq_auth_backend_cache, + [{cached_backend,rabbit_auth_backend_ldap}]} +], [rabbitmq_auth_backend_cache]}, + {auth_backend_cache, "auth_backends.1 = cache", [{rabbit, [{auth_backends, [rabbit_auth_backend_cache]}]}], @@ -854,4 +879,5 @@ credential_validator.regexp = ^abc\\d+", [{rabbit, [{auth_backends, [rabbit_auth_backend_cache]}]}, {rabbitmq_auth_backend_cache, [{cache_module, rabbit_auth_backend_ets_segmented}]}], [rabbitmq_auth_backend_cache]} + ]. |
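Review bot: In the `@@ -818,6 +818,31 @@` hunk the new `{80, ...}` case overlaps the existing `{auth_backend_cache, "auth_backends.1 = cache", ...}` case that follows it: both expect `auth_backends.1 = cache` to map to `rabbit_auth_backend_cache`, and only the `auth_cache.cached_backend = ldap` line is new. Giving the case a descriptive atom in the style of its neighbour, e.g. `{auth_backend_cache_cached_backend,`, would make that intent clear and avoid the appearance of a duplicate, and its multi-line `[ {rabbit, ...` layout differs from the compact form used by `{79, ...}` just above. If the trailing list names the plugins the snippet depends on, the `ldap` cached backend may also warrant `rabbitmq_auth_backend_ldap` there — worth confirming against how the suite uses that element.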
