LDAP's ssl_hostname_verification client TLS setting is missing from both the docs and rabbitmq.conf.example
enniokerber opened this issue · 5 comments
Is your feature request related to a problem? Please describe.
One of my latest tasks was to configure an LDAP connection for a RabbitMQ cluster. Unfortunately, I could not get the connection to work because I always received an "SSL handshake error" and the error phrase "hostname_check_failed". As I am not that familiar with the terminology it was very difficult to understand what I would need to change. It took me hours of trial and error until I finally stumbled upon a random blog post here: https://pcable.net/posts/2021-02-10-rmq-ldap/
This was the only place I could find that there exists an option 'auth_ldap.ssl_options.hostname_verification' or 'rabbitmq_auth_backend_ldap.ssl_hostname_verification' which I could set to 'wildcard'. This fixed my problem, as I found out that the certificate the LDAP server was using was a wildcard certificate. My team and I lost a lot of time because of this.
Describe the solution you'd like
Please document the existence, possible values and function of the two mentioned properties at least in:
Please also always give an example configuration.
Describe alternatives you've considered
No response
Additional context
No response
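A rabbitmq.conf fragment for the setting this issue is about, added here as an illustration (it is not taken from the RabbitMQ docs or from the issue); the server name and CA path are placeholders:

```ini
# Added example, not part of the RabbitMQ documentation.
# LDAP over TLS with certificate and hostname verification kept on.
auth_ldap.servers.1 = ldap.example.com
auth_ldap.use_ssl = true
auth_ldap.port = 636

# Validate the LDAP server's certificate against a trusted CA bundle
# (placeholder path) and refuse the connection if no certificate is sent.
auth_ldap.ssl_options.cacertfile = /path/to/ca_certificate.pem
auth_ldap.ssl_options.verify = verify_peer
auth_ldap.ssl_options.fail_if_no_peer_cert = true

# The server presents a wildcard certificate (e.g. *.example.com), so the
# default strict hostname check fails with "hostname_check_failed".
# 'wildcard' accepts a matching wildcard name while still checking that the
# certificate belongs to the host being contacted; keep the check enabled
# rather than turning hostname verification off to make the error go away.
auth_ldap.ssl_options.hostname_verification = wildcard
```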
@enniokerber we cannot realistically document every combination of TLS options. There are dozens of them.
We can mention a few in the LDAP guide or in the example modern config file. Or so can you, since both RabbitMQ and its documentation are open source, and chances are you are paying VMware/Broadcom nothing for it.
All TLS options available for LDAP connections can be found in its rabbitmq.conf schema.
As you can see, there are a couple of dozen of them.
Thanks for your feedback!
I do not need every combination of TLS options, but having an easy-to-read table with all the keys on the LDAP guide would help a lot of people, for sure. And also save lots of time. I would still like to see you adding something like this to one of those pages. It's also rather helpful if I do not have to look at several pages when wanting to configure an LDAP connection.
Best regards,
Ennio
I have documented some 7-8 most commonly used options. Apparently the LDAP plugin does not expose cipher suite lists to rabbitmq.conf. This is primarily relevant for TLSv1.3, but I don't recall someone asking for a way to exclusively use TLSv1.3 in the context of LDAP.
Thank you for these quick changes! I believe this will benefit a lot of developers in the future!