本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 对适用于 RabbitMQ 的 Amazon MQ 使用 LDAP 身份验证和授权
本教程介绍如何使用为 Amazon MQ 的 RabbitMQ 代理配置 LDAP 身份验证和授权。 AWS Managed Microsoft AD
**Topics**
+ [配置 LDAP 身份验证和授权的先决条件](#rabbitmq-ldap-tutorial-prerequisites)
+ [使用 CLI 在 RabbitMQ 中配置 LDAP AWS](#rabbitmq-ldap-tutorial-configure-cli)
## 配置 LDAP 身份验证和授权的先决条件
您可以通过部署[适用于 RabbitMQ 的 Amazon MQ 的AWS CDK 堆栈](https://github.com/aws-samples/amazon-mq-samples/blob/main/rabbitmq-samples/rabbitmq-ldap-activedirectory-sample/)来设置本教程中所需的 AWS 资源。 AWS Managed Microsoft AD
此 CDK 堆栈会自动创建所有必要的 AWS 资源 AWS Managed Microsoft AD,包括 LDAP 用户和群组、Network Load Balancer、证书和 IAM 角色。有关堆栈创建的资源的完整列表,请参阅软件包自述文件。
如果您是手动设置资源而不是使用 CDK 堆栈,请确保在您的 Amazon MQ 上为 RabbitMQ 代理配置 LDAP 之前,请确保您有同等的基础架构。
### 设置 Amazon MQ 的先决条件
AWS CLI 版本 >= 2.28.23,使得在创建代理期间添加用户名和密码成为可选的。
## 使用 CLI 在 RabbitMQ 中配置 LDAP AWS
此过程使用 AWS CLI 来创建和配置必要的资源。在以下过程中,请确保将占位符值(例如 ConfigurationID 和 Revision 和)替换为它们的实际值。`` `<2>`
1. 使用 `create-configuration` AWS CLI 命令创建新配置,如以下示例所示。
```
aws mq create-configuration \
--name "rabbitmq-ldap-config" \
--engine-type "RABBITMQ" \
--engine-version "3.13"
```
此命令返回类似于以下示例的响应。
```
{
"Arn": "arn:aws:mq:us-west-2:123456789012:configuration:c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca",
"AuthenticationStrategy": "simple",
"Created": "2025-07-17T16:03:01.759943+00:00",
"Id": "c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca",
"LatestRevision": {
"Created": "2025-07-17T16:03:01.759000+00:00",
"Description": "Auto-generated default for rabbitmq-ldap-config on RabbitMQ 3.13",
"Revision": 1
},
"Name": "rabbitmq-ldap-config"
}
```
1. 创建一个名为的配置文件`rabbitmq.conf`以使用 LDAP 作为身份验证和授权方法,如以下示例所示。将模板中的所有占位符值(标有`${RabbitMqLdapTestStack.*}`)替换为已部署的 AWS CDK 先决条件堆栈输出或等效基础架构中的实际值。
```
auth_backends.1 = ldap
# LDAP authentication settings - For more information,
# see https://www.rabbitmq.com/docs/ldap#basic
# FIXME: Replace the ${RabbitMqLdapTestStack.*} placeholders with actual values
# from your deployed prerequisite CDK stack outputs.
auth_ldap.servers.1 = ${RabbitMqLdapTestStack.NlbDnsName}
auth_ldap.dn_lookup_bind.user_dn = ${RabbitMqLdapTestStack.DnLookupUserDn}
auth_ldap.dn_lookup_base = ${RabbitMqLdapTestStack.DnLookupBase}
auth_ldap.dn_lookup_attribute = ${RabbitMqLdapTestStack.DnLookupAttribute}
auth_ldap.port = 636
auth_ldap.use_ssl = true
auth_ldap.ssl_options.verify = verify_peer
auth_ldap.log = network
# AWS integration for secure credential retrieval
# - see: https://github.com/amazon-mq/rabbitmq-aws
# The aws plugin allows RabbitMQ to securely retrieve credentials and certificates
# from AWS services.
# Replace the ${RabbitMqLdapTestStack.*} placeholders with actual ARN values
# from your deployed prerequisite CDK stack outputs.
aws.arns.auth_ldap.ssl_options.cacertfile = ${RabbitMqLdapTestStack.CaCertArn}
aws.arns.auth_ldap.dn_lookup_bind.password = ${RabbitMqLdapTestStack.DnLookupUserPasswordArn}
aws.arns.assume_role_arn = ${RabbitMqLdapTestStack.AmazonMqAssumeRoleArn}
# LDAP authorization queries - For more information,
# see: https://www.rabbitmq.com/docs/ldap#authorisation
# FIXME: Replace the ${RabbitMqLdapTestStack.*} placeholders with actual group DN
# values from your deployed prerequisite CDK stack outputs
# Uses Active Directory groups created by the prerequisite CDK stack
auth_ldap.queries.tags = '''
[{administrator, {in_group, "${RabbitMqLdapTestStack.RabbitMqAdministratorsGroupDn}"}},
{management, {in_group, "${RabbitMqLdapTestStack.RabbitMqMonitoringUsersGroupDn}"}}]
'''
# FIXME: This provides all authenticated users access to all vhosts
# - update to restrict access as required
auth_ldap.queries.vhost_access = '''
{constant, true}
'''
# FIXME: This provides all authenticated users full access to all
# queues and exchanges - update to restrict access as required
auth_ldap.queries.resource_access = '''
{for, [ {permission, configure, {constant, true}},
{permission, write,
{for, [{resource, queue, {constant, true}},
{resource, exchange, {constant, true}}]}},
{permission, read,
{for, [{resource, exchange, {constant, true}},
{resource, queue, {constant, true}}]}}
]
}
'''
# FIXME: This provides all authenticated users access to all topics
# - update to restrict access as required
auth_ldap.queries.topic_access = '''
{for, [{permission, write, {constant, true}},
{permission, read, {constant, true}}
]
}
'''
```
1. 使用 `update-configuration` AWS CLI 命令更新配置,如以下示例所示。在此命令中,添加您在本过程步骤 1 的响应中收到的配置 ID。例如 `c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca`。
```
aws mq update-configuration \
--configuration-id "" \
--data "$(cat rabbitmq.conf | base64 --wrap=0)"
```
此命令返回类似于以下示例的响应。
```
{
"Arn": "arn:aws:mq:us-west-2:123456789012:configuration:c-b600ac8e-8183-4f74-a713-983e59f30e3d",
"Created": "2025-07-17T16:57:04.520931+00:00",
"Id": "c-b600ac8e-8183-4f74-a713-983e59f30e3d",
"LatestRevision": {
"Created": "2025-07-17T16:57:39.172000+00:00",
"Revision": 2
},
"Name": "rabbitmq-ldap-config",
"Warnings": []
}
```
1. 使用您在本过程的步骤 2 中创建的 LDAP 配置创建代理。为此,请使用 `create-broker` AWS CLI 命令,如以下示例所示。在此命令中,分别提供您在步骤 1 和步骤 2 的响应中获得的配置 ID 和修订号。例如,`c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca` 和 `2`。
```
aws mq create-broker \
--broker-name "rabbitmq-ldap-test-1" \
--engine-type "RABBITMQ" \
--engine-version "3.13" \
--host-instance-type "mq.m7g.large" \
--deployment-mode "CLUSTER_MULTI_AZ" \
--logs '{"General": true}' \
--publicly-accessible \
--configuration '{"Id": "","Revision": <2>}'
```
此命令返回类似于以下示例的响应。
```
{
"BrokerArn": "arn:aws:mq:us-west-2:123456789012:broker:rabbitmq-ldap-broker:b-2a1b5133-a10c-49d2-879b-8c176c34cf73",
"BrokerId": "b-2a1b5133-a10c-49d2-879b-8c176c34cf73"
}
```
**经纪人命名限制**
由先决条件 CDK 堆栈创建的 IAM 角色将代理名称限制为开头。`rabbitmq-ldap-test`请确保您的代理名称遵循此模式,否则 IAM 角色将无权担任 ARN 解析的角色。
1. 使用 `describe-broker` AWS CLI 命令验证代理的状态是否从`CREATION_IN_PROGRESS`转换为`RUNNING`,如以下示例所示。在此命令中,提供您在上一步结果中获得的代理 ID,例如 `b-2a1b5133-a10c-49d2-879b-8c176c34cf73`。
```
aws mq describe-broker \
--broker-id ""
```
此命令返回类似于以下示例的响应。以下响应是 `describe-broker` 命令返回的完整输出的缩写版本。此响应显示代理状态以及用于保护代理的认证策略。在这种情况下,`config_managed`身份验证策略表明代理使用 LDAP 身份验证方法。
```
{
"AuthenticationStrategy": "config_managed",
...,
"BrokerState": "RUNNING",
...
}
```
1. 使用先决条件 CDK 堆栈创建的测试用户之一验证 RabbitMQ 访问权限
```
# FIXME: Replace ${RabbitMqLdapTestStack.ConsoleUserPasswordArn} with the actual ARN from your deployed prerequisite CDK stack outputs
CONSOLE_PASSWORD=$(aws secretsmanager get-secret-value \
--secret-id ${RabbitMqLdapTestStack.ConsoleUserPasswordArn} \
--query 'SecretString' --output text)
# FIXME: Replace BrokerConsoleURL with the actual ConsoleURL retrieved by
# calling describe-broker for the broker created above
# Call management API /api/overview (should succeed)
curl -u RabbitMqConsoleUser:$CONSOLE_PASSWORD \
https://${BrokerConsoleURL}/api/overview
# Try to create a user (should fail - console user only has monitoring permissions)
curl -u RabbitMqConsoleUser:$CONSOLE_PASSWORD \
-X PUT https://${BrokerConsoleURL}/api/users/testuser \
-H "Content-Type: application/json" \
-d '{"password":"testpass","tags":"management"}'
```