This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version takes precedence.
Using LDAP authentication and authorization with Amazon MQ for RabbitMQ
This tutorial explains how to set up LDAP authentication and authorization for an Amazon MQ for RabbitMQ broker using AWS Managed Microsoft AD.
Prerequisites for setting up LDAP authentication and authorization
You can deploy the AWS CDK stack for Amazon MQ for RabbitMQ LDAP integration with AWS Managed Microsoft AD.
This CDK stack automatically creates all of the required AWS resources, including AWS Managed Microsoft AD, LDAP users and groups, a Network Load Balancer, certificates, and IAM roles. For a complete list of the resources that the stack creates, see the package README.
If you set up the resources manually instead of using the CDK stack, make sure that equivalent infrastructure is in place before you configure LDAP on the Amazon MQ for RabbitMQ broker.
Prerequisites for setting up Amazon MQ
AWS CLI version >= 2.28.23, so that you can optionally add a username and password while creating the broker.
Configure LDAP for RabbitMQ on AWS using the CLI
This procedure uses the AWS CLI to create and configure the required resources. In the following procedure, be sure to replace the placeholder values, such as the configuration ID <c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca> and the revision <2>, with your actual values.
1. Create a new configuration using the create-configuration AWS CLI command, as shown in the following example.

aws mq create-configuration \
  --name "rabbitmq-ldap-config" \
  --engine-type "RABBITMQ" \
  --engine-version "3.13"

This command returns a response similar to the following example.

{
  "Arn": "arn:aws:mq:us-west-2:123456789012:configuration:c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca",
  "AuthenticationStrategy": "simple",
  "Created": "2025-07-17T16:03:01.759943+00:00",
  "Id": "c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca",
  "LatestRevision": {
    "Created": "2025-07-17T16:03:01.759000+00:00",
    "Description": "Auto-generated default for rabbitmq-ldap-config on RabbitMQ 3.13",
    "Revision": 1
  },
  "Name": "rabbitmq-ldap-config"
}
2. Create a configuration file named rabbitmq.conf that uses LDAP as the authentication and authorization method, as shown in the following example. Replace all placeholder values in the template (marked ${RabbitMqLdapTestStack.*}) with the actual values from the outputs of the prerequisite AWS CDK stack you deployed, or from your equivalent infrastructure.

auth_backends.1 = ldap

# LDAP authentication settings - For more information,
# see https://www.rabbitmq.com/docs/ldap#basic
# FIXME: Replace the ${RabbitMqLdapTestStack.*} placeholders with actual values
# from your deployed prerequisite CDK stack outputs.
auth_ldap.servers.1 = ${RabbitMqLdapTestStack.NlbDnsName}
auth_ldap.dn_lookup_bind.user_dn = ${RabbitMqLdapTestStack.DnLookupUserDn}
auth_ldap.dn_lookup_base = ${RabbitMqLdapTestStack.DnLookupBase}
auth_ldap.dn_lookup_attribute = ${RabbitMqLdapTestStack.DnLookupAttribute}
auth_ldap.port = 636
auth_ldap.use_ssl = true
auth_ldap.ssl_options.verify = verify_peer
auth_ldap.log = network

# AWS integration for secure credential retrieval
# - see: https://github.com/amazon-mq/rabbitmq-aws
# The aws plugin allows RabbitMQ to securely retrieve credentials and certificates
# from AWS services.
# Replace the ${RabbitMqLdapTestStack.*} placeholders with actual ARN values
# from your deployed prerequisite CDK stack outputs.
aws.arns.auth_ldap.ssl_options.cacertfile = ${RabbitMqLdapTestStack.CaCertArn}
aws.arns.auth_ldap.dn_lookup_bind.password = ${RabbitMqLdapTestStack.DnLookupUserPasswordArn}
aws.arns.assume_role_arn = ${RabbitMqLdapTestStack.AmazonMqAssumeRoleArn}

# LDAP authorization queries - For more information,
# see: https://www.rabbitmq.com/docs/ldap#authorisation
# FIXME: Replace the ${RabbitMqLdapTestStack.*} placeholders with actual group DN
# values from your deployed prerequisite CDK stack outputs
# Uses Active Directory groups created by the prerequisite CDK stack
auth_ldap.queries.tags = '''
  [{administrator, {in_group, "${RabbitMqLdapTestStack.RabbitMqAdministratorsGroupDn}"}},
   {management, {in_group, "${RabbitMqLdapTestStack.RabbitMqMonitoringUsersGroupDn}"}}]
'''

# FIXME: This provides all authenticated users access to all vhosts
# - update to restrict access as required
auth_ldap.queries.vhost_access = '''
  {constant, true}
'''

# FIXME: This provides all authenticated users full access to all
# queues and exchanges - update to restrict access as required
auth_ldap.queries.resource_access = '''
  {for, [
    {permission, configure, {constant, true}},
    {permission, write, {for, [{resource, queue, {constant, true}},
                               {resource, exchange, {constant, true}}]}},
    {permission, read, {for, [{resource, exchange, {constant, true}},
                              {resource, queue, {constant, true}}]}}
  ]}
'''

# FIXME: This provides all authenticated users access to all topics
# - update to restrict access as required
auth_ldap.queries.topic_access = '''
  {for, [{permission, write, {constant, true}},
         {permission, read, {constant, true}}
  ]}
'''
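The vhost_access, resource_access and topic_access queries above carry FIXME markers because they grant every authenticated LDAP user access to every vhost, queue, exchange and topic; only the management-UI tags are tied to group membership. The following replacement for those three queries is an added example, not part of this tutorial or of the CDK package, showing how the same queries look when access is decided by Active Directory group membership and by resource naming. It uses only query primitives documented by the RabbitMQ LDAP plugin (in_group, for, 'and', match, string, and the ${vhost}, ${username}, ${name} and ${routing_key} variables). The group DNs under ou=RabbitMQ,dc=example,dc=com are assumed placeholders that the prerequisite stack does not create; replace them with groups that exist in your directory.

```ini
# Hardened LDAP authorization queries (added example; group DNs are placeholders).
# These replace the three {constant, true} queries from the tutorial; the
# auth_ldap.queries.tags query and all auth_ldap.* connection settings stay as they are.

# vhost access: a user may use vhost "orders" only if they are a member of the AD
# group cn=rabbitmq-vhost-orders,... The plugin expands ${vhost} for the vhost
# being accessed, so one naming convention covers every vhost.
auth_ldap.queries.vhost_access = '''
  {in_group, "cn=rabbitmq-vhost-${vhost},ou=RabbitMQ,dc=example,dc=com"}
'''

# resource access:
#  - configure (declare/delete queues and exchanges): operators group only
#  - write: publishing to exchanges for the publishers group; never directly to queues
#  - read: consuming from queues for the consumers group, and only from queues whose
#    name starts with "<username>-"; nobody reads from exchanges
# Each {constant, false} is explicit so that denial does not depend on defaults.
# ${name} is matched as a regular expression (Erlang re syntax), so usernames that
# contain regex metacharacters would need escaping before this pattern is safe.
auth_ldap.queries.resource_access = '''
  {for, [
    {permission, configure,
      {in_group, "cn=rabbitmq-operators,ou=RabbitMQ,dc=example,dc=com"}},
    {permission, write,
      {for, [{resource, exchange,
               {in_group, "cn=rabbitmq-publishers,ou=RabbitMQ,dc=example,dc=com"}},
             {resource, queue, {constant, false}}]}},
    {permission, read,
      {for, [{resource, queue,
               {'and', [{in_group, "cn=rabbitmq-consumers,ou=RabbitMQ,dc=example,dc=com"},
                        {match, {string, "${name}"}, {string, "^${username}-"}}]}},
             {resource, exchange, {constant, false}}]}}
  ]}
'''

# topic access: a user may publish to a topic exchange only with routing keys that
# start with their own username; reading is governed by the queue rules above, so
# it is left open here.
auth_ldap.queries.topic_access = '''
  {for, [{permission, write,
           {match, {string, "${routing_key}"}, {string, "^${username}-"}}},
         {permission, read, {constant, true}}]}
'''
```

Because the plugin evaluates these queries against the directory on every authorization decision (subject to the plugin's cache), a group change in AWS Managed Microsoft AD takes effect without touching the broker configuration; keeping auth_ldap.log = network, as the tutorial does, makes each query and its result visible in the broker's general log while you validate the rules.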
3. Update the configuration using the update-configuration AWS CLI command, as shown in the following example. In this command, provide the configuration ID that you received in the response in step 1 of this procedure, for example c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca.

aws mq update-configuration \
  --configuration-id "<c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca>" \
  --data "$(base64 --wrap=0 rabbitmq.conf)"

This command returns a response similar to the following example.

{
  "Arn": "arn:aws:mq:us-west-2:123456789012:configuration:c-b600ac8e-8183-4f74-a713-983e59f30e3d",
  "Created": "2025-07-17T16:57:04.520931+00:00",
  "Id": "c-b600ac8e-8183-4f74-a713-983e59f30e3d",
  "LatestRevision": {
    "Created": "2025-07-17T16:57:39.172000+00:00",
    "Revision": 2
  },
  "Name": "rabbitmq-ldap-config",
  "Warnings": []
}
4. Create a broker that uses the LDAP configuration you created in step 2 of this procedure. To do so, use the create-broker AWS CLI command, as shown in the following example. In this command, provide the configuration ID from the step 1 response and the revision number from the step 3 response, for example c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca and 2.

aws mq create-broker \
  --broker-name "rabbitmq-ldap-test-1" \
  --engine-type "RABBITMQ" \
  --engine-version "3.13" \
  --host-instance-type "mq.m7g.large" \
  --deployment-mode "CLUSTER_MULTI_AZ" \
  --logs '{"General": true}' \
  --publicly-accessible \
  --configuration '{"Id": "<c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca>","Revision": <2>}'

This command returns a response similar to the following example.

{
  "BrokerArn": "arn:aws:mq:us-west-2:123456789012:broker:rabbitmq-ldap-broker:b-2a1b5133-a10c-49d2-879b-8c176c34cf73",
  "BrokerId": "b-2a1b5133-a10c-49d2-879b-8c176c34cf73"
}

Broker naming restriction
The IAM role created by the prerequisite CDK stack restricts broker names to those that start with rabbitmq-ldap-test. Make sure that your broker name follows this pattern; otherwise the IAM role cannot be assumed for ARN resolution.
5. Use the describe-broker AWS CLI command to confirm that the broker state transitions from CREATION_IN_PROGRESS to RUNNING, as shown in the following example. In this command, provide the broker ID that you received in the result of the previous step, for example b-2a1b5133-a10c-49d2-879b-8c176c34cf73.

aws mq describe-broker \
  --broker-id "<b-2a1b5133-a10c-49d2-879b-8c176c34cf73>"

This command returns a response similar to the following example. The following response is an abbreviated version of the full output returned by the describe-broker command. It shows the broker state and the authentication strategy used to secure the broker. In this case, the config_managed authentication strategy indicates that the broker uses the LDAP authentication method.

{
  "AuthenticationStrategy": "config_managed",
  ...,
  "BrokerState": "RUNNING",
  ...
}
6. Verify RabbitMQ access using one of the test users created by the prerequisite CDK stack.

# FIXME: Replace ${RabbitMqLdapTestStack.ConsoleUserPasswordArn} with the actual ARN
# from your deployed prerequisite CDK stack outputs
CONSOLE_PASSWORD=$(aws secretsmanager get-secret-value \
  --secret-id ${RabbitMqLdapTestStack.ConsoleUserPasswordArn} \
  --query 'SecretString' --output text)

# FIXME: Replace BrokerConsoleURL with the actual ConsoleURL retrieved by
# calling describe-broker for the broker created above

# Call management API /api/overview (should succeed)
curl -u "RabbitMqConsoleUser:$CONSOLE_PASSWORD" \
  https://${BrokerConsoleURL}/api/overview

# Try to create a user (should fail - console user only has monitoring permissions)
curl -u "RabbitMqConsoleUser:$CONSOLE_PASSWORD" \
  -X PUT https://${BrokerConsoleURL}/api/users/testuser \
  -H "Content-Type: application/json" \
  -d '{"password":"testpass","tags":"management"}'