

This is a machine-translated version of the English original. If there is any ambiguity or inconsistency in the content, the English version prevails.

# LDAP authentication and authorization for Amazon MQ for RabbitMQ
<a name="rabbitmq-ldap-tutorial"></a>

This tutorial explains how to configure LDAP authentication and authorization for an Amazon MQ for RabbitMQ broker using AWS Managed Microsoft AD.

**Topics**
+ [Prerequisites for configuring LDAP authentication and authorization](#rabbitmq-ldap-tutorial-prerequisites)
+ [Configuring LDAP for RabbitMQ with the AWS CLI](#rabbitmq-ldap-tutorial-configure-cli)

## Prerequisites for configuring LDAP authentication and authorization
<a name="rabbitmq-ldap-tutorial-prerequisites"></a>

You can set up the AWS resources required for this tutorial by deploying the [AWS CDK stack for Amazon MQ for RabbitMQ LDAP integration with AWS Managed Microsoft AD](https://github.com/aws-samples/amazon-mq-samples/blob/main/rabbitmq-samples/rabbitmq-ldap-activedirectory-sample/).

The CDK stack automatically creates all required AWS resources, including AWS Managed Microsoft AD, LDAP users and groups, a Network Load Balancer, certificates, and IAM roles. For the full list of resources the stack creates, see the package README.

If you set up the resources manually instead of using the CDK stack, make sure the equivalent infrastructure is in place before you configure LDAP on the Amazon MQ for RabbitMQ broker.

### Prerequisites for configuring Amazon MQ
<a name="rabbitmq-ldap-tutorial-prerequisite-cli"></a>

AWS CLI version 2.28.23 or later, so that you can optionally add a username and password while creating the broker.

## Configuring LDAP for RabbitMQ with the AWS CLI
<a name="rabbitmq-ldap-tutorial-configure-cli"></a>

This procedure uses the AWS CLI to create and configure the required resources. In the following steps, be sure to replace placeholder values such as the configuration ID `<c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca>` and the revision `<2>` with your actual values.

1. Create a new configuration with the `create-configuration` AWS CLI command, as shown in the following example.

   ```
   aws mq create-configuration \
     --name "rabbitmq-ldap-config" \
     --engine-type "RABBITMQ" \
     --engine-version "3.13"
   ```

   The command returns a response similar to the following example.

   ```
   {
       "Arn": "arn:aws:mq:us-west-2:123456789012:configuration:c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca",
       "AuthenticationStrategy": "simple",
       "Created": "2025-07-17T16:03:01.759943+00:00",
       "Id": "c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca",
       "LatestRevision": {
           "Created": "2025-07-17T16:03:01.759000+00:00",
           "Description": "Auto-generated default for rabbitmq-ldap-config on RabbitMQ 3.13",
           "Revision": 1
       },
       "Name": "rabbitmq-ldap-config"
   }
   ```

1. Create a configuration file named `rabbitmq.conf` that uses LDAP as the authentication and authorization method, as shown in the following example. Replace all placeholder values in the template (marked `${RabbitMqLdapTestStack.*}`) with the actual values from the outputs of the prerequisite AWS CDK stack you deployed, or from your equivalent infrastructure.

   ```
   auth_backends.1 = ldap
   
   # LDAP authentication settings - For more information,
   # see https://www.rabbitmq.com/docs/ldap#basic
   
   # FIXME: Replace the ${RabbitMqLdapTestStack.*} placeholders with actual values
   # from your deployed prerequisite CDK stack outputs.
   auth_ldap.servers.1 = ${RabbitMqLdapTestStack.NlbDnsName}
   auth_ldap.dn_lookup_bind.user_dn = ${RabbitMqLdapTestStack.DnLookupUserDn}
   auth_ldap.dn_lookup_base = ${RabbitMqLdapTestStack.DnLookupBase}
   auth_ldap.dn_lookup_attribute = ${RabbitMqLdapTestStack.DnLookupAttribute}
   auth_ldap.port = 636
   auth_ldap.use_ssl = true
   auth_ldap.ssl_options.verify = verify_peer
   auth_ldap.log = network
   
   # AWS integration for secure credential retrieval
   # - see: https://github.com/amazon-mq/rabbitmq-aws
   # The aws plugin allows RabbitMQ to securely retrieve credentials and certificates
   # from AWS services.
   
   # Replace the ${RabbitMqLdapTestStack.*} placeholders with actual ARN values
   # from your deployed prerequisite CDK stack outputs.
   aws.arns.auth_ldap.ssl_options.cacertfile = ${RabbitMqLdapTestStack.CaCertArn}
   aws.arns.auth_ldap.dn_lookup_bind.password = ${RabbitMqLdapTestStack.DnLookupUserPasswordArn}
   aws.arns.assume_role_arn = ${RabbitMqLdapTestStack.AmazonMqAssumeRoleArn}
   
   # LDAP authorization queries - For more information,
   # see: https://www.rabbitmq.com/docs/ldap#authorisation
   
   # FIXME: Replace the ${RabbitMqLdapTestStack.*} placeholders with actual group DN
   # values from your deployed prerequisite CDK stack outputs
   # Uses Active Directory groups created by the prerequisite CDK stack
   auth_ldap.queries.tags = '''
   [{administrator, {in_group, "${RabbitMqLdapTestStack.RabbitMqAdministratorsGroupDn}"}},
   {management,    {in_group, "${RabbitMqLdapTestStack.RabbitMqMonitoringUsersGroupDn}"}}]
   '''
   
   # FIXME: This provides all authenticated users access to all vhosts
   # - update to restrict access as required
   auth_ldap.queries.vhost_access = '''
   {constant, true}
   '''
   
   # FIXME: This provides all authenticated users full access to all
   # queues and exchanges - update to restrict access as required
   auth_ldap.queries.resource_access = '''
   {for, [    {permission, configure, {constant, true}},
        {permission, write,
         {for, [{resource, queue,    {constant, true}},
                {resource, exchange, {constant, true}}]}},
        {permission, read,
         {for, [{resource, exchange, {constant, true}},
                {resource, queue,    {constant, true}}]}}
       ]
   }
   '''
   
   # FIXME: This provides all authenticated users access to all topics
   # - update to restrict access as required
   auth_ldap.queries.topic_access = '''
   {for, [{permission, write, {constant, true}},
        {permission, read,  {constant, true}}
       ]
   }
   '''
   ```

1. Update the configuration with the `update-configuration` AWS CLI command, as shown in the following example. In this command, supply the configuration ID that you received in the response in step 1 of this procedure, for example `c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca`.

   ```
   aws mq update-configuration \
     --configuration-id "<c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca>" \
     --data "$(cat rabbitmq.conf | base64 --wrap=0)"
   ```

   The command returns a response similar to the following example.

   ```
   {
       "Arn": "arn:aws:mq:us-west-2:123456789012:configuration:c-b600ac8e-8183-4f74-a713-983e59f30e3d",
       "Created": "2025-07-17T16:57:04.520931+00:00",
       "Id": "c-b600ac8e-8183-4f74-a713-983e59f30e3d",
       "LatestRevision": {
           "Created": "2025-07-17T16:57:39.172000+00:00",
           "Revision": 2
       },
       "Name": "rabbitmq-ldap-config",
       "Warnings": []
   }
   ```

1. Create a broker that uses the LDAP configuration you created in step 2 of this procedure. To do so, use the `create-broker` AWS CLI command, as shown in the following example. In this command, supply the configuration ID and the revision number that you received in the responses in steps 1 and 2 respectively, for example `c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca` and `2`.

   ```
   aws mq create-broker \
    --broker-name "rabbitmq-ldap-test-1" \
    --engine-type "RABBITMQ" \
    --engine-version "3.13" \
    --host-instance-type "mq.m7g.large" \
    --deployment-mode "CLUSTER_MULTI_AZ" \
    --logs '{"General": true}' \
    --publicly-accessible \
    --configuration '{"Id": "<c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca>","Revision": <2>}'
   ```

   The command returns a response similar to the following example.

   ```
   {
       "BrokerArn": "arn:aws:mq:us-west-2:123456789012:broker:rabbitmq-ldap-broker:b-2a1b5133-a10c-49d2-879b-8c176c34cf73",
       "BrokerId": "b-2a1b5133-a10c-49d2-879b-8c176c34cf73"
   }
   ```
**Broker naming restriction**  
The IAM role created by the prerequisite CDK stack restricts broker names to those beginning with `rabbitmq-ldap-test`. Make sure your broker name follows this pattern; otherwise the IAM role cannot be assumed to resolve the ARNs.

1. Confirm that the broker state transitions from `CREATION_IN_PROGRESS` to `RUNNING` by using the `describe-broker` AWS CLI command, as shown in the following example. In this command, supply the broker ID that you received in the result of the previous step, for example `b-2a1b5133-a10c-49d2-879b-8c176c34cf73`.

   ```
   aws mq describe-broker \
    --broker-id "<b-2a1b5133-a10c-49d2-879b-8c176c34cf73>"
   ```

   The command returns a response similar to the following example. The following response is an abbreviated version of the full output returned by the `describe-broker` command. It shows the broker state and the authentication strategy used to secure the broker. In this case, the `config_managed` authentication strategy indicates that the broker uses the LDAP authentication method.

   ```
   {
       "AuthenticationStrategy": "config_managed",
       ...,
       "BrokerState": "RUNNING",
       ...
   }
   ```

1. Verify RabbitMQ access with one of the test users created by the prerequisite CDK stack.

   ```
   # FIXME: Replace ${RabbitMqLdapTestStack.ConsoleUserPasswordArn} with the actual ARN
   # from your deployed prerequisite CDK stack outputs
   CONSOLE_PASSWORD=$(aws secretsmanager get-secret-value \
     --secret-id ${RabbitMqLdapTestStack.ConsoleUserPasswordArn} \
     --query 'SecretString' --output text)
   
   # FIXME: Replace BrokerConsoleURL with the actual ConsoleURL retrieved by
   # calling describe-broker for the broker created above
   # Call management API /api/overview (should succeed)
   # The credential is quoted so that a generated password containing shell
   # metacharacters is passed to curl intact.
   curl -u "RabbitMqConsoleUser:$CONSOLE_PASSWORD" \
     https://${BrokerConsoleURL}/api/overview
   
   # Try to create a user (should fail - console user only has monitoring permissions)
   curl -u "RabbitMqConsoleUser:$CONSOLE_PASSWORD" \
     -X PUT https://${BrokerConsoleURL}/api/users/testuser \
     -H "Content-Type: application/json" \
     -d '{"password":"testpass","tags":"management"}'
   ```
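The procedure above has several points where a small slip produces a broker that cannot authenticate anyone: a `${RabbitMqLdapTestStack.*}` placeholder left in `rabbitmq.conf`, a relaxed `auth_ldap.use_ssl` or `auth_ldap.ssl_options.verify` setting, a broker name the prerequisite IAM role will not accept, and a long wait for `describe-broker` to leave `CREATION_IN_PROGRESS`. The following script is an added example and is not part of the AWS documentation or the sample repository. It assumes the rendered configuration file path and the intended broker name are passed as arguments, that the `rabbitmq-ldap-test` name prefix is the one described in the note above, and that `AWS_CMD` and `POLL_INTERVAL` are this script's own hypothetical environment variables (a CLI wrapper or stub, and the polling interval in seconds), not AWS CLI options.

```shell
#!/usr/bin/env bash
# Added example, not part of the AWS documentation or the sample repository.
# Pre-flight checks for the LDAP broker procedure, plus a helper that waits for
# the broker to leave CREATION_IN_PROGRESS. Hypothetical environment variables
# of this script only: AWS_CMD (CLI binary or wrapper), POLL_INTERVAL (seconds).
set -eu

# A ${RabbitMqLdapTestStack.*} token left in the rendered file means one of the
# FIXME lines was missed; the broker would then try to reach a literal placeholder.
check_placeholders() {
  local conf="$1"
  if grep -n '\${RabbitMqLdapTestStack\.' "$conf"; then
    echo "unreplaced placeholders found in $conf" >&2
    return 1
  fi
  return 0
}

# The sample rabbitmq.conf binds to the directory over LDAPS and verifies the
# server certificate; refuse to ship a file where either setting was relaxed.
check_tls_settings() {
  local conf="$1"
  grep -Eq '^[[:space:]]*auth_ldap\.use_ssl[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$conf" &&
    grep -Eq '^[[:space:]]*auth_ldap\.ssl_options\.verify[[:space:]]*=[[:space:]]*verify_peer[[:space:]]*$' "$conf"
}

# The IAM role from the prerequisite stack only allows broker names that start
# with rabbitmq-ldap-test (see the note above), so check before create-broker.
check_broker_name() {
  case "$1" in
    rabbitmq-ldap-test*) return 0 ;;
    *) echo "broker name '$1' must start with rabbitmq-ldap-test" >&2; return 1 ;;
  esac
}

# update-configuration takes the whole file base64-encoded on a single line.
# GNU base64 has --wrap=0, BSD/macOS base64 does not; stripping newlines works on both.
encode_config() {
  base64 < "$1" | tr -d '\n'
}

# Poll describe-broker until the state is RUNNING (success) or anything other
# than CREATION_IN_PROGRESS (failure, e.g. CREATION_FAILED). Prints the final state.
wait_for_broker() {
  local broker_id="$1" state
  while :; do
    state=$("${AWS_CMD:-aws}" mq describe-broker --broker-id "$broker_id" \
      --query 'BrokerState' --output text)
    case "$state" in
      RUNNING)              echo "$state"; return 0 ;;
      CREATION_IN_PROGRESS) sleep "${POLL_INTERVAL:-30}" ;;
      *)                    echo "$state"; return 1 ;;
    esac
  done
}

# Usage: ./preflight.sh rabbitmq.conf rabbitmq-ldap-test-1 [broker-id]
main() {
  local conf="$1" broker_name="$2" broker_id="${3:-}"
  check_placeholders "$conf"
  check_tls_settings "$conf" || { echo "LDAPS/verify_peer settings missing in $conf" >&2; return 1; }
  check_broker_name "$broker_name"
  echo "--data payload: $(encode_config "$conf" | cut -c1-40)..."
  [ -z "$broker_id" ] || wait_for_broker "$broker_id"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run the checks before step 3 (`./preflight.sh rabbitmq.conf rabbitmq-ldap-test-1`) and again with the broker ID from step 4 to block until the broker is `RUNNING`. The `encode_config` output is what the `--data` argument of `update-configuration` expects; it replaces the GNU-only `base64 --wrap=0` form for hosts whose `base64` lacks that flag.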