Secure LDAP

[bdaoudtdc]

I am not sure if secure LDAP is supported

I enabled the ldap plugin using additional plugins. I can see that we can add add additional config using spec.rabbitmq.additionalConfig and advanced config using spec.rabbitmq.advancedConfig.

However , I am not sure how can we reference our cacertfile ...
Is secure LDAP supported on the operator.

On a non-k8s installation .. my advanced config file would like something like

cat advanced.config
[
{rabbitmq_auth_backend_ldap, [
{ssl_options, [{cacertfile,"/etc/openldap/certs/rootCA.cer"}]},

{tag_queries,           [{administrator, {in_group, "CN=mygroup,OU=SecurityGroups,DC=www,DC=example,DC=com"}},
                      {management,    {constant, true}}]}

]}
].

I am not sure how can I translate that to be used with the cluster operator ..

[ChunyiLyu]

Hi @bdaoudtdc,

You are right that you can set advanced.config in spec.rabbitmq.advancedConfig. For your ldap ca cert file, you would need to use the statefulSet override to mount an additional secret, which contains the ca cert you would like to use.

For example, your rabbitmq manifest could look something like:

apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
  name: example
spec:
  rabbitmq:
    advancedConfig: your advancedConfig; and `cacertfile` should be set to path to your-mounted ca cert, in this case it would be `/etc/rabbitmq/certs/<LDAP ca cert secret key name>`
  override:
    statefulSet:
      spec:
        template:
          spec:
            containers:
            - name: rabbitmq
              volumeMounts:
              - mountPath: /etc/rabbitmq/certs
                name: ldapcacert
            volumes:
            - name: ldapcacert
              secret:
                secretName: <secretName>

Let me know whether this helps.

[bdaoudtdc]

Thank you for your help.
It worked fine.