When using LDAP for authentication and authorization in RabbitMQ, authorization is controlled by 4 configurable queries.
See the RabbitMQ LDAP documentation for more information.
If an "in_group_nested" type query is used, it can deny access unexpectedly, because RabbitMQ does a case-sensitive comparison between the DN strings returned by LDAP searches and the DN specified in the query.
The string/pattern specified in the advanced.config file must be a case-sensitive match for the DN returned by the LDAP server when searches are done.
To see the DNs returned by the LDAP server searches, set the RabbitMQ parameter "auth_ldap.log = network".
Check the case of the string returned by the LDAP server and ensure that the string specified in the "in_group_nested" pattern matches it.
This can be more difficult if the pattern contains a variable for substitution, for example ${vhost}. The substituted string may be of mixed case, but the DN reported by LDAP must match the case.
The issue can be present even with the attribute names. That is, if the LDAP server returns the DN with "CN=...,OU=..." or with "cn=...,ou=..." (lowercase), the string in the advanced.config file must match this as well.
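
The following is an added example, not part of the original article or of RabbitMQ: a small Python check that applies the same case-sensitive comparison to a configured pattern and a DN copied from the LDAP log, and reports whether a mismatch is in the attribute names or in the values. The pattern, the vhost name, the DNs and the function names are constructed for illustration, and the DN splitting is simplified (no escaped commas).

```python
import re

def substitute(pattern, variables):
    """Fill ${name} placeholders, e.g. ${vhost}, in the configured pattern."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables[m.group(1)], pattern)

def split_dn(dn):
    """Split a DN into (attribute, value) pairs. Simplified: no escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs

def diagnose(pattern, variables, ldap_dn):
    """Compare the substituted pattern with the DN the LDAP server returned.

    Returns (status, details): status is "match", "case_mismatch" or
    "different_dn"; details lists each component that differs only by case.
    """
    configured = substitute(pattern, variables)
    if configured == ldap_dn:                        # exact, case-sensitive compare
        return "match", []
    if configured.casefold() != ldap_dn.casefold():
        return "different_dn", []                    # not just a case problem
    details = []
    for (c_attr, c_val), (l_attr, l_val) in zip(split_dn(configured), split_dn(ldap_dn)):
        if c_attr != l_attr:
            details.append(f"attribute name: configured '{c_attr}', LDAP '{l_attr}'")
        if c_val != l_val:
            details.append(f"value: configured '{c_val}', LDAP '{l_val}'")
    return "case_mismatch", details

# Constructed sample: pattern as it might appear in advanced.config, a mixed-case
# vhost name, and a DN as it might appear in the log with auth_ldap.log = network.
PATTERN = "cn=${vhost}-users,ou=groups,dc=example,dc=com"
LDAP_DN = "CN=orders-users,OU=Groups,DC=example,DC=com"

if __name__ == "__main__":
    status, details = diagnose(PATTERN, {"vhost": "Orders"}, LDAP_DN)
    print(status)
    for line in details:
        print("  " + line)
```
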