[rabbitmq-discuss] rabbitmq_auth_mechanism_ssl limitations
gsim at redhat.com
Wed Jul 13 09:53:55 BST 2011
On 07/12/2011 04:42 PM, Simon MacMullen wrote:
> This is something Matthias and I have been arguing about for ages. I
> suspect that even though just RFC 4514-serialising the DN and doing
> string matching is completely wrong in theory, in practice it would be
> what a decent number of users would want. Matthias thinks that it will
> lead into a tarpit of bugs around DN equivalence. And I have to admit
> that he has much more real world experience dealing with stupid SSL /
> x509 behaviour than I do!
The RFC 4514 strings are also a little unwieldy. E.g. if you need to use
the name in ACLs or if application logic checks the publisher of a
message or whatever.
I'm certainly no expert but fwiw what I did was to concatenate any DC
elements separated by a '.' to form a domain qualifier and appended that
to the CN.
e.g. CN=bob,DC=example,DC=com => bob at example.com
It's not canonical, and I'm sure it wouldn't work for every case
(doesn't handle the multiple CN case for example). However it is simple,
allows for non-unique CN provided the domain components are included
(which seems to be a very common pattern in practice) and results in a
qualified username of the form we use for other authentication mechanisms.
More information about the rabbitmq-discuss