[rabbitmq-discuss] Fine-grained LDAP access to resources

James McClelland jamesmcc at gmail.com
Fri Sep 20 22:35:08 BST 2013


Hello,

I'm in the process of configuring RabbitMQ to leverage LDAP. I have it 
configured and working, but I'm now looking to lock down access at a 
finer grain. Right now I'm doing this for resource control:

{permission, configure,
  {for, [
     {resource, queue,
         {in_group, "CN=rmq-${vhost}-queue,OU=xxx,OU=xxx,DC=xxx,DC=xxx"}}]}}

Using this method, anyone in a matching group can create any queue anywhere 
inside the vhost. What I'd like is to provide them access to create queues 
only with a specific prefix based on group name.

It seems you could kind of do this by using CN=rmq-${vhost}-${name}-queue, 
but that would expand to the full resource name and would require multiple 
LDAP groups for every single object in the vhost, which quickly becomes 
unmaintainable and non-dynamic.

I'm wondering if there's some way I could get functionality similar to 
{in_group, CN=rmq-${vhost}-${prefix}-queue} where ${prefix} is the first 
token in a period delimited string.

Any thoughts?

Thank you,
James M.
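An added example (not from the original post or the RabbitMQ project) of how the prefix-based restriction can be expressed with the query forms the LDAP auth backend does provide. The substitution variables available in `rabbitmq_auth_backend_ldap` queries are a fixed set (`${username}`, `${user_dn}`, `${vhost}`, `${resource}`, `${name}`, `${permission}`); there is no variable that yields "the first dot-delimited token of the name", so the prefix has to be enumerated: one `{'and', [...]}` clause per prefix, each pairing a `match` on `${name}` with the `in_group` check for that prefix's group. The prefixes `orders` and `billing` below are assumed for illustration, and the `OU=xxx,DC=xxx` placeholders are kept exactly as written in the post.

```erlang
%% Fragment of rabbitmq.config (classic Erlang-term format).
%% Assumed: two queue-name prefixes, "orders" and "billing", each owned
%% by the LDAP group CN=rmq-<vhost>-<prefix>-queue.  Any queue whose
%% name does not start with a known prefix is denied for configure.
[
 {rabbitmq_auth_backend_ldap, [
   %% servers, user_dn_pattern, vhost_access_query, etc. omitted here.
   {resource_access_query,
    {for, [
      {permission, configure,
       {for, [
         {resource, queue,
          {'or', [
            %% Clause for prefix "orders": the queue name must begin with
            %% "orders." (dot escaped in the regex) AND the user must be in
            %% the per-prefix group for this vhost.
            {'and', [
              {match, {string, "${name}"}, {string, "^orders\\."}},
              {in_group, "CN=rmq-${vhost}-orders-queue,OU=xxx,OU=xxx,DC=xxx,DC=xxx"}
            ]},
            %% Clause for prefix "billing".
            {'and', [
              {match, {string, "${name}"}, {string, "^billing\\."}},
              {in_group, "CN=rmq-${vhost}-billing-queue,OU=xxx,OU=xxx,DC=xxx,DC=xxx"}
            ]}
          ]}},
         %% Exchange policy for configure goes here; left out of this fragment.
         {resource, exchange, {constant, false}}
       ]}}
      %% write and read clauses are also needed in a real deployment and
      %% are intentionally left out of this fragment.
    ]}}
 ]}
].
```

Two details matter for the security outcome. The regex is anchored with `^` and the separator dot is escaped (`\\.` in the Erlang string becomes `\.` in the pattern), so a queue named `ordersX.foo` or `notorders.foo` does not match the `orders` clause; an unanchored or unescaped pattern would let a user in one prefix group create queues under another. And because every clause is an `'and'` of the name check and the group check, adding a new prefix means adding exactly one clause and one LDAP group, rather than a group per queue as the `${name}` approach would require.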