[rabbitmq-discuss] OpenLDAP-based auth with 'other_bind' option: no DN attribute?
Simon MacMullen
simon at rabbitmq.com
Fri Dec 6 12:21:04 GMT 2013
On 05/12/2013 13:53, Jan Kaliszewski wrote:
> It seems that 'distinguishedName' (DN) is not treated (by OpenLDAP?) as
> a real LDAP attribute.
First of all, thanks for the detailed investigation.
> When I patched that function by replacing the lines:
>
> {ok, #eldap_search_result{entries = [#eldap_entry{attributes = A}]}} ->
> [DN] = pget("distinguishedName", A),
> with:
> {ok, #eldap_search_result{entries = [#eldap_entry{object_name = DN}]}} ->
>
> ...everything started working.
>
>
> Am I missing something or is it the only way to make the stuff work, at
> least with OpenLDAP 2.4.31?
Yes, I've been able to replicate this. Most of the LDAP plugin was
developed against OpenLDAP, but the dn_lookup_attribute / dn_lookup_base
feature was added to address the common idiom of logging in with a
non-DN username in Active Directory, and I guess I never tested it
against OpenLDAP. So I'll file a bug for this (your fix looks correct,
but I want to make sure it doesn't break against AD).
Out of curiosity, is there a reason why you don't set
ssl_cert_login_from to distinguished_name and skip this lookup step? Or
do the DNs in the certs not match the DNs in LDAP?
Cheers, Simon
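The two configuration paths Simon contrasts, as an added illustration that is not from this thread or from the RabbitMQ project's own documentation: a classic Erlang-term rabbitmq.config of the kind used with the 2013-era plugin. The host name, base DN and lookup attribute are placeholders, and the comments describe the behaviour as the thread describes it.

```erlang
%% Constructed example; host, base DN and attribute names are placeholders.
[
 {rabbit, [
   %% Authenticate through the LDAP backend and allow the EXTERNAL
   %% (client certificate) SASL mechanism alongside PLAIN.
   {auth_backends, [rabbit_auth_backend_ldap]},
   {auth_mechanisms, ['PLAIN', 'EXTERNAL']},

   %% Path A (Simon's suggestion): take the username straight from the
   %% client certificate's subject DN. When the certificate DNs match
   %% the DNs in the directory, no lookup step is needed at all.
   {ssl_cert_login_from, distinguished_name}
 ]},
 {rabbitmq_auth_backend_ldap, [
   {servers, ["ldap.example.com"]},   % placeholder host
   {use_ssl, true}

   %% Path B (the one discussed above): the username is not a DN, so the
   %% plugin searches for (<dn_lookup_attribute>=<username>) beneath
   %% dn_lookup_base and uses the DN of the matching entry. This is the
   %% step that, against OpenLDAP 2.4.31, has to take the DN from the
   %% entry itself rather than from a 'distinguishedName' attribute.
   %% Paths A and B are alternatives: enable B only if A is not set,
   %% otherwise the DN string would itself be used as the search value.
   %% ,{dn_lookup_attribute, "uid"}                        % placeholder
   %% ,{dn_lookup_base,      "ou=People,dc=example,dc=com"} % placeholder
 ]}
].
```

Whichever path is used, the mapping from certificate subject to directory entry is the identity boundary worth checking: with path A the CA that issues the client certificates is trusted to assert a DN that exists in LDAP, and with path B the chosen lookup attribute must be unique under the search base so that one username cannot resolve to more than one entry.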