[rabbitmq-discuss] OpenLDAP-based auth with 'other_bind' option: no DN attribute?

Simon MacMullen simon at rabbitmq.com
Fri Dec 6 12:21:04 GMT 2013

On 05/12/2013 13:53, Jan Kaliszewski wrote:
> It seems that 'distinguishedName' (DN) is not treated (by OpenLDAP?) as
> a real LDAP attribute.

First of all, thanks for the detailed investigation.

> When I patched that function by replacing the lines:
>           {ok, #eldap_search_result{entries = [#eldap_entry{attributes = A}]}} ->
>               [DN] = pget("distinguishedName", A),
> with:
>           {ok, #eldap_search_result{entries = [#eldap_entry{object_name = DN}]}} ->
> ...everything started working.
> Am I missing something or is it the only way to make the stuff work, at
> least with OpenLDAP 2.4.31?

Yes, I've been able to replicate this. Most of the LDAP plugin was 
developed against OpenLDAP, but the dn_lookup_attribute / dn_lookup_base 
feature was added to address the common idiom of logging in with a 
non-DN username in Active Directory, and I guess I never tested it 
against OpenLDAP. So I'll file a bug for this (your fix looks correct, 
but I want to make sure it doesn't break against AD).

Out of curiosity, is there a reason why you don't set 
ssl_cert_login_from to distinguished_name and skip this lookup step? Or 
do the DNs in the certs not match the DNs in LDAP?

Cheers, Simon

More information about the rabbitmq-discuss mailing list