
Commit bf33853

committed
Tokenize NetBIOS logins on the backslash character
Fixes #98. This allows `Domain\User` to be used in templates via `${ad_domain}` and `${ad_user}`. See the following discussion: https://groups.google.com/d/topic/rabbitmq-users/mK87YcRy4vQ/discussion
1 parent 18b394e commit bf33853

1 file changed

+21
-7
lines changed
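--- a/src/rabbit_auth_backend_ldap.erl
+++ b/src/rabbit_auth_backend_ldap.erl
@@ -98,9 +98,10 @@ user_login_authorization(Username, AuthProps) ->
 check_vhost_access(User = #auth_user{username = Username,
                                      impl = #impl{user_dn = UserDN}},
                    VHost, _Sock) ->
+    ADArgs = get_active_directory_args(Username),
     Args = [{username, Username},
             {user_dn, UserDN},
-            {vhost, VHost}],
+            {vhost, VHost}] ++ ADArgs,
     ?L("CHECK: ~s for ~s", [log_vhost(Args), log_user(User)]),
     R = evaluate_ldap(env(vhost_access_query), Args, User),
     ?L("DECISION: ~s for ~s: ~p",
@@ -111,12 +112,13 @@ check_resource_access(User = #auth_user{username = Username,
                                         impl = #impl{user_dn = UserDN}},
                       #resource{virtual_host = VHost, kind = Type, name = Name},
                       Permission) ->
+    ADArgs = get_active_directory_args(Username),
     Args = [{username, Username},
             {user_dn, UserDN},
             {vhost, VHost},
             {resource, Type},
             {name, Name},
-            {permission, Permission}],
+            {permission, Permission}] ++ ADArgs,
     ?L("CHECK: ~s for ~s", [log_resource(Args), log_user(User)]),
     R = evaluate_ldap(env(resource_access_query), Args, User),
     ?L("DECISION: ~s for ~s: ~p",
@@ -129,12 +131,13 @@ check_topic_access(User = #auth_user{username = Username,
                    Permission,
                    Context) ->
     OptionsArgs = topic_context_as_options(Context, undefined),
+    ADArgs = get_active_directory_args(Username),
     Args = [{username, Username},
             {user_dn, UserDN},
             {vhost, VHost},
             {resource, Resource},
             {name, Name},
-            {permission, Permission}] ++ OptionsArgs,
+            {permission, Permission}] ++ OptionsArgs ++ ADArgs,
     ?L("CHECK: ~s for ~s", [log_resource(Args), log_user(User)]),
     R = evaluate_ldap(env(topic_access_query), Args, User),
     ?L("DECISION: ~s for ~s: ~p",
@@ -705,9 +708,10 @@ do_login(Username, PrebindUserDN, Password, VHost, LDAP) ->
 do_tag_queries(Username, UserDN, User, VHost, LDAP) ->
     {ok, [begin
               ?L1("CHECK: does ~s have tag ~s?", [Username, Tag]),
-              R = evaluate(Q, [{username, Username},
-                               {user_dn, UserDN} | vhost_if_defined(VHost)],
-                           User, LDAP),
+              VhostArgs = vhost_if_defined(VHost),
+              ADArgs = get_active_directory_args(Username),
+              EvalArgs = [{username, Username}, {user_dn, UserDN}] ++ VhostArgs ++ ADArgs,
+              R = evaluate(Q, EvalArgs, User, LDAP),
               ?L1("DECISION: does ~s have tag ~s? ~p",
                   [Username, Tag, R]),
               {Tag, R}
@@ -752,7 +756,8 @@ dn_lookup(Username, LDAP) ->
     end.
 
 fill_user_dn_pattern(Username) ->
-    fill(env(user_dn_pattern), [{username, Username}]).
+    ADArgs = get_active_directory_args(Username),
+    fill(env(user_dn_pattern), [{username, Username}] ++ ADArgs).
 
 creds(User) -> creds(User, env(other_bind)).
 
@@ -826,6 +831,15 @@ fill(Fmt, Args) ->
     ?L2("template result: \"~s\"", [R]),
     R.
 
+get_active_directory_args([ADUser, ADDomain]) ->
+    [{ad_user, ADUser}, {ad_domain, ADDomain}];
+get_active_directory_args(Parts) when is_list(Parts) ->
+    [];
+get_active_directory_args(Username) when is_binary(Username) ->
+    % If Username is in Domain\User format, provide additional fill
+    % template arguments
+    get_active_directory_args(binary:split(Username, <<"\\">>, [trim_all])).
+
 log_result({ok, #auth_user{}}) -> ok;
 log_result(true) -> ok;
 log_result(false) -> denied;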
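Review bot: In the new `get_active_directory_args/1` clauses at the end of the section, the `[ADUser, ADDomain]` head binds the split parts in the wrong order for the `Domain\User` format the inline comment describes: `binary:split(<<"Domain\\User">>, <<"\\">>, [trim_all])` yields `[<<"Domain">>, <<"User">>]`, so `ad_user` receives the domain and `ad_domain` the account name, and every template that uses `${ad_user}`/`${ad_domain}` — `fill_user_dn_pattern`, `do_tag_queries` and the three access checks above — will bind or match against the wrong value. The head should read `get_active_directory_args([ADDomain, ADUser]) ->` with the body left as is. The `is_list(Parts)` fallback also accepts a username supplied as a charlist, and a two-character charlist would hit the first clause and yield integer values; if usernames here are always binaries, as the `is_binary` guard suggests, that is harmless, but a `-spec get_active_directory_args(binary()) -> [{ad_user | ad_domain, binary()}].` would make the contract explicit. Since `ad_user` and `ad_domain` are interpolated into DN and filter templates exactly like `username`, confirm that `fill/2` applies the same escaping to these new keys.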
