From 15fe108cc30bdb66fcb9862c6f3bb29922378f44 Mon Sep 17 00:00:00 2001
From: Michael Klishin
Date: Wed, 14 Aug 2024 11:57:12 -0400
Subject: [PATCH] LDAP: allow tagged values to be used for sensitive settings
Plus a drive-by Dialyzer improvement.
---
 .../priv/schema/rabbitmq_auth_backend_ldap.schema | 4 ++--
 .../src/rabbit_auth_backend_ldap.erl | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema b/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema
index 669e279125..daf58bb494 100644
--- a/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema
+++ b/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema
@@ -120,7 +120,7 @@ end}.
 [{datatype, [string]}]}.
 {mapping, "auth_ldap.dn_lookup_bind.password", "rabbitmq_auth_backend_ldap.dn_lookup_bind",
- [{datatype, [string]}]}.
+ [{datatype, [tagged_binary, binary]}]}.
 %% - as_user (to bind as the authenticated user - requires a password)
 %% - anon (to bind anonymously)
@@ -161,7 +161,7 @@ end}.
 [{datatype, string}]}.
 {mapping, "auth_ldap.other_bind.password", "rabbitmq_auth_backend_ldap.other_bind",
- [{datatype, string}]}.
+ [{datatype, [tagged_binary, binary]}]}.
 {translation, "rabbitmq_auth_backend_ldap.other_bind",
 fun(Conf) ->
diff --git a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
index 37d62f0dd2..f84a19a683 100644
--- a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
+++ b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
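Review bot: The `auth_ldap.dn_lookup_bind.password` mapping (hunk at line 120) now produces a binary or a tagged value where it used to produce a string, yet nothing in this commit touches the code that consumes it; the same holds for `auth_ldap.other_bind.password` in the hunk at line 161. The `{translation, "rabbitmq_auth_backend_ldap.other_bind", fun(Conf) -> ...` that assembles the bind credentials begins in that hunk's context and continues outside it, so it should be confirmed that it and the LDAP bind path accept a binary and resolve a tagged value before it is used as a password, rather than passing the tagged term through or failing the bind after an upgrade. The diffstat lists only two changed files, so no schema test covers the new forms; a test case per key with a plain value and with a tagged one would pin the behaviour. A comment above each mapping, for example `%% plain or tagged value; consumers must handle both forms`, would record the contract.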
@@ -85,6 +85,7 @@ user_login_authentication(Username, _AuthProps) ->
 %% Credentials (i.e. password) maybe directly in the password attribute in AuthProps
 %% or as a Function with the attribute rabbit_auth_backend_ldap if the user was already authenticated with http backend
 %% or as a Function with the attribute rabbit_auth_backend_cache if the user was already authenticated via cache backend
+-spec extractPassword(list()) -> rabbit_types:option(binary()).
 extractPassword(AuthProps) ->
 case proplists:get_value(password, AuthProps, none) of
 none ->
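Review bot: The new spec on `extractPassword/1` promises `rabbit_types:option(binary())`, while the comment directly above it says the credential may instead arrive as a function under the `rabbit_auth_backend_ldap` or `rabbit_auth_backend_cache` attribute. The body continues outside the hunk, so it cannot be checked here that every branch invokes that function and returns a binary or `none`. The argument type could also be tighter: `-spec extractPassword(proplists:proplist()) -> rabbit_types:option(binary()).` documents that `AuthProps` is read with `proplists:get_value/3`. A spec is checked by Dialyzer only, so it does not constrain at runtime what reaches this function as the password value.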