Michael Klishin
e0dda13ef6
Allow auth_ldap.dn_lookup_bind to be set to anon in rabbitmq.conf, closes #94
[#158471902]
2018-06-19 21:45:30 +03:00
Michael Klishin
c4b32a9961
Log message wording
[#157966354]
2018-05-31 01:58:20 +03:00
Luke Bakken
cdd7deeb6e
Purge defunct connections in more cases
Fixes #92
This PR will purge defunct connections in a few more cases than before.
2018-05-30 15:02:02 -07:00
Michael Klishin
3ffc1255b1
Log this as a warning
2018-03-28 18:44:52 +03:00
Michael Klishin
e9e9d7ea2a
Extract a constant
2018-03-28 00:20:45 +03:00
Michael Klishin
4eb46af59d
Handle gen_tcp errors here, too
2018-03-28 00:12:28 +03:00
Michael Klishin
62b259873c
Retry LDAP operations on eldap reported connection errors
* This will retry up to 10 times when eldap reports a connection
or gen_tcp error.
Closes #90, references #82.
[#156324176]
2018-03-27 23:21:32 +03:00
Michael Klishin
72864e84fb
Recreate LDAP connection and retry on all TCP socket errors
Not just 'closed'. Per discussion with @hairyhum, @lukebakken and @kjnilsson.
Closes #82.
[#155865547]
2018-03-13 18:51:27 +03:00
Arnaud Cogoluègnes
344aba30d5
Handle map when in template arguments
An Erlang map is turned into several arguments. E.g.
{variable_map, #{username => guest, vhost = some-vhost}} is converted
into 2 arguments: variable_map.username=guest and variable_map.vhost=some-vhost.
Fixes #71
2017-06-30 16:38:50 +02:00
Michael Klishin
f20f4c0193
Merge branch 'stable'
2017-05-10 21:54:53 +03:00
William Tan
e8a79c06bd
Add option to enable anonymous authentication
This will allow the user to enable the anon_auth flag in eldap in order
to be able to do a dn lookup by using anonymous authentication instead
of using a dedicated bind user.
2017-05-10 17:05:01 +00:00
Daniil Fedotov
6f487f5f5b
Replace dicts with maps for internal structures
2017-04-24 13:49:07 +01:00
Michael Klishin
32d566f362
Merge branch 'stable'
2017-04-22 01:10:06 +02:00
Michael Klishin
6bfa455084
Compile in non-test environment
Otherwise we are getting an unused function warning that's treated
as an error.
2017-04-22 01:05:34 +02:00
Michael Klishin
aa9a2a40aa
Remove a debug trace
2017-04-22 01:04:04 +02:00
kjnilsson
4f4ff6c13e
Fix badmatch exception when purging connections
The exception stops timed out connections from
reconnecting successfully.
[#144015233]
2017-04-20 14:12:24 +01:00
Michael Klishin
2d0afdcf8e
Merge branch 'stable'
2017-04-02 21:55:36 +03:00
Michael Klishin
33d51d0a8d
(c) year
2017-04-02 21:47:12 +03:00
Michael Klishin
f3c75f6b2e
Revert "Wording"
This reverts commit 1a554a3530.
Given that we use operation verbs (e.g. bind or evaluate) in log
messages, it makes certain sense to use the same wording
in error type atoms, even if it's imperfect English.
2017-02-20 15:03:53 +03:00
Michael Klishin
1a554a3530
Wording
2017-02-20 14:49:51 +03:00
Daniil Fedotov
aa4088a118
Hide LDAP error from clients
LDAP errors are logged to LDAP log,
so we can replace errors with generic messages like
`ldap_connect_error` to be reported to clients.
2017-02-20 11:11:56 +00:00
Arnaud Cogoluègnes
590c738639
Add tests for topic authorisation consumption
Part of rabbitmq/rabbitmq-server#1085
2017-01-20 13:37:51 +01:00
Arnaud Cogoluègnes
7d28a27966
Merge branch 'stable'
Conflicts:
test/system_SUITE.erl
2017-01-13 13:29:10 +01:00
Arnaud Cogoluègnes
65fa7d6c74
Handle plain string cases in match query
Fixes #56
2017-01-13 10:04:20 +01:00
Arnaud Cogoluègnes
b7c2fe7f24
Do not always match bidirectionally
Fixes #56
2017-01-12 10:39:20 +01:00
Arnaud Cogoluègnes
aa1bf987c8
Implement check_topic_access callback
References rabbitmq/rabbitmq-server#505
2016-12-29 08:55:58 +01:00
Arnaud Cogoluègnes
f13e6ac834
Destructure resource kind in function head
2016-12-26 15:32:15 +01:00
Arnaud Cogoluègnes
ea72800353
Support topic authorisation
Add all the resource options in the candidate variables for string substitutions.
This includes the routing key when publishing to an exchange topic. Let pass
when there is no match in the for clause for a topic resource (for backward
compatibility). This is a best effort as some queries could fail when publishing
to a topic exchange, but we cannot know whether it's an omission of
the topic case in the query or the query actually blocks the topic.
Part of rabbitmq/rabbitmq-server#505
2016-12-26 11:28:29 +01:00
kjnilsson
d05c53f2a0
merge from stable
2016-12-14 20:03:34 +00:00
Jean-Sébastien Pédron
636fb21b40
Move from .app.src to Makefile variables
This is the recommended way with Erlang.mk.
By default, the version is inherited from rabbitmq-server-release when
the source archive is created, or computed from git-describe(1) (see
`rabbitmq-components.mk`). One can override the version from the command
line by setting the `PROJECT_VERSION` variable.
[#130992027]
2016-12-06 15:32:08 +01:00
Daniil Fedotov
219ad71c81
Idle connection expiry tests
2016-12-01 18:03:46 +00:00
Daniil Fedotov
600c1b476d
Configure no timeout as infinity
2016-12-01 15:04:13 +00:00
Daniil Fedotov
881a5b3783
Close idle connections after timeout
2016-12-01 13:38:24 +00:00
Jean-Sébastien Pédron
9c1bfc0f4e
rabbitmq_auth_backend_ldap.app: Depend on rabbit_common
2016-09-19 13:07:12 +02:00
kjnilsson
9331760d9e
Treat noSuchObject responses as 'false' during 'or' and 'and' clause evaluations
2016-06-30 11:06:18 +01:00
kjnilsson
2461f04795
move to common test
2016-06-29 10:18:46 +01:00
Michael Klishin
412d3a11c4
onelevel => single_level; compile from scratch
2016-05-22 21:42:55 +03:00
Daniil Fedotov
6c8e911a2e
Make search scope for nested groups configurable
2016-05-12 15:50:22 +01:00
Daniil Fedotov
a0f0f5f6e7
Testing and refactoring
2016-05-12 13:53:54 +01:00
Daniil Fedotov
9dbbd38494
Recursive search for parent groups
2016-05-12 11:09:09 +01:00
Daniil Fedotov
396e55dfdc
Line feeds after connection logs
2016-05-11 15:07:24 +01:00
Michael Klishin
9da1237841
Wording
2016-05-03 14:26:37 +03:00
Daniil Fedotov
61aef2f452
Log LDAP connection error with rabbit_log:warning
2016-05-03 12:14:48 +01:00
Michael Klishin
36b9a4d761
Wording
2016-05-03 14:03:25 +03:00
Daniil Fedotov
6ad5f20a50
Workaround for closing already closed ldap connection
2016-05-03 11:43:22 +01:00
Michael Klishin
9d27275180
Merge pull request #39 from rabbitmq/rabbitmq-auth-backend-ldap-35
Bumps up default LDAP connection worker pool size to 64.
2016-04-29 11:02:36 -05:00
Ayanda Dube
2733f84235
Ignore scrubbing operations for 'false' log level.
2016-04-29 13:13:48 +01:00
Ayanda Dube
d9f66b31c4
Extends scrubbing of bind request credentials to be
carried out on all log levels, except 'network_unsafe'.
2016-04-29 12:18:28 +01:00
Ayanda Dube
15d27896e5
Bumps up default connection worker pool size from 10, to 64.
2016-04-29 10:59:45 +01:00
Ayanda Dube
37711e839e
Introduces and adds handling of 'network_unsafe' log type
option.
2016-04-28 17:43:42 +01:00
Ayanda Dube
24ca70c7d6
Adds functionality to scrub credentials in LDAP network
traffic logs, for bind requests.
2016-04-28 17:43:42 +01:00
Ayanda Dube
826a2493b1
Adds handling of VHost substitution for tag_queries.
Ref: #13.
2016-04-20 12:27:55 +01:00
Daniil Fedotov
8406c0cf77
Merge branch 'stable' into rabbitmq-auth-backend-ldap-15
2016-04-20 11:04:55 +01:00
Ayanda Dube
1ce53182f0
Updates multi attributes formatting to use string:join/2.
Updates is_multi_attr_member/2 to use a short-circuit expression.
Ref: #16.
2016-04-18 14:23:00 +01:00
Ayanda Dube
15b692ed3c
Updates LDAP 'match' query to carry out a bidirectional match, in
case the REQuery returned multiple attributes, i.e. RE strings.
Adds a format_multi_attr/3 match all clause.
Ref: #16.
2016-04-18 14:23:00 +01:00
Ayanda Dube
cdef94e5ac
Adds handling of multiple attribute values, and
multiple LDAP entries for the 'attribute' query.
Ref: #16
2016-04-18 14:23:00 +01:00
Joseph Yiasemides
b19915b617
Discard error tuples in the result of a tag query
A single `{error, ...}` meant that a user wouldn't have any tags
attributed to them. Their authorization would fail entirely if any one
of the tag queries failed with an error tuple.
2016-03-29 11:08:05 +00:00
Michael Klishin
83c22ce905
Update (c) info
2016-01-01 12:59:16 +03:00
Jean-Sébastien Pédron
8a454c5452
Initial move to erlang.mk
2015-10-19 17:28:08 +02:00
Michael Klishin
cd59c66c5a
Merge branch 'stable'
2015-10-05 21:56:33 +03:00
Robby Raschke
018fae0c3f
Return the permission tags from an explicit separate authorization call.
2015-09-30 18:39:04 +02:00
Michael Klishin
5fa779cdfa
(c) year
2015-05-24 04:48:04 +03:00
Michael Klishin
b50b8be85d
(c) year
2015-05-24 04:47:53 +03:00
Alex Thomas
5342ca95e3
Move connection error detection up a level to catch anon access error.
2015-03-30 17:45:10 +01:00
Alex Thomas
cf9789cf40
Move LDAP pool creation from app init to a boot step.
2015-03-30 16:45:44 +01:00
Alex Thomas
54ac8655d6
Recover from closed connection to server.
2015-03-30 15:11:25 +01:00
Simon MacMullen
ecf97d5024
Minor cleanups
Factor out the rebinding bit to stop the function getting out of hand,
reinstate a TODO since while better it is still not perfect, clean up
a few indent issues to conform to our poorly documented code standards.
2015-03-27 12:38:19 +00:00
Simon MacMullen
c8e08397e9
Merge branch 'master' into pull-request-83-fixups
2015-03-27 12:21:53 +00:00
Alex Thomas
4d2cb36283
Make LDAP worker pool size configurable.
2015-03-25 17:15:11 +00:00
ash-lshift
1ea66f0ce9
use worker_pool from rabbitmq-server
...instead of the NIH worker pool implementation. This assumes an as-yet
hypothetical modification to rabbitmq-server.
2015-03-24 18:18:02 +00:00
Simon MacMullen
f0d6fa4094
Fix crash when performing tag query using invalid other_bind creds
Not actually harmful since the crash was caught higher up and
reinterpreted as "permission denied" anyway, but this gives us cleaner
logs.
2015-03-10 11:15:38 +00:00
ash-lshift
afb38b8747
use a pool of workers which cache connections
2015-03-06 17:41:05 +00:00
Simon MacMullen
07b93ff379
Merge branch 'stable'
Conflicts:
src/rabbit_auth_backend_ldap.erl
2015-02-19 14:08:12 +00:00
Simon MacMullen
0e4b00fc80
If other_bind is not set to as_user, establish a new LDAP connection to perform tag queries against.
2015-02-19 13:31:01 +00:00
Simon MacMullen
a748c62326
stable to default
2015-01-09 13:23:46 +00:00
Simon MacMullen
6989477b6e
Oops
2015-01-09 13:23:21 +00:00
Simon MacMullen
3afc96688f
stable to default
2015-01-09 13:14:23 +00:00
Simon MacMullen
20644f08d1
Fix fill escaping, plus a test.
2015-01-09 13:04:19 +00:00
Simon MacMullen
253f3a2f46
API changes.
2014-11-14 14:18:10 +00:00
Simon MacMullen
0013748edd
API changes.
2014-11-13 16:14:20 +00:00
Simon MacMullen
0493972c89
Fix the SSL options for TLS too. Make sure we compare the unfixed version with [], since the fixed version will never be [].
2014-10-20 16:11:12 +01:00
Simon MacMullen
6896285abf
Disable SSLv3.
2014-10-20 14:47:21 +01:00
Simon MacMullen
c10afcca73
We do xref checks against R13B03, stop breaking them.
2014-07-02 16:01:44 +01:00
Simon MacMullen
6118a1598e
Ooops
2014-07-01 17:05:26 +01:00
Simon MacMullen
e62de3b49a
StartTLS support
2014-07-01 17:02:23 +01:00
Simon MacMullen
843a9bc76c
ensure_ssl/0 if we need to, and move a comment to where it should be.
2014-05-19 17:41:44 +01:00
Simon MacMullen
09d4acdc82
Update copyright for 2014
2014-03-17 17:25:20 +00:00
Simon MacMullen
e97a0d3b08
stable to default
2014-03-05 14:20:10 +00:00
Simon MacMullen
f99e437af3
Ban unauthenticated logins.
2014-03-05 13:06:55 +00:00
Simon MacMullen
4d18d982c1
Support connection timeout.
2014-02-19 11:08:41 +00:00
Simon MacMullen
d49de1519a
Continue on our quest towards the world's most verbose logging.
2014-01-29 11:14:42 +00:00
Simon MacMullen
f586ddd335
dn_lookup_bind option, and rather more tests for the login phase.
2014-01-28 17:56:25 +00:00
Simon MacMullen
a4f581e9ed
Not sure of the value of this warning, but let's unbreak it anyway.
2014-01-20 15:16:15 +00:00
Simon MacMullen
3a2986929a
stable to default
2014-01-14 16:08:34 +00:00
Simon MacMullen
cc3f9c6b68
OpenLDAP is not guaranteed to return the DN as an attribute. AFAICS the object_name field should always be filled though, and always be the DN (RFC 4511, 4.5.2).
2014-01-14 16:08:10 +00:00
Simon MacMullen
9cf92dbe3e
stable to default
2013-11-13 11:19:42 +00:00
Simon MacMullen
e52bc903ac
Re-add the app module to do the backend check
2013-11-13 11:19:02 +00:00
Simon MacMullen
fcfa83154a
stable to default (not like normal, many conflicts...)
2013-11-12 17:44:12 +00:00
Simon MacMullen
c87a2e4d85
Merge in default.
2013-11-12 09:54:54 +00:00
Simon MacMullen
de1c0d3c88
Merge in default.
2013-11-04 17:50:52 +00:00