* Add support for testing TLS connections to OpenLDAP

lukebakken · lukebakken · commit a24de1824580 · 2025-08-22T16:08:19.000-07:00
* Add support for validating TLS related configuration via
`/ldap/validate/simple-bind`
diff --git a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap_mgmt.erl b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap_mgmt.erl
@@ -46,29 +46,34 @@ is_authorized(ReqData, Context) ->
 accept_content(ReqData0, Context) ->
     F = fun (_Values, BodyMap, ReqData1) ->
         Port = rabbit_mgmt_util:parse_int(maps:get(port, BodyMap, 389)),
-        _UseSsl = rabbit_mgmt_util:parse_bool(maps:get(use_ssl, BodyMap, false)),
-        _UseStartTls = rabbit_mgmt_util:parse_bool(maps:get(use_starttls, BodyMap, false)),
+        UseSsl = rabbit_mgmt_util:parse_bool(maps:get(use_ssl, BodyMap, false)),
+        UseStartTls = rabbit_mgmt_util:parse_bool(maps:get(use_starttls, BodyMap, false)),
         Servers = maps:get(servers, BodyMap, []),
         UserDN = maps:get(user_dn, BodyMap, <<"">>),
         Password = maps:get(password, BodyMap, <<"">>),
-        Options = [
+        Options0 = [
             {port, Port},
-            {timeout, 5000},
-            {ssl, false}
+            {timeout, 5000}
         ],
-        ?LOG_DEBUG("eldap:open Servers: ~tp Options: ~tp", [Servers, Options]),
-        case eldap:open(Servers, Options) of
+        {ok, Options1} = maybe_add_ssl_options(Options0, UseSsl, BodyMap),
+        ?LOG_DEBUG("eldap:open Servers: ~tp Options1: ~tp", [Servers, Options1]),
+        case eldap:open(Servers, Options1) of
             {ok, LDAP} ->
-                ?LOG_DEBUG("eldap:simple_bind UserDN: ~tp Password: ~tp", [UserDN, Password]),
-                Result = case eldap:simple_bind(LDAP, UserDN, Password) of
+                Result = case maybe_starttls(LDAP, UseStartTls, BodyMap) of
                     ok ->
-                        {true, ReqData1, Context};
-                    {error, invalidCredentials} ->
-                        rabbit_mgmt_util:not_authorised("invalid credentials", ReqData1, Context);
-                    {error, unwillingToPerform} ->
-                        rabbit_mgmt_util:not_authorised("invalid credentials", ReqData1, Context);
-                    {error, E} ->
-                        Reason = unicode_format(E),
+                        case eldap:simple_bind(LDAP, UserDN, Password) of
+                            ok ->
+                                {true, ReqData1, Context};
+                            {error, invalidCredentials} ->
+                                rabbit_mgmt_util:not_authorised("invalid credentials", ReqData1, Context);
+                            {error, unwillingToPerform} ->
+                                rabbit_mgmt_util:not_authorised("invalid credentials", ReqData1, Context);
+                            {error, E} ->
+                                Reason = unicode_format(E),
+                                rabbit_mgmt_util:bad_request(Reason, ReqData1, Context)
+                        end;
+                    Error ->
+                        Reason = unicode_format(Error),
                         rabbit_mgmt_util:bad_request(Reason, ReqData1, Context)
                 end,
                 eldap:close(LDAP),
@@ -84,3 +89,44 @@ accept_content(ReqData0, Context) ->
 
 unicode_format(Arg) ->
     rabbit_data_coercion:to_utf8_binary(io_lib:format("~tp", [Arg])).
+
+maybe_starttls(_LDAP, false, _BodyMap) ->
+    ok;
+maybe_starttls(LDAP, true, BodyMap) ->
+    {ok, TlsOptions} = tls_options(BodyMap),
+    ?LOG_DEBUG("maybe_starttls TlsOptions ~tp", [TlsOptions]),
+    eldap:start_tls(LDAP, TlsOptions, 5000).
+
+maybe_add_ssl_options(Options0, false, _BodyMap) ->
+    {ok, Options0};
+maybe_add_ssl_options(Options0, true, BodyMap) ->
+    case maps:is_key(ssl_options, BodyMap) of
+        false ->
+            {ok, Options0};
+        true ->
+            Options1 = [{ssl, true} | Options0],
+            {ok, TlsOptions} = tls_options(BodyMap),
+            Options2 = [{sslopts, TlsOptions} | Options1],
+            {ok, Options2}
+    end.
+
+tls_options(BodyMap) ->
+    case maps:get(ssl_options, BodyMap, undefined) of
+        undefined ->
+            {ok, []};
+        SslOptionsMap ->
+            %% NB: for some reason the "cacertfile" key isn't turned into an atom
+            TlsOpts0 = case maps:get(<<"cacertfile">>, SslOptionsMap, undefined) of
+                undefined ->
+                    [];
+                CaCertfile ->
+                    [{cacertfile, CaCertfile}]
+            end,
+            TlsOpts1 = case maps:get(<<"server_name_indication">>, SslOptionsMap, disable) of
+                disable ->
+                    TlsOpts0;
+                SniValue ->
+                    [{server_name_indication, SniValue} | TlsOpts0]
+            end,
+            {ok, TlsOpts1}
+    end.
diff --git a/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl b/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl
@@ -162,10 +162,23 @@ end_per_group(_, Config) ->
 init_slapd(Config) ->
     DataDir = ?config(data_dir, Config),
     PrivDir = ?config(priv_dir, Config),
+    CertsDir = ?config(rmq_certsdir, Config),
+    CaCertfile = filename:join([CertsDir, "testca", "cacert.pem"]),
+    ServerCertfile = filename:join([CertsDir, "server", "cert.pem"]),
+    ServerKeyfile = filename:join([CertsDir, "server", "key.pem"]),
     TcpPort = 25389,
+    TlsPort = 25689,
     SlapdDir = filename:join([PrivDir, "openldap"]),
     InitSlapd = filename:join([DataDir, "init-slapd.sh"]),
-    Cmd = [InitSlapd, SlapdDir, {"~b", [TcpPort]}],
+    Cmd = [
+        InitSlapd,
+        SlapdDir,
+        {"~b", [TcpPort]},
+        {"~b", [TlsPort]},
+        CaCertfile,
+        ServerCertfile,
+        ServerKeyfile
+    ],
     case rabbit_ct_helpers:exec(Cmd) of
         {ok, Stdout} ->
             {match, [SlapdPid]} = re:run(
@@ -178,7 +191,8 @@ init_slapd(Config) ->
                    [SlapdPid, TcpPort]),
             rabbit_ct_helpers:set_config(Config,
                                          [{slapd_pid, SlapdPid},
-                                          {ldap_port, TcpPort}]);
+                                          {ldap_port, TcpPort},
+                                          {ldap_tls_port, TlsPort}]);
         _ ->
             _ = rabbit_ct_helpers:exec(["pkill", "-INT", "slapd"]),
             {skip, "Failed to initialize slapd(8)"}
@@ -282,13 +296,18 @@ end_per_testcase(Testcase, Config) ->
 %% -------------------------------------------------------------------
 
 validate_ldap_configuration_via_api(Config) ->
+    CertsDir = ?config(rmq_certsdir, Config),
+    CaCertfile = filename:join([CertsDir, "testca", "cacert.pem"]),
+
     %% {user_dn_pattern, "cn=${username},ou=People,dc=rabbitmq,dc=com"},
     UserDNFmt = "cn=~ts,ou=People,dc=rabbitmq,dc=com",
     AliceUserDN = rabbit_data_coercion:to_utf8_binary(io_lib:format(UserDNFmt, [?ALICE_NAME])),
     InvalidUserDN = rabbit_data_coercion:to_utf8_binary(io_lib:format(UserDNFmt, ["NOBODY"])),
     Password = rabbit_data_coercion:to_utf8_binary("password"),
 
     LdapPort = ?config(ldap_port, Config),
+    LdapTlsPort = ?config(ldap_tls_port, Config),
+
     %% NB: bad resource name
     http_put(Config, "/ldap/validate/bad-bind-name",
         #{
@@ -310,7 +329,31 @@ validate_ldap_configuration_via_api(Config) ->
             'password' => Password,
             'servers' => ["localhost"],
             'port' => LdapPort
-        }, ?NOT_AUTHORISED).
+        }, ?NOT_AUTHORISED),
+    http_put(Config, "/ldap/validate/simple-bind",
+        #{
+            'user_dn' => AliceUserDN,
+            'password' => Password,
+            'servers' => ["localhost"],
+            'port' => LdapTlsPort,
+            'use_ssl' => true,
+            'ssl_options' => #{
+                'cacertfile' => CaCertfile
+            }
+        }, ?NO_CONTENT),
+    http_put(Config, "/ldap/validate/simple-bind",
+        #{
+            'user_dn' => AliceUserDN,
+            'password' => Password,
+            'servers' => ["localhost"],
+            'port' => LdapPort,
+            'use_ssl' => false,
+            'use_starttls' => true,
+            'ssl_options' => #{
+                'server_name_indication' => "localhost",
+                'cacertfile' => CaCertfile
+            }
+        }, ?NO_CONTENT).
 
 purge_connection(Config) ->
     {ok, _} = rabbit_ct_broker_helpers:rpc(Config, 0,
diff --git a/deps/rabbitmq_auth_backend_ldap/test/system_SUITE_data/init-slapd.sh b/deps/rabbitmq_auth_backend_ldap/test/system_SUITE_data/init-slapd.sh
@@ -1,13 +1,18 @@
 #!/bin/sh
 # vim:sw=4:et:
 
-set -ex
+set -eux
 
 readonly slapd_data_dir="$1"
 readonly tcp_port="$2"
+readonly tls_port="$3"
+readonly cacertfile="$4"
+readonly server_certfile="$5"
+readonly server_keyfile="$6"
 
 readonly pidfile="$slapd_data_dir/slapd.pid"
-readonly uri="ldap://localhost:$tcp_port"
+readonly tcp_uri="ldap://localhost:$tcp_port"
+readonly tls_uri="ldaps://localhost:$tls_port"
 
 readonly binddn="cn=config"
 readonly passwd=secret
@@ -68,6 +73,10 @@ loglevel        7
 database        config
 rootdn          "$binddn"
 rootpw          $passwd
+
+TLSCACertificateFile  $cacertfile
+TLSCertificateFile    $server_certfile
+TLSCertificateKeyFile $server_keyfile
 EOF
 
 cat "$conf_file"
@@ -79,15 +88,15 @@ mkdir -p "$conf_dir"
 "$slapd" \
     -f "$conf_file" \
     -F "$conf_dir" \
-    -h "$uri"
+    -h "$tcp_uri $tls_uri"
 
 readonly auth="-x -D $binddn -w $passwd"
 
 # We wait for the server to start.
 # shellcheck disable=SC2034
 for seconds in 1 2 3 4 5 6 7 8 9 10; do
     # shellcheck disable=SC2086
-    ldapsearch $auth -H "$uri" -LLL -b cn=config dn && break;
+    ldapsearch $auth -H "$tcp_uri" -LLL -b cn=config dn && break;
     sleep 1
 done
 
@@ -106,22 +115,22 @@ mkdir -p "$example_data_dir"
 # shellcheck disable=SC2086
 sed -E -e "s,^olcDbDirectory:.*,olcDbDirectory: $example_data_dir," \
     < "$example_ldif_dir/global.ldif" | \
-    ldapadd $auth -H "$uri"
+    ldapadd $auth -H "$tcp_uri"
 
 # We remove the module path from the example LDIF as it was already
 # configured.
 # shellcheck disable=SC2086
 sed -E -e "s,^olcModulePath:.*,olcModulePath: $modulepath," \
     < "$example_ldif_dir/memberof_init.ldif" | \
-    ldapadd $auth -H "$uri"
+    ldapadd $auth -H "$tcp_uri"
 
 # shellcheck disable=SC2086
-ldapmodify $auth -H "$uri" -f "$example_ldif_dir/refint_1.ldif"
+ldapmodify $auth -H "$tcp_uri" -f "$example_ldif_dir/refint_1.ldif"
 
 # shellcheck disable=SC2086
-ldapadd $auth -H "$uri" -f "$example_ldif_dir/refint_2.ldif"
+ldapadd $auth -H "$tcp_uri" -f "$example_ldif_dir/refint_2.ldif"
 
 # shellcheck disable=SC2086
-ldapsearch $auth -H "$uri" -LLL -b cn=config dn
+ldapsearch $auth -H "$tcp_uri" -LLL -b cn=config dn
 
 echo SLAPD_PID="$(cat "$pidfile")"
