With reference to #15497 - Cannot get advanced.conf value encryption to work with LDAP

[parvvam]

Is your feature request related to a problem? Please describe.

Previously, I had generated a request for encryption of LDAP credentials in advanced.config but after following certain steps suggested by the contributors and the AI, still i was unable to resolve it and finally i found the issue that in the link here that the data type string is supported so i am unable to decrypt the values using environment variables or through a passphrase, I request to provide the encode/decode data type in the configuration mentioned here.

https://github.com/rabbitmq/rabbitmq-auth-backend-ldap/blob/f0c0a7042e30e90c9287c33de3bfeeab8411c742/priv/schema/rabbitmq_auth_backend_ldap.schema#L122

Describe the solution you'd like

I would to like to have data type as encode/decode instead of string as shown in this configuration.

https://github.com/rabbitmq/rabbitmq-auth-backend-ldap/blob/f0c0a7042e30e90c9287c33de3bfeeab8411c742/priv/schema/rabbitmq_auth_backend_ldap.schema#L122

Describe alternatives you've considered

Step followed:

https://gemini.google.com/share/677dceb476d5

configuration on the RabbitMQ side

In rabbitmq.conf, i have enabled the parameters

auth_backends.1 = rabbit_auth_backend_ldap

auth_backends.2 = rabbit_auth_backend_internal

The advanced.config file has the following configuration.

[

{rabbitmq_auth_backend_ldap, [



{servers, ["servername"]},

{port, 636},

{use_ssl, true},

{ssl_options, [{verify, verify_none}]},



{dn_lookup_bind,

{"username", "password"}},



{dn_lookup_base, "dc=domain name,dc=com"},

{dn_lookup_attribute, "sAMAccountName"},



{tag_queries, [

{management, {in_group, "cn=cn name,ou=users,dc=domain name,dc=com"}}

]}

]}

].

for the encrypted value this is the configuration

firstly, run this command

rabbitmqctl encode '<<"password">>'
Encrypting value to be used in advanced.config...
Passphrase:
'<<"password">>'
{encrypted,<<"encrypted string ">>}

[

  %% (one-time) global decoder
  {rabbit, [
    {config_entry_decoder, [
      {passphrase, {file, "/etc/rabbitmq/ldap_bind.pass"}}
    ]}
  ]},



 {rabbitmq_auth_backend_ldap, [

   {servers, ["dc server"]},
   {port, 636},
   {use_ssl, true},
   {ssl_options, [{verify, verify_none}]},

   {dn_lookup_bind,
    {"username",{encrypted, <<"encrypted string">>}}},

   {dn_lookup_base, "dc=domain name,dc=com"},
   {dn_lookup_attribute, "sAMAccountName"},

     {tag_queries, [
      {management, {in_group, "cn=cn_name,ou=Securitygroups,dc=domain name,dc=com"}}
   ]}
 ]}
].

Now define the actual password in environment variable

systemctl edit rabbitmq-server.service

[Service]
Environment=RABBITMQ_CONFIG_PASS_FILE=/etc/rabbitmq/ldap_bind.pass

in the file /etc/rabbitmq/ldap_bind.pass kept the password as

LDAP_BIND_PASSWORD=password in clear text

Additional context

No response

[michaelklishin]

@parvvam I'm not sure what you are asking for here.

advanced.config does not support environment variable interpolation as rabbitmq.conf does, it this will remain the case.

The most common point of confusion when using encrypted values in advanced.config is the data types fed to the CLI command, since "value" and <<"value">> in Erlang are not the same value (one is a string and another is a binary).

I would to like to have data type as encode/decode instead of string as shown in this configuration

It's true that the LDAP password field (auth_ldap.dn_lookup_bind.password) does not support prefixed strings via encrypted:… and there isn't a good reason for that. That can be fixed trivially.

[michaelklishin]

RabbitMQ does not support the RABBITMQ_CONFIG_PASSPHRASE_FILE env variable, that's a hallucination.

[michaelklishin]

#15808 adds support for tagged values such as encrypted:... to more keys, including auth_ldap.dn_lookup_bind.password.