Allow auth_ldap.dn_lookup_bind to be set to anon in rabbitmq.conf, closes #94

[#158471902]

Author: michaelklishin

priv/schema/rabbitmq_auth_backend_ldap.schema

@@ -106,18 +106,25 @@ end}.
     [{datatype, [{enum, [none]}, string]}]}.
 
 {mapping, "auth_ldap.dn_lookup_bind", "rabbitmq_auth_backend_ldap.dn_lookup_bind",
-    [{datatype, [{enum, [as_user]}]}]}.
+    [{datatype, [{enum, [as_user, anon]}]}]}.
 
 {mapping, "auth_ldap.dn_lookup_bind.user_dn", "rabbitmq_auth_backend_ldap.dn_lookup_bind",
     [{datatype, [string]}]}.
 
 {mapping, "auth_ldap.dn_lookup_bind.password", "rabbitmq_auth_backend_ldap.dn_lookup_bind",
     [{datatype, [string]}]}.
 
+%%  - as_user (to bind as the authenticated user - requires a password)
+%%  - anon    (to bind anonymously)
+%%  - {UserDN, Password} (to bind with a specified user name and password)
+%%
+%% Defaults to 'as_user'.
+
 {translation, "rabbitmq_auth_backend_ldap.dn_lookup_bind",
 fun(Conf) ->
     case cuttlefish:conf_get("auth_ldap.dn_lookup_bind", Conf, undefined) of
         as_user -> as_user;
+        anon    -> anon;
         _       ->
             User = cuttlefish:conf_get("auth_ldap.dn_lookup_bind.user_dn", Conf),
             Pass = cuttlefish:conf_get("auth_ldap.dn_lookup_bind.password", Conf),
@@ -138,8 +145,6 @@ end}.
 %%  - {UserDN, Password} (to bind with a specified user name and password)
 %%
 %% Defaults to 'as_user'.
-%%
-%% {other_bind, as_user},
 
 {mapping, "auth_ldap.other_bind", "rabbitmq_auth_backend_ldap.other_bind",
     [{datatype, {enum, [as_user, anon]}}]}.

src/rabbit_auth_backend_ldap.erl

@@ -719,8 +719,11 @@ vhost_if_defined(VHost) -> [{vhost, VHost}].
 
 dn_lookup_when() -> case {env(dn_lookup_attribute), env(dn_lookup_bind)} of
                         {none, _}       -> never;
-                        {_,    as_user} -> postbind;
-                        {_,    _}       -> prebind
+                        {_,    as_user}   -> postbind;
+                        %% make it more obvious what the invariants are,
+                        %% see rabbitmq/rabbitmq-auth-backend-ldap#94. MK.
+                        {_,    anon}      -> prebind;
+                        {_,    _}         -> prebind
                     end.
 
 username_to_dn_prebind(Username) ->

test/config_schema_SUITE_data/rabbitmq_auth_backend_ldap.snippets

@@ -109,10 +109,20 @@
    auth_ldap.dn_lookup_bind.password = password",
   [{rabbitmq_auth_backend_ldap,[{dn_lookup_bind,{"username","password"}}]}],
   [rabbitmq_auth_backend_ldap]},
+ {db_lookup_bind_anon,
+  "auth_ldap.dn_lookup_bind = anon",
+  [{rabbitmq_auth_backend_ldap,[{dn_lookup_bind,anon}]}],
+  [rabbitmq_auth_backend_ldap]},
  {other_bind_anon,
   "auth_ldap.other_bind = anon",
   [{rabbitmq_auth_backend_ldap,[{other_bind,anon}]}],
   [rabbitmq_auth_backend_ldap]},
+ {both_binds_anon,
+  "auth_ldap.dn_lookup_bind = anon
+   auth_ldap.other_bind = anon",
+  [{rabbitmq_auth_backend_ldap,[{dn_lookup_bind,anon},
+                                {other_bind,anon}]}],
+  [rabbitmq_auth_backend_ldap]},
  {other_bind_as_user,
   "auth_ldap.other_bind = as_user",
   [{rabbitmq_auth_backend_ldap,[{other_bind,as_user}]}],