Can't have slash in AD group name to meet vhost lookup for LDAP auth


Weiyi Wang

Aug 25, 2022, 12:02:28 AM
to rabbitmq-users
Hi Team,

For the LDAP auth config, to have better access control for different roles (developer, vendor developer, tester, etc.) in different environments, I set the vhost access query rules like below.

advancedConfig: |
      [{rabbitmq_auth_backend_ldap,[
           {vhost_access_query,
             {'or', [
                 {in_group, "CN=rabbitmq-nprd-admin,OU=zzz,DC=yyy,DC=xxx"},
                 {in_group, "CN=rabbitmq-nprd-${vhost}-read,OU=zzz,DC=yyy,DC=xxx"},
                 {in_group, "CN=rabbitmq-nprd-${vhost}-write,OU=zzz,DC=yyy,DC=xxx"}
             ]}
           },
...


However, the vhosts are named with a leading slash, like /dev, /qua and /val for the various environments, by our developers, and it seems this cannot be changed. The problem is that an AD group can't have a slash in its name. Is there a way to remove the slash?

Luke Bakken

Aug 30, 2022, 12:16:16 PM
to rabbitmq-users
Hello,

There is no way to remove the slash. Ideally, you would rename your vhosts.

According to this article, the slash character is allowed, but you must escape the forward slash character when performing queries and other operations: https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx

[{rabbitmq_auth_backend_ldap,[
    {vhost_access_query,
        {'or', [
            {in_group, "CN=rabbitmq-nprd-admin,OU=zzz,DC=yyy,DC=xxx"},
            {in_group, "CN=rabbitmq-nprd-\\${vhost}-read,OU=zzz,DC=yyy,DC=xxx"},
            {in_group, "CN=rabbitmq-nprd-\\${vhost}-write,OU=zzz,DC=yyy,DC=xxx"}
        ]}
    },


You should experiment with using a single and double backslash. I'm not exactly sure which is necessary.

Of course, the above only works if it is guaranteed that your vhost name starts with the slash character. If that's not the case, you can double the entries in the "or" group, and add non-escaped entries.

Thanks,
Luke
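The following is an added example, not code from either post or from RabbitMQ itself. It shows what the substitution and escaping in Luke's suggested query produce for a vhost such as /dev, and evaluates the same "or" of admin/read/write group membership that the vhost_access_query expresses, including the fallback of listing both escaped and unescaped group DNs when it is not guaranteed that every vhost name starts with a slash. The group DN template and base DN are taken from the thread; the vhost names, function names and memberOf values are constructed for illustration.

```python
# Added example: AD-style DN escaping for a vhost name substituted into a group DN,
# plus the membership check the LDAP backend's {'or', [{in_group, ...}, ...]}
# query performs. Names and sample data are constructed, not taken from a real directory.

# Characters that must be backslash-escaped anywhere inside an AD DN attribute value:
# the RFC 4514 set plus the forward slash, which Active Directory additionally requires.
_AD_DN_SPECIAL = set(',\\+<>;"=/')

BASE_DN = "OU=zzz,DC=yyy,DC=xxx"   # base DN from the thread's configuration


def escape_ad_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an Active Directory DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _AD_DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")          # a leading '#' is special per RFC 4514
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")          # leading/trailing spaces must be escaped to survive
        else:
            out.append(ch)
    return "".join(out)


def group_dns_for_vhost(vhost: str, suffix: str, include_unescaped: bool = False):
    """Candidate group DNs for one vhost and role suffix ("read" or "write").

    The escaped form is what Luke's "\\${vhost}" entry yields for a slash-prefixed
    vhost; include_unescaped adds the plain entry for vhosts without a leading slash.
    """
    dns = [f"CN=rabbitmq-nprd-{escape_ad_dn_value(vhost)}-{suffix},{BASE_DN}"]
    if include_unescaped:
        dns.append(f"CN=rabbitmq-nprd-{vhost}-{suffix},{BASE_DN}")
    return dns


def vhost_access_allowed(member_of, vhost: str, include_unescaped: bool = False) -> bool:
    """Evaluate the 'or' of admin, read and write group membership for a vhost.

    member_of is the list of group DNs the user belongs to (e.g. the AD memberOf
    attribute). DNs are compared case-insensitively, as LDAP does.
    """
    normalized = {dn.lower() for dn in member_of}
    candidates = [f"CN=rabbitmq-nprd-admin,{BASE_DN}"]
    for suffix in ("read", "write"):
        candidates += group_dns_for_vhost(vhost, suffix, include_unescaped)
    return any(c.lower() in normalized for c in candidates)


if __name__ == "__main__":
    # Constructed memberOf values for a hypothetical developer account.
    dev_groups = [f"CN=rabbitmq-nprd-\\/dev-read,{BASE_DN}"]
    print(escape_ad_dn_value("/dev"))                    # \/dev
    print(group_dns_for_vhost("/dev", "read"))           # escaped DN only
    print(vhost_access_allowed(dev_groups, "/dev"))      # True
    print(vhost_access_allowed(dev_groups, "/qua"))      # False: different environment
```

Running the block with a constructed memberOf list shows that a user in the escaped /dev read group is granted /dev and denied /qua, and that a vhost without a leading slash only matches when the unescaped entries are also present in the "or" list.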