Username with "@" character does not work with the LDAP plugin / MQTT Login

[MichaelUray]

Describe the bug

If I use the username [email protected] as uid in LDAP, then the MQTT authentication fails.
If I use just name.familyname then it works.
I guess there is a problem with the "@" character in the LDAP/MQTT authentication.

Reproduction steps

Use the following advanced.config file and set the uid of a user, which is member of cn=mqtt, ou=rabbitmq, ou=groups, dc=test, dc=com, to [email protected].

[
    %% ----------------------------------------------------------------------------
    %% LDAP plugin configuration
    %% ----------------------------------------------------------------------------
    {rabbitmq_auth_backend_ldap, [
        {group_lookup_base, "ou=rabbitmq,ou=groups,dc=test,dc=com"},

        {resource_access_query,
            {for, [
                {permission, configure, {in_group, "cn=mqtt, ou=rabbitmq, ou=groups, dc=test, dc=com", "uniqueMember"}},
                {permission, write,
                    {for, [
                        {resource, queue, {in_group, "cn=mqtt, ou=rabbitmq, ou=groups, dc=test, dc=com", "uniqueMember"}},
                        {resource, exchange, {constant, true}}
                    ]}
                },
                {permission, read,
                    {for, [
                        {resource, exchange, {in_group, "cn=mqtt, ou=rabbitmq, ou=groups, dc=test, dc=com", "uniqueMember"}},
                        {resource, queue, {constant, true}}
                    ]}
                }
            ]}
        },


        {tag_queries, [
            {administrator, {in_group, "cn=administrator, ou=rabbitmq, ou=groups,   , dc=com", "uniqueMember"}},
            {monitoring, {in_group, "cn=monitoring, ou=rabbitmq, ou=groups, dc=test,dc=com", "uniqueMember"}},
            {management, {in_group, "cn=management, ou=rabbitmq, ou=groups, dc=test, dc=com", "uniqueMember"}},
            {policymaker, {in_group, "cn=policymaker, ou=rabbitmq, ou=groups, dc=test, dc=com", "uniqueMember"}}
        ]},


        {topic_access_query,
            {for, [
                {permission, write, 
                    {'or', [
                        %% administrator can write to all topics
                        {in_group, "cn=administrator, ou=rabbitmq, ou=groups, dc=test, dc=com", "uniqueMember"},
                        %% users can only write to [project number].[customer number] from postalAddress
                        {match, {string, "${routing_key}"}, {attribute, "${user_dn}", "postalAddress"}}
                    ]}
                },
                {permission, read, 
                    {'or', [
                        {constant, true}
                    ]}
                }
            ]}
        }
    ]}
].

It will not allow the user to connect to the MQTT server

Expected behavior

I would expect that the LDAP/MQTT plugin accepts e-mail addresses as LDAP usernames/uid.

Additional context

If I create a user via the RabbitMQ web-admin, then it is possible to use "@" in the username, but it does not work via the LDAP plugin.

[lukebakken]

@MichaelUray it would help us out a LOT if you could export an entire LDAP schema we can import into OpenLDAP to reproduce this issue. Right now it would take me quite a bit of time to get an LDAP environment up and running, and that would expedite investigation.

Please let us know what version of Erlang and RabbitMQ you're using, too.

[michaelklishin]

We don't have any logs or even version information here => moving this to a discussion.

[michaelklishin]

Neither plugin explicitly validates what username is provided. @ does not have any special meaning in usernames in MQTTv3 or MQTTv5, and I could not find any examples of what LDAP implementations may treat it as a "special" character.

In fact, one Erlang LDAP client example uses an email-looking username in one of the examples.

So likely this is something specific to the environment, and without at least some LDAP schema bits, server logs and any version information, we can only guess where to begin looking. We do not guess in this community.

[MichaelUray]

I just tried to re-create this situation to get some log-files, but now it seems to work.
It looks I had another issue (lost LDAP group membership while renaming user) which caused the logon-fail,
Sorry for that.

[michaelklishin]

A fix shipped in 3.12.4.