fix(ldap-authn): remove slat-related configs since they conflict with RFC 3123

apps/emqx_authn/src/emqx_authn_password_hashing.erl

@@ -53,8 +53,7 @@
 
 -export([
     type_ro/1,
-    type_rw/1,
+    type_rw/1
-    salt_position/1
 ]).
 
 -export([

apps/emqx_ldap/src/emqx_ldap_authn.erl

@@ -50,8 +50,6 @@ fields(ldap) ->
         {mechanism, emqx_authn_schema:mechanism(password_based)},
         {backend, emqx_authn_schema:backend(ldap)},
         {password_attribute, fun password_attribute/1},
-        {salt_attribute, fun salt_attribute/1},
-        {salt_position, fun emqx_authn_password_hashing:salt_position/1},
         {is_superuser_attribute, fun is_superuser_attribute/1},
         {query_timeout, fun query_timeout/1}
     ] ++ emqx_authn_schema:common_fields() ++ emqx_ldap:fields(config).
@@ -66,11 +64,6 @@ password_attribute(desc) -> ?DESC(?FUNCTION_NAME);
 password_attribute(default) -> <<"userPassword">>;
 password_attribute(_) -> undefined.
 
-salt_attribute(type) -> string();
-salt_attribute(desc) -> ?DESC(?FUNCTION_NAME);
-salt_attribute(default) -> <<"passwordSalt">>;
-salt_attribute(_) -> undefined.
-
 is_superuser_attribute(type) -> string();
 is_superuser_attribute(desc) -> ?DESC(?FUNCTION_NAME);
 is_superuser_attribute(default) -> <<"isSuperuser">>;
@@ -116,7 +109,6 @@ authenticate(
     #{password := Password} = Credential,
     #{
         password_attribute := PasswordAttr,
-        salt_attribute := SaltAttr,
         is_superuser_attribute := IsSuperuserAttr,
         query_timeout := Timeout,
         resource_id := ResourceId
@@ -125,7 +117,7 @@ authenticate(
     case
         emqx_resource:simple_sync_query(
             ResourceId,
-            {query, Credential, [PasswordAttr, SaltAttr, IsSuperuserAttr, ?ISENABLED_ATTR], Timeout}
+            {query, Credential, [PasswordAttr, IsSuperuserAttr, ?ISENABLED_ATTR], Timeout}
         )
     of
         {ok, []} ->
@@ -154,7 +146,7 @@ parse_config(Config) ->
             Acc#{Key => Value}
         end,
         #{},
-        [password_attribute, salt_attribute, salt_position, is_superuser_attribute, query_timeout]
+        [password_attribute, is_superuser_attribute, query_timeout]
     ),
     {Config, State}.
 
@@ -200,6 +192,7 @@ extract_hash_algorithm(LDAPPassword, Password, OnFail, Entry, State) ->
             OnFail(LDAPPassword, Password, Entry, State)
     end.
 
+%% this password is in LDIF format which is base64 encoding
 try_decode_passowrd(LDAPPassword, Password, Entry, State) ->
     case safe_base64_decode(LDAPPassword) of
         {ok, Decode} ->
@@ -218,7 +211,7 @@ try_decode_passowrd(LDAPPassword, Password, Entry, State) ->
 
 verify_password(ssha, PasswordData, Password, Entry, State) ->
     case safe_base64_decode(PasswordData) of
-        {ok, <<PasswordHash:20, Salt/binary>>} ->
+        {ok, <<PasswordHash:20/binary, Salt/binary>>} ->
             verify_password(sha, PasswordHash, Salt, suffix, Password, Entry, State);
         {ok, _} ->
             {error, invalid_ssha_password};
@@ -230,10 +223,9 @@ verify_password(
     PasswordHash,
     Password,
     Entry,
-    #{salt_attribute := Attr, salt_position := Position} = State
+    State
 ) ->
-    Salt = get_bin_value(Attr, Entry#eldap_entry.attributes, <<>>),
+    verify_password(Algorithm, PasswordHash, <<>>, disable, Password, Entry, State).
-    verify_password(Algorithm, PasswordHash, Salt, Position, Password, Entry, State).
 
 verify_password(Algorithm, PasswordHash, Salt, Position, Password, Entry, State) ->
     Result = emqx_passwd:check_pass(
@@ -265,9 +257,5 @@ get_lower_bin_value(Key, Proplists, Default) ->
     [Value | _] = get_value(Key, Proplists, [Default]),
     to_binary(string:to_lower(Value)).
 
-get_bin_value(Key, Proplists, Default) ->
-    [Value | _] = get_value(Key, Proplists, [Default]),
-    to_binary(Value).
-
 to_binary(Value) ->
     erlang:list_to_binary(Value).