MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
minio/internal/config/identity/ldap/config.go

686 lines
20 KiB
Go
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-18 15:41:13 -04:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
package ldap
import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
"math/rand"
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
"net"
fix: Add support for DurationSeconds in LDAP STS API (#12778)
2021-07-22 15:13:21 -04:00
"strconv"
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
"strings"
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
"time"
update dependenices for relevant projects (#11445) - minio-go -> v7.0.8 - ldap/v3 -> v3.2.4 - reedsolomon -> v1.9.11 - sio-go -> v0.3.1 - msgp -> v1.1.5 - simdjson-go, md5-simd, highwayhash
2021-02-04 16:49:52 -05:00
ldap "github.com/go-ldap/ldap/v3"
[LDAP] Support syncing user-group memberships with LDAP service (#12785) When configured in Lookup Bind mode, the server now periodically queries the LDAP IDP service to find changes to a user's group memberships, and saves this info to update the access policies for all temporary and service account credentials belonging to LDAP users.
2021-07-24 14:57:36 -04:00
"github.com/minio/minio-go/v7/pkg/set"
fix: Add support for DurationSeconds in LDAP STS API (#12778)
2021-07-22 15:13:21 -04:00
"github.com/minio/minio/internal/auth"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-01 17:59:40 -04:00
"github.com/minio/minio/internal/config"
DEPRECATION Warning: Avoid configuring default LDAP STS Expiry (#12781) - Show notice when `MINIO_IDENTITY_LDAP_STS_EXPIRY` or the corresponding to the configuration option is used at server startup. - Once support is removed, the default will be fixed at 1 hour. - Users may specify expiry directly in the STS API. - Update docs and help message - Adds example in ldap.go to configure expiry in STS API.
2021-07-22 19:43:57 -04:00
"github.com/minio/minio/internal/logger"
move the dependency to minio/pkg for common libraries (#12397)
2021-05-28 18:17:01 -04:00
"github.com/minio/pkg/env"
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
)
const (
defaultLDAPExpiry = time.Hour * 1
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
dnDelimiter = ";"
fix: Add support for DurationSeconds in LDAP STS API (#12778)
2021-07-22 15:13:21 -04:00
minLDAPExpiry time.Duration = 15 * time.Minute
maxLDAPExpiry time.Duration = 365 * 24 * time.Hour
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
)
// Config contains AD/LDAP server connectivity information.
type Config struct {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
Enabled bool `json:"enabled"`
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
// E.g. "ldap.minio.io:636"
ServerAddr string `json:"serverAddr"`
// STS credentials expiry duration
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
STSExpiryDuration string `json:"stsExpiryDuration"`
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
// Format string for usernames
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
UsernameFormat string `json:"usernameFormat"`
UsernameFormats []string `json:"-"`
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// User DN search parameters
UserDNSearchBaseDN string `json:"userDNSearchBaseDN"`
UserDNSearchFilter string `json:"userDNSearchFilter"`
// Group search parameters
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
GroupSearchBaseDistName string `json:"groupSearchBaseDN"`
GroupSearchBaseDistNames []string `json:"-"`
GroupSearchFilter string `json:"groupSearchFilter"`
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// Lookup bind LDAP service account
LookupBindDN string `json:"lookupBindDN"`
LookupBindPassword string `json:"lookupBindPassword"`
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
stsExpiryDuration time.Duration // contains converted value
tlsSkipVerify bool // allows skipping TLS verification
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
serverInsecure bool // allows plain text connection to LDAP server
serverStartTLS bool // allows using StartTLS connection to LDAP server
isUsingLookupBind bool
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
rootCAs *x509.CertPool
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}
// LDAP keys and envs.
const (
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
ServerAddr = "server_addr"
STSExpiry = "sts_expiry"
LookupBindDN = "lookup_bind_dn"
LookupBindPassword = "lookup_bind_password"
UserDNSearchBaseDN = "user_dn_search_base_dn"
UserDNSearchFilter = "user_dn_search_filter"
UsernameFormat = "username_format"
GroupSearchFilter = "group_search_filter"
GroupSearchBaseDN = "group_search_base_dn"
TLSSkipVerify = "tls_skip_verify"
ServerInsecure = "server_insecure"
ServerStartTLS = "server_starttls"
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
EnvServerAddr = "MINIO_IDENTITY_LDAP_SERVER_ADDR"
EnvSTSExpiry = "MINIO_IDENTITY_LDAP_STS_EXPIRY"
EnvTLSSkipVerify = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"
EnvServerInsecure = "MINIO_IDENTITY_LDAP_SERVER_INSECURE"
EnvServerStartTLS = "MINIO_IDENTITY_LDAP_SERVER_STARTTLS"
EnvUsernameFormat = "MINIO_IDENTITY_LDAP_USERNAME_FORMAT"
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
EnvUserDNSearchBaseDN = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN"
EnvUserDNSearchFilter = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER"
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
EnvGroupSearchFilter = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER"
EnvGroupSearchBaseDN = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN"
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
EnvLookupBindDN = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN"
EnvLookupBindPassword = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD"
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
)
fix: purge LDAP deprecated keys
2021-01-26 12:53:29 -05:00
var removedKeys = []string{
"username_search_filter",
"username_search_base_dn",
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-10 19:52:49 -05:00
"group_name_attribute",
fix: purge LDAP deprecated keys
2021-01-26 12:53:29 -05:00
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
// DefaultKVS - default config for LDAP config
var (
DefaultKVS = config.KVS{
Order all keys in config (#8541) New changes - return default values when sub-sys is not configured. - state is hidden parameter now - remove worm mode to be saved in config
2019-11-20 18:10:24 -05:00
config.KV{
Key: ServerAddr,
Value: "",
},
config.KV{
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
Key: UsernameFormat,
Value: "",
Order all keys in config (#8541) New changes - return default values when sub-sys is not configured. - state is hidden parameter now - remove worm mode to be saved in config
2019-11-20 18:10:24 -05:00
},
config.KV{
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
Key: UserDNSearchBaseDN,
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
Value: "",
},
config.KV{
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
Key: UserDNSearchFilter,
Order all keys in config (#8541) New changes - return default values when sub-sys is not configured. - state is hidden parameter now - remove worm mode to be saved in config
2019-11-20 18:10:24 -05:00
Value: "",
},
config.KV{
Key: GroupSearchFilter,
Value: "",
},
config.KV{
Key: GroupSearchBaseDN,
Value: "",
},
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
config.KV{
Key: STSExpiry,
Value: "1h",
},
Order all keys in config (#8541) New changes - return default values when sub-sys is not configured. - state is hidden parameter now - remove worm mode to be saved in config
2019-11-20 18:10:24 -05:00
config.KV{
Key: TLSSkipVerify,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-04 18:32:37 -05:00
Value: config.EnableOff,
Order all keys in config (#8541) New changes - return default values when sub-sys is not configured. - state is hidden parameter now - remove worm mode to be saved in config
2019-11-20 18:10:24 -05:00
},
Add an option to allow plaintext connection to LDAP/AD Server (#9151)
2020-03-19 22:20:51 -04:00
config.KV{
Key: ServerInsecure,
Value: config.EnableOff,
},
add LDAP StartTLS support (#9472)
2020-05-07 18:08:33 -04:00
config.KV{
Key: ServerStartTLS,
Value: config.EnableOff,
},
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
config.KV{
Key: LookupBindDN,
Value: "",
},
config.KV{
Key: LookupBindPassword,
Value: "",
},
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
}
)
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
func getGroups(conn *ldap.Conn, sreq *ldap.SearchRequest) ([]string, error) {
var groups []string
sres, err := conn.Search(sreq)
if err != nil {
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// Check if there is no matching result and return empty slice.
// Ref: https://ldap.com/ldap-result-code-reference/
if ldap.IsErrorWithCode(err, 32) {
return nil, nil
}
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
return nil, err
}
for _, entry := range sres.Entries {
// We only queried one attribute,
// so we only look up the first one.
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-10 19:52:49 -05:00
groups = append(groups, entry.DN)
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
}
return groups, nil
}
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
func (l *Config) lookupBind(conn *ldap.Conn) error {
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
var err error
add unauthenticated lookup-bind mode to LDAP identity (#11655) Closes #11646
2021-02-28 15:57:31 -05:00
if l.LookupBindPassword == "" {
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
err = conn.UnauthenticatedBind(l.LookupBindDN)
} else {
err = conn.Bind(l.LookupBindDN, l.LookupBindPassword)
}
if ldap.IsErrorWithCode(err, 49) {
fix: lint errors after upgrading golangci-lint (#12368)
2021-05-25 17:17:33 -04:00
return fmt.Errorf("LDAP Lookup Bind user invalid credentials error: %w", err)
add unauthenticated lookup-bind mode to LDAP identity (#11655) Closes #11646
2021-02-28 15:57:31 -05:00
}
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
return err
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
}
// usernameFormatsBind - Iterates over all given username formats and expects
// that only one will succeed if the credentials are valid. The succeeding
// bindDN is returned or an error.
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
//
// In the rare case that multiple username formats succeed, implying that two
// (or more) distinct users in the LDAP directory have the same username and
// password, we return an error as we cannot identify the account intended by
// the user.
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
func (l *Config) usernameFormatsBind(conn *ldap.Conn, username, password string) (string, error) {
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
var bindDistNames []string
var errs = make([]error, len(l.UsernameFormats))
var successCount = 0
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
for i, usernameFormat := range l.UsernameFormats {
bindDN := fmt.Sprintf(usernameFormat, username)
// Bind with user credentials to validate the password
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
errs[i] = conn.Bind(bindDN, password)
if errs[i] == nil {
bindDistNames = append(bindDistNames, bindDN)
successCount++
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
} else if !ldap.IsErrorWithCode(errs[i], 49) {
fix: lint errors after upgrading golangci-lint (#12368)
2021-05-25 17:17:33 -04:00
return "", fmt.Errorf("LDAP Bind request failed with unexpected error: %w", errs[i])
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
}
}
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
if successCount == 0 {
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
var errStrings []string
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
for _, err := range errs {
if err != nil {
errStrings = append(errStrings, err.Error())
}
}
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
outErr := fmt.Sprintf("All username formats failed due to invalid credentials: %s", strings.Join(errStrings, "; "))
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
return "", errors.New(outErr)
}
if successCount > 1 {
successDistNames := strings.Join(bindDistNames, ", ")
errMsg := fmt.Sprintf("Multiple username formats succeeded - ambiguous user login (succeeded for: %s)", successDistNames)
return "", errors.New(errMsg)
}
return bindDistNames[0], nil
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
}
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// lookupUserDN searches for the DN of the user given their username. conn is
// assumed to be using the lookup bind service account. It is required that the
// search result in at most one result.
func (l *Config) lookupUserDN(conn *ldap.Conn, username string) (string, error) {
filter := strings.Replace(l.UserDNSearchFilter, "%s", ldap.EscapeFilter(username), -1)
searchRequest := ldap.NewSearchRequest(
l.UserDNSearchBaseDN,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
filter,
[]string{}, // only need DN, so no pass no attributes here
nil,
)
searchResult, err := conn.Search(searchRequest)
if err != nil {
return "", err
}
if len(searchResult.Entries) == 0 {
return "", fmt.Errorf("User DN for %s not found", username)
}
if len(searchResult.Entries) != 1 {
return "", fmt.Errorf("Multiple DNs for %s found - please fix the search filter", username)
}
return searchResult.Entries[0].DN, nil
}
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
func (l *Config) searchForUserGroups(conn *ldap.Conn, username, bindDN string) ([]string, error) {
// User groups lookup.
var groups []string
if l.GroupSearchFilter != "" {
for _, groupSearchBase := range l.GroupSearchBaseDistNames {
filter := strings.Replace(l.GroupSearchFilter, "%s", ldap.EscapeFilter(username), -1)
filter = strings.Replace(filter, "%d", ldap.EscapeFilter(bindDN), -1)
searchRequest := ldap.NewSearchRequest(
groupSearchBase,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
filter,
nil,
nil,
)
var newGroups []string
newGroups, err := getGroups(conn, searchRequest)
if err != nil {
fix: lint errors after upgrading golangci-lint (#12368)
2021-05-25 17:17:33 -04:00
errRet := fmt.Errorf("Error finding groups of %s: %w", bindDN, err)
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
return nil, errRet
}
groups = append(groups, newGroups...)
}
}
return groups, nil
}
[LDAP] Support syncing user-group memberships with LDAP service (#12785) When configured in Lookup Bind mode, the server now periodically queries the LDAP IDP service to find changes to a user's group memberships, and saves this info to update the access policies for all temporary and service account credentials belonging to LDAP users.
2021-07-24 14:57:36 -04:00
// LookupUserDN searches for the full DN and groups of a given username
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
func (l *Config) LookupUserDN(username string) (string, []string, error) {
if !l.isUsingLookupBind {
return "", nil, errors.New("current lookup mode does not support searching for User DN")
}
conn, err := l.Connect()
if err != nil {
return "", nil, err
}
defer conn.Close()
// Bind to the lookup user account
if err = l.lookupBind(conn); err != nil {
return "", nil, err
}
// Lookup user DN
bindDN, err := l.lookupUserDN(conn, username)
if err != nil {
errRet := fmt.Errorf("Unable to find user DN: %w", err)
return "", nil, errRet
}
groups, err := l.searchForUserGroups(conn, username, bindDN)
if err != nil {
return "", nil, err
}
return bindDN, groups, nil
}
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
// Bind - binds to ldap, searches LDAP and returns the distinguished name of the
// user and the list of groups.
func (l *Config) Bind(username, password string) (string, []string, error) {
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
conn, err := l.Connect()
if err != nil {
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
return "", nil, err
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
}
defer conn.Close()
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
var bindDN string
if l.isUsingLookupBind {
// Bind to the lookup user account
if err = l.lookupBind(conn); err != nil {
return "", nil, err
}
// Lookup user DN
bindDN, err = l.lookupUserDN(conn, username)
if err != nil {
fix: lint errors after upgrading golangci-lint (#12368)
2021-05-25 17:17:33 -04:00
errRet := fmt.Errorf("Unable to find user DN: %w", err)
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
return "", nil, errRet
}
// Authenticate the user credentials.
err = conn.Bind(bindDN, password)
if err != nil {
fix: lint errors after upgrading golangci-lint (#12368)
2021-05-25 17:17:33 -04:00
errRet := fmt.Errorf("LDAP auth failed for DN %s: %w", bindDN, err)
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
return "", nil, errRet
}
Bind to lookup user after user auth to lookup ldap groups (#11357)
2021-01-27 20:31:21 -05:00
// Bind to the lookup user account again to perform group search.
if err = l.lookupBind(conn); err != nil {
return "", nil, err
}
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
} else {
// Verify login credentials by checking the username formats.
bindDN, err = l.usernameFormatsBind(conn, username, password)
if err != nil {
return "", nil, err
}
// Bind to the successful bindDN again.
err = conn.Bind(bindDN, password)
if err != nil {
fix: lint errors after upgrading golangci-lint (#12368)
2021-05-25 17:17:33 -04:00
errRet := fmt.Errorf("LDAP conn failed though auth for DN %s succeeded: %w", bindDN, err)
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
return "", nil, errRet
}
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
}
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// User groups lookup.
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 01:51:14 -04:00
groups, err := l.searchForUserGroups(conn, username, bindDN)
if err != nil {
return "", nil, err
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
}
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
return bindDN, groups, nil
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
}
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
// Connect connect to ldap server.
func (l *Config) Connect() (ldapConn *ldap.Conn, err error) {
if l == nil {
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
return nil, errors.New("LDAP is not configured")
}
support startTLS with serverName TLSConfig (#12219) fixes #12216
2021-05-04 23:13:24 -04:00
serverHost, _, err := net.SplitHostPort(l.ServerAddr)
if err != nil {
serverHost = l.ServerAddr
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
// User default LDAP port if none specified "636"
l.ServerAddr = net.JoinHostPort(l.ServerAddr, "636")
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}
Add an option to allow plaintext connection to LDAP/AD Server (#9151)
2020-03-19 22:20:51 -04:00
if l.serverInsecure {
return ldap.Dial("tcp", l.ServerAddr)
}
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
support startTLS with serverName TLSConfig (#12219) fixes #12216
2021-05-04 23:13:24 -04:00
tlsConfig := &tls.Config{
InsecureSkipVerify: l.tlsSkipVerify,
RootCAs: l.rootCAs,
ServerName: serverHost,
}
add LDAP StartTLS support (#9472)
2020-05-07 18:08:33 -04:00
if l.serverStartTLS {
conn, err := ldap.Dial("tcp", l.ServerAddr)
if err != nil {
return nil, err
}
support startTLS with serverName TLSConfig (#12219) fixes #12216
2021-05-04 23:13:24 -04:00
err = conn.StartTLS(tlsConfig)
add LDAP StartTLS support (#9472)
2020-05-07 18:08:33 -04:00
return conn, err
}
support startTLS with serverName TLSConfig (#12219) fixes #12216
2021-05-04 23:13:24 -04:00
return ldap.DialTLS("tcp", l.ServerAddr, tlsConfig)
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}
// GetExpiryDuration - return parsed expiry duration.
fix: Add support for DurationSeconds in LDAP STS API (#12778)
2021-07-22 15:13:21 -04:00
func (l Config) GetExpiryDuration(dsecs string) (time.Duration, error) {
if dsecs == "" {
return l.stsExpiryDuration, nil
}
d, err := strconv.Atoi(dsecs)
if err != nil {
return 0, auth.ErrInvalidDuration
}
dur := time.Duration(d) * time.Second
if dur < minLDAPExpiry || dur > maxLDAPExpiry {
return 0, auth.ErrInvalidDuration
}
return dur, nil
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
func (l Config) testConnection() error {
conn, err := l.Connect()
if err != nil {
fix: lint errors after upgrading golangci-lint (#12368)
2021-05-25 17:17:33 -04:00
return fmt.Errorf("Error creating connection to LDAP server: %w", err)
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
}
defer conn.Close()
if l.isUsingLookupBind {
if err = l.lookupBind(conn); err != nil {
fix: lint errors after upgrading golangci-lint (#12368)
2021-05-25 17:17:33 -04:00
return fmt.Errorf("Error connecting as LDAP Lookup Bind user: %w", err)
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
}
return nil
}
// Generate some random user credentials for username formats mode test.
username := fmt.Sprintf("sometestuser%09d", rand.Int31n(1000000000))
charset := []byte("abcdefghijklmnopqrstuvwxyz" +
"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
rand.Shuffle(len(charset), func(i, j int) {
charset[i], charset[j] = charset[j], charset[i]
})
password := string(charset[:20])
_, err = l.usernameFormatsBind(conn, username, password)
if err == nil {
// We don't expect to successfully guess a credential in this
// way.
return fmt.Errorf("Unexpected random credentials success for user=%s password=%s", username, password)
} else if strings.HasPrefix(err.Error(), "All username formats failed due to invalid credentials: ") {
return nil
}
fix: lint errors after upgrading golangci-lint (#12368)
2021-05-25 17:17:33 -04:00
return fmt.Errorf("LDAP connection test error: %w", err)
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
}
[IDP:LDAP] Cleanup creds for removed LDAP user entries (#12759)
2021-07-21 02:33:12 -04:00
// IsLDAPUserDN determines if the given string could be a user DN from LDAP.
func (l Config) IsLDAPUserDN(user string) bool {
return strings.HasSuffix(user, ","+l.UserDNSearchBaseDN)
}
[LDAP] Support syncing user-group memberships with LDAP service (#12785) When configured in Lookup Bind mode, the server now periodically queries the LDAP IDP service to find changes to a user's group memberships, and saves this info to update the access policies for all temporary and service account credentials belonging to LDAP users.
2021-07-24 14:57:36 -04:00
// GetNonExistentUserDistNames - find user accounts (DNs) that are no longer
// present in the LDAP server.
func (l *Config) GetNonExistentUserDistNames(userDistNames []string) ([]string, error) {
[IDP:LDAP] Cleanup creds for removed LDAP user entries (#12759)
2021-07-21 02:33:12 -04:00
if !l.isUsingLookupBind {
return nil, errors.New("current LDAP configuration does not permit looking for expired user accounts")
}
conn, err := l.Connect()
if err != nil {
return nil, err
}
defer conn.Close()
// Bind to the lookup user account
if err = l.lookupBind(conn); err != nil {
return nil, err
}
nonExistentUsers := []string{}
[LDAP] Support syncing user-group memberships with LDAP service (#12785) When configured in Lookup Bind mode, the server now periodically queries the LDAP IDP service to find changes to a user's group memberships, and saves this info to update the access policies for all temporary and service account credentials belonging to LDAP users.
2021-07-24 14:57:36 -04:00
for _, dn := range userDistNames {
[IDP:LDAP] Cleanup creds for removed LDAP user entries (#12759)
2021-07-21 02:33:12 -04:00
searchRequest := ldap.NewSearchRequest(
dn,
ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
"(objectclass=*)",
[]string{}, // only need DN, so no pass no attributes here
nil,
)
searchResult, err := conn.Search(searchRequest)
if err != nil {
// Object does not exist error?
if ldap.IsErrorWithCode(err, 32) {
nonExistentUsers = append(nonExistentUsers, dn)
continue
}
return nil, err
}
if len(searchResult.Entries) == 0 {
// DN was not found - this means this user account is
// expired.
nonExistentUsers = append(nonExistentUsers, dn)
}
}
return nonExistentUsers, nil
}
[LDAP] Support syncing user-group memberships with LDAP service (#12785) When configured in Lookup Bind mode, the server now periodically queries the LDAP IDP service to find changes to a user's group memberships, and saves this info to update the access policies for all temporary and service account credentials belonging to LDAP users.
2021-07-24 14:57:36 -04:00
// LookupGroupMemberships - for each DN finds the set of LDAP groups they are a
// member of.
func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsernameMap map[string]string) (map[string]set.StringSet, error) {
if !l.isUsingLookupBind {
return nil, errors.New("current LDAP configuration does not permit this lookup")
}
conn, err := l.Connect()
if err != nil {
return nil, err
}
defer conn.Close()
// Bind to the lookup user account
if err = l.lookupBind(conn); err != nil {
return nil, err
}
res := make(map[string]set.StringSet, len(userDistNames))
for _, userDistName := range userDistNames {
username := userDNToUsernameMap[userDistName]
groups, err := l.searchForUserGroups(conn, username, userDistName)
if err != nil {
return nil, err
}
res[userDistName] = set.CreateStringSet(groups...)
}
return res, nil
}
[IDP:LDAP] Cleanup creds for removed LDAP user entries (#12759)
2021-07-21 02:33:12 -04:00
// EnabledWithLookupBind - checks if ldap IDP is enabled in lookup bind mode.
func (l Config) EnabledWithLookupBind() bool {
return l.Enabled && l.isUsingLookupBind
}
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-04 18:32:37 -05:00
// Enabled returns if jwks is enabled.
func Enabled(kvs config.KVS) bool {
return kvs.Get(ServerAddr) != ""
}
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
// Lookup - initializes LDAP config, overrides config, if any ENV values are set.
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error) {
l = Config{}
fix: purge LDAP deprecated keys
2021-01-26 12:53:29 -05:00
// Purge all removed keys first
for _, k := range removedKeys {
kvs.Delete(k)
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
if err = config.CheckValidKeys(config.IdentityLDAPSubSys, kvs, DefaultKVS); err != nil {
return l, err
}
ldapServer := env.Get(EnvServerAddr, kvs.Get(ServerAddr))
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
if ldapServer == "" {
return l, nil
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
l.Enabled = true
LDAP Test connection was not using GlobalRootCAs (#12612) Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
2021-07-01 20:41:01 -04:00
l.rootCAs = rootCAs
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
l.ServerAddr = ldapServer
l.stsExpiryDuration = defaultLDAPExpiry
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
if v := env.Get(EnvSTSExpiry, kvs.Get(STSExpiry)); v != "" {
add deprecation notice for LDAP username format (#12849)
2021-08-02 21:20:06 -04:00
logger.Info("DEPRECATION WARNING: Support for configuring the default LDAP credentials expiry duration will be removed by October 2021. Please use the `DurationSeconds` parameter in the LDAP STS API instead.")
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
expDur, err := time.ParseDuration(v)
if err != nil {
return l, errors.New("LDAP expiry time err:" + err.Error())
}
fix: Add support for DurationSeconds in LDAP STS API (#12778)
2021-07-22 15:13:21 -04:00
if expDur < minLDAPExpiry {
return l, fmt.Errorf("LDAP expiry time must be at least %s", minLDAPExpiry)
}
if expDur > maxLDAPExpiry {
return l, fmt.Errorf("LDAP expiry time may not exceed %s", maxLDAPExpiry)
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}
l.STSExpiryDuration = v
l.stsExpiryDuration = expDur
}
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// LDAP connection configuration
Add an option to allow plaintext connection to LDAP/AD Server (#9151)
2020-03-19 22:20:51 -04:00
if v := env.Get(EnvServerInsecure, kvs.Get(ServerInsecure)); v != "" {
l.serverInsecure, err = config.ParseBool(v)
if err != nil {
return l, err
}
}
add LDAP StartTLS support (#9472)
2020-05-07 18:08:33 -04:00
if v := env.Get(EnvServerStartTLS, kvs.Get(ServerStartTLS)); v != "" {
l.serverStartTLS, err = config.ParseBool(v)
if err != nil {
return l, err
}
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
if v := env.Get(EnvTLSSkipVerify, kvs.Get(TLSSkipVerify)); v != "" {
l.tlsSkipVerify, err = config.ParseBool(v)
if err != nil {
return l, err
}
}
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// Lookup bind user configuration
lookupBindDN := env.Get(EnvLookupBindDN, kvs.Get(LookupBindDN))
lookupBindPassword := env.Get(EnvLookupBindPassword, kvs.Get(LookupBindPassword))
add unauthenticated lookup-bind mode to LDAP identity (#11655) Closes #11646
2021-02-28 15:57:31 -05:00
if lookupBindDN != "" {
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
l.LookupBindDN = lookupBindDN
l.LookupBindPassword = lookupBindPassword
l.isUsingLookupBind = true
// User DN search configuration
userDNSearchBaseDN := env.Get(EnvUserDNSearchBaseDN, kvs.Get(UserDNSearchBaseDN))
fix: ldap config parsing issue for UserDNSearchFilter (#11437)
2021-02-04 14:07:29 -05:00
userDNSearchFilter := env.Get(EnvUserDNSearchFilter, kvs.Get(UserDNSearchFilter))
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
if userDNSearchFilter == "" || userDNSearchBaseDN == "" {
return l, errors.New("In lookup bind mode, userDN search base DN and userDN search filter are both required")
}
l.UserDNSearchBaseDN = userDNSearchBaseDN
l.UserDNSearchFilter = userDNSearchFilter
}
// Username format configuration.
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
if v := env.Get(EnvUsernameFormat, kvs.Get(UsernameFormat)); v != "" {
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
if !strings.Contains(v, "%s") {
add deprecation notice for LDAP username format (#12849)
2021-08-02 21:20:06 -04:00
return l, errors.New("LDAP username format does not support '%s' substitution")
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
l.UsernameFormats = strings.Split(v, dnDelimiter)
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}
add deprecation notice for LDAP username format (#12849)
2021-08-02 21:20:06 -04:00
if len(l.UsernameFormats) > 0 {
logger.Info("DEPRECATION WARNING: Support for %s will be removed by October 2021, please migrate your LDAP settings to lookup bind mode", UsernameFormat)
}
// Either lookup bind mode or username format is supported, but not both.
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
if l.isUsingLookupBind && len(l.UsernameFormats) > 0 {
return l, errors.New("Lookup Bind mode and Username Format mode are not supported at the same time")
}
// At least one of bind mode or username format must be used.
if !l.isUsingLookupBind && len(l.UsernameFormats) == 0 {
add deprecation notice for LDAP username format (#12849)
2021-08-02 21:20:06 -04:00
return l, errors.New("Either Lookup Bind mode or Username Format mode is required")
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
}
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
// Test connection to LDAP server.
if err := l.testConnection(); err != nil {
fix: lint errors after upgrading golangci-lint (#12368)
2021-05-25 17:17:33 -04:00
return l, fmt.Errorf("Connection test for LDAP server failed: %w", err)
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
}
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// Group search params configuration
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
grpSearchFilter := env.Get(EnvGroupSearchFilter, kvs.Get(GroupSearchFilter))
grpSearchBaseDN := env.Get(EnvGroupSearchBaseDN, kvs.Get(GroupSearchBaseDN))
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
// Either all group params must be set or none must be set.
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-10 19:52:49 -05:00
if (grpSearchFilter != "" && grpSearchBaseDN == "") || (grpSearchFilter == "" && grpSearchBaseDN != "") {
return l, errors.New("All group related parameters must be set")
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-10 19:52:49 -05:00
if grpSearchFilter != "" {
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
l.GroupSearchFilter = grpSearchFilter
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
l.GroupSearchBaseDistName = grpSearchBaseDN
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
l.GroupSearchBaseDistNames = strings.Split(l.GroupSearchBaseDistName, dnDelimiter)
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
return l, nil
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}