2021-04-18 15:41:13 -04:00
|
|
|
// Copyright (c) 2015-2021 MinIO, Inc.
|
|
|
|
//
|
|
|
|
// This file is part of MinIO Object Storage stack
|
|
|
|
//
|
|
|
|
// This program is free software: you can redistribute it and/or modify
|
|
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
|
|
// (at your option) any later version.
|
|
|
|
//
|
|
|
|
// This program is distributed in the hope that it will be useful
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
// GNU Affero General Public License for more details.
|
|
|
|
//
|
|
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
2019-10-04 13:35:33 -04:00
|
|
|
|
|
|
|
package ldap
|
|
|
|
|
|
|
|
import (
|
2024-08-07 08:59:47 -04:00
|
|
|
"crypto/tls"
|
2019-10-04 13:35:33 -04:00
|
|
|
"crypto/x509"
|
2022-10-19 14:00:10 -04:00
|
|
|
"errors"
|
|
|
|
"sort"
|
2019-10-04 13:35:33 -04:00
|
|
|
"time"
|
|
|
|
|
2023-06-19 20:53:08 -04:00
|
|
|
"github.com/minio/madmin-go/v3"
|
2021-06-01 17:59:40 -04:00
|
|
|
"github.com/minio/minio/internal/config"
|
2024-08-07 08:59:47 -04:00
|
|
|
"github.com/minio/minio/internal/fips"
|
2024-05-24 19:05:23 -04:00
|
|
|
"github.com/minio/pkg/v3/ldap"
|
2019-10-04 13:35:33 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
defaultLDAPExpiry = time.Hour * 1
|
2021-01-25 17:26:10 -05:00
|
|
|
|
2021-07-22 15:13:21 -04:00
|
|
|
minLDAPExpiry time.Duration = 15 * time.Minute
|
|
|
|
maxLDAPExpiry time.Duration = 365 * 24 * time.Hour
|
2019-10-04 13:35:33 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
// Config contains AD/LDAP server connectivity information.
|
|
|
|
type Config struct {
|
2022-10-08 01:12:36 -04:00
|
|
|
LDAP ldap.Config
|
2021-01-25 17:26:10 -05:00
|
|
|
|
2019-10-23 01:59:13 -04:00
|
|
|
stsExpiryDuration time.Duration // contains converted value
|
2022-10-08 01:12:36 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// Enabled returns if LDAP is enabled.
|
|
|
|
func (l *Config) Enabled() bool {
|
|
|
|
return l.LDAP.Enabled
|
2019-10-04 13:35:33 -04:00
|
|
|
}
|
|
|
|
|
2022-05-25 21:32:53 -04:00
|
|
|
// Clone returns a cloned copy of LDAP config.
|
|
|
|
func (l *Config) Clone() Config {
|
|
|
|
if l == nil {
|
|
|
|
return Config{}
|
|
|
|
}
|
|
|
|
cfg := Config{
|
2022-10-08 01:12:36 -04:00
|
|
|
LDAP: l.LDAP.Clone(),
|
|
|
|
stsExpiryDuration: l.stsExpiryDuration,
|
2022-05-25 21:32:53 -04:00
|
|
|
}
|
|
|
|
return cfg
|
|
|
|
}
|
|
|
|
|
2019-10-04 13:35:33 -04:00
|
|
|
// LDAP keys and envs.
|
|
|
|
const (
|
2021-01-25 17:26:10 -05:00
|
|
|
ServerAddr = "server_addr"
|
2022-12-12 14:27:27 -05:00
|
|
|
SRVRecordName = "srv_record_name"
|
2021-01-25 17:26:10 -05:00
|
|
|
LookupBindDN = "lookup_bind_dn"
|
|
|
|
LookupBindPassword = "lookup_bind_password"
|
|
|
|
UserDNSearchBaseDN = "user_dn_search_base_dn"
|
|
|
|
UserDNSearchFilter = "user_dn_search_filter"
|
2024-05-24 19:05:23 -04:00
|
|
|
UserDNAttributes = "user_dn_attributes"
|
2021-01-25 17:26:10 -05:00
|
|
|
GroupSearchFilter = "group_search_filter"
|
|
|
|
GroupSearchBaseDN = "group_search_base_dn"
|
|
|
|
TLSSkipVerify = "tls_skip_verify"
|
|
|
|
ServerInsecure = "server_insecure"
|
|
|
|
ServerStartTLS = "server_starttls"
|
2020-03-22 01:47:26 -04:00
|
|
|
|
2021-01-18 00:54:32 -05:00
|
|
|
EnvServerAddr = "MINIO_IDENTITY_LDAP_SERVER_ADDR"
|
2022-12-12 14:27:27 -05:00
|
|
|
EnvSRVRecordName = "MINIO_IDENTITY_LDAP_SRV_RECORD_NAME"
|
2021-01-18 00:54:32 -05:00
|
|
|
EnvTLSSkipVerify = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"
|
|
|
|
EnvServerInsecure = "MINIO_IDENTITY_LDAP_SERVER_INSECURE"
|
|
|
|
EnvServerStartTLS = "MINIO_IDENTITY_LDAP_SERVER_STARTTLS"
|
|
|
|
EnvUsernameFormat = "MINIO_IDENTITY_LDAP_USERNAME_FORMAT"
|
2021-01-25 17:26:10 -05:00
|
|
|
EnvUserDNSearchBaseDN = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN"
|
|
|
|
EnvUserDNSearchFilter = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER"
|
2024-05-24 19:05:23 -04:00
|
|
|
EnvUserDNAttributes = "MINIO_IDENTITY_LDAP_USER_DN_ATTRIBUTES"
|
2021-01-18 00:54:32 -05:00
|
|
|
EnvGroupSearchFilter = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER"
|
|
|
|
EnvGroupSearchBaseDN = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN"
|
2021-01-25 17:26:10 -05:00
|
|
|
EnvLookupBindDN = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN"
|
|
|
|
EnvLookupBindPassword = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD"
|
2019-10-04 13:35:33 -04:00
|
|
|
)
|
|
|
|
|
2021-01-26 12:53:29 -05:00
|
|
|
var removedKeys = []string{
|
2021-09-08 16:31:51 -04:00
|
|
|
"sts_expiry",
|
|
|
|
"username_format",
|
2021-01-26 12:53:29 -05:00
|
|
|
"username_search_filter",
|
|
|
|
"username_search_base_dn",
|
2021-02-10 19:52:49 -05:00
|
|
|
"group_name_attribute",
|
2021-01-26 12:53:29 -05:00
|
|
|
}
|
|
|
|
|
2019-10-23 01:59:13 -04:00
|
|
|
// DefaultKVS - default config for LDAP config
|
|
|
|
var (
|
|
|
|
DefaultKVS = config.KVS{
|
2023-03-16 14:58:59 -04:00
|
|
|
config.KV{
|
|
|
|
Key: config.Enable,
|
|
|
|
Value: "",
|
|
|
|
},
|
2019-11-20 18:10:24 -05:00
|
|
|
config.KV{
|
|
|
|
Key: ServerAddr,
|
|
|
|
Value: "",
|
|
|
|
},
|
2022-12-12 14:27:27 -05:00
|
|
|
config.KV{
|
|
|
|
Key: SRVRecordName,
|
|
|
|
Value: "",
|
|
|
|
},
|
2019-11-20 18:10:24 -05:00
|
|
|
config.KV{
|
2021-01-25 17:26:10 -05:00
|
|
|
Key: UserDNSearchBaseDN,
|
2020-03-22 01:47:26 -04:00
|
|
|
Value: "",
|
|
|
|
},
|
|
|
|
config.KV{
|
2021-01-25 17:26:10 -05:00
|
|
|
Key: UserDNSearchFilter,
|
2019-11-20 18:10:24 -05:00
|
|
|
Value: "",
|
|
|
|
},
|
2024-05-24 19:05:23 -04:00
|
|
|
config.KV{
|
|
|
|
Key: UserDNAttributes,
|
|
|
|
Value: "",
|
|
|
|
},
|
2019-11-20 18:10:24 -05:00
|
|
|
config.KV{
|
|
|
|
Key: GroupSearchFilter,
|
|
|
|
Value: "",
|
|
|
|
},
|
|
|
|
config.KV{
|
|
|
|
Key: GroupSearchBaseDN,
|
|
|
|
Value: "",
|
|
|
|
},
|
|
|
|
config.KV{
|
|
|
|
Key: TLSSkipVerify,
|
2019-12-04 18:32:37 -05:00
|
|
|
Value: config.EnableOff,
|
2019-11-20 18:10:24 -05:00
|
|
|
},
|
2020-03-19 22:20:51 -04:00
|
|
|
config.KV{
|
|
|
|
Key: ServerInsecure,
|
|
|
|
Value: config.EnableOff,
|
|
|
|
},
|
2020-05-07 18:08:33 -04:00
|
|
|
config.KV{
|
|
|
|
Key: ServerStartTLS,
|
|
|
|
Value: config.EnableOff,
|
|
|
|
},
|
2021-01-25 17:26:10 -05:00
|
|
|
config.KV{
|
|
|
|
Key: LookupBindDN,
|
|
|
|
Value: "",
|
|
|
|
},
|
|
|
|
config.KV{
|
|
|
|
Key: LookupBindPassword,
|
|
|
|
Value: "",
|
|
|
|
},
|
2019-10-23 01:59:13 -04:00
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2021-11-04 16:11:20 -04:00
|
|
|
// Enabled returns if LDAP config is enabled.
|
2019-12-04 18:32:37 -05:00
|
|
|
func Enabled(kvs config.KVS) bool {
|
|
|
|
return kvs.Get(ServerAddr) != ""
|
|
|
|
}
|
|
|
|
|
2019-10-04 13:35:33 -04:00
|
|
|
// Lookup - initializes LDAP config, overrides config, if any ENV values are set.
|
2022-10-08 01:12:36 -04:00
|
|
|
func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) {
|
2019-10-23 01:59:13 -04:00
|
|
|
l = Config{}
|
2021-01-26 12:53:29 -05:00
|
|
|
|
|
|
|
// Purge all removed keys first
|
2022-10-08 01:12:36 -04:00
|
|
|
kvs := s[config.IdentityLDAPSubSys][config.Default]
|
|
|
|
if len(kvs) > 0 {
|
|
|
|
for _, k := range removedKeys {
|
|
|
|
kvs.Delete(k)
|
|
|
|
}
|
|
|
|
s[config.IdentityLDAPSubSys][config.Default] = kvs
|
2021-01-26 12:53:29 -05:00
|
|
|
}
|
|
|
|
|
2022-10-08 01:12:36 -04:00
|
|
|
if err := s.CheckValidKeys(config.IdentityLDAPSubSys, removedKeys); err != nil {
|
2019-10-23 01:59:13 -04:00
|
|
|
return l, err
|
|
|
|
}
|
2022-03-16 22:57:36 -04:00
|
|
|
|
2022-10-08 01:12:36 -04:00
|
|
|
getCfgVal := func(cfgParam string) string {
|
|
|
|
// As parameters are already validated, we skip checking
|
|
|
|
// if the config param was found.
|
2023-06-23 10:45:27 -04:00
|
|
|
val, _, _ := s.ResolveConfigParam(config.IdentityLDAPSubSys, config.Default, cfgParam, false)
|
2022-10-08 01:12:36 -04:00
|
|
|
return val
|
|
|
|
}
|
|
|
|
|
|
|
|
ldapServer := getCfgVal(ServerAddr)
|
2019-10-04 13:35:33 -04:00
|
|
|
if ldapServer == "" {
|
|
|
|
return l, nil
|
|
|
|
}
|
2022-10-08 01:12:36 -04:00
|
|
|
l.LDAP = ldap.Config{
|
2022-12-12 14:27:27 -05:00
|
|
|
ServerAddr: ldapServer,
|
|
|
|
SRVRecordName: getCfgVal(SRVRecordName),
|
2024-08-07 08:59:47 -04:00
|
|
|
TLS: &tls.Config{
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
NextProtos: []string{"h2", "http/1.1"},
|
|
|
|
ClientSessionCache: tls.NewLRUClientSessionCache(100),
|
|
|
|
CipherSuites: fips.TLSCiphersBackwardCompatible(), // Contains RSA key exchange
|
|
|
|
RootCAs: rootCAs,
|
|
|
|
},
|
2022-10-08 01:12:36 -04:00
|
|
|
}
|
2023-03-16 14:58:59 -04:00
|
|
|
|
2024-04-25 17:28:16 -04:00
|
|
|
// Parse explicitly set enable=on/off flag.
|
|
|
|
isEnableFlagExplicitlySet := false
|
2023-03-16 14:58:59 -04:00
|
|
|
if v := getCfgVal(config.Enable); v != "" {
|
2024-04-25 17:28:16 -04:00
|
|
|
isEnableFlagExplicitlySet = true
|
2023-03-16 14:58:59 -04:00
|
|
|
l.LDAP.Enabled, err = config.ParseBool(v)
|
|
|
|
if err != nil {
|
|
|
|
return l, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-10-04 13:35:33 -04:00
|
|
|
l.stsExpiryDuration = defaultLDAPExpiry
|
2021-01-25 17:26:10 -05:00
|
|
|
|
|
|
|
// LDAP connection configuration
|
2022-10-08 01:12:36 -04:00
|
|
|
if v := getCfgVal(ServerInsecure); v != "" {
|
|
|
|
l.LDAP.ServerInsecure, err = config.ParseBool(v)
|
2020-03-19 22:20:51 -04:00
|
|
|
if err != nil {
|
|
|
|
return l, err
|
|
|
|
}
|
|
|
|
}
|
2022-10-08 01:12:36 -04:00
|
|
|
if v := getCfgVal(ServerStartTLS); v != "" {
|
|
|
|
l.LDAP.ServerStartTLS, err = config.ParseBool(v)
|
2020-05-07 18:08:33 -04:00
|
|
|
if err != nil {
|
|
|
|
return l, err
|
|
|
|
}
|
|
|
|
}
|
2022-10-08 01:12:36 -04:00
|
|
|
if v := getCfgVal(TLSSkipVerify); v != "" {
|
2024-08-07 08:59:47 -04:00
|
|
|
l.LDAP.TLS.InsecureSkipVerify, err = config.ParseBool(v)
|
2019-10-23 01:59:13 -04:00
|
|
|
if err != nil {
|
|
|
|
return l, err
|
|
|
|
}
|
|
|
|
}
|
2021-01-25 17:26:10 -05:00
|
|
|
|
|
|
|
// Lookup bind user configuration
|
2022-10-08 01:12:36 -04:00
|
|
|
l.LDAP.LookupBindDN = getCfgVal(LookupBindDN)
|
|
|
|
l.LDAP.LookupBindPassword = getCfgVal(LookupBindPassword)
|
2021-03-04 15:17:36 -05:00
|
|
|
|
2022-01-26 18:05:59 -05:00
|
|
|
// User DN search configuration
|
2022-10-08 01:12:36 -04:00
|
|
|
l.LDAP.UserDNSearchFilter = getCfgVal(UserDNSearchFilter)
|
|
|
|
l.LDAP.UserDNSearchBaseDistName = getCfgVal(UserDNSearchBaseDN)
|
2024-05-24 19:05:23 -04:00
|
|
|
l.LDAP.UserDNAttributes = getCfgVal(UserDNAttributes)
|
2022-01-26 18:05:59 -05:00
|
|
|
|
2021-01-25 17:26:10 -05:00
|
|
|
// Group search params configuration
|
2022-10-08 01:12:36 -04:00
|
|
|
l.LDAP.GroupSearchFilter = getCfgVal(GroupSearchFilter)
|
|
|
|
l.LDAP.GroupSearchBaseDistName = getCfgVal(GroupSearchBaseDN)
|
2019-10-04 13:35:33 -04:00
|
|
|
|
2024-04-25 17:28:16 -04:00
|
|
|
// If enable flag was not explicitly set, we treat it as implicitly set at
|
|
|
|
// this point as necessary configuration is available.
|
|
|
|
if !isEnableFlagExplicitlySet && !l.LDAP.Enabled {
|
|
|
|
l.LDAP.Enabled = true
|
|
|
|
}
|
2022-03-16 22:57:36 -04:00
|
|
|
// Validate and test configuration.
|
2022-10-08 01:12:36 -04:00
|
|
|
valResult := l.LDAP.Validate()
|
2022-03-16 22:57:36 -04:00
|
|
|
if !valResult.IsOk() {
|
2024-04-25 17:28:16 -04:00
|
|
|
// Set to false if configuration fails to validate.
|
|
|
|
l.LDAP.Enabled = false
|
2022-03-16 22:57:36 -04:00
|
|
|
return l, valResult
|
2019-10-04 13:35:33 -04:00
|
|
|
}
|
2019-10-23 01:59:13 -04:00
|
|
|
|
|
|
|
return l, nil
|
2019-10-04 13:35:33 -04:00
|
|
|
}
|
2022-10-19 14:00:10 -04:00
|
|
|
|
|
|
|
// GetConfigList - returns a list of LDAP configurations.
|
|
|
|
func (l *Config) GetConfigList(s config.Config) ([]madmin.IDPListItem, error) {
|
|
|
|
ldapConfigs, err := s.GetAvailableTargets(config.IdentityLDAPSubSys)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// For now, ldapConfigs will only have a single entry for the default
|
|
|
|
// configuration.
|
|
|
|
|
|
|
|
var res []madmin.IDPListItem
|
|
|
|
for _, cfg := range ldapConfigs {
|
|
|
|
res = append(res, madmin.IDPListItem{
|
|
|
|
Type: "ldap",
|
|
|
|
Name: cfg,
|
|
|
|
Enabled: l.Enabled(),
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
return res, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// ErrProviderConfigNotFound - represents a non-existing provider error.
|
|
|
|
var ErrProviderConfigNotFound = errors.New("provider configuration not found")
|
|
|
|
|
|
|
|
// GetConfigInfo - returns config details for an LDAP configuration.
|
|
|
|
func (l *Config) GetConfigInfo(s config.Config, cfgName string) ([]madmin.IDPCfgInfo, error) {
|
|
|
|
// For now only a single LDAP config is supported.
|
|
|
|
if cfgName != madmin.Default {
|
|
|
|
return nil, ErrProviderConfigNotFound
|
|
|
|
}
|
2023-06-23 10:45:27 -04:00
|
|
|
kvsrcs, err := s.GetResolvedConfigParams(config.IdentityLDAPSubSys, cfgName, true)
|
2022-10-19 14:00:10 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
res := make([]madmin.IDPCfgInfo, 0, len(kvsrcs))
|
|
|
|
for _, kvsrc := range kvsrcs {
|
|
|
|
// skip default values.
|
|
|
|
if kvsrc.Src == config.ValueSourceDef {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
res = append(res, madmin.IDPCfgInfo{
|
|
|
|
Key: kvsrc.Key,
|
|
|
|
Value: kvsrc.Value,
|
|
|
|
IsCfg: true,
|
|
|
|
IsEnv: kvsrc.Src == config.ValueSourceEnv,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
// sort the structs by the key
|
|
|
|
sort.Slice(res, func(i, j int) bool {
|
|
|
|
return res[i].Key < res[j].Key
|
|
|
|
})
|
|
|
|
|
|
|
|
return res, nil
|
|
|
|
}
|