MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
minio/internal/config/identity/ldap/config.go

237 lines
6.8 KiB
Go
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-18 15:41:13 -04:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
package ldap
import (
"crypto/x509"
"time"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-01 17:59:40 -04:00
"github.com/minio/minio/internal/config"
move the dependency to minio/pkg for common libraries (#12397)
2021-05-28 18:17:01 -04:00
"github.com/minio/pkg/env"
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
)
const (
defaultLDAPExpiry = time.Hour * 1
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
dnDelimiter = ";"
fix: Add support for DurationSeconds in LDAP STS API (#12778)
2021-07-22 15:13:21 -04:00
minLDAPExpiry time.Duration = 15 * time.Minute
maxLDAPExpiry time.Duration = 365 * 24 * time.Hour
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
)
// Config contains AD/LDAP server connectivity information.
type Config struct {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
Enabled bool `json:"enabled"`
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
// E.g. "ldap.minio.io:636"
ServerAddr string `json:"serverAddr"`
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// User DN search parameters
Identity LDAP: Allow multiple search base DNs (#14191) This change allows the MinIO server to lookup users in different directory sub-trees by allowing specification of multiple search bases separated by semicolons.
2022-01-26 18:05:59 -05:00
UserDNSearchBaseDistName string `json:"userDNSearchBaseDN"`
Add extra LDAP configuration validation (#14535) - The result now contains suggestions on fixing common configuration issues. - These suggestions will subsequently be exposed in console/mc
2022-03-16 22:57:36 -04:00
UserDNSearchBaseDistNames []string `json:"-"` // Generated field
Identity LDAP: Allow multiple search base DNs (#14191) This change allows the MinIO server to lookup users in different directory sub-trees by allowing specification of multiple search bases separated by semicolons.
2022-01-26 18:05:59 -05:00
UserDNSearchFilter string `json:"userDNSearchFilter"`
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// Group search parameters
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
GroupSearchBaseDistName string `json:"groupSearchBaseDN"`
Add extra LDAP configuration validation (#14535) - The result now contains suggestions on fixing common configuration issues. - These suggestions will subsequently be exposed in console/mc
2022-03-16 22:57:36 -04:00
GroupSearchBaseDistNames []string `json:"-"` // Generated field
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
GroupSearchFilter string `json:"groupSearchFilter"`
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// Lookup bind LDAP service account
LookupBindDN string `json:"lookupBindDN"`
LookupBindPassword string `json:"lookupBindPassword"`
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
stsExpiryDuration time.Duration // contains converted value
tlsSkipVerify bool // allows skipping TLS verification
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
serverInsecure bool // allows plain text connection to LDAP server
serverStartTLS bool // allows using StartTLS connection to LDAP server
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
rootCAs *x509.CertPool
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}
fix: some races when accessing ldap/openid config globally (#14978)
2022-05-25 21:32:53 -04:00
// Clone returns a cloned copy of LDAP config.
func (l *Config) Clone() Config {
if l == nil {
return Config{}
}
cfg := Config{
Enabled: l.Enabled,
ServerAddr: l.ServerAddr,
UserDNSearchBaseDistName: l.UserDNSearchBaseDistName,
UserDNSearchBaseDistNames: l.UserDNSearchBaseDistNames,
UserDNSearchFilter: l.UserDNSearchFilter,
GroupSearchBaseDistName: l.GroupSearchBaseDistName,
GroupSearchBaseDistNames: l.GroupSearchBaseDistNames,
GroupSearchFilter: l.GroupSearchFilter,
LookupBindDN: l.LookupBindDN,
LookupBindPassword: l.LookupBindPassword,
stsExpiryDuration: l.stsExpiryDuration,
tlsSkipVerify: l.tlsSkipVerify,
serverInsecure: l.serverInsecure,
serverStartTLS: l.serverStartTLS,
rootCAs: l.rootCAs,
}
return cfg
}
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
// LDAP keys and envs.
const (
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
ServerAddr = "server_addr"
LookupBindDN = "lookup_bind_dn"
LookupBindPassword = "lookup_bind_password"
UserDNSearchBaseDN = "user_dn_search_base_dn"
UserDNSearchFilter = "user_dn_search_filter"
GroupSearchFilter = "group_search_filter"
GroupSearchBaseDN = "group_search_base_dn"
TLSSkipVerify = "tls_skip_verify"
ServerInsecure = "server_insecure"
ServerStartTLS = "server_starttls"
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
EnvServerAddr = "MINIO_IDENTITY_LDAP_SERVER_ADDR"
EnvTLSSkipVerify = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"
EnvServerInsecure = "MINIO_IDENTITY_LDAP_SERVER_INSECURE"
EnvServerStartTLS = "MINIO_IDENTITY_LDAP_SERVER_STARTTLS"
EnvUsernameFormat = "MINIO_IDENTITY_LDAP_USERNAME_FORMAT"
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
EnvUserDNSearchBaseDN = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN"
EnvUserDNSearchFilter = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER"
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
EnvGroupSearchFilter = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER"
EnvGroupSearchBaseDN = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN"
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
EnvLookupBindDN = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN"
EnvLookupBindPassword = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD"
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
)
fix: purge LDAP deprecated keys
2021-01-26 12:53:29 -05:00
var removedKeys = []string{
fix: remove deprecated LDAP username format support (#13165)
2021-09-08 16:31:51 -04:00
"sts_expiry",
"username_format",
fix: purge LDAP deprecated keys
2021-01-26 12:53:29 -05:00
"username_search_filter",
"username_search_base_dn",
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-10 19:52:49 -05:00
"group_name_attribute",
fix: purge LDAP deprecated keys
2021-01-26 12:53:29 -05:00
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
// DefaultKVS - default config for LDAP config
var (
DefaultKVS = config.KVS{
Order all keys in config (#8541) New changes - return default values when sub-sys is not configured. - state is hidden parameter now - remove worm mode to be saved in config
2019-11-20 18:10:24 -05:00
config.KV{
Key: ServerAddr,
Value: "",
},
config.KV{
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
Key: UserDNSearchBaseDN,
Support multiple LDAP OU's, smAccountName support (#9139) Fixes #8532
2020-03-22 01:47:26 -04:00
Value: "",
},
config.KV{
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
Key: UserDNSearchFilter,
Order all keys in config (#8541) New changes - return default values when sub-sys is not configured. - state is hidden parameter now - remove worm mode to be saved in config
2019-11-20 18:10:24 -05:00
Value: "",
},
config.KV{
Key: GroupSearchFilter,
Value: "",
},
config.KV{
Key: GroupSearchBaseDN,
Value: "",
},
config.KV{
Key: TLSSkipVerify,
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-04 18:32:37 -05:00
Value: config.EnableOff,
Order all keys in config (#8541) New changes - return default values when sub-sys is not configured. - state is hidden parameter now - remove worm mode to be saved in config
2019-11-20 18:10:24 -05:00
},
Add an option to allow plaintext connection to LDAP/AD Server (#9151)
2020-03-19 22:20:51 -04:00
config.KV{
Key: ServerInsecure,
Value: config.EnableOff,
},
add LDAP StartTLS support (#9472)
2020-05-07 18:08:33 -04:00
config.KV{
Key: ServerStartTLS,
Value: config.EnableOff,
},
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
config.KV{
Key: LookupBindDN,
Value: "",
},
config.KV{
Key: LookupBindPassword,
Value: "",
},
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
}
)
fix: user DN filtering that causes some unnecessary logs (#13584) Additionally, remove the unnecessary `isUsingLookupBind` field in the LDAP struct
2021-11-04 16:11:20 -04:00
// Enabled returns if LDAP config is enabled.
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-04 18:32:37 -05:00
func Enabled(kvs config.KVS) bool {
return kvs.Get(ServerAddr) != ""
}
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
// Lookup - initializes LDAP config, overrides config, if any ENV values are set.
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error) {
l = Config{}
fix: purge LDAP deprecated keys
2021-01-26 12:53:29 -05:00
// Purge all removed keys first
for _, k := range removedKeys {
kvs.Delete(k)
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
if err = config.CheckValidKeys(config.IdentityLDAPSubSys, kvs, DefaultKVS); err != nil {
return l, err
}
Add extra LDAP configuration validation (#14535) - The result now contains suggestions on fixing common configuration issues. - These suggestions will subsequently be exposed in console/mc
2022-03-16 22:57:36 -04:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
ldapServer := env.Get(EnvServerAddr, kvs.Get(ServerAddr))
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
if ldapServer == "" {
return l, nil
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
l.Enabled = true
LDAP Test connection was not using GlobalRootCAs (#12612) Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
2021-07-01 20:41:01 -04:00
l.rootCAs = rootCAs
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
l.ServerAddr = ldapServer
l.stsExpiryDuration = defaultLDAPExpiry
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// LDAP connection configuration
Add an option to allow plaintext connection to LDAP/AD Server (#9151)
2020-03-19 22:20:51 -04:00
if v := env.Get(EnvServerInsecure, kvs.Get(ServerInsecure)); v != "" {
l.serverInsecure, err = config.ParseBool(v)
if err != nil {
return l, err
}
}
add LDAP StartTLS support (#9472)
2020-05-07 18:08:33 -04:00
if v := env.Get(EnvServerStartTLS, kvs.Get(ServerStartTLS)); v != "" {
l.serverStartTLS, err = config.ParseBool(v)
if err != nil {
return l, err
}
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
if v := env.Get(EnvTLSSkipVerify, kvs.Get(TLSSkipVerify)); v != "" {
l.tlsSkipVerify, err = config.ParseBool(v)
if err != nil {
return l, err
}
}
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// Lookup bind user configuration
Add extra LDAP configuration validation (#14535) - The result now contains suggestions on fixing common configuration issues. - These suggestions will subsequently be exposed in console/mc
2022-03-16 22:57:36 -04:00
l.LookupBindDN = env.Get(EnvLookupBindDN, kvs.Get(LookupBindDN))
l.LookupBindPassword = env.Get(EnvLookupBindPassword, kvs.Get(LookupBindPassword))
Test LDAP connection configuration at startup (#11684)
2021-03-04 15:17:36 -05:00
Identity LDAP: Allow multiple search base DNs (#14191) This change allows the MinIO server to lookup users in different directory sub-trees by allowing specification of multiple search bases separated by semicolons.
2022-01-26 18:05:59 -05:00
// User DN search configuration
Add extra LDAP configuration validation (#14535) - The result now contains suggestions on fixing common configuration issues. - These suggestions will subsequently be exposed in console/mc
2022-03-16 22:57:36 -04:00
l.UserDNSearchFilter = env.Get(EnvUserDNSearchFilter, kvs.Get(UserDNSearchFilter))
l.UserDNSearchBaseDistName = env.Get(EnvUserDNSearchBaseDN, kvs.Get(UserDNSearchBaseDN))
Identity LDAP: Allow multiple search base DNs (#14191) This change allows the MinIO server to lookup users in different directory sub-trees by allowing specification of multiple search bases separated by semicolons.
2022-01-26 18:05:59 -05:00
Add LDAP Lookup-Bind mode (#11318) This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to LDAP identity configuration (under `identity_ldap`): - lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN - lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD - user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN - user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER This lookup-bind account is a service account that is used to lookup the user's DN from their username provided in the STS API. When configured, searching for the user DN is enabled and configuration of the base DN and filter for search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username. When the lookup-bind is not configured, the old behavior is enabled: the minio server performs LDAP lookups as the LDAP user making the STS API request and the username format is checked and configuring it is required.
2021-01-25 17:26:10 -05:00
// Group search params configuration
Add extra LDAP configuration validation (#14535) - The result now contains suggestions on fixing common configuration issues. - These suggestions will subsequently be exposed in console/mc
2022-03-16 22:57:36 -04:00
l.GroupSearchFilter = env.Get(EnvGroupSearchFilter, kvs.Get(GroupSearchFilter))
l.GroupSearchBaseDistName = env.Get(EnvGroupSearchBaseDN, kvs.Get(GroupSearchBaseDN))
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
Add extra LDAP configuration validation (#14535) - The result now contains suggestions on fixing common configuration issues. - These suggestions will subsequently be exposed in console/mc
2022-03-16 22:57:36 -04:00
// Validate and test configuration.
valResult := l.Validate()
if !valResult.IsOk() {
return l, valResult
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
return l, nil
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 13:35:33 -04:00
}