From 02e7de6367874b320c7ddee3f96a706fe322bfa7 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Mon, 22 Feb 2021 13:20:36 -0800
Subject: [PATCH] LDAP config: fix substitution variables (#11586)

- In username search filter and username format variables we support %s for replacing with the username.
- In group search filter we support %s for username and %d for the full DN of the username.
---
 cmd/config/identity/ldap/config.go | 3 ++-
 docs/sts/ldap.md | 8 +++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/cmd/config/identity/ldap/config.go b/cmd/config/identity/ldap/config.go
index 7c758261e..c18b357c0 100644
--- a/cmd/config/identity/ldap/config.go
+++ b/cmd/config/identity/ldap/config.go
@@ -301,7 +301,8 @@ func (l *Config) Bind(username, password string) (string, []string, error) {
 var groups []string
 if l.GroupSearchFilter != "" {
 for _, groupSearchBase := range l.GroupSearchBaseDistNames {
- filter := strings.Replace(l.GroupSearchFilter, "%s", ldap.EscapeFilter(bindDN), -1)
+ filter := strings.Replace(l.GroupSearchFilter, "%s", ldap.EscapeFilter(username), -1)
+ filter = strings.Replace(filter, "%d", ldap.EscapeFilter(bindDN), -1)
 searchRequest := ldap.NewSearchRequest(
 groupSearchBase, ldap.ScopeWholeSubtree,
 ldap.NeverDerefAliases, 0, 0, false,
diff --git a/docs/sts/ldap.md b/docs/sts/ldap.md
index 27750ee59..fc41e785c 100644
--- a/docs/sts/ldap.md
+++ b/docs/sts/ldap.md
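Review bot: The two sequential strings.Replace calls on the added lines mean the `%d` pass also scans the text the `%s` pass just inserted, so a username containing the literal sequence `%d` gets the escaped bind DN spliced into the middle of it; ldap.EscapeFilter escapes the RFC 4515 filter metacharacters but not `%`. Since the bind DN is itself escaped this does not open filter injection, but it silently produces a group filter that does not match what the operator configured, and the username appears to come straight from the STS request per the docs hunk. A single-pass replacer performs both substitutions on the original template without rescanning replaced text: `filter := strings.NewReplacer("%s", ldap.EscapeFilter(username), "%d", ldap.EscapeFilter(bindDN)).Replace(l.GroupSearchFilter)`. Bind's body, including where bindDN is computed, continues outside the hunk.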
@@ -123,7 +123,13 @@ export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
 ### Variable substitution in AD/LDAP configuration strings ###
-`%s` is replaced with *username* automatically for construction bind_dn, search_filter and group_search_filter.
+In the configuration variables, `%s` is substituted with the *username* from the STS request and `%d` is substituted with the *distinguished username (user DN)* of the LDAP user. Please see the following table for which configuration variables support these substitution variables:
+
+| Variable | Supported substitutions |
+|---------------------------------------------|-------------------------|
+| `MINIO_IDENTITY_LDAP_USERNAME_FORMAT` | `%s` |
+| `MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER` | `%s` |
+| `MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER` | `%s` and `%d` |
 ## Managing User/Group Access Policy