Skip non existent ldap entities while import (#20352)

Dont hard error for nonexisting LDAP entries instead of logging them report them via `mc` Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2025-11-07 12:52:58 -05:00 · 2024-09-09 22:29:28 +05:30
parent 8c9ab85cfa
commit 0b7aa6af87
5 changed files with 105 additions and 36 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1568,16 +1568,16 @@ func (sys *IAMSys) updateGroupMembershipsForLDAP(ctx context.Context) {
 // accounts) for LDAP users. This normalizes the parent user and the group names
 // whenever the parent user parses validly as a DN.
 func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap map[string]madmin.SRSvcAccCreate,
-) (err error) {
+) (skippedAccessKeys []string, err error) {
 	conn, err := sys.LDAPConfig.LDAP.Connect()
 	if err != nil {
-		return err
+		return skippedAccessKeys, err
 	}
 	defer conn.Close()

 	// Bind to the lookup user account
 	if err = sys.LDAPConfig.LDAP.LookupBind(conn); err != nil {
-		return err
+		return skippedAccessKeys, err
 	}

 	var collectedErrors []error
@@ -1602,8 +1602,7 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
 			continue
 		}
 		if validatedParent == nil || !isUnderBaseDN {
-			err := fmt.Errorf("DN parent was not found in the LDAP directory")
-			collectedErrors = append(collectedErrors, err)
+			skippedAccessKeys = append(skippedAccessKeys, ak)
 			continue
 		}

@@ -1621,8 +1620,7 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
 				continue
 			}
 			if validatedGroup == nil {
-				err := fmt.Errorf("DN group was not found in the LDAP directory")
-				collectedErrors = append(collectedErrors, err)
+				// DN group was not found in the LDAP directory for access-key
 				continue
 			}

@@ -1643,7 +1641,7 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap

 	// if there are any errors, return a collected error.
 	if len(collectedErrors) > 0 {
-		return fmt.Errorf("errors validating LDAP DN: %w", errors.Join(collectedErrors...))
+		return skippedAccessKeys, fmt.Errorf("errors validating LDAP DN: %w", errors.Join(collectedErrors...))
 	}

 	for k, v := range updatedKeysMap {
@@ -1651,7 +1649,7 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
 		accessKeyMap[k] = v
 	}

-	return nil
+	return skippedAccessKeys, nil
 }

 func (sys *IAMSys) getStoredLDAPPolicyMappingKeys(ctx context.Context, isGroup bool) set.StringSet {
@@ -1677,16 +1675,16 @@ func (sys *IAMSys) getStoredLDAPPolicyMappingKeys(ctx context.Context, isGroup b
 // normalized form.
 func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
 	policyMap map[string]MappedPolicy,
-) error {
+) ([]string, error) {
 	conn, err := sys.LDAPConfig.LDAP.Connect()
 	if err != nil {
-		return err
+		return []string{}, err
 	}
 	defer conn.Close()

 	// Bind to the lookup user account
 	if err = sys.LDAPConfig.LDAP.LookupBind(conn); err != nil {
-		return err
+		return []string{}, err
 	}

 	// We map keys that correspond to LDAP DNs and validate that they exist in
@@ -1699,6 +1697,7 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
 	// map of normalized DN keys to original keys.
 	normalizedDNKeysMap := make(map[string][]string)
 	var collectedErrors []error
+	var skipped []string
 	for k := range policyMap {
 		_, err := ldap.NormalizeDN(k)
 		if err != nil {
@@ -1711,8 +1710,7 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
 			continue
 		}
 		if validatedDN == nil || !underBaseDN {
-			err := fmt.Errorf("DN was not found in the LDAP directory")
-			collectedErrors = append(collectedErrors, err)
+			skipped = append(skipped, k)
 			continue
 		}

@@ -1723,7 +1721,7 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,

 	// if there are any errors, return a collected error.
 	if len(collectedErrors) > 0 {
-		return fmt.Errorf("errors validating LDAP DN: %w", errors.Join(collectedErrors...))
+		return []string{}, fmt.Errorf("errors validating LDAP DN: %w", errors.Join(collectedErrors...))
 	}

 	entityKeysInStorage := sys.getStoredLDAPPolicyMappingKeys(ctx, isGroup)
@@ -1744,7 +1742,7 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
 			}

 			if policiesDiffer {
-				return fmt.Errorf("multiple DNs map to the same LDAP DN[%s]: %v; please remove DNs that are not needed",
+				return []string{}, fmt.Errorf("multiple DNs map to the same LDAP DN[%s]: %v; please remove DNs that are not needed",
 					normKey, origKeys)
 			}

@@ -1788,7 +1786,7 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
 			}
 		}
 	}
-	return nil
+	return skipped, nil
 }

 // CheckKey validates the incoming accessKey