Fix support for multiple LDAP user formats (#11276)

Fixes support for using multiple base DNs for user search in the LDAP directory,
allowing users from different subtrees of the LDAP hierarchy to request
credentials.

- The username in the produced credentials is now the full DN of the LDAP user
to disambiguate users in different base DNs.
This commit is contained in:
Aditya Manthramurthy
2021-01-17 21:54:32 -08:00
committed by GitHub
parent 0dadfd1b3d
commit 3163a660aa
4 changed files with 70 additions and 101 deletions


@@ -490,9 +490,9 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
}
}
groups, err := globalLDAPConfig.Bind(ldapUsername, ldapPassword)
ldapUserDN, groups, err := globalLDAPConfig.Bind(ldapUsername, ldapPassword)
if err != nil {
err = fmt.Errorf("LDAP server connection failure: %w", err)
err = fmt.Errorf("LDAP server error: %w", err)
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return
}
@@ -500,7 +500,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
expiryDur := globalLDAPConfig.GetExpiryDuration()
m := map[string]interface{}{
expClaim: UTCNow().Add(expiryDur).Unix(),
ldapUser: ldapUsername,
ldapUser: ldapUserDN,
}
if len(sessionPolicyStr) > 0 {
@@ -516,7 +516,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
// Set the parent of the temporary access key, this is useful
// in obtaining service accounts by this cred.
cred.ParentUser = ldapUsername
cred.ParentUser = ldapUserDN
// Set this value to LDAP groups, LDAP user can be part
// of large number of groups