From 47dfc1b1b09a3ef6bc21d7f39636fbbe81e2c16f Mon Sep 17 00:00:00 2001
From: Anis Elleuch
Date: Fri, 13 Aug 2021 19:40:04 +0100
Subject: [PATCH] ldap: Reevalute filter when searching for non eligible users (#12953)

The previous code removes SVC/STS accounts for ldap users that do not exist anymore in LDAP server. This commit will actually re-evaluate filter as well if it is changed and remove all local SVC/STS accounts beloning to the ldap user if the latter is not eligible for the search filter anymore. For example: the filter selects enabled users among other criteras in the LDAP database, if one ldap user changes his status to disabled later, then associated SVC/STS accounts will be removed because that user does not meet the filter search anymore.
---
 cmd/iam.go | 2 +-
 internal/config/identity/ldap/config.go | 11 +++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/cmd/iam.go b/cmd/iam.go
index 525242131..f5e12a1d0 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1606,7 +1606,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
 	}
 	sys.store.unlock()
-	expiredUsers, err := globalLDAPConfig.GetNonExistentUserDistNames(parentUsers)
+	expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(parentUsers)
 	if err != nil {
 		// Log and return on error - perhaps it'll work the next time.
 		logger.LogIf(GlobalContext, err)
diff --git a/internal/config/identity/ldap/config.go b/internal/config/identity/ldap/config.go
index d974077e3..7ebb8b791 100644
--- a/internal/config/identity/ldap/config.go
+++ b/internal/config/identity/ldap/config.go
@@ -478,9 +478,9 @@ func (l Config) IsLDAPUserDN(user string) bool {
 	return strings.HasSuffix(user, ","+l.UserDNSearchBaseDN)
 }
-// GetNonExistentUserDistNames - find user accounts (DNs) that are no longer
-// present in the LDAP server.
-func (l *Config) GetNonExistentUserDistNames(userDistNames []string) ([]string, error) {
+// GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer
+// present in the LDAP server or do not meet filter criteria anymore
+func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error) {
 	if !l.isUsingLookupBind {
 		return nil, errors.New("current LDAP configuration does not permit looking for expired user accounts")
 	}
@@ -496,12 +496,15 @@ func (l *Config) GetNonExistentUserDistNames(userDistNames []string,
 		return nil, err
 	}
+	// Evaluate the filter again with generic wildcard instead of specific values
+	filter := strings.Replace(l.UserDNSearchFilter, "%s", "*", -1)
+
 	nonExistentUsers := []string{}
 	for _, dn := range userDistNames {
 		searchRequest := ldap.NewSearchRequest(
 			dn, ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
-			"(objectclass=*)",
+			filter,
 			[]string{}, // only need DN, so no pass no attributes here
 			nil,
 		)
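Review bot: The substitution at `filter := strings.Replace(l.UserDNSearchFilter, "%s", "*", -1)` only produces a presence filter when `%s` stands alone as the attribute value; a configured filter such as `(mail=%s@example.com)` turns into a substring filter, which some directories reject for certain attribute syntaxes, and because a miss in this search ends with the caller purging that user's SVC/STS credentials, the failure mode deserves to be stated on the new line rather than left implicit. The search-error and result handling sits after the end of this hunk, so I cannot tell whether an LDAP error is currently treated as "not eligible" or as a transient failure; I would add above the loop `// A search error is not evidence the user is gone: only a successful search that returns no entry marks the DN as non-eligible.` and make sure the code below matches it. It is also worth confirming that UserDNSearchFilter cannot be empty under lookup-bind, since the old hard-coded `(objectclass=*)` always compiled and the new value may not. Minor style: `filter := strings.ReplaceAll(l.UserDNSearchFilter, "%s", "*")` reads better than the `-1` form. GetNonEligibleUserDistNames continues past the last line of the hunk.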