ldap: Reevaluate filter when searching for non-eligible users (#12953)

The previous code removes SVC/STS accounts for ldap users that do not
exist anymore in LDAP server. This commit will actually re-evaluate
filter as well if it is changed and remove all local SVC/STS accounts
belonging to the ldap user if the latter is not eligible for the
search filter anymore.

For example: the filter selects enabled users among other criteria in
the LDAP database, if one ldap user changes his status to disabled
later, then associated SVC/STS accounts will be removed because that user
does not meet the filter search anymore.
Anis Elleuch
2021-08-13 19:40:04 +01:00
committed by GitHub
parent 7d8413a589
commit 47dfc1b1b0
2 changed files with 8 additions and 5 deletions
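The behaviour the commit message describes, as an added example that is not MinIO's code: a credential store keyed by parent LDAP DN, a simulated directory, and a purge pass that re-evaluates the configured filter on every run. The names `directory`, `credStore`, `nonEligibleUserDistNames`, `purgeNonEligible` and the sample DNs are all assumptions made for this illustration (only the purpose, not the code, is modelled on `GetNonEligibleUserDistNames`). It shows the three cases a practitioner cares about: a deleted user is purged under the old and new logic, a still-existing but disabled user is purged only once the filter is re-evaluated, and a lookup error removes nothing so a transient outage cannot wipe every service account.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ldapEntry is a constructed stand-in for an LDAP user object; only the
// attribute the example filter looks at is modelled.
type ldapEntry struct {
	DN      string
	Enabled bool
}

// directory simulates the LDAP server. A DN missing from entries means the
// user was deleted; down simulates an unreachable server.
type directory struct {
	entries map[string]ldapEntry
	down    bool
}

var errUnavailable = errors.New("ldap: server unavailable")

// filter models the configured search filter as a predicate over an entry,
// e.g. "(&(objectClass=person)(enabled=TRUE))" becomes enabledOnly.
type filter func(ldapEntry) bool

func anyUser(ldapEntry) bool       { return true }
func enabledOnly(e ldapEntry) bool { return e.Enabled }

// nonEligibleUserDistNames (hypothetical name) returns the parent DNs that
// no longer exist or no longer match the filter. A lookup error aborts the
// whole pass so an outage is never mistaken for "every user is gone".
func (d *directory) nonEligibleUserDistNames(parents []string, f filter) ([]string, error) {
	if d.down {
		return nil, errUnavailable
	}
	var out []string
	for _, dn := range parents {
		e, exists := d.entries[dn]
		if !exists || !f(e) {
			out = append(out, dn)
		}
	}
	sort.Strings(out)
	return out, nil
}

// credStore holds local SVC/STS access keys keyed by their parent user DN.
type credStore struct{ byParent map[string][]string }

func (s *credStore) parentUsers() []string {
	ps := make([]string, 0, len(s.byParent))
	for dn := range s.byParent {
		ps = append(ps, dn)
	}
	sort.Strings(ps)
	return ps
}

// purgeNonEligible re-evaluates every parent against the current filter and
// deletes the credentials of those no longer eligible, returning the removed
// access keys. On error it removes nothing and reports the error, so the
// caller can log it and retry on the next scheduled pass.
func purgeNonEligible(s *credStore, d *directory, f filter) ([]string, error) {
	nonEligible, err := d.nonEligibleUserDistNames(s.parentUsers(), f)
	if err != nil {
		return nil, err
	}
	var removed []string
	for _, dn := range nonEligible {
		removed = append(removed, s.byParent[dn]...)
		delete(s.byParent, dn)
	}
	sort.Strings(removed)
	return removed, nil
}

// Constructed sample data: alice is enabled, bob was disabled in LDAP,
// carol was deleted from LDAP but still has a local service account.
const (
	alice = "uid=alice,ou=people,dc=example,dc=com"
	bob   = "uid=bob,ou=people,dc=example,dc=com"
	carol = "uid=carol,ou=people,dc=example,dc=com"
)

func sampleDirectory() *directory {
	return &directory{entries: map[string]ldapEntry{
		alice: {DN: alice, Enabled: true},
		bob:   {DN: bob, Enabled: false},
	}}
}

func sampleStore() *credStore {
	return &credStore{byParent: map[string][]string{
		alice: {"alice-svc-1", "alice-sts-1"},
		bob:   {"bob-svc-1"},
		carol: {"carol-svc-1"},
	}}
}

func main() {
	d, s := sampleDirectory(), sampleStore()
	removed, _ := purgeNonEligible(s, d, anyUser) // old logic: deleted users only
	fmt.Println("deleted users only:", removed)    // [carol-svc-1]
	removed, _ = purgeNonEligible(s, d, enabledOnly) // new logic: filter re-evaluated
	fmt.Println("filter re-evaluated:", removed)     // [bob-svc-1]
	d.down = true
	_, err := purgeNonEligible(s, d, enabledOnly)
	fmt.Println("outage:", err, "alice keeps:", s.byParent[alice])
}
```

The fail-closed branch is the part worth copying: the purge only ever acts on a successful evaluation, and a server that cannot be reached returns an error rather than an empty result set, which is what keeps an outage from looking like a mass deletion.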


@@ -1606,7 +1606,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
}
sys.store.unlock()
expiredUsers, err := globalLDAPConfig.GetNonExistentUserDistNames(parentUsers)
expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(parentUsers)
if err != nil {
// Log and return on error - perhaps it'll work the next time.
logger.LogIf(GlobalContext, err)
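Review bot: with `GetNonEligibleUserDistNames(parentUsers)` the search filter becomes a destructive control: a filter edit that accidentally matches nobody (or a base-DN change pushed in the same config update) returns every parent user, and the removal the commit message describes would then delete all local SVC/STS credentials in one pass with no way to recover them. Consider treating a result that covers all of `parentUsers` the way `err != nil` is already treated here (log and return, try again next time), or at least logging each DN purged together with the filter in effect so the cause can be traced. Two smaller points: `expiredUsers` now also holds users that still exist but fail the filter, so `nonEligibleUsers` would name it accurately; and `logger.LogIf(GlobalContext, err)` ignores the `ctx` passed into `purgeExpiredCredentialsForLDAP`.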