mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
ldap: Reevalute filter when searching for non eligible users (#12953)
The previous code removes SVC/STS accounts for ldap users that do not exist anymore in LDAP server. This commit will actually re-evaluate filter as well if it is changed and remove all local SVC/STS accounts beloning to the ldap user if the latter is not eligible for the search filter anymore. For example: the filter selects enabled users among other criteras in the LDAP database, if one ldap user changes his status to disabled later, then associated SVC/STS accounts will be removed because that user does not meet the filter search anymore.
This commit is contained in:
parent
7d8413a589
commit
47dfc1b1b0
@ -1606,7 +1606,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
|
|||||||
}
|
}
|
||||||
sys.store.unlock()
|
sys.store.unlock()
|
||||||
|
|
||||||
expiredUsers, err := globalLDAPConfig.GetNonExistentUserDistNames(parentUsers)
|
expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(parentUsers)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// Log and return on error - perhaps it'll work the next time.
|
// Log and return on error - perhaps it'll work the next time.
|
||||||
logger.LogIf(GlobalContext, err)
|
logger.LogIf(GlobalContext, err)
|
||||||
|
@ -478,9 +478,9 @@ func (l Config) IsLDAPUserDN(user string) bool {
|
|||||||
return strings.HasSuffix(user, ","+l.UserDNSearchBaseDN)
|
return strings.HasSuffix(user, ","+l.UserDNSearchBaseDN)
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetNonExistentUserDistNames - find user accounts (DNs) that are no longer
|
// GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer
|
||||||
// present in the LDAP server.
|
// present in the LDAP server or do not meet filter criteria anymore
|
||||||
func (l *Config) GetNonExistentUserDistNames(userDistNames []string) ([]string, error) {
|
func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error) {
|
||||||
if !l.isUsingLookupBind {
|
if !l.isUsingLookupBind {
|
||||||
return nil, errors.New("current LDAP configuration does not permit looking for expired user accounts")
|
return nil, errors.New("current LDAP configuration does not permit looking for expired user accounts")
|
||||||
}
|
}
|
||||||
@ -496,12 +496,15 @@ func (l *Config) GetNonExistentUserDistNames(userDistNames []string) ([]string,
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Evaluate the filter again with generic wildcard instead of specific values
|
||||||
|
filter := strings.Replace(l.UserDNSearchFilter, "%s", "*", -1)
|
||||||
|
|
||||||
nonExistentUsers := []string{}
|
nonExistentUsers := []string{}
|
||||||
for _, dn := range userDistNames {
|
for _, dn := range userDistNames {
|
||||||
searchRequest := ldap.NewSearchRequest(
|
searchRequest := ldap.NewSearchRequest(
|
||||||
dn,
|
dn,
|
||||||
ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
|
ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
|
||||||
"(objectclass=*)",
|
filter,
|
||||||
[]string{}, // only need DN, so no pass no attributes here
|
[]string{}, // only need DN, so no pass no attributes here
|
||||||
nil,
|
nil,
|
||||||
)
|
)
|
||||||
|
Loading…
Reference in New Issue
Block a user