ldap: Reevalute filter when searching for non eligible users (#12953)

The previous code removes SVC/STS accounts for LDAP users that no
longer exist in the LDAP server. This commit additionally re-evaluates
the search filter if it has changed and removes all local SVC/STS accounts
belonging to an LDAP user when that user is no longer eligible under the
search filter.

For example: if the filter selects enabled users among other criteria in
the LDAP database, and one LDAP user later changes status to disabled,
then the associated SVC/STS accounts will be removed because that user
no longer matches the search filter.
Anis Elleuch 2021-08-13 19:40:04 +01:00 committed by GitHub
parent 7d8413a589
commit 47dfc1b1b0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 5 deletions


@ -1606,7 +1606,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
} }
sys.store.unlock() sys.store.unlock()
expiredUsers, err := globalLDAPConfig.GetNonExistentUserDistNames(parentUsers) expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(parentUsers)
if err != nil { if err != nil {
// Log and return on error - perhaps it'll work the next time. // Log and return on error - perhaps it'll work the next time.
logger.LogIf(GlobalContext, err) logger.LogIf(GlobalContext, err)

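Review bot: `expiredUsers` no longer describes what the renamed call returns, since GetNonEligibleUserDistNames also includes DNs that still exist but no longer match the configured search filter; rename it, e.g. `nonEligibleUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(parentUsers)`, and adjust its later uses accordingly. Because eligibility is now decided by the configured filter rather than only by DN existence, a filter misconfiguration would make every parent user appear non-eligible and, if the result still drives credential removal as the commit message describes, purge all LDAP SVC/STS credentials in one pass; a sanity guard on the result size or at least a log line naming the DNs being removed would make such an event visible. purgeExpiredCredentialsForLDAP begins and ends outside this hunk.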

@ -478,9 +478,9 @@ func (l Config) IsLDAPUserDN(user string) bool {
return strings.HasSuffix(user, ","+l.UserDNSearchBaseDN) return strings.HasSuffix(user, ","+l.UserDNSearchBaseDN)
} }
// GetNonExistentUserDistNames - find user accounts (DNs) that are no longer // GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer
// present in the LDAP server. // present in the LDAP server or do not meet filter criteria anymore
func (l *Config) GetNonExistentUserDistNames(userDistNames []string) ([]string, error) { func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error) {
if !l.isUsingLookupBind { if !l.isUsingLookupBind {
return nil, errors.New("current LDAP configuration does not permit looking for expired user accounts") return nil, errors.New("current LDAP configuration does not permit looking for expired user accounts")
} }
@ -496,12 +496,15 @@ func (l *Config) GetNonExistentUserDistNames(userDistNames []string) ([]string,
return nil, err return nil, err
} }
// Evaluate the filter again with generic wildcard instead of specific values
filter := strings.Replace(l.UserDNSearchFilter, "%s", "*", -1)
nonExistentUsers := []string{} nonExistentUsers := []string{}
for _, dn := range userDistNames { for _, dn := range userDistNames {
searchRequest := ldap.NewSearchRequest( searchRequest := ldap.NewSearchRequest(
dn, dn,
ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false, ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
"(objectclass=*)", filter,
[]string{}, // only need DN, so no pass no attributes here []string{}, // only need DN, so no pass no attributes here
nil, nil,
) )