ldap: Reevalute filter when searching for non eligible users (#12953)

The previous code removes SVC/STS accounts for ldap users that do not
exist anymore in the LDAP server. This commit will actually re-evaluate
the filter as well if it is changed and remove all local SVC/STS accounts
belonging to the ldap user if the latter is not eligible for the
search filter anymore.

For example: the filter selects enabled users among other criteria in
the LDAP database; if one ldap user changes his status to disabled
later, then the associated SVC/STS accounts will be removed because that user
does not meet the filter search anymore.
Anis Elleuch 2021-08-13 19:40:04 +01:00 committed by GitHub
parent 7d8413a589
commit 47dfc1b1b0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 5 deletions


@ -1606,7 +1606,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
}
sys.store.unlock()
expiredUsers, err := globalLDAPConfig.GetNonExistentUserDistNames(parentUsers)
expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(parentUsers)
if err != nil {
// Log and return on error - perhaps it'll work the next time.
logger.LogIf(GlobalContext, err)
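Review bot: The name `expiredUsers` on the new call no longer describes the result, since GetNonEligibleUserDistNames also returns DNs that still exist in LDAP but stopped matching the configured UserDNSearchFilter; the credential purge that presumably follows this hunk is therefore now driven by filter configuration as well as account existence. Rename it to `nonEligibleUsers` or add `// includes DNs that exist but no longer match the user search filter` above the call so the revocation trigger is visible at the call site. Because a filter change on the admin side will now revoke SVC/STS credentials, it is worth confirming that each removed DN is logged somewhere in this function; that part is outside the hunk. purgeExpiredCredentialsForLDAP starts and ends outside the hunk.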


@ -478,9 +478,9 @@ func (l Config) IsLDAPUserDN(user string) bool {
return strings.HasSuffix(user, ","+l.UserDNSearchBaseDN)
}
// GetNonExistentUserDistNames - find user accounts (DNs) that are no longer
// present in the LDAP server.
func (l *Config) GetNonExistentUserDistNames(userDistNames []string) ([]string, error) {
// GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer
// present in the LDAP server or do not meet filter criteria anymore
func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error) {
if !l.isUsingLookupBind {
return nil, errors.New("current LDAP configuration does not permit looking for expired user accounts")
}
@ -496,12 +496,15 @@ func (l *Config) GetNonExistentUserDistNames(userDistNames []string) ([]string,
return nil, err
}
// Evaluate the filter again with generic wildcard instead of specific values
filter := strings.Replace(l.UserDNSearchFilter, "%s", "*", -1)
nonExistentUsers := []string{}
for _, dn := range userDistNames {
searchRequest := ldap.NewSearchRequest(
dn,
ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
"(objectclass=*)",
filter,
[]string{}, // only need DN, so no pass no attributes here
nil,
)