fix: authenticate LDAP via actual DN instead of normalized DN (#19805)

fix: authenticate LDAP via actual DN instead of normalized DN

Normalized DN is only for internal representation, not for
external communication, any communication to LDAP must be
based on actual user DN. LDAP servers do not understand
normalized DN.

fixes #19757

cmd/admin-handlers-idp-ldap.go

@@ -282,6 +282,7 @@ func (a adminAPIHandlers) AddServiceAccountLDAP(w http.ResponseWriter, r *http.R
 		}
 		targetUser = lookupResult.NormDN
 		opts.claims[ldapUser] = targetUser // DN
+		opts.claims[ldapActualUser] = lookupResult.ActualDN
 
 		// Add LDAP attributes that were looked up into the claims.
 		for attribKey, attribValue := range lookupResult.Attributes {

cmd/admin-handlers-users.go

@@ -709,6 +709,7 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 		}
 		targetUser = lookupResult.NormDN
 		opts.claims[ldapUser] = targetUser // username DN
+		opts.claims[ldapActualUser] = lookupResult.ActualDN
 
 		// Add LDAP attributes that were looked up into the claims.
 		for attribKey, attribValue := range lookupResult.Attributes {

cmd/ftp-server-driver.go

@@ -306,6 +306,7 @@ func (driver *ftpDriver) getMinIOClient(ctx *ftp.Context) (*minio.Client, error)
 			claims[expClaim] = UTCNow().Add(expiryDur).Unix()
 
 			claims[ldapUser] = lookupResult.NormDN
+			claims[ldapActualUser] = lookupResult.ActualDN
 			claims[ldapUserN] = ctx.Sess.LoginUser()
 
 			// Add LDAP attributes that were looked up into the claims.

cmd/iam-store.go

@@ -1951,6 +1951,12 @@ func (store *IAMStoreSys) GetAllParentUsers() map[string]ParentUserInfo {
 				subClaimValue = subFromToken
 			}
 		}
+		if v, ok := claims[ldapActualUser]; ok {
+			subFromToken, ok := v.(string)
+			if ok {
+				subClaimValue = subFromToken
+			}
+		}
 
 		roleArn := openid.DummyRoleARN.String()
 		s, ok := claims[roleArnClaim]

cmd/iam.go

@@ -1351,12 +1351,17 @@ func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
 func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
 	parentUsers := sys.store.GetAllParentUsers()
 	var allDistNames []string
-	for parentUser := range parentUsers {
+	for parentUser, info := range parentUsers {
 		if !sys.LDAPConfig.IsLDAPUserDN(parentUser) {
 			continue
 		}
 
-		allDistNames = append(allDistNames, parentUser)
+		if info.subClaimValue != "" {
+			// we need to ask LDAP about the actual user DN not normalized DN.
+			allDistNames = append(allDistNames, info.subClaimValue)
+		} else {
+			allDistNames = append(allDistNames, parentUser)
+		}
 	}
 
 	expiredUsers, err := sys.LDAPConfig.GetNonEligibleUserDistNames(allDistNames)

cmd/sftp-server.go

@@ -248,8 +248,9 @@ func startSFTPServer(args []string) {
 						return nil, errAuthentication
 					}
 					criticalOptions := map[string]string{
-						ldapUser:  targetUser,
-						ldapUserN: c.User(),
+						ldapUser:       targetUser,
+						ldapActualUser: lookupResult.ActualDN,
+						ldapUserN:      c.User(),
 					}
 					for attribKey, attribValue := range lookupResult.Attributes {
 						// we skip multi-value attributes here, as they cannot

cmd/sts-handlers.go

@@ -74,8 +74,9 @@ const (
 	parentClaim = "parent"
 
 	// LDAP claim keys
-	ldapUser  = "ldapUser"     // this is a key name for a DN value
-	ldapUserN = "ldapUsername" // this is a key name for the short/login username
+	ldapUser       = "ldapUser"       // this is a key name for a normalized DN value
+	ldapActualUser = "ldapActualUser" // this is a key name for the actual DN value
+	ldapUserN      = "ldapUsername"   // this is a key name for the short/login username
 	// Claim key-prefix for LDAP attributes
 	ldapAttribPrefix = "ldapAttrib_"
 
@@ -677,6 +678,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 		return
 	}
 	ldapUserDN := lookupResult.NormDN
+	ldapActualUserDN := lookupResult.ActualDN
 
 	// Check if this user or their groups have a policy applied.
 	ldapPolicies, err := globalIAMSys.PolicyDBGet(ldapUserDN, groupDistNames...)
@@ -687,7 +689,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 	if len(ldapPolicies) == 0 && newGlobalAuthZPluginFn() == nil {
 		writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
 			fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",
-				ldapUserDN, strings.Join(groupDistNames, "`,`")))
+				ldapActualUserDN, strings.Join(groupDistNames, "`,`")))
 		return
 	}
 
@@ -699,6 +701,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 
 	claims[expClaim] = UTCNow().Add(expiryDur).Unix()
 	claims[ldapUser] = ldapUserDN
+	claims[ldapActualUser] = ldapActualUserDN
 	claims[ldapUserN] = ldapUsername
 	// Add lookup up LDAP attributes as claims.
 	for attrib, value := range lookupResult.Attributes {

cmd/sts-handlers_test.go

@@ -723,6 +723,7 @@ func TestIAMWithLDAPServerSuite(t *testing.T) {
 				suite.TestLDAPSTSServiceAccountsWithUsername(c)
 				suite.TestLDAPSTSServiceAccountsWithGroups(c)
 				suite.TestLDAPAttributesLookup(c)
+				suite.TestLDAPCyrillicUser(c)
 				suite.TearDownSuite(c)
 			},
 		)
@@ -1872,6 +1873,75 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithGroups(c *check) {
 	c.mustNotCreateSvcAccount(ctx, globalActiveCred.AccessKey, userAdmClient)
 }
 
+func (s *TestSuiteIAM) TestLDAPCyrillicUser(c *check) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	_, err := s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{
+		Policies: []string{"readwrite"},
+		User:     "uid=Пользователь,ou=people,ou=swengg,dc=min,dc=io",
+	})
+	if err != nil {
+		c.Fatalf("Unable to set policy: %v", err)
+	}
+
+	cases := []struct {
+		username string
+		dn       string
+	}{
+		{
+			username: "Пользователь",
+			dn:       "uid=Пользователь,ou=people,ou=swengg,dc=min,dc=io",
+		},
+	}
+
+	conn, err := globalIAMSys.LDAPConfig.LDAP.Connect()
+	if err != nil {
+		c.Fatalf("LDAP connect failed: %v", err)
+	}
+	defer conn.Close()
+
+	for i, testCase := range cases {
+		ldapID := cr.LDAPIdentity{
+			Client:       s.TestSuiteCommon.client,
+			STSEndpoint:  s.endPoint,
+			LDAPUsername: testCase.username,
+			LDAPPassword: "example",
+		}
+
+		value, err := ldapID.Retrieve()
+		if err != nil {
+			c.Fatalf("Expected to generate STS creds, got err: %#v", err)
+		}
+
+		// Retrieve the STS account's credential object.
+		u, ok := globalIAMSys.GetUser(ctx, value.AccessKeyID)
+		if !ok {
+			c.Fatalf("Expected to find user %s", value.AccessKeyID)
+		}
+
+		if u.Credentials.AccessKey != value.AccessKeyID {
+			c.Fatalf("Expected access key %s, got %s", value.AccessKeyID, u.Credentials.AccessKey)
+		}
+
+		// Retrieve the credential's claims.
+		secret, err := getTokenSigningKey()
+		if err != nil {
+			c.Fatalf("Error getting token signing key: %v", err)
+		}
+		claims, err := getClaimsFromTokenWithSecret(value.SessionToken, secret)
+		if err != nil {
+			c.Fatalf("Error getting claims from token: %v", err)
+		}
+
+		// Validate claims.
+		dnClaim := claims[ldapActualUser].(string)
+		if dnClaim != testCase.dn {
+			c.Fatalf("Test %d: unexpected dn claim: %s", i+1, dnClaim)
+		}
+	}
+}
+
 func (s *TestSuiteIAM) TestLDAPAttributesLookup(c *check) {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
@@ -1942,7 +2012,7 @@ func (s *TestSuiteIAM) TestLDAPAttributesLookup(c *check) {
 		}
 
 		// Validate claims. Check if the sshPublicKey claim is present.
-		dnClaim := claims[ldapUser].(string)
+		dnClaim := claims[ldapActualUser].(string)
 		if dnClaim != testCase.dn {
 			c.Fatalf("Test %d: unexpected dn claim: %s", i+1, dnClaim)
 		}