fix: authenticate LDAP via actual DN instead of normalized DN (#19805)

fix: authenticate LDAP via actual DN instead of normalized DN

The normalized DN is only an internal representation, not a form for
external communication; any communication with LDAP must be based on
the actual user DN. LDAP servers do not understand a normalized DN.

fixes #19757
Harshavardhana
2024-05-25 06:43:06 -07:00
committed by GitHub
parent 7d75b1e758
commit 597a785253
11 changed files with 118 additions and 20 deletions


@@ -74,8 +74,9 @@ const (
parentClaim = "parent"
// LDAP claim keys
ldapUser = "ldapUser" // this is a key name for a DN value
ldapUserN = "ldapUsername" // this is a key name for the short/login username
ldapUser = "ldapUser" // this is a key name for a normalized DN value
ldapActualUser = "ldapActualUser" // this is a key name for the actual DN value
ldapUserN = "ldapUsername" // this is a key name for the short/login username
// Claim key-prefix for LDAP attributes
ldapAttribPrefix = "ldapAttrib_"
@@ -677,6 +678,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
return
}
ldapUserDN := lookupResult.NormDN
ldapActualUserDN := lookupResult.ActualDN
// Check if this user or their groups have a policy applied.
ldapPolicies, err := globalIAMSys.PolicyDBGet(ldapUserDN, groupDistNames...)
@@ -687,7 +689,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
if len(ldapPolicies) == 0 && newGlobalAuthZPluginFn() == nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",
ldapUserDN, strings.Join(groupDistNames, "`,`")))
ldapActualUserDN, strings.Join(groupDistNames, "`,`")))
return
}
@@ -699,6 +701,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
claims[expClaim] = UTCNow().Add(expiryDur).Unix()
claims[ldapUser] = ldapUserDN
claims[ldapActualUser] = ldapActualUserDN
claims[ldapUserN] = ldapUsername
// Add lookup up LDAP attributes as claims.
for attrib, value := range lookupResult.Attributes {