MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 12:52:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix: authenticate LDAP via actual DN instead of normalized DN (#19805)

Browse Source 
fix: authenticate LDAP via actual DN instead of normalized DN

Normalized DN is only for internal representation, not for
external communication, any communication to LDAP must be
based on actual user DN. LDAP servers do not understand
normalized DN.

fixes #19757
This commit is contained in:
Harshavardhana
2024-05-25 06:43:06 -07:00
committed by GitHub
parent 7d75b1e758
commit 597a785253
11 changed files with 118 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
internal/config/identity/ldap/ldap.go
View File

@@ -51,7 +51,7 @@ func (l *Config) LookupUserDN(username string) (*xldap.DNSearchResult, []string,
return nil, nil, errRet
}
groups, err := l.LDAP.SearchForUserGroups(conn, username, lookupRes.NormDN)
groups, err := l.LDAP.SearchForUserGroups(conn, username, lookupRes.ActualDN)
if err != nil {
return nil, nil, err
}
@@ -200,9 +200,9 @@ func (l *Config) Bind(username, password string) (*xldap.DNSearchResult, []strin
}
// Authenticate the user credentials.
err = conn.Bind(lookupResult.NormDN, password)
err = conn.Bind(lookupResult.ActualDN, password)
if err != nil {
errRet := fmt.Errorf("LDAP auth failed for DN %s: %w", lookupResult.NormDN, err)
errRet := fmt.Errorf("LDAP auth failed for DN %s: %w", lookupResult.ActualDN, err)
return nil, nil, errRet
}
@@ -212,7 +212,7 @@ func (l *Config) Bind(username, password string) (*xldap.DNSearchResult, []strin
}
// User groups lookup.
groups, err := l.LDAP.SearchForUserGroups(conn, username, lookupResult.NormDN)
groups, err := l.LDAP.SearchForUserGroups(conn, username, lookupResult.ActualDN)
if err != nil {
return nil, nil, err
}
@@ -288,7 +288,7 @@ func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string,
return nil, err
}
// Evaluate the filter again with generic wildcard instead of specific values
// Evaluate the filter again with generic wildcard instead of specific values
filter := strings.ReplaceAll(l.LDAP.UserDNSearchFilter, "%s", "*")
nonExistentUsers := []string{}
@@ -305,7 +305,11 @@ func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string,
if err != nil {
// Object does not exist error?
if ldap.IsErrorWithCode(err, 32) {
nonExistentUsers = append(nonExistentUsers, dn)
ndn, err := ldap.ParseDN(dn)
if err != nil {
return nil, err
}
nonExistentUsers = append(nonExistentUsers, ndn.String())
continue
}
return nil, err
@@ -313,7 +317,11 @@ func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string,
if len(searchResult.Entries) == 0 {
// DN was not found - this means this user account is
// expired.
nonExistentUsers = append(nonExistentUsers, dn)
ndn, err := ldap.ParseDN(dn)
if err != nil {
return nil, err
}
nonExistentUsers = append(nonExistentUsers, ndn.String())
}
}
return nonExistentUsers, nil