MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 21:02:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

ldap: Add user DN attributes list config param (#19758)

Browse Source 
This change uses the updated ldap library in minio/pkg (bumped
up to v3). A new config parameter is added for LDAP configuration to
specify extra user attributes to load from the LDAP server and to store
them as additional claims for the user.

A test is added in sts_handlers.go that shows how to access the LDAP
attributes as a claim.

This is in preparation for adding SSH pubkey authentication to MinIO's SFTP
integration.
This commit is contained in:
Aditya Manthramurthy
2024-05-24 16:05:23 -07:00
committed by GitHub
parent a591e06ae5
commit 5f78691fcf
179 changed files with 524 additions and 362 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
cmd/sftp-server-driver.go
View File

@@ -34,7 +34,7 @@ import (
"github.com/minio/minio-go/v7/pkg/credentials"
"github.com/minio/minio/internal/auth"
xioutil "github.com/minio/minio/internal/ioutil"
"github.com/minio/pkg/v2/mimedb"
"github.com/minio/pkg/v3/mimedb"
"github.com/pkg/sftp"
"golang.org/x/crypto/ssh"
)
@@ -101,7 +101,7 @@ func (f *sftpDriver) getMinIOClient() (*minio.Client, error) {
}
var mcreds *credentials.Credentials
if errors.Is(err, errNoSuchServiceAccount) {
targetUser, targetGroups, err := globalIAMSys.LDAPConfig.LookupUserDN(f.AccessKey())
lookupResult, targetGroups, err := globalIAMSys.LDAPConfig.LookupUserDN(f.AccessKey())
if err != nil {
return nil, err
}
@@ -115,6 +115,14 @@ func (f *sftpDriver) getMinIOClient() (*minio.Client, error) {
claims[k] = v
}
// Set LDAP claims.
claims[ldapUserN] = f.AccessKey()
claims[ldapUser] = lookupResult.NormDN
// Add LDAP attributes that were looked up into the claims.
for attribKey, attribValue := range lookupResult.Attributes {
claims[ldapAttribPrefix+attribKey] = attribValue
}
cred, err := auth.GetNewCredentialsWithMetadata(claims, globalActiveCred.SecretKey)
if err != nil {
return nil, err
@@ -122,7 +130,7 @@ func (f *sftpDriver) getMinIOClient() (*minio.Client, error) {
// Set the parent of the temporary access key, this is useful
// in obtaining service accounts by this cred.
cred.ParentUser = targetUser
cred.ParentUser = lookupResult.NormDN
// Set this value to LDAP groups, LDAP user can be part
// of large number of groups