ldap: Add user DN attributes list config param (#19758)

This change uses the updated ldap library in minio/pkg (bumped up to v3). A new config parameter is added for LDAP configuration to specify extra user attributes to load from the LDAP server and to store them as additional claims for the user. A test is added in sts_handlers.go that shows how to access the LDAP attributes as a claim. This is in preparation for adding SSH pubkey authentication to MinIO's SFTP integration.
2025-11-07 12:52:58 -05:00 · 2024-05-24 16:05:23 -07:00
parent a591e06ae5
commit 5f78691fcf
179 changed files with 524 additions and 362 deletions
--- a/cmd/sftp-server.go
+++ b/cmd/sftp-server.go
@@ -30,7 +30,7 @@ import (
 	"time"

 	"github.com/minio/minio/internal/logger"
-	xsftp "github.com/minio/pkg/v2/sftp"
+	xsftp "github.com/minio/pkg/v3/sftp"
 	"github.com/pkg/sftp"
 	"golang.org/x/crypto/ssh"
 )
@@ -238,20 +238,30 @@ func startSFTPServer(args []string) {
 					return nil, err
 				}
 				if errors.Is(err, errNoSuchServiceAccount) {
-					targetUser, targetGroups, err := globalIAMSys.LDAPConfig.Bind(c.User(), string(pass))
+					lookupResult, targetGroups, err := globalIAMSys.LDAPConfig.Bind(c.User(), string(pass))
 					if err != nil {
 						return nil, err
 					}
+					targetUser := lookupResult.NormDN
 					ldapPolicies, _ := globalIAMSys.PolicyDBGet(targetUser, targetGroups...)
 					if len(ldapPolicies) == 0 {
 						return nil, errAuthentication
 					}
+					criticalOptions := map[string]string{
+						ldapUser:  targetUser,
+						ldapUserN: c.User(),
+					}
+					for attribKey, attribValue := range lookupResult.Attributes {
+						// we skip multi-value attributes here, as they cannot
+						// be stored in the critical options.
+						if len(attribValue) == 1 {
+							criticalOptions[ldapAttribPrefix+attribKey] = attribValue[0]
+						}
+					}
+
 					return &ssh.Permissions{
-						CriticalOptions: map[string]string{
-							ldapUser:  targetUser,
-							ldapUserN: c.User(),
-						},
-						Extensions: make(map[string]string),
+						CriticalOptions: criticalOptions,
+						Extensions:      make(map[string]string),
 					}, nil
 				}
 				if subtle.ConstantTimeCompare([]byte(sa.Credentials.SecretKey), pass) == 1 {