MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 12:52:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

ldap: Add user DN attributes list config param (#19758)

Browse Source 
This change uses the updated ldap library in minio/pkg (bumped
up to v3). A new config parameter is added for LDAP configuration to
specify extra user attributes to load from the LDAP server and to store
them as additional claims for the user.

A test is added in sts_handlers.go that shows how to access the LDAP
attributes as a claim.

This is in preparation for adding SSH pubkey authentication to MinIO's SFTP
integration.
This commit is contained in:
Aditya Manthramurthy
2024-05-24 16:05:23 -07:00
committed by GitHub
parent a591e06ae5
commit 5f78691fcf
179 changed files with 524 additions and 362 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
cmd/sts-handlers.go
View File

@@ -36,8 +36,8 @@ import (
xhttp "github.com/minio/minio/internal/http"
"github.com/minio/minio/internal/logger"
"github.com/minio/mux"
"github.com/minio/pkg/v2/policy"
"github.com/minio/pkg/v2/wildcard"
"github.com/minio/pkg/v3/policy"
"github.com/minio/pkg/v3/wildcard"
)
const (
@@ -76,6 +76,8 @@ const (
// LDAP claim keys
ldapUser = "ldapUser" // this is a key name for a DN value
ldapUserN = "ldapUsername" // this is a key name for the short/login username
// Claim key-prefix for LDAP attributes
ldapAttribPrefix = "ldapAttrib_"
// Role Claim key
roleArnClaim = "roleArn"
@@ -668,12 +670,13 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
return
}
ldapUserDN, groupDistNames, err := globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword)
lookupResult, groupDistNames, err := globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword)
if err != nil {
err = fmt.Errorf("LDAP server error: %w", err)
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
return
}
ldapUserDN := lookupResult.NormDN
// Check if this user or their groups have a policy applied.
ldapPolicies, err := globalIAMSys.PolicyDBGet(ldapUserDN, groupDistNames...)
@@ -697,6 +700,10 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
claims[expClaim] = UTCNow().Add(expiryDur).Unix()
claims[ldapUser] = ldapUserDN
claims[ldapUserN] = ldapUsername
// Add lookup up LDAP attributes as claims.
for attrib, value := range lookupResult.Attributes {
claims[ldapAttribPrefix+attrib] = value
}
if len(sessionPolicyStr) > 0 {
claims[policy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))