fix: IAM LDAP access key import bug (#19608)

When importing access keys (i.e. service accounts) for LDAP accounts, we are requiring groups to exist under one of the configured group base DNs. This is not correct. This change fixes this by only checking for existence and storing the normalized form of the group DN - we do not return an error if the group is not under a base DN. Test is updated to illustrate an import failure that would happen without this change.
2025-11-07 12:52:58 -05:00 · 2024-04-25 08:50:16 -07:00
parent 3212d0c8cd
commit 62c3cdee75
6 changed files with 62 additions and 38 deletions
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
@@ -829,12 +829,14 @@ func TestIAMImportAssetWithLDAP(t *testing.T) {
  }
 }
 `,
+		// The `cn=projecty,..` group below is not under a configured DN, but we
+		// should still import without an error.
 		allSvcAcctsFile: `{
    "u4ccRswj62HV3Ifwima7": {
        "parent": "uid=svc.algorithm,OU=swengg,DC=min,DC=io",
        "accessKey": "u4ccRswj62HV3Ifwima7",
        "secretKey": "ZoEoZdLlzVbOlT9rbhD7ZN7TLyiYXSAlB79uGEge",
-        "groups": ["cn=project.c,ou=groups,OU=swengg,DC=min,DC=io"],
+        "groups": ["cn=project.c,ou=groups,OU=swengg,DC=min,DC=io", "cn=projecty,ou=groups,ou=hwengg,dc=min,dc=io"],
        "claims": {
            "accessKey": "u4ccRswj62HV3Ifwima7",
            "ldapUser": "uid=svc.algorithm,ou=swengg,dc=min,dc=io",