diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index e324b8c46..42ef378fb 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -657,7 +657,7 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
// In case of LDAP we need to resolve the targetUser to a DN and
// query their groups:
- if globalLDAPConfig.Enabled {
+ if globalLDAPConfig.Enabled() {
opts.claims[ldapUserN] = targetUser // simple username
targetUser, targetGroups, err = globalLDAPConfig.LookupUserDN(targetUser)
if err != nil {
@@ -2086,7 +2086,7 @@ func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) {
// In case of LDAP we need to resolve the targetUser to a DN and
// query their groups:
- if globalLDAPConfig.Enabled {
+ if globalLDAPConfig.Enabled() {
opts.claims[ldapUserN] = svcAcctReq.AccessKey // simple username
targetUser, _, err := globalLDAPConfig.LookupUserDN(svcAcctReq.AccessKey)
if err != nil {
diff --git a/cmd/admin-handlers.go b/cmd/admin-handlers.go
index 25e8a0686..ec3f0dae8 100644
--- a/cmd/admin-handlers.go
+++ b/cmd/admin-handlers.go
@@ -1798,8 +1798,8 @@ func getServerInfo(ctx context.Context, r *http.Request) madmin.InfoMessage {
kmsStat := fetchKMSStatus()
ldap := madmin.LDAP{}
- if globalLDAPConfig.Enabled {
- ldapConn, err := globalLDAPConfig.Connect()
+ if globalLDAPConfig.Enabled() {
+ ldapConn, err := globalLDAPConfig.LDAP.Connect()
//nolint:gocritic
if err != nil {
ldap.Status = string(madmin.ItemOffline)
diff --git a/cmd/common-main.go b/cmd/common-main.go
index 48ee22a9d..556fc5542 100644
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -202,7 +202,7 @@ func minioConfigToConsoleFeatures() {
}
}
// Enable if LDAP is enabled.
- if globalLDAPConfig.Enabled {
+ if globalLDAPConfig.Enabled() {
os.Setenv("CONSOLE_LDAP_ENABLED", config.EnableOn)
}
os.Setenv("CONSOLE_MINIO_REGION", globalSite.Region)
diff --git a/cmd/config-current.go b/cmd/config-current.go
index 8404d7f42..0414ce3b7 100644
--- a/cmd/config-current.go
+++ b/cmd/config-current.go
@@ -335,12 +335,12 @@ func validateSubSysConfig(s config.Config, subSys string, objAPI ObjectLayer) er
return err
}
case config.IdentityLDAPSubSys:
- cfg, err := xldap.Lookup(s[config.IdentityLDAPSubSys][config.Default], globalRootCAs)
+ cfg, err := xldap.Lookup(s, globalRootCAs)
if err != nil {
return err
}
- if cfg.Enabled {
- conn, cerr := cfg.Connect()
+ if cfg.Enabled() {
+ conn, cerr := cfg.LDAP.Connect()
if cerr != nil {
return cerr
}
diff --git a/cmd/config-versions.go b/cmd/config-versions.go
index 370026f2e..5176adcc3 100644
--- a/cmd/config-versions.go
+++ b/cmd/config-versions.go
@@ -855,5 +855,5 @@ type serverConfigV33 struct {
// Add new external policy enforcements here.
} `json:"policy"`
- LDAPServerConfig xldap.Config `json:"ldapserverconfig"`
+ LDAPServerConfig xldap.LegacyConfig `json:"ldapserverconfig"`
}
diff --git a/cmd/iam.go b/cmd/iam.go
index 6c1c738a6..e7096f65a 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -163,7 +163,7 @@ func (sys *IAMSys) LoadServiceAccount(ctx context.Context, accessKey string) err
// initStore initializes IAM stores
func (sys *IAMSys) initStore(objAPI ObjectLayer, etcdClient *etcd.Client) {
- if sys.ldapConfig.Enabled {
+ if sys.ldapConfig.Enabled() {
sys.SetUsersSysType(LDAPUsersSysType)
}
@@ -222,8 +222,6 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
s := globalServerConfig
globalServerConfigMu.RUnlock()
- ldapCfg := s[config.IdentityLDAPSubSys][config.Default]
-
var err error
globalOpenIDConfig, err = openid.LookupConfig(s,
NewGatewayHTTPTransport(), xhttp.DrainBody, globalSite.Region)
@@ -232,7 +230,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
}
// Initialize if LDAP is enabled
- globalLDAPConfig, err = xldap.Lookup(ldapCfg, globalRootCAs)
+ globalLDAPConfig, err = xldap.Lookup(s, globalRootCAs)
if err != nil {
logger.LogIf(ctx, fmt.Errorf("Unable to parse LDAP configuration: %w", err))
}
@@ -347,7 +345,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
}
}
}()
- case sys.ldapConfig.Enabled:
+ case sys.ldapConfig.Enabled():
go func() {
timer := time.NewTimer(refreshInterval)
defer timer.Stop()
diff --git a/cmd/site-replication.go b/cmd/site-replication.go
index 274c42409..966c2ea53 100644
--- a/cmd/site-replication.go
+++ b/cmd/site-replication.go
@@ -577,11 +577,11 @@ func (c *SiteReplicationSys) PeerJoinReq(ctx context.Context, arg madmin.SRPeerJ
func (c *SiteReplicationSys) GetIDPSettings(ctx context.Context) madmin.IDPSettings {
s := madmin.IDPSettings{}
s.LDAP = madmin.LDAPSettings{
- IsLDAPEnabled: globalLDAPConfig.Enabled,
- LDAPUserDNSearchBase: globalLDAPConfig.UserDNSearchBaseDistName,
- LDAPUserDNSearchFilter: globalLDAPConfig.UserDNSearchFilter,
- LDAPGroupSearchBase: globalLDAPConfig.GroupSearchBaseDistName,
- LDAPGroupSearchFilter: globalLDAPConfig.GroupSearchFilter,
+ IsLDAPEnabled: globalLDAPConfig.Enabled(),
+ LDAPUserDNSearchBase: globalLDAPConfig.LDAP.UserDNSearchBaseDistName,
+ LDAPUserDNSearchFilter: globalLDAPConfig.LDAP.UserDNSearchFilter,
+ LDAPGroupSearchBase: globalLDAPConfig.LDAP.GroupSearchBaseDistName,
+ LDAPGroupSearchFilter: globalLDAPConfig.LDAP.GroupSearchFilter,
}
s.OpenID = globalOpenIDConfig.GetSettings()
if s.OpenID.Enabled {
diff --git a/go.mod b/go.mod
index af2777aaf..772ec9f7c 100644
--- a/go.mod
+++ b/go.mod
@@ -50,7 +50,7 @@ require (
github.com/minio/kes v0.21.0
github.com/minio/madmin-go v1.5.3
github.com/minio/minio-go/v7 v7.0.40-0.20220928095841-8848d8affe8a
- github.com/minio/pkg v1.4.5
+ github.com/minio/pkg v1.5.0
github.com/minio/selfupdate v0.5.0
github.com/minio/sha256-simd v1.0.0
github.com/minio/simdjson-go v0.4.2
diff --git a/go.sum b/go.sum
index 4ff64d057..36c79889c 100644
--- a/go.sum
+++ b/go.sum
@@ -662,8 +662,8 @@ github.com/minio/minio-go/v7 v7.0.23/go.mod h1:ei5JjmxwHaMrgsMrn4U/+Nmg+d8MKS1U2
github.com/minio/minio-go/v7 v7.0.40-0.20220928095841-8848d8affe8a h1:COFh7S3tOKmJNYtKKFAuHQFH7MAaXxg4aAluXC9KQgc=
github.com/minio/minio-go/v7 v7.0.40-0.20220928095841-8848d8affe8a/go.mod h1:nCrRzjoSUQh8hgKKtu3Y708OLvRLtuASMg2/nvmbarw=
github.com/minio/pkg v1.1.20/go.mod h1:Xo7LQshlxGa9shKwJ7NzQbgW4s8T/Wc1cOStR/eUiMY=
-github.com/minio/pkg v1.4.5 h1:XE3o8XWc+oQSs9LXLtImfRrAfxRfI3dq9tJ0PerhOk8=
-github.com/minio/pkg v1.4.5/go.mod h1:mxCLAG+fOGIQr6odQ5Ukqc6qv9Zj6v1d6TD3NP82B7Y=
+github.com/minio/pkg v1.5.0 h1:517jxphvCLSNE8vbctMY4avaRDZXiGT7lX+cXPXFb98=
+github.com/minio/pkg v1.5.0/go.mod h1:koF2J2Ep/zpd//k+3UYdh6ySZKjqzy9C6RCZRX7uRY8=
github.com/minio/selfupdate v0.5.0 h1:0UH1HlL49+2XByhovKl5FpYTjKfvrQ2sgL1zEXK6mfI=
github.com/minio/selfupdate v0.5.0/go.mod h1:mcDkzMgq8PRcpCRJo/NlPY7U45O5dfYl2Y0Rg7IustY=
github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
diff --git a/internal/config/config.go b/internal/config/config.go
index cd3d63780..09a959e61 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -1069,7 +1069,7 @@ func getEnvVarName(subSys, target, param string) string {
Default, target)
}
-var resolvableSubsystems = set.CreateStringSet(IdentityOpenIDSubSys)
+var resolvableSubsystems = set.CreateStringSet(IdentityOpenIDSubSys, IdentityLDAPSubSys)
// ValueSource represents the source of a config parameter value.
type ValueSource uint8
diff --git a/internal/config/identity/ldap/config-validator.go b/internal/config/identity/ldap/config-validator.go
deleted file mode 100644
index 6b5a71b10..000000000
--- a/internal/config/identity/ldap/config-validator.go
+++ /dev/null
@@ -1,271 +0,0 @@
-// Copyright (c) 2015-2022 MinIO, Inc.
-//
-// This file is part of MinIO Object Storage stack
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program. If not, see .
-
-package ldap
-
-import (
- "fmt"
- "strings"
-)
-
-// Result - type for high-level names for the validation status of the config.
-type Result string
-
-// Constant values for Result type.
-const (
- ConfigOk Result = "Config OK"
- ConnectivityError Result = "LDAP Server Connection Error"
- LookupBindError Result = "LDAP Lookup Bind Error"
- UserSearchParamsMisconfigured Result = "User Search Parameters Misconfigured"
- GroupSearchParamsMisconfigured Result = "Group Search Parameters Misconfigured"
- UserDNLookupError Result = "User DN Lookup Error"
- GroupMembershipsLookupError Result = "Group Memberships Lookup Error"
-)
-
-// Validation returns feedback on the configuration. The `Suggestion` field
-// needs to be "printed" for friendly display (it can contain escaped newlines
-// `\n`).
-type Validation struct {
- Result Result
- Detail string
- Suggestion string
- ErrCause error
-}
-
-// Error instance for Validation.
-func (v Validation) Error() string {
- if v.Result == ConfigOk {
- return ""
- }
- return fmt.Sprintf("%s: %s", string(v.Result), v.Detail)
-}
-
-// IsOk - returns if the validation succeeded.
-func (v Validation) IsOk() bool {
- return v.Result == ConfigOk
-}
-
-// UserLookupResult returns the DN found for the test user and their group
-// memberships.
-type UserLookupResult struct {
- DN string
- GroupDNMemberships []string
-}
-
-// Validate validates the LDAP configuration. It can be called with any subset
-// of configuration parameters provided by the user - it will return
-// information on what needs to be done to fix the problem if any.
-//
-// This function updates the UserDNSearchBaseDistNames and
-// GroupSearchBaseDistNames fields of the Config - however this an idempotent
-// operation. This is done to support configuration validation in Console/mc and
-// for tests.
-func (l *Config) Validate() Validation {
- if !l.Enabled {
- return Validation{Result: ConfigOk, Detail: "Config is not enabled"}
- }
-
- if l.ServerAddr == "" {
- return Validation{
- Result: ConnectivityError,
- Detail: "Address is empty",
- Suggestion: "Set a server address.",
- }
- }
-
- conn, err := l.Connect()
- if err != nil {
- return Validation{
- Result: ConnectivityError,
- Detail: fmt.Sprintf("Could not connect to LDAP server: %v", err),
- ErrCause: err,
- Suggestion: `Check:
- (1) server address
- (2) TLS parameters, and
- (3) LDAP server's TLS certificate is trusted by MinIO (when using TLS - highly recommended)`,
- }
- }
- defer conn.Close()
-
- if l.LookupBindDN == "" {
- return Validation{
- Result: LookupBindError,
- Detail: "Lookup Bind UserDN not specified",
- Suggestion: "Specify LDAP service account credentials for performing lookups.",
- }
- }
- if err := l.lookupBind(conn); err != nil {
- return Validation{
- Result: LookupBindError,
- ErrCause: err,
- Detail: fmt.Sprintf("Error connecting as LDAP Lookup Bind user: %v", err),
- Suggestion: "Check LDAP Lookup Bind user credentials and if user is allowed to login",
- }
- }
-
- // Validate User Lookup parameters
- if l.UserDNSearchBaseDistName == "" {
- return Validation{
- Result: UserSearchParamsMisconfigured,
- Detail: "UserDN search base is empty",
- Suggestion: "Set the UserDN search base to the DN of the directory subtree where users are present",
- }
- }
- l.UserDNSearchBaseDistNames = strings.Split(l.UserDNSearchBaseDistName, dnDelimiter)
-
- if l.UserDNSearchFilter == "" {
- return Validation{
- Result: UserSearchParamsMisconfigured,
- Detail: "UserDN search filter is empty",
- Suggestion: `Set the UserDN search filter template:
- Use "%s" - it will be replaced by the login user name and sent to the LDAP server.
- For example: "(uid=%s)"`,
- }
- }
- if strings.Contains(l.UserDNSearchFilter, "%d") {
- return Validation{
- Result: UserSearchParamsMisconfigured,
- Detail: "User DN search filter contains `%d`",
- Suggestion: `User DN search filter is a template where "%s" is replaced by the login username.
- "%d" is not supported here.
- Please provide a search filter containing "%s"`,
- }
- }
- if !strings.Contains(l.UserDNSearchFilter, "%s") {
- return Validation{
- Result: UserSearchParamsMisconfigured,
- Detail: "User DN search filter does not contain `%s`",
- Suggestion: `During login, the user's DN is looked up using the search filter template:
- "%s" gets replaced by the given username - it must be used.
- Enter an LDAP search filter containing "%s"`,
- }
- }
-
- // If group lookup is not configured, it's ok.
- if l.GroupSearchBaseDistName != "" || l.GroupSearchFilter != "" {
-
- // Validate Group Search parameters as they are given.
- if l.GroupSearchBaseDistName == "" {
- return Validation{
- Result: GroupSearchParamsMisconfigured,
- Detail: "Group Search Base DN is required.",
- Suggestion: `Since you entered a value for the Group Search Filter - enter a value for the Group Search Base DN too:
- Enter this value as the DN of the subtree where groups will be found.`,
- }
- }
- l.GroupSearchBaseDistNames = strings.Split(l.GroupSearchBaseDistName, dnDelimiter)
-
- if l.GroupSearchFilter == "" {
- return Validation{
- Result: GroupSearchParamsMisconfigured,
- Detail: "Group Search Filter is required.",
- Suggestion: `Since you entered a value for the Group Search Base DN - enter a value for the Group Search Filter too. This is a template where, before the query is sent to the server:
- "%s" is replaced with the login username;
- "%d" is replaced with the DN of the login user.
- For example: "(&(objectclass=groupOfNames)(memberUid=%s))"`,
- }
- }
-
- if !strings.Contains(l.GroupSearchFilter, "%d") && !strings.Contains(l.GroupSearchFilter, "%s") {
- return Validation{
- Result: GroupSearchParamsMisconfigured,
- Detail: `GroupSearchFilter must contain at least one of "%s" or "%d"`,
- Suggestion: `During group membership lookup the group search filter template is used:
- "%s" gets replaced by the given username, and
- "%d" gets replaced by the user's DN.
- Either one is needed to find only groups that the user is a member of.
- Enter an LDAP search filter template using at least one of these.`,
- }
- }
- }
-
- return Validation{
- Result: ConfigOk,
- }
-}
-
-// ValidateLookup takes a test username and performs user and group lookup (if
-// configured) and returns the result. It is to validate the LDAP configuration.
-// The lookup is performed without requiring the password for the test user -
-// and so can be used to test any LDAP user intending to use MinIO.
-func (l *Config) ValidateLookup(testUsername string) (*UserLookupResult, Validation) {
- if testUsername == "" {
- return nil, Validation{
- Result: UserDNLookupError,
- Detail: "Provided username is empty",
- }
- }
-
- if r := l.Validate(); !r.IsOk() {
- return nil, r
- }
-
- conn, err := l.Connect()
- if err != nil {
- return nil, Validation{
- Result: ConnectivityError,
- Detail: fmt.Sprintf("Could not connect to LDAP server: %v", err),
- ErrCause: err,
- Suggestion: `Check:
- (1) server address
- (2) TLS parameters, and
- (3) LDAP server's TLS certificate is trusted by MinIO (when using TLS - highly recommended)`,
- }
- }
- defer conn.Close()
-
- if err := l.lookupBind(conn); err != nil {
- return nil, Validation{
- Result: LookupBindError,
- ErrCause: err,
- Detail: fmt.Sprintf("Error connecting as LDAP Lookup Bind user: %v", err),
- Suggestion: "Check LDAP Lookup Bind user credentials and if user is allowed to login",
- }
- }
-
- // Lookup the given username.
- dn, err := l.lookupUserDN(conn, testUsername)
- if err != nil {
- return nil, Validation{
- Result: UserDNLookupError,
- Detail: fmt.Sprintf("Got an error when looking up user (%s) DN: %v", testUsername, err),
- ErrCause: err,
- Suggestion: `Check if this is a temporary error and try again.
- Perhaps there is an error in the user search filter or user search base DN.`,
- }
- }
-
- // Lookup groups.
- groups, err := l.searchForUserGroups(conn, testUsername, dn)
- if err != nil {
- return nil, Validation{
- Result: GroupMembershipsLookupError,
- Detail: fmt.Sprintf("Got an error when looking up groups for user(=>%s, dn=>%s): %v", testUsername, dn, err),
- ErrCause: err,
- Suggestion: `Check if this is a temporary error and try again.
- Perhaps there is an error in the group search filter or group search base DN.`,
- }
- }
-
- return &UserLookupResult{
- DN: dn,
- GroupDNMemberships: groups,
- }, Validation{
- Result: ConfigOk,
- Detail: "User lookup done.",
- }
-}
diff --git a/internal/config/identity/ldap/config-validator_test.go b/internal/config/identity/ldap/config-validator_test.go
deleted file mode 100644
index 26f7d2866..000000000
--- a/internal/config/identity/ldap/config-validator_test.go
+++ /dev/null
@@ -1,189 +0,0 @@
-// Copyright (c) 2015-2022 MinIO, Inc.
-//
-// This file is part of MinIO Object Storage stack
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program. If not, see .
-
-package ldap
-
-import (
- "fmt"
- "os"
- "testing"
-
- "github.com/minio/minio-go/v7/pkg/set"
-)
-
-const (
- EnvTestLDAPServer = "LDAP_TEST_SERVER"
-)
-
-func TestConfigValidator(t *testing.T) {
- ldapServer := os.Getenv(EnvTestLDAPServer)
- if ldapServer == "" {
- t.Skip()
- }
- testCases := []struct {
- cfg Config
- expectedResult Result
- }{
- {
- cfg: func() Config {
- v := Config{Enabled: true}
- return v
- }(),
- expectedResult: ConnectivityError,
- },
- {
- cfg: func() Config {
- v := Config{Enabled: true}
- v.ServerAddr = ldapServer
- return v
- }(),
- expectedResult: ConnectivityError,
- },
- {
- cfg: func() Config {
- v := Config{Enabled: true}
- v.ServerAddr = ldapServer
- v.serverInsecure = true
- return v
- }(),
- expectedResult: LookupBindError,
- },
- {
- cfg: func() Config {
- v := Config{Enabled: true}
- v.ServerAddr = ldapServer
- v.serverInsecure = true
- v.LookupBindDN = "cn=admin,dc=min,dc=io"
- v.LookupBindPassword = "admin1"
- return v
- }(),
- expectedResult: LookupBindError,
- },
- { // Case 4
- cfg: func() Config {
- v := Config{Enabled: true}
- v.ServerAddr = ldapServer
- v.serverInsecure = true
- v.LookupBindDN = "cn=admin,dc=min,dc=io"
- v.LookupBindPassword = "admin"
- return v
- }(),
- expectedResult: UserSearchParamsMisconfigured,
- },
- {
- cfg: func() Config {
- v := Config{Enabled: true}
- v.ServerAddr = ldapServer
- v.serverInsecure = true
- v.LookupBindDN = "cn=admin,dc=min,dc=io"
- v.LookupBindPassword = "admin"
- v.UserDNSearchFilter = "(uid=x)"
- v.UserDNSearchBaseDistName = "dc=min,dc=io"
- return v
- }(),
- expectedResult: UserSearchParamsMisconfigured,
- },
- {
- cfg: func() Config {
- v := Config{Enabled: true}
- v.ServerAddr = ldapServer
- v.serverInsecure = true
- v.LookupBindDN = "cn=admin,dc=min,dc=io"
- v.LookupBindPassword = "admin"
- v.UserDNSearchFilter = "(uid=%s)"
- v.UserDNSearchBaseDistName = "dc=min,dc=io"
- return v
- }(),
- expectedResult: ConfigOk,
- },
- { // Case 7
- cfg: func() Config {
- v := Config{Enabled: true}
- v.ServerAddr = ldapServer
- v.serverInsecure = true
- v.LookupBindDN = "cn=admin,dc=min,dc=io"
- v.LookupBindPassword = "admin"
- v.UserDNSearchFilter = "(uid=%s)"
- v.UserDNSearchBaseDistName = "dc=min,dc=io"
- v.GroupSearchBaseDistName = "ou=swengg,dc=min,dc=io"
- v.GroupSearchFilter = "(&(objectclass=groupofnames)(member=x))"
- return v
- }(),
- expectedResult: GroupSearchParamsMisconfigured,
- },
- {
- cfg: func() Config {
- v := Config{Enabled: true}
- v.ServerAddr = ldapServer
- v.serverInsecure = true
- v.LookupBindDN = "cn=admin,dc=min,dc=io"
- v.LookupBindPassword = "admin"
- v.UserDNSearchFilter = "(uid=%s)"
- v.UserDNSearchBaseDistName = "dc=min,dc=io"
- v.GroupSearchFilter = "(&(objectclass=groupofnames)(member=x))"
- return v
- }(),
- expectedResult: GroupSearchParamsMisconfigured,
- },
- { // Case 9
- cfg: func() Config {
- v := Config{Enabled: true}
- v.ServerAddr = ldapServer
- v.serverInsecure = true
- v.LookupBindDN = "cn=admin,dc=min,dc=io"
- v.LookupBindPassword = "admin"
- v.UserDNSearchFilter = "(uid=%s)"
- v.UserDNSearchBaseDistName = "dc=min,dc=io"
- v.GroupSearchBaseDistName = "ou=swengg,dc=min,dc=io"
- v.GroupSearchFilter = "(&(objectclass=groupofnames)(member=%d))"
- return v
- }(),
- expectedResult: ConfigOk,
- },
- }
-
- expectedDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
- expectedGroups := set.CreateStringSet(
- "cn=projecta,ou=groups,ou=swengg,dc=min,dc=io",
- "cn=projectb,ou=groups,ou=swengg,dc=min,dc=io",
- )
-
- for i, test := range testCases {
- result := test.cfg.Validate()
- if result.Result != test.expectedResult {
- fmt.Printf("Result: %#v\n", result)
- t.Fatalf("Case %d: Got `%s` expected `%s`", i, result.Result, string(test.expectedResult))
- }
- if result.IsOk() {
- lookupResult, validationResult := test.cfg.ValidateLookup("dillon")
- if !validationResult.IsOk() {
- t.Fatalf("Case %d: Got unexpected validation failure: %#v\n", i, validationResult)
- }
- if lookupResult.DN != expectedDN {
- t.Fatalf("Case %d: Got unexpected DN: %v", i, lookupResult.DN)
- }
-
- if test.cfg.GroupSearchFilter == "" {
- continue
- }
-
- if !set.CreateStringSet(lookupResult.GroupDNMemberships...).Equals(expectedGroups) {
- t.Fatalf("Case %d: Got unexpected groups: %v", i, lookupResult.GroupDNMemberships)
- }
- }
- }
-}
diff --git a/internal/config/identity/ldap/config.go b/internal/config/identity/ldap/config.go
index ae3034d28..1f48cf377 100644
--- a/internal/config/identity/ldap/config.go
+++ b/internal/config/identity/ldap/config.go
@@ -22,44 +22,26 @@ import (
"time"
"github.com/minio/minio/internal/config"
- "github.com/minio/pkg/env"
+ "github.com/minio/pkg/ldap"
)
const (
defaultLDAPExpiry = time.Hour * 1
- dnDelimiter = ";"
-
minLDAPExpiry time.Duration = 15 * time.Minute
maxLDAPExpiry time.Duration = 365 * 24 * time.Hour
)
// Config contains AD/LDAP server connectivity information.
type Config struct {
- Enabled bool `json:"enabled"`
-
- // E.g. "ldap.minio.io:636"
- ServerAddr string `json:"serverAddr"`
-
- // User DN search parameters
- UserDNSearchBaseDistName string `json:"userDNSearchBaseDN"`
- UserDNSearchBaseDistNames []string `json:"-"` // Generated field
- UserDNSearchFilter string `json:"userDNSearchFilter"`
-
- // Group search parameters
- GroupSearchBaseDistName string `json:"groupSearchBaseDN"`
- GroupSearchBaseDistNames []string `json:"-"` // Generated field
- GroupSearchFilter string `json:"groupSearchFilter"`
-
- // Lookup bind LDAP service account
- LookupBindDN string `json:"lookupBindDN"`
- LookupBindPassword string `json:"lookupBindPassword"`
+ LDAP ldap.Config
stsExpiryDuration time.Duration // contains converted value
- tlsSkipVerify bool // allows skipping TLS verification
- serverInsecure bool // allows plain text connection to LDAP server
- serverStartTLS bool // allows using StartTLS connection to LDAP server
- rootCAs *x509.CertPool
+}
+
+// Enabled returns if LDAP is enabled.
+func (l *Config) Enabled() bool {
+ return l.LDAP.Enabled
}
// Clone returns a cloned copy of LDAP config.
@@ -68,21 +50,8 @@ func (l *Config) Clone() Config {
return Config{}
}
cfg := Config{
- Enabled: l.Enabled,
- ServerAddr: l.ServerAddr,
- UserDNSearchBaseDistName: l.UserDNSearchBaseDistName,
- UserDNSearchBaseDistNames: l.UserDNSearchBaseDistNames,
- UserDNSearchFilter: l.UserDNSearchFilter,
- GroupSearchBaseDistName: l.GroupSearchBaseDistName,
- GroupSearchBaseDistNames: l.GroupSearchBaseDistNames,
- GroupSearchFilter: l.GroupSearchFilter,
- LookupBindDN: l.LookupBindDN,
- LookupBindPassword: l.LookupBindPassword,
- stsExpiryDuration: l.stsExpiryDuration,
- tlsSkipVerify: l.tlsSkipVerify,
- serverInsecure: l.serverInsecure,
- serverStartTLS: l.serverStartTLS,
- rootCAs: l.rootCAs,
+ LDAP: l.LDAP.Clone(),
+ stsExpiryDuration: l.stsExpiryDuration,
}
return cfg
}
@@ -173,61 +142,74 @@ func Enabled(kvs config.KVS) bool {
}
// Lookup - initializes LDAP config, overrides config, if any ENV values are set.
-func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error) {
+func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) {
l = Config{}
// Purge all removed keys first
- for _, k := range removedKeys {
- kvs.Delete(k)
+ kvs := s[config.IdentityLDAPSubSys][config.Default]
+ if len(kvs) > 0 {
+ for _, k := range removedKeys {
+ kvs.Delete(k)
+ }
+ s[config.IdentityLDAPSubSys][config.Default] = kvs
}
- if err = config.CheckValidKeys(config.IdentityLDAPSubSys, kvs, DefaultKVS); err != nil {
+ if err := s.CheckValidKeys(config.IdentityLDAPSubSys, removedKeys); err != nil {
return l, err
}
- ldapServer := env.Get(EnvServerAddr, kvs.Get(ServerAddr))
+ getCfgVal := func(cfgParam string) string {
+ // As parameters are already validated, we skip checking
+ // if the config param was found.
+ val, _ := s.ResolveConfigParam(config.IdentityLDAPSubSys, config.Default, cfgParam)
+ return val
+ }
+
+ ldapServer := getCfgVal(ServerAddr)
if ldapServer == "" {
return l, nil
}
- l.Enabled = true
- l.rootCAs = rootCAs
- l.ServerAddr = ldapServer
+ l.LDAP = ldap.Config{
+ Enabled: true,
+ RootCAs: rootCAs,
+ ServerAddr: ldapServer,
+ }
l.stsExpiryDuration = defaultLDAPExpiry
// LDAP connection configuration
- if v := env.Get(EnvServerInsecure, kvs.Get(ServerInsecure)); v != "" {
- l.serverInsecure, err = config.ParseBool(v)
+ if v := getCfgVal(ServerInsecure); v != "" {
+ l.LDAP.ServerInsecure, err = config.ParseBool(v)
if err != nil {
return l, err
}
}
- if v := env.Get(EnvServerStartTLS, kvs.Get(ServerStartTLS)); v != "" {
- l.serverStartTLS, err = config.ParseBool(v)
+ if v := getCfgVal(ServerStartTLS); v != "" {
+ l.LDAP.ServerStartTLS, err = config.ParseBool(v)
if err != nil {
return l, err
}
}
- if v := env.Get(EnvTLSSkipVerify, kvs.Get(TLSSkipVerify)); v != "" {
- l.tlsSkipVerify, err = config.ParseBool(v)
+ if v := getCfgVal(TLSSkipVerify); v != "" {
+ l.LDAP.TLSSkipVerify, err = config.ParseBool(v)
if err != nil {
return l, err
}
}
// Lookup bind user configuration
- l.LookupBindDN = env.Get(EnvLookupBindDN, kvs.Get(LookupBindDN))
- l.LookupBindPassword = env.Get(EnvLookupBindPassword, kvs.Get(LookupBindPassword))
+ l.LDAP.LookupBindDN = getCfgVal(LookupBindDN)
+ l.LDAP.LookupBindPassword = getCfgVal(LookupBindPassword)
// User DN search configuration
- l.UserDNSearchFilter = env.Get(EnvUserDNSearchFilter, kvs.Get(UserDNSearchFilter))
- l.UserDNSearchBaseDistName = env.Get(EnvUserDNSearchBaseDN, kvs.Get(UserDNSearchBaseDN))
+ l.LDAP.UserDNSearchFilter = getCfgVal(UserDNSearchFilter)
+ l.LDAP.UserDNSearchBaseDistName = getCfgVal(UserDNSearchBaseDN)
// Group search params configuration
- l.GroupSearchFilter = env.Get(EnvGroupSearchFilter, kvs.Get(GroupSearchFilter))
- l.GroupSearchBaseDistName = env.Get(EnvGroupSearchBaseDN, kvs.Get(GroupSearchBaseDN))
+ l.LDAP.GroupSearchFilter = getCfgVal(GroupSearchFilter)
+ l.LDAP.GroupSearchBaseDistName = getCfgVal(GroupSearchBaseDN)
// Validate and test configuration.
- valResult := l.Validate()
+ valResult := l.LDAP.Validate()
if !valResult.IsOk() {
return l, valResult
}
diff --git a/internal/config/identity/ldap/ldap.go b/internal/config/identity/ldap/ldap.go
index 4421e96ad..18c8890a5 100644
--- a/internal/config/identity/ldap/ldap.go
+++ b/internal/config/identity/ldap/ldap.go
@@ -18,10 +18,7 @@
package ldap
import (
- "crypto/tls"
- "errors"
"fmt"
- "net"
"strconv"
"strings"
"time"
@@ -31,121 +28,27 @@ import (
"github.com/minio/minio/internal/auth"
)
-func getGroups(conn *ldap.Conn, sreq *ldap.SearchRequest) ([]string, error) {
- var groups []string
- sres, err := conn.Search(sreq)
- if err != nil {
- // Check if there is no matching result and return empty slice.
- // Ref: https://ldap.com/ldap-result-code-reference/
- if ldap.IsErrorWithCode(err, 32) {
- return nil, nil
- }
- return nil, err
- }
- for _, entry := range sres.Entries {
- // We only queried one attribute,
- // so we only look up the first one.
- groups = append(groups, entry.DN)
- }
- return groups, nil
-}
-
-func (l *Config) lookupBind(conn *ldap.Conn) error {
- var err error
- if l.LookupBindPassword == "" {
- err = conn.UnauthenticatedBind(l.LookupBindDN)
- } else {
- err = conn.Bind(l.LookupBindDN, l.LookupBindPassword)
- }
- if ldap.IsErrorWithCode(err, 49) {
- return fmt.Errorf("LDAP Lookup Bind user invalid credentials error: %w", err)
- }
- return err
-}
-
-// lookupUserDN searches for the DN of the user given their username. conn is
-// assumed to be using the lookup bind service account. It is required that the
-// search result in at most one result.
-func (l *Config) lookupUserDN(conn *ldap.Conn, username string) (string, error) {
- filter := strings.ReplaceAll(l.UserDNSearchFilter, "%s", ldap.EscapeFilter(username))
- var foundDistNames []string
- for _, userSearchBase := range l.UserDNSearchBaseDistNames {
- searchRequest := ldap.NewSearchRequest(
- userSearchBase,
- ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
- filter,
- []string{}, // only need DN, so no pass no attributes here
- nil,
- )
-
- searchResult, err := conn.Search(searchRequest)
- if err != nil {
- return "", err
- }
-
- for _, entry := range searchResult.Entries {
- foundDistNames = append(foundDistNames, entry.DN)
- }
- }
- if len(foundDistNames) == 0 {
- return "", fmt.Errorf("User DN for %s not found", username)
- }
- if len(foundDistNames) != 1 {
- return "", fmt.Errorf("Multiple DNs for %s found - please fix the search filter", username)
- }
- return foundDistNames[0], nil
-}
-
-func (l *Config) searchForUserGroups(conn *ldap.Conn, username, bindDN string) ([]string, error) {
- // User groups lookup.
- var groups []string
- if l.GroupSearchFilter != "" {
- for _, groupSearchBase := range l.GroupSearchBaseDistNames {
- filter := strings.ReplaceAll(l.GroupSearchFilter, "%s", ldap.EscapeFilter(username))
- filter = strings.ReplaceAll(filter, "%d", ldap.EscapeFilter(bindDN))
- searchRequest := ldap.NewSearchRequest(
- groupSearchBase,
- ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
- filter,
- nil,
- nil,
- )
-
- var newGroups []string
- newGroups, err := getGroups(conn, searchRequest)
- if err != nil {
- errRet := fmt.Errorf("Error finding groups of %s: %w", bindDN, err)
- return nil, errRet
- }
-
- groups = append(groups, newGroups...)
- }
- }
-
- return groups, nil
-}
-
// LookupUserDN searches for the full DN and groups of a given username
func (l *Config) LookupUserDN(username string) (string, []string, error) {
- conn, err := l.Connect()
+ conn, err := l.LDAP.Connect()
if err != nil {
return "", nil, err
}
defer conn.Close()
// Bind to the lookup user account
- if err = l.lookupBind(conn); err != nil {
+ if err = l.LDAP.LookupBind(conn); err != nil {
return "", nil, err
}
// Lookup user DN
- bindDN, err := l.lookupUserDN(conn, username)
+ bindDN, err := l.LDAP.LookupUserDN(conn, username)
if err != nil {
errRet := fmt.Errorf("Unable to find user DN: %w", err)
return "", nil, errRet
}
- groups, err := l.searchForUserGroups(conn, username, bindDN)
+ groups, err := l.LDAP.SearchForUserGroups(conn, username, bindDN)
if err != nil {
return "", nil, err
}
@@ -156,7 +59,7 @@ func (l *Config) LookupUserDN(username string) (string, []string, error) {
// Bind - binds to ldap, searches LDAP and returns the distinguished name of the
// user and the list of groups.
func (l *Config) Bind(username, password string) (string, []string, error) {
- conn, err := l.Connect()
+ conn, err := l.LDAP.Connect()
if err != nil {
return "", nil, err
}
@@ -164,12 +67,12 @@ func (l *Config) Bind(username, password string) (string, []string, error) {
var bindDN string
// Bind to the lookup user account
- if err = l.lookupBind(conn); err != nil {
+ if err = l.LDAP.LookupBind(conn); err != nil {
return "", nil, err
}
// Lookup user DN
- bindDN, err = l.lookupUserDN(conn, username)
+ bindDN, err = l.LDAP.LookupUserDN(conn, username)
if err != nil {
errRet := fmt.Errorf("Unable to find user DN: %w", err)
return "", nil, errRet
@@ -183,12 +86,12 @@ func (l *Config) Bind(username, password string) (string, []string, error) {
}
// Bind to the lookup user account again to perform group search.
- if err = l.lookupBind(conn); err != nil {
+ if err = l.LDAP.LookupBind(conn); err != nil {
return "", nil, err
}
// User groups lookup.
- groups, err := l.searchForUserGroups(conn, username, bindDN)
+ groups, err := l.LDAP.SearchForUserGroups(conn, username, bindDN)
if err != nil {
return "", nil, err
}
@@ -196,43 +99,6 @@ func (l *Config) Bind(username, password string) (string, []string, error) {
return bindDN, groups, nil
}
-// Connect connect to ldap server.
-func (l *Config) Connect() (ldapConn *ldap.Conn, err error) {
- if l == nil {
- return nil, errors.New("LDAP is not configured")
- }
-
- _, _, err = net.SplitHostPort(l.ServerAddr)
- if err != nil {
- // User default LDAP port if none specified "636"
- l.ServerAddr = net.JoinHostPort(l.ServerAddr, "636")
- }
-
- tlsConfig := &tls.Config{
- InsecureSkipVerify: l.tlsSkipVerify,
- RootCAs: l.rootCAs,
- }
-
- if l.serverInsecure {
- ldapConn, err = ldap.Dial("tcp", l.ServerAddr)
- } else {
- if l.serverStartTLS {
- ldapConn, err = ldap.Dial("tcp", l.ServerAddr)
- } else {
- ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, tlsConfig)
- }
- }
-
- if ldapConn != nil {
- ldapConn.SetTimeout(30 * time.Second) // Change default timeout to 30 seconds.
- if l.serverStartTLS {
- err = ldapConn.StartTLS(tlsConfig)
- }
- }
-
- return ldapConn, err
-}
-
// GetExpiryDuration - return parsed expiry duration.
func (l Config) GetExpiryDuration(dsecs string) (time.Duration, error) {
if dsecs == "" {
@@ -254,7 +120,7 @@ func (l Config) GetExpiryDuration(dsecs string) (time.Duration, error) {
// IsLDAPUserDN determines if the given string could be a user DN from LDAP.
func (l Config) IsLDAPUserDN(user string) bool {
- for _, baseDN := range l.UserDNSearchBaseDistNames {
+ for _, baseDN := range l.LDAP.UserDNSearchBaseDistNames {
if strings.HasSuffix(user, ","+baseDN) {
return true
}
@@ -265,19 +131,19 @@ func (l Config) IsLDAPUserDN(user string) bool {
// GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer
// present in the LDAP server or do not meet filter criteria anymore
func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error) {
- conn, err := l.Connect()
+ conn, err := l.LDAP.Connect()
if err != nil {
return nil, err
}
defer conn.Close()
// Bind to the lookup user account
- if err = l.lookupBind(conn); err != nil {
+ if err = l.LDAP.LookupBind(conn); err != nil {
return nil, err
}
// Evaluate the filter again with generic wildcard instead of specific values
- filter := strings.ReplaceAll(l.UserDNSearchFilter, "%s", "*")
+ filter := strings.ReplaceAll(l.LDAP.UserDNSearchFilter, "%s", "*")
nonExistentUsers := []string{}
for _, dn := range userDistNames {
@@ -310,21 +176,21 @@ func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string,
// LookupGroupMemberships - for each DN finds the set of LDAP groups they are a
// member of.
func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsernameMap map[string]string) (map[string]set.StringSet, error) {
- conn, err := l.Connect()
+ conn, err := l.LDAP.Connect()
if err != nil {
return nil, err
}
defer conn.Close()
// Bind to the lookup user account
- if err = l.lookupBind(conn); err != nil {
+ if err = l.LDAP.LookupBind(conn); err != nil {
return nil, err
}
res := make(map[string]set.StringSet, len(userDistNames))
for _, userDistName := range userDistNames {
username := userDNToUsernameMap[userDistName]
- groups, err := l.searchForUserGroups(conn, username, userDistName)
+ groups, err := l.LDAP.SearchForUserGroups(conn, username, userDistName)
if err != nil {
return nil, err
}
diff --git a/internal/config/identity/ldap/legacy.go b/internal/config/identity/ldap/legacy.go
index 8b98bc789..13fe4f9c0 100644
--- a/internal/config/identity/ldap/legacy.go
+++ b/internal/config/identity/ldap/legacy.go
@@ -17,10 +17,35 @@
package ldap
-import "github.com/minio/minio/internal/config"
+import (
+ "github.com/minio/minio/internal/config"
+)
+
+// LegacyConfig contains AD/LDAP server connectivity information from old config
+// V33.
+type LegacyConfig struct {
+ Enabled bool `json:"enabled"`
+
+ // E.g. "ldap.minio.io:636"
+ ServerAddr string `json:"serverAddr"`
+
+ // User DN search parameters
+ UserDNSearchBaseDistName string `json:"userDNSearchBaseDN"`
+ UserDNSearchBaseDistNames []string `json:"-"` // Generated field
+ UserDNSearchFilter string `json:"userDNSearchFilter"`
+
+ // Group search parameters
+ GroupSearchBaseDistName string `json:"groupSearchBaseDN"`
+ GroupSearchBaseDistNames []string `json:"-"` // Generated field
+ GroupSearchFilter string `json:"groupSearchFilter"`
+
+ // Lookup bind LDAP service account
+ LookupBindDN string `json:"lookupBindDN"`
+ LookupBindPassword string `json:"lookupBindPassword"`
+}
// SetIdentityLDAP - One time migration code needed, for migrating from older config to new for LDAPConfig.
-func SetIdentityLDAP(s config.Config, ldapArgs Config) {
+func SetIdentityLDAP(s config.Config, ldapArgs LegacyConfig) {
if !ldapArgs.Enabled {
// ldap not enabled no need to preserve it in new settings.
return