MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-10 05:59:43 -05:00
Code Issues Packages Projects Releases Wiki Activity

use LDAP config from minio/pkg to share with console (#15810)

Browse Source
This commit is contained in:
Aditya Manthramurthy
2022-10-07 22:12:36 -07:00
committed by GitHub
parent 927a879052
commit 64cf887b28
15 changed files with 107 additions and 696 deletions
Download Patch File Download Diff File Expand all files Collapse all files

166
internal/config/identity/ldap/ldap.go
View File

@@ -18,10 +18,7 @@
package ldap
import (
"crypto/tls"
"errors"
"fmt"
"net"
"strconv"
"strings"
"time"
@@ -31,121 +28,27 @@ import (
"github.com/minio/minio/internal/auth"
)
func getGroups(conn *ldap.Conn, sreq *ldap.SearchRequest) ([]string, error) {
var groups []string
sres, err := conn.Search(sreq)
if err != nil {
// Check if there is no matching result and return empty slice.
// Ref: https://ldap.com/ldap-result-code-reference/
if ldap.IsErrorWithCode(err, 32) {
return nil, nil
}
return nil, err
}
for _, entry := range sres.Entries {
// We only queried one attribute,
// so we only look up the first one.
groups = append(groups, entry.DN)
}
return groups, nil
}
func (l *Config) lookupBind(conn *ldap.Conn) error {
var err error
if l.LookupBindPassword == "" {
err = conn.UnauthenticatedBind(l.LookupBindDN)
} else {
err = conn.Bind(l.LookupBindDN, l.LookupBindPassword)
}
if ldap.IsErrorWithCode(err, 49) {
return fmt.Errorf("LDAP Lookup Bind user invalid credentials error: %w", err)
}
return err
}
// lookupUserDN searches for the DN of the user given their username. conn is
// assumed to be using the lookup bind service account. It is required that the
// search result in at most one result.
func (l *Config) lookupUserDN(conn *ldap.Conn, username string) (string, error) {
filter := strings.ReplaceAll(l.UserDNSearchFilter, "%s", ldap.EscapeFilter(username))
var foundDistNames []string
for _, userSearchBase := range l.UserDNSearchBaseDistNames {
searchRequest := ldap.NewSearchRequest(
userSearchBase,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
filter,
[]string{}, // only need DN, so no pass no attributes here
nil,
)
searchResult, err := conn.Search(searchRequest)
if err != nil {
return "", err
}
for _, entry := range searchResult.Entries {
foundDistNames = append(foundDistNames, entry.DN)
}
}
if len(foundDistNames) == 0 {
return "", fmt.Errorf("User DN for %s not found", username)
}
if len(foundDistNames) != 1 {
return "", fmt.Errorf("Multiple DNs for %s found - please fix the search filter", username)
}
return foundDistNames[0], nil
}
func (l *Config) searchForUserGroups(conn *ldap.Conn, username, bindDN string) ([]string, error) {
// User groups lookup.
var groups []string
if l.GroupSearchFilter != "" {
for _, groupSearchBase := range l.GroupSearchBaseDistNames {
filter := strings.ReplaceAll(l.GroupSearchFilter, "%s", ldap.EscapeFilter(username))
filter = strings.ReplaceAll(filter, "%d", ldap.EscapeFilter(bindDN))
searchRequest := ldap.NewSearchRequest(
groupSearchBase,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
filter,
nil,
nil,
)
var newGroups []string
newGroups, err := getGroups(conn, searchRequest)
if err != nil {
errRet := fmt.Errorf("Error finding groups of %s: %w", bindDN, err)
return nil, errRet
}
groups = append(groups, newGroups...)
}
}
return groups, nil
}
// LookupUserDN searches for the full DN and groups of a given username
func (l *Config) LookupUserDN(username string) (string, []string, error) {
conn, err := l.Connect()
conn, err := l.LDAP.Connect()
if err != nil {
return "", nil, err
}
defer conn.Close()
// Bind to the lookup user account
if err = l.lookupBind(conn); err != nil {
if err = l.LDAP.LookupBind(conn); err != nil {
return "", nil, err
}
// Lookup user DN
bindDN, err := l.lookupUserDN(conn, username)
bindDN, err := l.LDAP.LookupUserDN(conn, username)
if err != nil {
errRet := fmt.Errorf("Unable to find user DN: %w", err)
return "", nil, errRet
}
groups, err := l.searchForUserGroups(conn, username, bindDN)
groups, err := l.LDAP.SearchForUserGroups(conn, username, bindDN)
if err != nil {
return "", nil, err
}
@@ -156,7 +59,7 @@ func (l *Config) LookupUserDN(username string) (string, []string, error) {
// Bind - binds to ldap, searches LDAP and returns the distinguished name of the
// user and the list of groups.
func (l *Config) Bind(username, password string) (string, []string, error) {
conn, err := l.Connect()
conn, err := l.LDAP.Connect()
if err != nil {
return "", nil, err
}
@@ -164,12 +67,12 @@ func (l *Config) Bind(username, password string) (string, []string, error) {
var bindDN string
// Bind to the lookup user account
if err = l.lookupBind(conn); err != nil {
if err = l.LDAP.LookupBind(conn); err != nil {
return "", nil, err
}
// Lookup user DN
bindDN, err = l.lookupUserDN(conn, username)
bindDN, err = l.LDAP.LookupUserDN(conn, username)
if err != nil {
errRet := fmt.Errorf("Unable to find user DN: %w", err)
return "", nil, errRet
@@ -183,12 +86,12 @@ func (l *Config) Bind(username, password string) (string, []string, error) {
}
// Bind to the lookup user account again to perform group search.
if err = l.lookupBind(conn); err != nil {
if err = l.LDAP.LookupBind(conn); err != nil {
return "", nil, err
}
// User groups lookup.
groups, err := l.searchForUserGroups(conn, username, bindDN)
groups, err := l.LDAP.SearchForUserGroups(conn, username, bindDN)
if err != nil {
return "", nil, err
}
@@ -196,43 +99,6 @@ func (l *Config) Bind(username, password string) (string, []string, error) {
return bindDN, groups, nil
}
// Connect connect to ldap server.
func (l *Config) Connect() (ldapConn *ldap.Conn, err error) {
if l == nil {
return nil, errors.New("LDAP is not configured")
}
_, _, err = net.SplitHostPort(l.ServerAddr)
if err != nil {
// User default LDAP port if none specified "636"
l.ServerAddr = net.JoinHostPort(l.ServerAddr, "636")
}
tlsConfig := &tls.Config{
InsecureSkipVerify: l.tlsSkipVerify,
RootCAs: l.rootCAs,
}
if l.serverInsecure {
ldapConn, err = ldap.Dial("tcp", l.ServerAddr)
} else {
if l.serverStartTLS {
ldapConn, err = ldap.Dial("tcp", l.ServerAddr)
} else {
ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, tlsConfig)
}
}
if ldapConn != nil {
ldapConn.SetTimeout(30 * time.Second) // Change default timeout to 30 seconds.
if l.serverStartTLS {
err = ldapConn.StartTLS(tlsConfig)
}
}
return ldapConn, err
}
// GetExpiryDuration - return parsed expiry duration.
func (l Config) GetExpiryDuration(dsecs string) (time.Duration, error) {
if dsecs == "" {
@@ -254,7 +120,7 @@ func (l Config) GetExpiryDuration(dsecs string) (time.Duration, error) {
// IsLDAPUserDN determines if the given string could be a user DN from LDAP.
func (l Config) IsLDAPUserDN(user string) bool {
for _, baseDN := range l.UserDNSearchBaseDistNames {
for _, baseDN := range l.LDAP.UserDNSearchBaseDistNames {
if strings.HasSuffix(user, ","+baseDN) {
return true
}
@@ -265,19 +131,19 @@ func (l Config) IsLDAPUserDN(user string) bool {
// GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer
// present in the LDAP server or do not meet filter criteria anymore
func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error) {
conn, err := l.Connect()
conn, err := l.LDAP.Connect()
if err != nil {
return nil, err
}
defer conn.Close()
// Bind to the lookup user account
if err = l.lookupBind(conn); err != nil {
if err = l.LDAP.LookupBind(conn); err != nil {
return nil, err
}
// Evaluate the filter again with generic wildcard instead of specific values
filter := strings.ReplaceAll(l.UserDNSearchFilter, "%s", "*")
filter := strings.ReplaceAll(l.LDAP.UserDNSearchFilter, "%s", "*")
nonExistentUsers := []string{}
for _, dn := range userDistNames {
@@ -310,21 +176,21 @@ func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string,
// LookupGroupMemberships - for each DN finds the set of LDAP groups they are a
// member of.
func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsernameMap map[string]string) (map[string]set.StringSet, error) {
conn, err := l.Connect()
conn, err := l.LDAP.Connect()
if err != nil {
return nil, err
}
defer conn.Close()
// Bind to the lookup user account
if err = l.lookupBind(conn); err != nil {
if err = l.LDAP.LookupBind(conn); err != nil {
return nil, err
}
res := make(map[string]set.StringSet, len(userDistNames))
for _, userDistName := range userDistNames {
username := userDNToUsernameMap[userDistName]
groups, err := l.searchForUserGroups(conn, username, userDistName)
groups, err := l.LDAP.SearchForUserGroups(conn, username, userDistName)
if err != nil {
return nil, err
}