MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-04-25 12:34:03 -04:00
Code Issues Packages Projects Releases Wiki Activity

Fix LDAP TLS support to use custom CAs (#8352)

Browse Source
This commit is contained in:
Harshavardhana 2019-10-02 13:14:57 -07:00 committed by kannappanr
parent 8b80eca184
commit 90bfa6260a
6 changed files with 18 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/config-current.go
View File

@ -305,7 +305,7 @@ func (s *serverConfig) loadFromEnvs() {
} }
var err error var err error
s.LDAPServerConfig, err = newLDAPConfigFromEnv() s.LDAPServerConfig, err = newLDAPConfigFromEnv(globalRootCAs)
if err != nil { if err != nil {
logger.FatalIf(err, "Unable to parse LDAP configuration from env") logger.FatalIf(err, "Unable to parse LDAP configuration from env")
} }

2
cmd/gateway/s3/gateway-s3.go
View File

@ -442,7 +442,7 @@ func (l *s3Objects) GetObject(ctx context.Context, bucket string, key string, st
return minio.ErrorRespToObjectError(err, bucket, key) return minio.ErrorRespToObjectError(err, bucket, key)
} }
} }
object, _, err := l.Client.GetObject(bucket, key, opts) object, _, _, err := l.Client.GetObject(bucket, key, opts)
if err != nil { if err != nil {
return minio.ErrorRespToObjectError(err, bucket, key) return minio.ErrorRespToObjectError(err, bucket, key)
} }

20
cmd/ldap-ops.go
View File

@ -18,6 +18,7 @@ package cmd
import ( import (
"crypto/tls" "crypto/tls"
"crypto/x509"
"errors" "errors"
"fmt" "fmt"
"log" "log"
@ -40,8 +41,9 @@ type ldapServerConfig struct {
ServerAddr string `json:"serverAddr"` ServerAddr string `json:"serverAddr"`
// STS credentials expiry duration // STS credentials expiry duration
STSExpiryDuration string `json:"stsExpiryDuration"` STSExpiryDuration string `json:"stsExpiryDuration"`
stsExpiryDuration time.Duration // contains converted value stsExpiryDuration time.Duration // contains converted value
rootCAs *x509.CertPool // contains custom CAs for ldaps server.
// Skips TLS verification (for testing, not // Skips TLS verification (for testing, not
// recommended in production). // recommended in production).
@ -61,22 +63,22 @@ func (l *ldapServerConfig) Connect() (ldapConn *ldap.Conn, err error) {
return return
} }
if l.SkipTLSVerify { if l.SkipTLSVerify {
ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{InsecureSkipVerify: true}) ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{RootCAs: l.rootCAs, InsecureSkipVerify: true})
} else { } else {
ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{}) ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{RootCAs: l.rootCAs})
} }
return return
} }
// newLDAPConfigFromEnv loads configuration from the environment // newLDAPConfigFromEnv loads configuration from the environment
func newLDAPConfigFromEnv() (l ldapServerConfig, err error) { func newLDAPConfigFromEnv(rootCAs *x509.CertPool) (l ldapServerConfig, err error) {
if ldapServer, ok := os.LookupEnv("MINIO_IDENTITY_LDAP_SERVER_ADDR"); ok { if ldapServer, ok := os.LookupEnv("MINIO_IDENTITY_LDAP_SERVER_ADDR"); ok {
l.IsEnabled = true l.IsEnabled = ok
l.ServerAddr = ldapServer l.ServerAddr = ldapServer
if v := os.Getenv("MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"); v == "true" { // Save root CAs
l.SkipTLSVerify = true l.rootCAs = rootCAs
} l.SkipTLSVerify = os.Getenv("MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY") == "true"
if v := os.Getenv("MINIO_IDENTITY_LDAP_STS_EXPIRY"); v != "" { if v := os.Getenv("MINIO_IDENTITY_LDAP_STS_EXPIRY"); v != "" {
expDur, err := time.ParseDuration(v) expDur, err := time.ParseDuration(v)

4
docs/sts/ldap.md
View File

@ -106,7 +106,7 @@ The group search filter looks like `(&(objectclass=group)(member=${usernamedn}))
Thus the key configuration parameters look like: Thus the key configuration parameters look like:
``` ```
MINIO_IDENTITY_LDAP_SERVER_ADDR='ldaps://my.ldap-active-dir-server.com:636' MINIO_IDENTITY_LDAP_SERVER_ADDR='my.ldap-active-dir-server.com:636'
MINIO_IDENTITY_LDAP_USERNAME_FORMAT='cn=${username},cn=users,dc=minioad,dc=local' MINIO_IDENTITY_LDAP_USERNAME_FORMAT='cn=${username},cn=users,dc=minioad,dc=local'
MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN='dc=minioad,dc=local' MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN='dc=minioad,dc=local'
MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=group)(member=${usernamedn}))' MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=group)(member=${usernamedn}))'
@ -211,7 +211,7 @@ http://minio.cluster:9000?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=foouser
``` ```
$ export MINIO_ACCESS_KEY=minio $ export MINIO_ACCESS_KEY=minio
$ export MINIO_SECRET_KEY=minio123 $ export MINIO_SECRET_KEY=minio123
$ export MINIO_IDENTITY_LDAP_SERVER_ADDR='ldaps://my.ldap-active-dir-server.com:636' $ export MINIO_IDENTITY_LDAP_SERVER_ADDR='my.ldap-active-dir-server.com:636'
$ export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='cn=${username},cn=users,dc=minioad,dc=local' $ export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='cn=${username},cn=users,dc=minioad,dc=local'
$ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN='dc=minioad,dc=local' $ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN='dc=minioad,dc=local'
$ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=group)(member=${usernamedn}))' $ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=group)(member=${usernamedn}))'

2
go.mod
View File

@ -44,7 +44,7 @@ require (
github.com/minio/lsync v1.0.1 github.com/minio/lsync v1.0.1
github.com/minio/mc v0.0.0-20190924013003-643835013047 github.com/minio/mc v0.0.0-20190924013003-643835013047
github.com/minio/minio-go v0.0.0-20190327203652-5325257a208f github.com/minio/minio-go v0.0.0-20190327203652-5325257a208f
github.com/minio/minio-go/v6 v6.0.37 github.com/minio/minio-go/v6 v6.0.38
github.com/minio/parquet-go v0.0.0-20190318185229-9d767baf1679 github.com/minio/parquet-go v0.0.0-20190318185229-9d767baf1679
github.com/minio/sha256-simd v0.1.1 github.com/minio/sha256-simd v0.1.1
github.com/minio/sio v0.2.0 github.com/minio/sio v0.2.0

2
go.sum
View File

@ -436,6 +436,8 @@ github.com/minio/minio-go/v6 v6.0.29 h1:p4YPxK1beY13reFJjCE5QwCnXUMT9D5sV5wl0BSy
github.com/minio/minio-go/v6 v6.0.29/go.mod h1:vaNT59cWULS37E+E9zkuN/BVnKHyXtVGS+b04Boc66Y= github.com/minio/minio-go/v6 v6.0.29/go.mod h1:vaNT59cWULS37E+E9zkuN/BVnKHyXtVGS+b04Boc66Y=
github.com/minio/minio-go/v6 v6.0.37 h1:rqot4cO9+mLpf56q+yumA0xZlncbkFpqa4A8jw1Y2XE= github.com/minio/minio-go/v6 v6.0.37 h1:rqot4cO9+mLpf56q+yumA0xZlncbkFpqa4A8jw1Y2XE=
github.com/minio/minio-go/v6 v6.0.37/go.mod h1:qD0lajrGW49lKZLtXKtCB4X/qkMf0a5tBvN2PaZg7Gg= github.com/minio/minio-go/v6 v6.0.37/go.mod h1:qD0lajrGW49lKZLtXKtCB4X/qkMf0a5tBvN2PaZg7Gg=
github.com/minio/minio-go/v6 v6.0.38 h1:zd3yagckaBVAMJT+HsbpURx9ndqYQp/N/udc1UVS72E=
github.com/minio/minio-go/v6 v6.0.38/go.mod h1:qD0lajrGW49lKZLtXKtCB4X/qkMf0a5tBvN2PaZg7Gg=
github.com/minio/parquet-go v0.0.0-20190318185229-9d767baf1679 h1:OMKaN/82sBHUZPvjYNBFituHExa1OGY63eACDGtetKs= github.com/minio/parquet-go v0.0.0-20190318185229-9d767baf1679 h1:OMKaN/82sBHUZPvjYNBFituHExa1OGY63eACDGtetKs=
github.com/minio/parquet-go v0.0.0-20190318185229-9d767baf1679/go.mod h1:J+goXSuzlte5imWMqb6cUWC/tbYYysUHctwmKXomYzM= github.com/minio/parquet-go v0.0.0-20190318185229-9d767baf1679/go.mod h1:J+goXSuzlte5imWMqb6cUWC/tbYYysUHctwmKXomYzM=
github.com/minio/sha256-simd v0.0.0-20190131020904-2d45a736cd16/go.mod h1:2FMWW+8GMoPweT6+pI63m9YE3Lmw4J71hV56Chs1E/U= github.com/minio/sha256-simd v0.0.0-20190131020904-2d45a736cd16/go.mod h1:2FMWW+8GMoPweT6+pI63m9YE3Lmw4J71hV56Chs1E/U=