mirror of
https://github.com/minio/minio.git
synced 2025-10-29 15:55:00 -04:00
fix: user DN filtering that causes some unnecessary logs (#13584)
Additionally, remove the unnecessary `isUsingLookupBind` field in the LDAP struct
This commit is contained in:
Aditya Manthramurthy
GitHub
parent
c3d24fb26d
commit
947c423824
@ -286,7 +286,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
case globalLDAPConfig.EnabledWithLookupBind():
|
case globalLDAPConfig.Enabled:
|
||||||
go func() {
|
go func() {
|
||||||
ticker := time.NewTicker(sys.iamRefreshInterval)
|
ticker := time.NewTicker(sys.iamRefreshInterval)
|
||||||
defer ticker.Stop()
|
defer ticker.Stop()
|
||||||
@ -843,7 +843,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
|
|||||||
allDistNames = append(allDistNames, parentUser)
|
allDistNames = append(allDistNames, parentUser)
|
||||||
}
|
}
|
||||||
|
|
||||||
expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(parentUsers)
|
expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(allDistNames)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// Log and return on error - perhaps it'll work the next time.
|
// Log and return on error - perhaps it'll work the next time.
|
||||||
logger.LogIf(GlobalContext, err)
|
logger.LogIf(GlobalContext, err)
|
||||||
|
|||||||
@ -67,7 +67,6 @@ type Config struct {
|
|||||||
tlsSkipVerify bool // allows skipping TLS verification
|
tlsSkipVerify bool // allows skipping TLS verification
|
||||||
serverInsecure bool // allows plain text connection to LDAP server
|
serverInsecure bool // allows plain text connection to LDAP server
|
||||||
serverStartTLS bool // allows using StartTLS connection to LDAP server
|
serverStartTLS bool // allows using StartTLS connection to LDAP server
|
||||||
isUsingLookupBind bool
|
|
||||||
rootCAs *x509.CertPool
|
rootCAs *x509.CertPool
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -240,10 +239,6 @@ func (l *Config) searchForUserGroups(conn *ldap.Conn, username, bindDN string) (
|
|||||||
|
|
||||||
// LookupUserDN searches for the full DN and groups of a given username
|
// LookupUserDN searches for the full DN and groups of a given username
|
||||||
func (l *Config) LookupUserDN(username string) (string, []string, error) {
|
func (l *Config) LookupUserDN(username string) (string, []string, error) {
|
||||||
if !l.isUsingLookupBind {
|
|
||||||
return "", nil, errors.New("current lookup mode does not support searching for User DN")
|
|
||||||
}
|
|
||||||
|
|
||||||
conn, err := l.Connect()
|
conn, err := l.Connect()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", nil, err
|
return "", nil, err
|
||||||
@ -386,10 +381,6 @@ func (l Config) IsLDAPUserDN(user string) bool {
|
|||||||
// GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer
|
// GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer
|
||||||
// present in the LDAP server or do not meet filter criteria anymore
|
// present in the LDAP server or do not meet filter criteria anymore
|
||||||
func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error) {
|
func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error) {
|
||||||
if !l.isUsingLookupBind {
|
|
||||||
return nil, errors.New("current LDAP configuration does not permit looking for expired user accounts")
|
|
||||||
}
|
|
||||||
|
|
||||||
conn, err := l.Connect()
|
conn, err := l.Connect()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -410,7 +401,7 @@ func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string,
|
|||||||
dn,
|
dn,
|
||||||
ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
|
ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
|
||||||
filter,
|
filter,
|
||||||
[]string{}, // only need DN, so no pass no attributes here
|
[]string{}, // only need DN, so pass no attributes here
|
||||||
nil,
|
nil,
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -435,10 +426,6 @@ func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string,
|
|||||||
// LookupGroupMemberships - for each DN finds the set of LDAP groups they are a
|
// LookupGroupMemberships - for each DN finds the set of LDAP groups they are a
|
||||||
// member of.
|
// member of.
|
||||||
func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsernameMap map[string]string) (map[string]set.StringSet, error) {
|
func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsernameMap map[string]string) (map[string]set.StringSet, error) {
|
||||||
if !l.isUsingLookupBind {
|
|
||||||
return nil, errors.New("current LDAP configuration does not permit this lookup")
|
|
||||||
}
|
|
||||||
|
|
||||||
conn, err := l.Connect()
|
conn, err := l.Connect()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -463,12 +450,7 @@ func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsername
|
|||||||
return res, nil
|
return res, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// EnabledWithLookupBind - checks if ldap IDP is enabled in lookup bind mode.
|
// Enabled returns if LDAP config is enabled.
|
||||||
func (l Config) EnabledWithLookupBind() bool {
|
|
||||||
return l.Enabled && l.isUsingLookupBind
|
|
||||||
}
|
|
||||||
|
|
||||||
// Enabled returns if jwks is enabled.
|
|
||||||
func Enabled(kvs config.KVS) bool {
|
func Enabled(kvs config.KVS) bool {
|
||||||
return kvs.Get(ServerAddr) != ""
|
return kvs.Get(ServerAddr) != ""
|
||||||
}
|
}
|
||||||
@ -516,11 +498,13 @@ func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error) {
|
|||||||
|
|
||||||
// Lookup bind user configuration
|
// Lookup bind user configuration
|
||||||
lookupBindDN := env.Get(EnvLookupBindDN, kvs.Get(LookupBindDN))
|
lookupBindDN := env.Get(EnvLookupBindDN, kvs.Get(LookupBindDN))
|
||||||
|
if lookupBindDN == "" {
|
||||||
|
return l, errors.New("Lookup Bind DN is required")
|
||||||
|
}
|
||||||
lookupBindPassword := env.Get(EnvLookupBindPassword, kvs.Get(LookupBindPassword))
|
lookupBindPassword := env.Get(EnvLookupBindPassword, kvs.Get(LookupBindPassword))
|
||||||
if lookupBindDN != "" {
|
if lookupBindDN != "" {
|
||||||
l.LookupBindDN = lookupBindDN
|
l.LookupBindDN = lookupBindDN
|
||||||
l.LookupBindPassword = lookupBindPassword
|
l.LookupBindPassword = lookupBindPassword
|
||||||
l.isUsingLookupBind = true
|
|
||||||
|
|
||||||
// User DN search configuration
|
// User DN search configuration
|
||||||
userDNSearchBaseDN := env.Get(EnvUserDNSearchBaseDN, kvs.Get(UserDNSearchBaseDN))
|
userDNSearchBaseDN := env.Get(EnvUserDNSearchBaseDN, kvs.Get(UserDNSearchBaseDN))
|
||||||
@ -532,11 +516,6 @@ func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error) {
|
|||||||
l.UserDNSearchFilter = userDNSearchFilter
|
l.UserDNSearchFilter = userDNSearchFilter
|
||||||
}
|
}
|
||||||
|
|
||||||
// Lookup bind mode is mandatory
|
|
||||||
if !l.isUsingLookupBind {
|
|
||||||
return l, errors.New("Lookup Bind mode is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Test connection to LDAP server.
|
// Test connection to LDAP server.
|
||||||
if err := l.testConnection(); err != nil {
|
if err := l.testConnection(); err != nil {
|
||||||
return l, fmt.Errorf("Connection test for LDAP server failed: %w", err)
|
return l, fmt.Errorf("Connection test for LDAP server failed: %w", err)
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user