Add LDAP DNS SRV record lookup support (#16201)

2025-11-07 12:52:58 -05:00 · 2022-12-12 11:27:27 -08:00
parent 2fc182d8e6
commit a469e6768d
5 changed files with 40 additions and 10 deletions
--- a/internal/config/identity/ldap/config.go
+++ b/internal/config/identity/ldap/config.go
@@ -62,6 +62,7 @@ func (l *Config) Clone() Config {
 // LDAP keys and envs.
 const (
 	ServerAddr         = "server_addr"
+	SRVRecordName      = "srv_record_name"
 	LookupBindDN       = "lookup_bind_dn"
 	LookupBindPassword = "lookup_bind_password"
 	UserDNSearchBaseDN = "user_dn_search_base_dn"
@@ -73,6 +74,7 @@ const (
 	ServerStartTLS     = "server_starttls"

 	EnvServerAddr         = "MINIO_IDENTITY_LDAP_SERVER_ADDR"
+	EnvSRVRecordName      = "MINIO_IDENTITY_LDAP_SRV_RECORD_NAME"
 	EnvTLSSkipVerify      = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"
 	EnvServerInsecure     = "MINIO_IDENTITY_LDAP_SERVER_INSECURE"
 	EnvServerStartTLS     = "MINIO_IDENTITY_LDAP_SERVER_STARTTLS"
@@ -100,6 +102,10 @@ var (
 			Key:   ServerAddr,
 			Value: "",
 		},
+		config.KV{
+			Key:   SRVRecordName,
+			Value: "",
+		},
 		config.KV{
 			Key:   UserDNSearchBaseDN,
 			Value: "",
@@ -173,9 +179,10 @@ func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) {
 		return l, nil
 	}
 	l.LDAP = ldap.Config{
-		Enabled:    true,
-		RootCAs:    rootCAs,
-		ServerAddr: ldapServer,
+		Enabled:       true,
+		RootCAs:       rootCAs,
+		ServerAddr:    ldapServer,
+		SRVRecordName: getCfgVal(SRVRecordName),
 	}
 	l.stsExpiryDuration = defaultLDAPExpiry

--- a/internal/config/identity/ldap/help.go
+++ b/internal/config/identity/ldap/help.go
@@ -28,10 +28,17 @@ var (
 	Help = config.HelpKVS{
 		config.HelpKV{
 			Key:         ServerAddr,
-			Description: `AD/LDAP server address e.g. "myldapserver.com:636"` + defaultHelpPostfix(ServerAddr),
+			Description: `AD/LDAP server address e.g. "myldap.com" or "myldapserver.com:636"` + defaultHelpPostfix(ServerAddr),
 			Type:        "address",
 			Sensitive:   true,
 		},
+		config.HelpKV{
+			Key:         SRVRecordName,
+			Description: `DNS SRV record name for LDAP service, if given, must be one of "ldap", "ldaps" or "on"` + defaultHelpPostfix(SRVRecordName),
+			Optional:    true,
+			Type:        "string",
+			Sensitive:   false,
+		},
 		config.HelpKV{
 			Key:         LookupBindDN,
 			Description: `DN for LDAP read-only service account used to perform DN and group lookups` + defaultHelpPostfix(LookupBindDN),