Add extra LDAP configuration validation (#14535)

- The result now contains suggestions on fixing common configuration issues. - These suggestions will subsequently be exposed in console/mc
2025-11-26 04:26:12 -05:00 · 2022-03-16 19:57:36 -07:00
parent 7b81967a3c
commit ce97313fda
5 changed files with 805 additions and 357 deletions
--- a/internal/config/identity/ldap/config-validator_test.go
+++ b/internal/config/identity/ldap/config-validator_test.go
@@ -0,0 +1,189 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package ldap
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/minio/minio-go/v7/pkg/set"
+)
+
+const (
+	EnvTestLDAPServer = "LDAP_TEST_SERVER"
+)
+
+func TestConfigValidator(t *testing.T) {
+	ldapServer := os.Getenv(EnvTestLDAPServer)
+	if ldapServer == "" {
+		t.Skip()
+	}
+	testCases := []struct {
+		cfg            Config
+		expectedResult Result
+	}{
+		{
+			cfg: func() Config {
+				v := Config{Enabled: true}
+				return v
+			}(),
+			expectedResult: ConnectivityError,
+		},
+		{
+			cfg: func() Config {
+				v := Config{Enabled: true}
+				v.ServerAddr = ldapServer
+				return v
+			}(),
+			expectedResult: ConnectivityError,
+		},
+		{
+			cfg: func() Config {
+				v := Config{Enabled: true}
+				v.ServerAddr = ldapServer
+				v.serverInsecure = true
+				return v
+			}(),
+			expectedResult: LookupBindError,
+		},
+		{
+			cfg: func() Config {
+				v := Config{Enabled: true}
+				v.ServerAddr = ldapServer
+				v.serverInsecure = true
+				v.LookupBindDN = "cn=admin,dc=min,dc=io"
+				v.LookupBindPassword = "admin1"
+				return v
+			}(),
+			expectedResult: LookupBindError,
+		},
+		{ // Case 4
+			cfg: func() Config {
+				v := Config{Enabled: true}
+				v.ServerAddr = ldapServer
+				v.serverInsecure = true
+				v.LookupBindDN = "cn=admin,dc=min,dc=io"
+				v.LookupBindPassword = "admin"
+				return v
+			}(),
+			expectedResult: UserSearchParamsMisconfigured,
+		},
+		{
+			cfg: func() Config {
+				v := Config{Enabled: true}
+				v.ServerAddr = ldapServer
+				v.serverInsecure = true
+				v.LookupBindDN = "cn=admin,dc=min,dc=io"
+				v.LookupBindPassword = "admin"
+				v.UserDNSearchFilter = "(uid=x)"
+				v.UserDNSearchBaseDistName = "dc=min,dc=io"
+				return v
+			}(),
+			expectedResult: UserSearchParamsMisconfigured,
+		},
+		{
+			cfg: func() Config {
+				v := Config{Enabled: true}
+				v.ServerAddr = ldapServer
+				v.serverInsecure = true
+				v.LookupBindDN = "cn=admin,dc=min,dc=io"
+				v.LookupBindPassword = "admin"
+				v.UserDNSearchFilter = "(uid=%s)"
+				v.UserDNSearchBaseDistName = "dc=min,dc=io"
+				return v
+			}(),
+			expectedResult: ConfigOk,
+		},
+		{ // Case 7
+			cfg: func() Config {
+				v := Config{Enabled: true}
+				v.ServerAddr = ldapServer
+				v.serverInsecure = true
+				v.LookupBindDN = "cn=admin,dc=min,dc=io"
+				v.LookupBindPassword = "admin"
+				v.UserDNSearchFilter = "(uid=%s)"
+				v.UserDNSearchBaseDistName = "dc=min,dc=io"
+				v.GroupSearchBaseDistName = "ou=swengg,dc=min,dc=io"
+				v.GroupSearchFilter = "(&(objectclass=groupofnames)(member=x))"
+				return v
+			}(),
+			expectedResult: GroupSearchParamsMisconfigured,
+		},
+		{
+			cfg: func() Config {
+				v := Config{Enabled: true}
+				v.ServerAddr = ldapServer
+				v.serverInsecure = true
+				v.LookupBindDN = "cn=admin,dc=min,dc=io"
+				v.LookupBindPassword = "admin"
+				v.UserDNSearchFilter = "(uid=%s)"
+				v.UserDNSearchBaseDistName = "dc=min,dc=io"
+				v.GroupSearchFilter = "(&(objectclass=groupofnames)(member=x))"
+				return v
+			}(),
+			expectedResult: GroupSearchParamsMisconfigured,
+		},
+		{ // Case 9
+			cfg: func() Config {
+				v := Config{Enabled: true}
+				v.ServerAddr = ldapServer
+				v.serverInsecure = true
+				v.LookupBindDN = "cn=admin,dc=min,dc=io"
+				v.LookupBindPassword = "admin"
+				v.UserDNSearchFilter = "(uid=%s)"
+				v.UserDNSearchBaseDistName = "dc=min,dc=io"
+				v.GroupSearchBaseDistName = "ou=swengg,dc=min,dc=io"
+				v.GroupSearchFilter = "(&(objectclass=groupofnames)(member=%d))"
+				return v
+			}(),
+			expectedResult: ConfigOk,
+		},
+	}
+
+	expectedDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
+	expectedGroups := set.CreateStringSet(
+		"cn=projecta,ou=groups,ou=swengg,dc=min,dc=io",
+		"cn=projectb,ou=groups,ou=swengg,dc=min,dc=io",
+	)
+
+	for i, test := range testCases {
+		result := test.cfg.Validate()
+		if result.Result != test.expectedResult {
+			fmt.Printf("Result: %#v\n", result)
+			t.Fatalf("Case %d: Got `%s` expected `%s`", i, result.Result, string(test.expectedResult))
+		}
+		if result.IsOk() {
+			lookupResult, validationResult := test.cfg.ValidateLookup("dillon")
+			if !validationResult.IsOk() {
+				t.Fatalf("Case %d: Got unexpected validation failure: %#v\n", i, validationResult)
+			}
+			if lookupResult.DN != expectedDN {
+				t.Fatalf("Case %d: Got unexpected DN: %v", i, lookupResult.DN)
+			}
+
+			if test.cfg.GroupSearchFilter == "" {
+				continue
+			}
+
+			if !set.CreateStringSet(lookupResult.GroupDNMemberships...).Equals(expectedGroups) {
+				t.Fatalf("Case %d: Got unexpected groups: %v", i, lookupResult.GroupDNMemberships)
+			}
+		}
+	}
+}