diff --git a/cmd/admin-handlers-idp-config.go b/cmd/admin-handlers-idp-config.go
index 26569665b..dc64476c6 100644
--- a/cmd/admin-handlers-idp-config.go
+++ b/cmd/admin-handlers-idp-config.go
@@ -180,7 +180,7 @@ func handleCreateUpdateValidation(s config.Config, subSys, cfgTarget string, isU
 case madmin.IdentityOpenIDSubSys:
 cfgInfos, _ = globalOpenIDConfig.GetConfigInfo(s, cfgTarget)
 case madmin.IdentityLDAPSubSys:
- cfgInfos, _ = globalLDAPConfig.GetConfigInfo(s, cfgTarget)
+ cfgInfos, _ = globalIAMSys.LDAPConfig.GetConfigInfo(s, cfgTarget)
 }
 if len(cfgInfos) > 0 && !isUpdate {
@@ -243,7 +243,7 @@ func (a adminAPIHandlers) ListIdentityProviderCfg(w http.ResponseWriter, r *http
 cfgList, err = globalOpenIDConfig.GetConfigList(cfg)
 case madmin.LDAPIDPCfg:
 cfg := globalServerConfig.Clone()
- cfgList, err = globalLDAPConfig.GetConfigList(cfg)
+ cfgList, err = globalIAMSys.LDAPConfig.GetConfigList(cfg)
 default:
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
@@ -298,7 +298,7 @@ func (a adminAPIHandlers) GetIdentityProviderCfg(w http.ResponseWriter, r *http.
 case madmin.OpenidIDPCfg:
 cfgInfos, err = globalOpenIDConfig.GetConfigInfo(cfg, cfgName)
 case madmin.LDAPIDPCfg:
- cfgInfos, err = globalLDAPConfig.GetConfigInfo(cfg, cfgName)
+ cfgInfos, err = globalIAMSys.LDAPConfig.GetConfigInfo(cfg, cfgName)
 }
 if err != nil {
 if errors.Is(err, openid.ErrProviderConfigNotFound) || errors.Is(err, cfgldap.ErrProviderConfigNotFound) {
@@ -380,7 +380,7 @@ func (a adminAPIHandlers) DeleteIdentityProviderCfg(w http.ResponseWriter, r *ht
 }
 case madmin.LDAPIDPCfg:
 subSys = config.IdentityLDAPSubSys
- cfgInfos, err := globalLDAPConfig.GetConfigInfo(cfgCopy, cfgName)
+ cfgInfos, err := globalIAMSys.LDAPConfig.GetConfigInfo(cfgCopy, cfgName)
 if err != nil {
 if errors.Is(err, openid.ErrProviderConfigNotFound) {
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminNoSuchConfigTarget), r.URL)
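Review bot: `globalIAMSys.LDAPConfig` is read here without taking the `IAMSys` lock, while `Init` (iam.go hunk at -257) assigns that field under `sys.Lock()`; if `Init` can run while admin or STS requests are already being served, these lock-free reads race with that write. The same direct reads appear in the admin-handlers-users, admin-handlers, common-main, site-replication and sts-handlers hunks. A small accessor that reads under the lock would also keep the field from being written elsewhere in the package, e.g. `func (sys *IAMSys) ldapConfig() xldap.Config { sys.Lock(); defer sys.Unlock(); return sys.LDAPConfig.Clone() }`, with call sites such as `cfgInfos, _ = globalIAMSys.ldapConfig().GetConfigInfo(s, cfgTarget)`. handleCreateUpdateValidation starts and ends outside the hunk.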
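Review bot: In the `madmin.LDAPIDPCfg` branch the not-found check right after the renamed `GetConfigInfo` call tests only `openid.ErrProviderConfigNotFound`, whereas the GetIdentityProviderCfg hunk above also checks `cfgldap.ErrProviderConfigNotFound`; unless a branch outside the hunk handles it, deleting an LDAP config that does not exist falls through to a generic error instead of `ErrAdminNoSuchConfigTarget`. Suggested: `if errors.Is(err, openid.ErrProviderConfigNotFound) || errors.Is(err, cfgldap.ErrProviderConfigNotFound) {`. DeleteIdentityProviderCfg starts and ends outside the hunk.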
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 55df8ca99..3fdcc433f 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -741,9 +741,9 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 // In case of LDAP we need to resolve the targetUser to a DN and
 // query their groups:
- if globalLDAPConfig.Enabled() {
+ if globalIAMSys.LDAPConfig.Enabled() {
 opts.claims[ldapUserN] = targetUser // simple username
- targetUser, targetGroups, err = globalLDAPConfig.LookupUserDN(targetUser)
+ targetUser, targetGroups, err = globalIAMSys.LDAPConfig.LookupUserDN(targetUser)
 if err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
@@ -2455,9 +2455,9 @@ func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) {
 // In case of LDAP we need to resolve the targetUser to a DN and
 // query their groups:
- if globalLDAPConfig.Enabled() {
+ if globalIAMSys.LDAPConfig.Enabled() {
 opts.claims[ldapUserN] = svcAcctReq.AccessKey // simple username
- targetUser, _, err := globalLDAPConfig.LookupUserDN(svcAcctReq.AccessKey)
+ targetUser, _, err := globalIAMSys.LDAPConfig.LookupUserDN(svcAcctReq.AccessKey)
 if err != nil {
 writeErrorResponseJSON(ctx, w, importError(ctx, err, allSvcAcctsFile, user), r.URL)
 return
diff --git a/cmd/admin-handlers.go b/cmd/admin-handlers.go
index 70b2d45cb..5e58ccc58 100644
--- a/cmd/admin-handlers.go
+++ b/cmd/admin-handlers.go
@@ -1819,8 +1819,8 @@ func getServerInfo(ctx context.Context, poolsInfoEnabled bool, r *http.Request)
 kmsStat := fetchKMSStatus()
 ldap := madmin.LDAP{}
- if globalLDAPConfig.Enabled() {
- ldapConn, err := globalLDAPConfig.LDAP.Connect()
+ if globalIAMSys.LDAPConfig.Enabled() {
+ ldapConn, err := globalIAMSys.LDAPConfig.LDAP.Connect()
 //nolint:gocritic
 if err != nil {
 ldap.Status = string(madmin.ItemOffline)
diff --git a/cmd/common-main.go b/cmd/common-main.go
index a8bfa9511..126501b35 100644
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -205,7 +205,7 @@ func minioConfigToConsoleFeatures() {
 }
 }
 // Enable if LDAP is enabled.
- if globalLDAPConfig.Enabled() {
+ if globalIAMSys.LDAPConfig.Enabled() {
 os.Setenv("CONSOLE_LDAP_ENABLED", config.EnableOn)
 }
 os.Setenv("CONSOLE_MINIO_REGION", globalSite.Region)
diff --git a/cmd/globals.go b/cmd/globals.go
index 909d61850..f0fc39104 100644
--- a/cmd/globals.go
+++ b/cmd/globals.go
@@ -42,7 +42,6 @@ import (
 "github.com/minio/minio/internal/config/callhome"
 "github.com/minio/minio/internal/config/compress"
 "github.com/minio/minio/internal/config/dns"
- xldap "github.com/minio/minio/internal/config/identity/ldap"
 "github.com/minio/minio/internal/config/identity/openid"
 idplugin "github.com/minio/minio/internal/config/identity/plugin"
 xtls "github.com/minio/minio/internal/config/identity/tls"
@@ -201,7 +200,6 @@ var (
 globalStorageClass storageclass.Config
- globalLDAPConfig xldap.Config
 globalOpenIDConfig openid.Config
 globalSTSTLSConfig xtls.Config
diff --git a/cmd/iam.go b/cmd/iam.go
index 2f6f845c1..4bbdbb273 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -87,7 +87,7 @@ type IAMSys struct {
 sync.Mutex
 iamRefreshInterval time.Duration
- ldapConfig xldap.Config // only valid if usersSysType is LDAPUsers
+ LDAPConfig xldap.Config // only valid if usersSysType is LDAPUsers
 openIDConfig openid.Config // only valid if OpenID is configured
 usersSysType UsersSysType
@@ -163,7 +163,7 @@ func (sys *IAMSys) LoadServiceAccount(ctx context.Context, accessKey string) err
 // initStore initializes IAM stores
 func (sys *IAMSys) initStore(objAPI ObjectLayer, etcdClient *etcd.Client) {
- if sys.ldapConfig.Enabled() {
+ if sys.LDAPConfig.Enabled() {
 sys.SetUsersSysType(LDAPUsersSysType)
 }
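Review bot: The trailing comment on the now-exported `LDAPConfig` field still reads `only valid if usersSysType is LDAPUsers`, but the handlers in this commit read it regardless of `usersSysType` and gate on `Enabled()`, and exporting it lets any code in package cmd overwrite it outside the lock that `Init` takes when assigning it. The comment should state the actual contract, e.g. `// LDAPConfig is parsed once in Init and installed under the IAMSys lock; callers treat it as read-only and gate on Enabled().` The IAMSys struct declaration begins at the hunk header and continues past the hunk's last line.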
@@ -221,7 +221,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 }
 // Initialize if LDAP is enabled
- globalLDAPConfig, err = xldap.Lookup(s, globalRootCAs)
+ ldapConfig, err := xldap.Lookup(s, globalRootCAs)
 if err != nil {
 logger.LogIf(ctx, fmt.Errorf("Unable to parse LDAP configuration: %w", err))
 }
@@ -257,7 +257,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 sys.Lock()
 defer sys.Unlock()
- sys.ldapConfig = globalLDAPConfig.Clone()
+ sys.LDAPConfig = ldapConfig
 sys.openIDConfig = globalOpenIDConfig.Clone()
 sys.iamRefreshInterval = iamRefreshInterval
@@ -337,7 +337,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 }
 }
 }()
- case sys.ldapConfig.Enabled():
+ case sys.LDAPConfig.Enabled():
 go func() {
 timer := time.NewTimer(refreshInterval)
 defer timer.Stop()
@@ -800,7 +800,7 @@ func (sys *IAMSys) QueryLDAPPolicyEntities(ctx context.Context, q madmin.PolicyE
 select {
 case <-sys.configLoaded:
- pe := sys.store.ListLDAPPolicyMappings(q, sys.ldapConfig.IsLDAPUserDN, sys.ldapConfig.IsLDAPGroupDN)
+ pe := sys.store.ListLDAPPolicyMappings(q, sys.LDAPConfig.IsLDAPUserDN, sys.LDAPConfig.IsLDAPGroupDN)
 pe.Timestamp = UTCNow()
 return &pe, nil
 case <-ctx.Done():
@@ -1302,14 +1302,14 @@ func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
 parentUsers := sys.store.GetAllParentUsers()
 var allDistNames []string
 for parentUser := range parentUsers {
- if !sys.ldapConfig.IsLDAPUserDN(parentUser) {
+ if !sys.LDAPConfig.IsLDAPUserDN(parentUser) {
 continue
 }
 allDistNames = append(allDistNames, parentUser)
 }
- expiredUsers, err := sys.ldapConfig.GetNonEligibleUserDistNames(allDistNames)
+ expiredUsers, err := sys.LDAPConfig.GetNonEligibleUserDistNames(allDistNames)
 if err != nil {
 // Log and return on error - perhaps it'll work the next time.
 logger.LogIf(GlobalContext, err)
@@ -1331,7 +1331,7 @@ func (sys *IAMSys) updateGroupMembershipsForLDAP(ctx context.Context) {
 // DN to ldap username mapping for each LDAP user
 parentUserToLDAPUsernameMap := make(map[string]string)
 for _, cred := range allCreds {
- if !sys.ldapConfig.IsLDAPUserDN(cred.ParentUser) {
+ if !sys.LDAPConfig.IsLDAPUserDN(cred.ParentUser) {
 continue
 }
 // Check if this is the first time we are
@@ -1379,7 +1379,7 @@ func (sys *IAMSys) updateGroupMembershipsForLDAP(ctx context.Context) {
 }
 // 2. Query LDAP server for groups of the LDAP users collected.
- updatedGroups, err := sys.ldapConfig.LookupGroupMemberships(parentUsers, parentUserToLDAPUsernameMap)
+ updatedGroups, err := sys.LDAPConfig.LookupGroupMemberships(parentUsers, parentUserToLDAPUsernameMap)
 if err != nil {
 // Log and return on error - perhaps it'll work the next time.
 logger.LogIf(GlobalContext, err)
@@ -1566,7 +1566,7 @@ func (sys *IAMSys) PolicyDBUpdateLDAP(ctx context.Context, isAttach bool,
 var dn string
 var isGroup bool
 if r.User != "" {
- dn, err = globalLDAPConfig.DoesUsernameExist(r.User)
+ dn, err = sys.LDAPConfig.DoesUsernameExist(r.User)
 if err != nil {
 logger.LogIf(ctx, err)
 return updatedAt, nil, err
@@ -1576,7 +1576,7 @@ func (sys *IAMSys) PolicyDBUpdateLDAP(ctx context.Context, isAttach bool,
 }
 isGroup = false
 } else {
- if exists, err := globalLDAPConfig.DoesGroupDNExist(r.Group); err != nil {
+ if exists, err := sys.LDAPConfig.DoesGroupDNExist(r.Group); err != nil {
 logger.LogIf(ctx, err)
 return updatedAt, nil, err
 } else if !exists {
diff --git a/cmd/site-replication.go b/cmd/site-replication.go
index 444ca63b4..f0eeee875 100644
--- a/cmd/site-replication.go
+++ b/cmd/site-replication.go
@@ -599,11 +599,11 @@ func (c *SiteReplicationSys) PeerJoinReq(ctx context.Context, arg madmin.SRPeerJ
 func (c *SiteReplicationSys) GetIDPSettings(ctx context.Context) madmin.IDPSettings {
 s := madmin.IDPSettings{}
 s.LDAP = madmin.LDAPSettings{
- IsLDAPEnabled: globalLDAPConfig.Enabled(),
- LDAPUserDNSearchBase: globalLDAPConfig.LDAP.UserDNSearchBaseDistName,
- LDAPUserDNSearchFilter: globalLDAPConfig.LDAP.UserDNSearchFilter,
- LDAPGroupSearchBase: globalLDAPConfig.LDAP.GroupSearchBaseDistName,
- LDAPGroupSearchFilter: globalLDAPConfig.LDAP.GroupSearchFilter,
+ IsLDAPEnabled: globalIAMSys.LDAPConfig.Enabled(),
+ LDAPUserDNSearchBase: globalIAMSys.LDAPConfig.LDAP.UserDNSearchBaseDistName,
+ LDAPUserDNSearchFilter: globalIAMSys.LDAPConfig.LDAP.UserDNSearchFilter,
+ LDAPGroupSearchBase: globalIAMSys.LDAPConfig.LDAP.GroupSearchBaseDistName,
+ LDAPGroupSearchFilter: globalIAMSys.LDAPConfig.LDAP.GroupSearchFilter,
 }
 s.OpenID = globalOpenIDConfig.GetSettings()
 if s.OpenID.Enabled {
@@ -1328,7 +1328,7 @@ func (c *SiteReplicationSys) PeerSTSAccHandler(ctx context.Context, stsCred *mad
 switch {
 case isLDAPSTS:
 // Need to lookup the groups from LDAP.
- _, ldapGroups, err := globalLDAPConfig.LookupUserDN(ldapUser)
+ _, ldapGroups, err := globalIAMSys.LDAPConfig.LookupUserDN(ldapUser)
 if err != nil {
 return fmt.Errorf("unable to query LDAP server for %s: %w", ldapUser, err)
 }
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index b7eee8d46..4ba02eecb 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -598,7 +598,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 }
 }
- ldapUserDN, groupDistNames, err := globalLDAPConfig.Bind(ldapUsername, ldapPassword)
+ ldapUserDN, groupDistNames, err := globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword)
 if err != nil {
 err = fmt.Errorf("LDAP server error: %w", err)
 writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
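Review bot: Directly after the renamed `Bind` call, whatever error the LDAP client returns is wrapped as `LDAP server error: %w` and handed to `writeSTSErrorResponse` for an unauthenticated caller; if the underlying error text carries server addresses, bind DNs or search-filter details, that is disclosed to whoever submitted the credentials. Presumably the client only needs to learn that authentication failed, so log the detailed error server-side with `logger.LogIf(ctx, err)` and pass a fixed error such as `errors.New("LDAP authentication failed")` to `writeSTSErrorResponse` instead. AssumeRoleWithLDAPIdentity starts and ends outside the hunk.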
@@ -614,7 +614,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 return
 }
- expiryDur, err := globalLDAPConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
+ expiryDur, err := globalIAMSys.LDAPConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
 if err != nil {
 writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
 return