ldap

package
Published: Mar 2, 2023 License: AGPL-3.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

// Config keys for the LDAP identity feature.
const (
	// ServerAddr - AD/LDAP server address, e.g. "myldapserver.com:636".
	ServerAddr = "server_addr"

	// LookupBindDN / LookupBindPassword - read-only service account used
	// for DN and group lookups. The password is a secret.
	LookupBindDN       = "lookup_bind_dn"
	LookupBindPassword = "lookup_bind_password"

	// User and group search parameters.
	UserDNSearchBaseDN = "user_dn_search_base_dn"
	UserDNSearchFilter = "user_dn_search_filter"
	GroupSearchFilter  = "group_search_filter"
	GroupSearchBaseDN  = "group_search_base_dn"

	// Transport switches. TLSSkipVerify disables server certificate
	// verification and ServerInsecure permits a plaintext connection; both
	// weaken protection of the bind credentials and user passwords sent to
	// the server. ServerStartTLS upgrades a plain connection via StartTLS.
	TLSSkipVerify  = "tls_skip_verify"
	ServerInsecure = "server_insecure"
	ServerStartTLS = "server_starttls"
)

// Environment variable names that override the config keys above when set.
const (
	EnvServerAddr         = "MINIO_IDENTITY_LDAP_SERVER_ADDR"
	EnvTLSSkipVerify      = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"
	EnvServerInsecure     = "MINIO_IDENTITY_LDAP_SERVER_INSECURE"
	EnvServerStartTLS     = "MINIO_IDENTITY_LDAP_SERVER_STARTTLS"
	// NOTE(review): EnvUsernameFormat has no matching config key in the
	// block above; presumably a legacy setting — confirm before relying on it.
	EnvUsernameFormat     = "MINIO_IDENTITY_LDAP_USERNAME_FORMAT"
	EnvUserDNSearchBaseDN = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN"
	EnvUserDNSearchFilter = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER"
	EnvGroupSearchFilter  = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER"
	EnvGroupSearchBaseDN  = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN"
	EnvLookupBindDN       = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN"
	EnvLookupBindPassword = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD"
)

LDAP keys and envs.

Variables

// DefaultKVS - default config for LDAP config. Every address, DN and filter
// starts empty, and the three transport switches (TLSSkipVerify,
// ServerInsecure, ServerStartTLS) default to off, so an unconfigured
// deployment neither skips certificate verification nor allows plaintext.
var DefaultKVS = config.KVS{
	{Key: ServerAddr, Value: ""},
	{Key: UserDNSearchBaseDN, Value: ""},
	{Key: UserDNSearchFilter, Value: ""},
	{Key: GroupSearchFilter, Value: ""},
	{Key: GroupSearchBaseDN, Value: ""},
	{Key: TLSSkipVerify, Value: config.EnableOff},
	{Key: ServerInsecure, Value: config.EnableOff},
	{Key: ServerStartTLS, Value: config.EnableOff},
	{Key: LookupBindDN, Value: ""},
	{Key: LookupBindPassword, Value: ""},
}

DefaultKVS - default config for LDAP config

// Help template for LDAP identity feature. The server address and the
// lookup bind DN/password are flagged Sensitive; presumably the config
// display layer redacts such entries — NOTE(review): confirm. The
// TLSSkipVerify and ServerInsecure entries relax transport security for
// the credentials exchanged with the server, so their descriptions are
// the place to make that trade-off visible to operators.
var Help = config.HelpKVS{
	{
		Key:         ServerAddr,
		Description: `AD/LDAP server address e.g. "myldapserver.com:636"` + defaultHelpPostfix(ServerAddr),
		Type:        "address",
		Sensitive:   true,
	},
	{
		Key:         LookupBindDN,
		Description: `DN for LDAP read-only service account used to perform DN and group lookups` + defaultHelpPostfix(LookupBindDN),
		Optional:    true,
		Type:        "string",
		Sensitive:   true,
	},
	{
		Key:         LookupBindPassword,
		Description: `Password for LDAP read-only service account used to perform DN and group lookups` + defaultHelpPostfix(LookupBindPassword),
		Optional:    true,
		Type:        "string",
		Sensitive:   true,
	},
	{
		Key:         UserDNSearchBaseDN,
		Description: `";" separated list of user search base DNs e.g. "dc=myldapserver,dc=com"` + defaultHelpPostfix(UserDNSearchBaseDN),
		Optional:    true,
		Type:        "list",
	},
	{
		Key:         UserDNSearchFilter,
		Description: `Search filter to lookup user DN` + defaultHelpPostfix(UserDNSearchFilter),
		Optional:    true,
		Type:        "string",
	},
	{
		// NOTE(review): the "%s" in the example is presumably substituted
		// with a user identifier at lookup time; that value must be
		// LDAP-filter escaped by the substituting code — confirm in the
		// group lookup path.
		Key:         GroupSearchFilter,
		Description: `search filter for groups e.g. "(&(objectclass=groupOfNames)(memberUid=%s))"` + defaultHelpPostfix(GroupSearchFilter),
		Optional:    true,
		Type:        "string",
	},
	{
		Key:         GroupSearchBaseDN,
		Description: `";" separated list of group search base DNs e.g. "dc=myldapserver,dc=com"` + defaultHelpPostfix(GroupSearchBaseDN),
		Optional:    true,
		Type:        "list",
	},
	{
		Key:         TLSSkipVerify,
		Description: `trust server TLS without verification` + defaultHelpPostfix(TLSSkipVerify),
		Optional:    true,
		Type:        "on|off",
	},
	{
		Key:         ServerInsecure,
		Description: `allow plain text connection to AD/LDAP server` + defaultHelpPostfix(ServerInsecure),
		Optional:    true,
		Type:        "on|off",
	},
	{
		Key:         ServerStartTLS,
		Description: `use StartTLS connection to AD/LDAP server` + defaultHelpPostfix(ServerStartTLS),
		Optional:    true,
		Type:        "on|off",
	},
	{
		Key:         config.Comment,
		Description: config.DefaultComment,
		Optional:    true,
		Type:        "sentence",
	},
}

Help template for LDAP identity feature.

Functions

func Enabled

func Enabled(kvs config.KVS) bool

Enabled returns whether the LDAP config is enabled.

func SetIdentityLDAP

func SetIdentityLDAP(s config.Config, ldapArgs Config)

SetIdentityLDAP - one-time migration code, needed for migrating from the older config format to the new LDAPConfig.

Types

type Config

// Config contains AD/LDAP server connectivity information. It is built by
// Lookup from config.KVS plus ENV overrides; Validate fills in the
// *DistNames fields from the corresponding *DistName strings.
type Config struct {
	// Enabled reports whether the LDAP identity feature is turned on.
	Enabled bool `json:"enabled"`

	// E.g. "ldap.minio.io:636"
	ServerAddr string `json:"serverAddr"`

	// User DN search parameters. UserDNSearchBaseDistName is the raw ";"
	// separated base-DN list; UserDNSearchBaseDistNames is derived from it
	// by Validate and is excluded from JSON.
	UserDNSearchBaseDistName  string   `json:"userDNSearchBaseDN"`
	UserDNSearchBaseDistNames []string `json:"-"` // Generated field
	UserDNSearchFilter        string   `json:"userDNSearchFilter"`

	// Group search parameters, mirroring the user search fields above.
	GroupSearchBaseDistName  string   `json:"groupSearchBaseDN"`
	GroupSearchBaseDistNames []string `json:"-"` // Generated field
	GroupSearchFilter        string   `json:"groupSearchFilter"`

	// Lookup bind LDAP service account. LookupBindPassword is a secret and,
	// unlike the generated fields, has a real json tag, so encoding/json
	// marshaling of a Config emits it in cleartext — redact before logging
	// or exporting the struct.
	LookupBindDN       string `json:"lookupBindDN"`
	LookupBindPassword string `json:"lookupBindPassword"`
	// contains filtered or unexported fields
}

Config contains AD/LDAP server connectivity information.

func Lookup

func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error)

Lookup - initializes the LDAP config, overriding config values with any ENV values that are set.

func (*Config) Bind

func (l *Config) Bind(username, password string) (string, []string, error)

Bind - binds to ldap, searches LDAP and returns the distinguished name of the user and the list of groups.

func (*Config) Clone

func (l *Config) Clone() Config

Clone returns a cloned copy of LDAP config.

func (*Config) Connect

func (l *Config) Connect() (ldapConn *ldap.Conn, err error)

Connect connects to the LDAP server.

func (Config) GetExpiryDuration

func (l Config) GetExpiryDuration(dsecs string) (time.Duration, error)

GetExpiryDuration - returns the parsed expiry duration.

func (*Config) GetNonEligibleUserDistNames

func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error)

GetNonEligibleUserDistNames - finds user accounts (DNs) that are no longer present in the LDAP server or no longer meet the filter criteria.

func (Config) IsLDAPUserDN

func (l Config) IsLDAPUserDN(user string) bool

IsLDAPUserDN determines if the given string could be a user DN from LDAP.

func (*Config) LookupGroupMemberships

func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsernameMap map[string]string) (map[string]set.StringSet, error)

LookupGroupMemberships - for each DN finds the set of LDAP groups they are a member of.

func (*Config) LookupUserDN

func (l *Config) LookupUserDN(username string) (string, []string, error)

LookupUserDN searches for the full DN and groups of a given username.

func (*Config) Validate

func (l *Config) Validate() Validation

Validate validates the LDAP configuration. It can be called with any subset of configuration parameters provided by the user - it will return information on what needs to be done to fix the problem if any.

This function updates the UserDNSearchBaseDistNames and GroupSearchBaseDistNames fields of the Config - however, this is an idempotent operation. This is done to support configuration validation in Console/mc and for tests.

func (*Config) ValidateLookup

func (l *Config) ValidateLookup(testUsername string) (*UserLookupResult, Validation)

ValidateLookup takes a test username and performs user and group lookup (if configured) and returns the result. It is to validate the LDAP configuration. The lookup is performed without requiring the password for the test user - and so can be used to test any LDAP user intending to use MinIO.

type Result

// Result - type for high-level names for the validation status of the
// config. Values are the ConfigOk / *Error / *Misconfigured constants.
type Result string

Result - type for high-level names for the validation status of the config.

// Constant values for Result type. ConfigOk is the only success value; each
// other value names the validation stage that failed (server connectivity,
// lookup bind, user or group search parameters, user DN lookup, group
// membership lookup).
const (
	ConfigOk                       Result = "Config OK"
	ConnectivityError              Result = "LDAP Server Connection Error"
	LookupBindError                Result = "LDAP Lookup Bind Error"
	UserSearchParamsMisconfigured  Result = "User Search Parameters Misconfigured"
	GroupSearchParamsMisconfigured Result = "Group Search Parameters Misconfigured"
	UserDNLookupError              Result = "User DN Lookup Error"
	GroupMembershipsLookupError    Result = "Group Memberships Lookup Error"
)

Constant values for Result type.

type UserLookupResult

// UserLookupResult holds the DN found for the test user and the DNs of the
// groups they are a member of, as produced by Config.ValidateLookup.
type UserLookupResult struct {
	DN                 string
	GroupDNMemberships []string
}

UserLookupResult holds the DN found for the test user and their group memberships.

type Validation

// Validation returns feedback on the configuration. Result carries the
// high-level status, Detail the specifics, Suggestion a user-facing fix
// that needs to be "printed" for friendly display (it can contain escaped
// newlines `\n`), and ErrCause the underlying error, if any.
type Validation struct {
	Result     Result
	Detail     string
	Suggestion string
	ErrCause   error
}

Validation returns feedback on the configuration. The `Suggestion` field needs to be "printed" for friendly display (it can contain escaped newlines `\n`).

func (Validation) Error

func (v Validation) Error() string

Error implements the error interface for Validation.

func (Validation) IsOk

func (v Validation) IsOk() bool

IsOk - returns whether the validation succeeded.
