Documentation
¶
Index ¶
- Constants
- Variables
- func Enabled(kvs config.KVS) bool
- func SetIdentityLDAP(s config.Config, ldapArgs Config)
- type Config
- func (l *Config) Bind(username, password string) (string, []string, error)
- func (l *Config) Connect() (ldapConn *ldap.Conn, err error)
- func (l Config) GetExpiryDuration(dsecs string) (time.Duration, error)
- func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error)
- func (l Config) IsLDAPUserDN(user string) bool
- func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsernameMap map[string]string) (map[string]set.StringSet, error)
- func (l *Config) LookupUserDN(username string) (string, []string, error)
- func (l *Config) Validate() Validation
- func (l *Config) ValidateLookup(testUsername string) (*UserLookupResult, Validation)
- type Result
- type UserLookupResult
- type Validation
Constants ¶
const ( ServerAddr = "server_addr" LookupBindDN = "lookup_bind_dn" LookupBindPassword = "lookup_bind_password" UserDNSearchBaseDN = "user_dn_search_base_dn" UserDNSearchFilter = "user_dn_search_filter" GroupSearchFilter = "group_search_filter" GroupSearchBaseDN = "group_search_base_dn" TLSSkipVerify = "tls_skip_verify" ServerInsecure = "server_insecure" ServerStartTLS = "server_starttls" EnvServerAddr = "MINIO_IDENTITY_LDAP_SERVER_ADDR" EnvTLSSkipVerify = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY" EnvServerInsecure = "MINIO_IDENTITY_LDAP_SERVER_INSECURE" EnvServerStartTLS = "MINIO_IDENTITY_LDAP_SERVER_STARTTLS" EnvUsernameFormat = "MINIO_IDENTITY_LDAP_USERNAME_FORMAT" EnvUserDNSearchBaseDN = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN" EnvUserDNSearchFilter = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER" EnvGroupSearchFilter = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER" EnvGroupSearchBaseDN = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN" EnvLookupBindDN = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN" EnvLookupBindPassword = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD" )
LDAP keys and envs.
Variables ¶
var ( DefaultKVS = config.KVS{ config.KV{ Key: ServerAddr, Value: "", }, config.KV{ Key: UserDNSearchBaseDN, Value: "", }, config.KV{ Key: UserDNSearchFilter, Value: "", }, config.KV{ Key: GroupSearchFilter, Value: "", }, config.KV{ Key: GroupSearchBaseDN, Value: "", }, config.KV{ Key: TLSSkipVerify, Value: config.EnableOff, }, config.KV{ Key: ServerInsecure, Value: config.EnableOff, }, config.KV{ Key: ServerStartTLS, Value: config.EnableOff, }, config.KV{ Key: LookupBindDN, Value: "", }, config.KV{ Key: LookupBindPassword, Value: "", }, } )
DefaultKVS - default config for LDAP config
var ( Help = config.HelpKVS{ config.HelpKV{ Key: ServerAddr, Description: `AD/LDAP server address e.g. "myldapserver.com:636"`, Type: "address", Sensitive: true, }, config.HelpKV{ Key: LookupBindDN, Description: `DN for LDAP read-only service account used to perform DN and group lookups`, Type: "string", Sensitive: true, }, config.HelpKV{ Key: LookupBindPassword, Description: `Password for LDAP read-only service account used to perform DN and group lookups`, Optional: true, Type: "string", Sensitive: true, }, config.HelpKV{ Key: UserDNSearchBaseDN, Description: `";" separated list of user search base DNs e.g. "dc=myldapserver,dc=com"`, Type: "list", }, config.HelpKV{ Key: UserDNSearchFilter, Description: `Search filter to lookup user DN`, Type: "string", }, config.HelpKV{ Key: GroupSearchFilter, Description: `search filter for groups e.g. "(&(objectclass=groupOfNames)(memberUid=%s))"`, Optional: true, Type: "string", }, config.HelpKV{ Key: GroupSearchBaseDN, Description: `";" separated list of group search base DNs e.g. "dc=myldapserver,dc=com"`, Optional: true, Type: "list", }, config.HelpKV{ Key: TLSSkipVerify, Description: `trust server TLS without verification, defaults to "off" (verify)`, Optional: true, Type: "on|off", }, config.HelpKV{ Key: ServerInsecure, Description: `allow plain text connection to AD/LDAP server, defaults to "off"`, Optional: true, Type: "on|off", }, config.HelpKV{ Key: ServerStartTLS, Description: `use StartTLS connection to AD/LDAP server, defaults to "off"`, Optional: true, Type: "on|off", }, config.HelpKV{ Key: config.Comment, Description: config.DefaultComment, Optional: true, Type: "sentence", }, } )
Help template for LDAP identity feature.
Functions ¶
func SetIdentityLDAP ¶
SetIdentityLDAP - One time migration code needed, for migrating from older config to new for LDAPConfig.
Types ¶
type Config ¶
type Config struct {
Enabled bool `json:"enabled"`
// E.g. "ldap.minio.io:636"
ServerAddr string `json:"serverAddr"`
// User DN search parameters
UserDNSearchBaseDistName string `json:"userDNSearchBaseDN"`
UserDNSearchBaseDistNames []string `json:"-"` // Generated field
UserDNSearchFilter string `json:"userDNSearchFilter"`
// Group search parameters
GroupSearchBaseDistName string `json:"groupSearchBaseDN"`
GroupSearchBaseDistNames []string `json:"-"` // Generated field
GroupSearchFilter string `json:"groupSearchFilter"`
// Lookup bind LDAP service account
LookupBindDN string `json:"lookupBindDN"`
LookupBindPassword string `json:"lookupBindPassword"`
// contains filtered or unexported fields
}
Config contains AD/LDAP server connectivity information.
func (*Config) Bind ¶
Bind - binds to ldap, searches LDAP and returns the distinguished name of the user and the list of groups.
func (Config) GetExpiryDuration ¶
GetExpiryDuration - return parsed expiry duration.
func (*Config) GetNonEligibleUserDistNames ¶
GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer present in the LDAP server or do not meet filter criteria anymore
func (Config) IsLDAPUserDN ¶
IsLDAPUserDN determines if the given string could be a user DN from LDAP.
func (*Config) LookupGroupMemberships ¶
func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsernameMap map[string]string) (map[string]set.StringSet, error)
LookupGroupMemberships - for each DN finds the set of LDAP groups they are a member of.
func (*Config) LookupUserDN ¶
LookupUserDN searches for the full DN and groups of a given username
func (*Config) Validate ¶
func (l *Config) Validate() Validation
Validate validates the LDAP configuration. It can be called with any subset of configuration parameters provided by the user - it will return information on what needs to be done to fix the problem if any.
This function updates the UserDNSearchBaseDistNames and GroupSearchBaseDistNames fields of the Config - however this an idempotent operation. This is done to support configuration validation in Console/mc and for tests.
func (*Config) ValidateLookup ¶
func (l *Config) ValidateLookup(testUsername string) (*UserLookupResult, Validation)
ValidateLookup takes a test username and performs user and group lookup (if configured) and returns the result. It is to validate the LDAP configuration. The lookup is performed without requiring the password for the test user - and so can be used to test any LDAP user intending to use MinIO.
type Result ¶
type Result string
Result - type for high-level names for the validation status of the config.
const ( ConfigOk Result = "Config OK" ConnectivityError Result = "LDAP Server Connection Error" LookupBindError Result = "LDAP Lookup Bind Error" UserSearchParamsMisconfigured Result = "User Search Parameters Misconfigured" GroupSearchParamsMisconfigured Result = "Group Search Parameters Misconfigured" UserDNLookupError Result = "User DN Lookup Error" GroupMembershipsLookupError Result = "Group Memberships Lookup Error" )
Constant values for Result type.
type UserLookupResult ¶
UserLookupResult returns the DN found for the test user and their group memberships.
type Validation ¶
Validation returns feedback on the configuration. The `Suggestion` field needs to be "printed" for friendly display (it can contain escaped newlines `\n`).
func (Validation) IsOk ¶
func (v Validation) IsOk() bool
IsOk - returns if the validation succeeded.
Source Files