Documentation ¶
Overview ¶
Package ldap defines the LDAP configuration object and methods used by the MinIO server.
Index ¶
- func DecodeDN(str string) (string, error)
- func NormalizeDN(dn string) (string, error)
- type BaseDNInfo
- type Config
- func (l *Config) Clone() (cloned Config)
- func (l *Config) Connect() (ldapConn *ldap.Conn, err error)
- func (l *Config) GetGroupSearchBaseDistNames() []BaseDNInfo
- func (l *Config) GetUserDNAttributesList() []string
- func (l *Config) GetUserDNSearchBaseDistNames() []BaseDNInfo
- func (l *Config) LookupBind(conn *ldap.Conn) error
- func (l *Config) LookupUsername(conn *ldap.Conn, username string) (*DNSearchResult, error)
- func (l *Config) SearchForUserGroups(conn *ldap.Conn, username, bindDN string) ([]string, error)
- func (l *Config) Validate() Validation
- func (l *Config) ValidateLookup(testUsername string) (*UserLookupResult, Validation)
- type DNSearchResult
- type Result
- type UserLookupResult
- type Validation
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DecodeDN ¶ added in v3.0.6
func DecodeDN(str string) (string, error)
DecodeDN removes leading and trailing spaces from the attribute type and value and unescapes any escaped characters in these fields.
Pulled from the go-ldap library: https://github.com/go-ldap/ldap/blob/dbdc485259442f987d83e604cd4f5859cfc1be58/dn.go
func NormalizeDN ¶
func NormalizeDN(dn string) (string, error)
NormalizeDN normalizes the DN. The underlying ldap library mainly lowercases the attribute type names in the DN.
Types ¶
type BaseDNInfo ¶
type BaseDNInfo struct {
	// User provided base DN.
	Original string
	// DN string returned by the LDAP server. This value is used as the
	// canonical form of the DN.
	ServerDN string
	// Parsed DN (from `ServerDN` value, not `Original`).
	Parsed *ldap.DN
}
BaseDNInfo contains information about a base DN.
type Config ¶
type Config struct {
	Enabled bool

	// E.g. "ldap.minio.io:636"
	ServerAddr     string
	SRVRecordName  string
	ServerInsecure bool        // allows plain text connection to LDAP server
	ServerStartTLS bool        // allows using StartTLS connection to LDAP server
	TLS            *tls.Config // TLS client config

	// Lookup bind LDAP service account
	LookupBindDN       string
	LookupBindPassword string

	// User DN search parameters
	UserDNSearchBaseDistName string
	UserDNSearchFilter       string

	// Additional attributes to fetch from the user DN search.
	UserDNAttributes string

	// Group search parameters
	GroupSearchBaseDistName string
	GroupSearchFilter       string
	// contains filtered or unexported fields
}
Config contains configuration to connect to an LDAP server.
func (*Config) GetGroupSearchBaseDistNames ¶
func (l *Config) GetGroupSearchBaseDistNames() []BaseDNInfo
GetGroupSearchBaseDistNames returns the group search base DN list.
func (*Config) GetUserDNAttributesList ¶
func (l *Config) GetUserDNAttributesList() []string
GetUserDNAttributesList returns the user attributes list.
func (*Config) GetUserDNSearchBaseDistNames ¶
func (l *Config) GetUserDNSearchBaseDistNames() []BaseDNInfo
GetUserDNSearchBaseDistNames returns the user DN search base DN list.
func (*Config) LookupBind ¶
func (l *Config) LookupBind(conn *ldap.Conn) error
LookupBind connects to the LDAP server using the bind user credentials.
func (*Config) LookupUsername ¶
func (l *Config) LookupUsername(conn *ldap.Conn, username string) (*DNSearchResult, error)
LookupUsername searches for the DN of the user given their login username. conn is assumed to be using the lookup bind service account.
It is required that the search return at most one result.
If the user does not exist, an error is returned that starts with:
"User DN not found for:"
func (*Config) SearchForUserGroups ¶
func (l *Config) SearchForUserGroups(conn *ldap.Conn, username, bindDN string) ([]string, error)
SearchForUserGroups finds the groups of the user.
func (*Config) Validate ¶
func (l *Config) Validate() Validation
Validate validates the LDAP configuration. It can be called with any subset of the configuration parameters provided by the user; it returns information on what needs to be done to fix the problem, if any.
This function updates the UserDNSearchBaseDistNames and GroupSearchBaseDistNames fields of the Config; however, this is an idempotent operation. This is done to support configuration validation in Console/mc and for tests.
func (*Config) ValidateLookup ¶
func (l *Config) ValidateLookup(testUsername string) (*UserLookupResult, Validation)
ValidateLookup takes a test username, performs the user lookup and, if configured, the group lookup, and returns the result. It is used to validate the LDAP configuration. The lookup is performed without requiring the password for the test user, so it can be used to test any LDAP user intending to use MinIO.
type DNSearchResult ¶
type DNSearchResult struct {
	// Normalized DN of the user.
	NormDN string
	// Actual DN of the user.
	ActualDN string
	// Attributes of the user.
	Attributes map[string][]string
}
DNSearchResult contains the result of a DN search. The attributes map may be empty if no attributes were requested or if no attributes were found.
type Result ¶
type Result string
Result - type for high-level names for the validation status of the config.
const (
	ConfigOk                       Result = "Config OK"
	ConnectivityError              Result = "LDAP Server Connection Error"
	ConnectionParamMisconfigured   Result = "LDAP Server Connection Parameters Misconfigured"
	LookupBindError                Result = "LDAP Lookup Bind Error"
	UserSearchParamsMisconfigured  Result = "User Search Parameters Misconfigured"
	GroupSearchParamsMisconfigured Result = "Group Search Parameters Misconfigured"
	UserDNLookupError              Result = "User DN Lookup Error"
	GroupMembershipsLookupError    Result = "Group Memberships Lookup Error"
)
Constant values for Result type.
type UserLookupResult ¶
type UserLookupResult struct {
	DN                 string
	DNAttributes       map[string][]string
	GroupDNMemberships []string
}
UserLookupResult returns the DN found for the test user and their group memberships.
type Validation ¶
Validation returns feedback on the configuration. The `Suggestion` field needs to be "printed" for friendly display (it can contain escaped newlines `\n`).
func (Validation) FormatError ¶
func (v Validation) FormatError() string
FormatError returns detailed validation error information.
func (Validation) IsOk ¶
func (v Validation) IsOk() bool
IsOk returns whether the validation succeeded.