ldap

package
v0.2.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 6, 2023 License: AGPL-3.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

View Source
const (
	ServerAddr         = "server_addr"
	SRVRecordName      = "srv_record_name"
	LookupBindDN       = "lookup_bind_dn"
	LookupBindPassword = "lookup_bind_password"
	UserDNSearchBaseDN = "user_dn_search_base_dn"
	UserDNSearchFilter = "user_dn_search_filter"
	GroupSearchFilter  = "group_search_filter"
	GroupSearchBaseDN  = "group_search_base_dn"
	TLSSkipVerify      = "tls_skip_verify"
	ServerInsecure     = "server_insecure"
	ServerStartTLS     = "server_starttls"

	EnvServerAddr         = "MINIO_IDENTITY_LDAP_SERVER_ADDR"
	EnvSRVRecordName      = "MINIO_IDENTITY_LDAP_SRV_RECORD_NAME"
	EnvTLSSkipVerify      = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"
	EnvServerInsecure     = "MINIO_IDENTITY_LDAP_SERVER_INSECURE"
	EnvServerStartTLS     = "MINIO_IDENTITY_LDAP_SERVER_STARTTLS"
	EnvUsernameFormat     = "MINIO_IDENTITY_LDAP_USERNAME_FORMAT"
	EnvUserDNSearchBaseDN = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN"
	EnvUserDNSearchFilter = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER"
	EnvGroupSearchFilter  = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER"
	EnvGroupSearchBaseDN  = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN"
	EnvLookupBindDN       = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN"
	EnvLookupBindPassword = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD"
)

LDAP keys and envs.

Variables

View Source
var (
	DefaultKVS = config.KVS{
		config.KV{
			Key:   config.Enable,
			Value: "",
		},
		config.KV{
			Key:   ServerAddr,
			Value: "",
		},
		config.KV{
			Key:   SRVRecordName,
			Value: "",
		},
		config.KV{
			Key:   UserDNSearchBaseDN,
			Value: "",
		},
		config.KV{
			Key:   UserDNSearchFilter,
			Value: "",
		},
		config.KV{
			Key:   GroupSearchFilter,
			Value: "",
		},
		config.KV{
			Key:   GroupSearchBaseDN,
			Value: "",
		},
		config.KV{
			Key:   TLSSkipVerify,
			Value: config.EnableOff,
		},
		config.KV{
			Key:   ServerInsecure,
			Value: config.EnableOff,
		},
		config.KV{
			Key:   ServerStartTLS,
			Value: config.EnableOff,
		},
		config.KV{
			Key:   LookupBindDN,
			Value: "",
		},
		config.KV{
			Key:   LookupBindPassword,
			Value: "",
		},
	}
)

DefaultKVS - default config for LDAP config

View Source
var ErrProviderConfigNotFound = errors.New("provider configuration not found")

ErrProviderConfigNotFound - represents a non-existing provider error.

View Source
var (
	Help = config.HelpKVS{
		config.HelpKV{
			Key:         ServerAddr,
			Description: `AD/LDAP server address e.g. "myldap.com" or "myldapserver.com:636"` + defaultHelpPostfix(ServerAddr),
			Type:        "address",
			Sensitive:   true,
		},
		config.HelpKV{
			Key:         SRVRecordName,
			Description: `DNS SRV record name for LDAP service, if given, must be one of "ldap", "ldaps" or "on"` + defaultHelpPostfix(SRVRecordName),
			Optional:    true,
			Type:        "string",
			Sensitive:   false,
		},
		config.HelpKV{
			Key:         LookupBindDN,
			Description: `DN for LDAP read-only service account used to perform DN and group lookups` + defaultHelpPostfix(LookupBindDN),
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
		},
		config.HelpKV{
			Key:         LookupBindPassword,
			Description: `Password for LDAP read-only service account used to perform DN and group lookups` + defaultHelpPostfix(LookupBindPassword),
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
			Secret:      true,
		},
		config.HelpKV{
			Key:         UserDNSearchBaseDN,
			Description: `";" separated list of user search base DNs e.g. "dc=myldapserver,dc=com"` + defaultHelpPostfix(UserDNSearchBaseDN),
			Optional:    true,
			Type:        "list",
		},
		config.HelpKV{
			Key:         UserDNSearchFilter,
			Description: `Search filter to lookup user DN` + defaultHelpPostfix(UserDNSearchFilter),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         GroupSearchFilter,
			Description: `search filter for groups e.g. "(&(objectclass=groupOfNames)(memberUid=%s))"` + defaultHelpPostfix(GroupSearchFilter),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         GroupSearchBaseDN,
			Description: `";" separated list of group search base DNs e.g. "dc=myldapserver,dc=com"` + defaultHelpPostfix(GroupSearchBaseDN),
			Optional:    true,
			Type:        "list",
		},
		config.HelpKV{
			Key:         TLSSkipVerify,
			Description: `trust server TLS without verification` + defaultHelpPostfix(TLSSkipVerify),
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         ServerInsecure,
			Description: `allow plain text connection to AD/LDAP server` + defaultHelpPostfix(ServerInsecure),
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         ServerStartTLS,
			Description: `use StartTLS connection to AD/LDAP server` + defaultHelpPostfix(ServerStartTLS),
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         config.Comment,
			Description: config.DefaultComment,
			Optional:    true,
			Type:        "sentence",
		},
	}
)

Help template for LDAP identity feature.

Functions

func Enabled

func Enabled(kvs config.KVS) bool

Enabled returns if LDAP config is enabled.

func SetIdentityLDAP

func SetIdentityLDAP(s config.Config, ldapArgs LegacyConfig)

SetIdentityLDAP - One time migration code needed, for migrating from older config to new for LDAPConfig.

Types

type Config

type Config struct {
	LDAP ldap.Config
	// contains filtered or unexported fields
}

Config contains AD/LDAP server connectivity information.

func Lookup

func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error)

Lookup - initializes LDAP config, overrides config, if any ENV values are set.

func (*Config) Bind

func (l *Config) Bind(username, password string) (string, []string, error)

Bind - binds to ldap, searches LDAP and returns the distinguished name of the user and the list of groups.

func (*Config) Clone

func (l *Config) Clone() Config

Clone returns a cloned copy of LDAP config.

func (*Config) DoesGroupDNExist

func (l *Config) DoesGroupDNExist(groupDN string) (bool, error)

DoesGroupDNExist checks if the given group DN exists in the LDAP directory.

func (*Config) DoesUsernameExist

func (l *Config) DoesUsernameExist(username string) (string, error)

DoesUsernameExist checks if the given username exists in the LDAP directory. The given username could be just the short "login" username or the full DN. When the username is found, the full DN is returned, otherwise the returned string is empty. If the user is not found, err = nil, otherwise, err != nil.

func (*Config) Enabled

func (l *Config) Enabled() bool

Enabled returns if LDAP is enabled.

func (*Config) GetConfigInfo

func (l *Config) GetConfigInfo(s config.Config, cfgName string) ([]madmin.IDPCfgInfo, error)

GetConfigInfo - returns config details for an LDAP configuration.

func (*Config) GetConfigList

func (l *Config) GetConfigList(s config.Config) ([]madmin.IDPListItem, error)

GetConfigList - returns a list of LDAP configurations.

func (Config) GetExpiryDuration

func (l Config) GetExpiryDuration(dsecs string) (time.Duration, error)

GetExpiryDuration - return parsed expiry duration.

func (*Config) GetNonEligibleUserDistNames

func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error)

GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer present in the LDAP server or do not meet filter criteria anymore

func (Config) IsLDAPGroupDN

func (l Config) IsLDAPGroupDN(user string) bool

IsLDAPGroupDN determines if the given string could be a group DN from LDAP.

func (Config) IsLDAPUserDN

func (l Config) IsLDAPUserDN(user string) bool

IsLDAPUserDN determines if the given string could be a user DN from LDAP.

func (*Config) LookupGroupMemberships

func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsernameMap map[string]string) (map[string]set.StringSet, error)

LookupGroupMemberships - for each DN finds the set of LDAP groups they are a member of.

func (*Config) LookupUserDN

func (l *Config) LookupUserDN(username string) (string, []string, error)

LookupUserDN searches for the full DN and groups of a given username

type LegacyConfig

type LegacyConfig struct {
	Enabled bool `json:"enabled"`

	// E.g. "ldap.minio.io:636"
	ServerAddr string `json:"serverAddr"`

	// User DN search parameters
	UserDNSearchBaseDistName  string   `json:"userDNSearchBaseDN"`
	UserDNSearchBaseDistNames []string `json:"-"` // Generated field
	UserDNSearchFilter        string   `json:"userDNSearchFilter"`

	// Group search parameters
	GroupSearchBaseDistName  string   `json:"groupSearchBaseDN"`
	GroupSearchBaseDistNames []string `json:"-"` // Generated field
	GroupSearchFilter        string   `json:"groupSearchFilter"`

	// Lookup bind LDAP service account
	LookupBindDN       string `json:"lookupBindDN"`
	LookupBindPassword string `json:"lookupBindPassword"`
}

LegacyConfig contains AD/LDAP server connectivity information from old config V33.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL