Merge pull request #8168 from linuxbox2/rgw-ldap-fixes

Rgw ldap fixes Reviewed-by: Yehuda Sadeh <yehuda@redhat.com>
ceph · Mar 16, 2016 · 7789e18 · 7789e18
2 parents eaa9338 + 1539d90
commit 7789e18
Show file tree

Hide file tree

Showing 9 changed files with 70 additions and 18 deletions.
diff --git a/cmake/modules/FindOpenLdap.cmake b/cmake/modules/FindOpenLdap.cmake
@@ -31,6 +31,7 @@ else (OPENLDAP_FOUND)
   endif (NOT OPENLDAP_INCLUDE_DIR)
 endif (OPENLDAP_FOUND)
 
+add_definitions(-DHAVE_OPENLDAP)
 set(OPENLDAP_LIBS ${LIBLDAP} ${LIBLBER})
 
 mark_as_advanced(

diff --git a/configure.ac b/configure.ac
@@ -1279,6 +1279,19 @@ AS_IF([test "x$with_eventfd" != xno],
                      [AC_DEFINE(HAVE_EVENTFD, 1, [Have eventfd extension.])])])
 AM_CONDITIONAL(WITH_EVENTFD, [ test "$with_eventfd" = "yes" ])
 
+# disable OpenLDAP support
+AC_ARG_WITH([openldap],
+            [AS_HELP_STRING([--without-openldap], [Disable OpenLDAP support (RGW)])])
+if test "x$with_openldap" != "xno"; then
+   AC_CHECK_HEADER([ldap.h], [],
+      AC_MSG_ERROR([ldap.h not found (openldap-dev, openldap-devel)]))
+    AC_CHECK_LIB([ldap], [ldap_initialize], [true],
+      AC_MSG_FAILURE([libldap not found]))
+   AC_DEFINE([HAVE_OPENLDAP], [1], [Defined if OpenLDAP enabled])
+   have_openldap="yes"
+fi
+AM_CONDITIONAL(WITH_OPENLDAP, [ test "$have_openldap" = "yes" ])
+
 # Checks for typedefs, structures, and compiler characteristics.
 #AC_HEADER_STDBOOL
 #AC_C_CONST

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -1124,6 +1124,11 @@ if(${WITH_KVS})
 endif(${WITH_KVS})
 
 if(${WITH_RADOSGW})
+
+  if(${HAVE_OPENLDAP})
+    set(rgw_ldap_srcs rgw/rgw_ldap.cc)
+  endif(${HAVE_OPENLDAP})
+
   set(rgw_a_srcs
     rgw/rgw_acl.cc
     rgw/rgw_acl_s3.cc
@@ -1145,7 +1150,7 @@ if(${WITH_RADOSGW})
     rgw/rgw_http_client.cc
     rgw/rgw_json_enc.cc
     rgw/rgw_keystone.cc
-    rgw/rgw_ldap.cc
+    ${rgw_ldap_srcs}
     rgw/rgw_loadgen.cc
     rgw/rgw_log.cc
     rgw/rgw_metadata.cc

diff --git a/src/common/config_opts.h b/src/common/config_opts.h
@@ -1251,8 +1251,8 @@ OPTION(rgw_ldap_uri, OPT_STR, "ldaps://<ldap.your.domain>")
 OPTION(rgw_ldap_binddn, OPT_STR, "uid=admin,cn=users,dc=example,dc=com")
 /* rgw_ldap_searchdn  LDAP search base (basedn) */
 OPTION(rgw_ldap_searchdn, OPT_STR, "cn=users,cn=accounts,dc=example,dc=com")
-/* rgw_ldap_memberattr  LDAP attribute containing RGW user names */
-OPTION(rgw_ldap_memberattr, OPT_STR, "uid")
+/* rgw_ldap_dnattr  LDAP attribute containing RGW user names (to form binddns)*/
+OPTION(rgw_ldap_dnattr, OPT_STR, "uid")
 /* rgw_ldap_secret  file containing credentials for rgw_ldap_binddn */
 OPTION(rgw_ldap_secret, OPT_STR, "/etc/openldap/secret")
 /* rgw_s3_auth_use_ldap  use LDAP for RGW auth? */

diff --git a/src/rgw/Makefile.am b/src/rgw/Makefile.am
@@ -44,7 +44,6 @@ librgw_la_SOURCES = \
 	rgw/rgw_http_client.cc \
 	rgw/rgw_json_enc.cc \
 	rgw/rgw_keystone.cc \
-	rgw/rgw_ldap.cc \
 	rgw/rgw_loadgen.cc \
 	rgw/rgw_log.cc \
 	rgw/rgw_metadata.cc \
@@ -92,6 +91,10 @@ librgw_la_SOURCES = \
 	rgw/rgw_xml_enc.cc \
 	rgw/rgw_website.cc
 
+if WITH_OPENLDAP
+librgw_la_SOURCES += rgw/rgw_ldap.cc
+endif
+
 librgw_la_CXXFLAGS = -Woverloaded-virtual -fPIC -I$(srcdir)/xxHash \
 	${AM_CXXFLAGS}
 # noinst_LTLIBRARIES += librgw.la

diff --git a/src/rgw/librgw.cc b/src/rgw/librgw.cc
@@ -467,11 +467,11 @@ namespace rgw {
     const string& ldap_uri = store->ctx()->_conf->rgw_ldap_uri;
     const string& ldap_binddn = store->ctx()->_conf->rgw_ldap_binddn;
     const string& ldap_searchdn = store->ctx()->_conf->rgw_ldap_searchdn;
-    const string& ldap_memberattr =
-      store->ctx()->_conf->rgw_ldap_memberattr;
+    const string& ldap_dnattr =
+      store->ctx()->_conf->rgw_ldap_dnattr;
 
     ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_searchdn,
-			      ldap_memberattr);
+			      ldap_dnattr);
     ldh->init();
     ldh->bind();
 

diff --git a/src/rgw/rgw_ldap.h b/src/rgw/rgw_ldap.h
@@ -15,19 +15,21 @@
 
 namespace rgw {
 
+#if defined(HAVE_OPENLDAP)
+
   class LDAPHelper
   {
     std::string uri;
     std::string binddn;
     std::string searchdn;
-    std::string memberattr;
+    std::string dnattr;
     LDAP *ldap;
 
   public:
     LDAPHelper(std::string _uri, std::string _binddn, std::string _searchdn,
-	      std::string _memberattr)
+	      std::string _dnattr)
       : uri(std::move(_uri)), binddn(std::move(_binddn)), searchdn(_searchdn),
-	memberattr(_memberattr), ldap(nullptr) {
+	dnattr(_dnattr), ldap(nullptr) {
       // nothing
     }
 
@@ -57,11 +59,11 @@ namespace rgw {
       int ret;
       std::string filter;
       filter = "(";
-      filter += memberattr;
+      filter += dnattr;
       filter += "=";
       filter += uid;
       filter += ")";
-      char *attrs[] = { const_cast<char*>(memberattr.c_str()), nullptr };
+      char *attrs[] = { const_cast<char*>(dnattr.c_str()), nullptr };
       LDAPMessage *answer, *entry;
       ret = ldap_search_s(ldap, searchdn.c_str(), LDAP_SCOPE_SUBTREE,
 			  filter.c_str(), attrs, 0, &answer);
@@ -80,7 +82,35 @@ namespace rgw {
 	ldap_unbind(ldap);
     }
 
-  };
+  }; /* LDAPHelper */
+
+#else
+
+  class LDAPHelper
+  {
+  public:
+    LDAPHelper(std::string _uri, std::string _binddn, std::string _searchdn,
+	      std::string _dnattr)
+      {}
+
+    int init() {
+      return -ENOTSUP;
+    }
+
+    int bind() {
+      return -ENOTSUP;
+    }
+
+    int auth(const std::string uid, const std::string pwd) {
+      return -EACCES;
+    }
+
+    ~LDAPHelper() {}
+
+  }; /* LDAPHelper */
+
+
+#endif /* HAVE_OPENLDAP */
 
 } /* namespace rgw */
 

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
@@ -2903,11 +2903,11 @@ void RGW_Auth_S3::init_impl(RGWRados* store)
   const string& ldap_uri = store->ctx()->_conf->rgw_ldap_uri;
   const string& ldap_binddn = store->ctx()->_conf->rgw_ldap_binddn;
   const string& ldap_searchdn = store->ctx()->_conf->rgw_ldap_searchdn;
-  const string& ldap_memberattr =
-    store->ctx()->_conf->rgw_ldap_memberattr;
+  const string& ldap_dnattr =
+    store->ctx()->_conf->rgw_ldap_dnattr;
 
   ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_searchdn,
-			    ldap_memberattr);
+			    ldap_dnattr);
 
   ldh->init();
   ldh->bind();

diff --git a/src/test/test_rgw_ldap.cc b/src/test/test_rgw_ldap.cc
@@ -44,9 +44,9 @@ namespace {
   string ldap_uri = "ldaps://f23-kdc.rgw.com";
   string ldap_binddn = "uid=admin,cn=users,cn=accounts,dc=rgw,dc=com";
   string ldap_searchdn = "cn=users,cn=accounts,dc=rgw,dc=com";
-  string ldap_memberattr = "uid";
+  string ldap_dnattr = "uid";
 
-  rgw::LDAPHelper ldh(ldap_uri, ldap_binddn, ldap_searchdn, ldap_memberattr);
+  rgw::LDAPHelper ldh(ldap_uri, ldap_binddn, ldap_searchdn, ldap_dnattr);
 
 } /* namespace */