fix: ldap: avoid unnecessary import errors (#19547)

Follow up for #19528 If there are multiple existing DN mappings for the same normalized DN, if they all have the same policy mapping value, we pick one of them of them instead of returning an import error.
minio · Apr 18, 2024 · 98f7821 · 98f7821
1 parent 2d3898e
commit 98f7821
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 2 deletions.
diff --git a/cmd/iam.go b/cmd/iam.go
@@ -1621,8 +1621,29 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
 
 	for normKey, origKeys := range normalizedDNKeysMap {
 		if len(origKeys) > 1 {
-			return fmt.Errorf("multiple DNs map to the same LDAP DN[%s]: %v; please remove DNs that are not needed",
-				normKey, origKeys)
+			// If there are multiple DN keys that normalize to the same value,
+			// check if the policy mappings are equal, if they are we don't need
+			// to return an error.
+			policiesDiffer := false
+			firstMappedPolicies := policyMap[origKeys[0]].policySet()
+			for i := 1; i < len(origKeys); i++ {
+				otherMappedPolicies := policyMap[origKeys[i]].policySet()
+				if !firstMappedPolicies.Equals(otherMappedPolicies) {
+					policiesDiffer = true
+					break
+				}
+			}
+
+			if policiesDiffer {
+				return fmt.Errorf("multiple DNs map to the same LDAP DN[%s]: %v; please remove DNs that are not needed",
+					normKey, origKeys)
+			}
+
+			// Policies mapped to the DN's are the same, so we remove the extra
+			// ones from the map.
+			for i := 1; i < len(origKeys); i++ {
+				delete(policyMap, origKeys[i])
+			}
 		}
 
 		// Replacing origKeys[0] with normKey in the policyMap

diff --git a/cmd/sts-handlers_test.go b/cmd/sts-handlers_test.go
@@ -829,11 +829,17 @@ func TestIAMImportAssetWithLDAP(t *testing.T) {
 }
 `,
 		userPolicyMappingsFile: `{}`,
+		// Contains duplicate mapping with same policy, we should not error out.
 		groupPolicyMappingsFile: `{
     "cn=project.c,ou=groups,ou=swengg,DC=min,dc=io": {
         "version": 0,
         "policy": "consoleAdmin",
         "updatedAt": "2024-04-17T23:54:28.442998301Z"
+    },
+    "cn=project.c,ou=groups,OU=swengg,DC=min,DC=io": {
+        "version": 0,
+        "policy": "consoleAdmin",
+        "updatedAt": "2024-04-17T20:54:28.442998301Z"
     }
 }
 `,