Add LDAP Lookup-Bind mode #11318
Conversation
@donatello is this the only complete implementation needed for admin bind?
Does the admin bind mean mainly to query groups here? Such that users don't have permissions to do that?
@donatello let's also update docs talking about this method as the main method for LDAP integration instead of the default simple bind approach.
No, this is a start to do it with a bind account in a backwards-compatible way. We should perhaps stop calling it an admin bind - we only need some read-only credentials that can look up more parts of the LDAP tree than a typical user. Perhaps
I think users will have permissions to look up their own groups, but may not be able to look up other places in the hierarchy as we are trying to support multiple sub-trees with
This change allows the MinIO server to be configured with a special (read-only) LDAP account to perform user DN lookups. The following configuration parameters are added (along with corresponding environment variables) to the LDAP identity configuration (under `identity_ldap`):

- lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN
- lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
- user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN
- user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER

This lookup-bind account is a service account that is used to look up the user's DN from the username provided in the STS API. When configured, searching for the user DN is enabled, and configuration of the base DN and filter for the search is required. In this "lookup-bind" mode, the username format is not checked and must not be specified. This feature is to support Active Directory setups where the DN cannot be simply derived from the username.

When the lookup-bind is not configured, the old behaviour is enabled: the MinIO server performs LDAP lookups as the LDAP user making the STS API request, and the username format is checked and configuring it is required.
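As an added example (not code from this PR or from MinIO), the mode selection and validation rules described above, together with construction of the user DN search filter, in Go. The struct field names and the `%s` username placeholder in `user_dn_search_filter` are assumptions of this example; the RFC 4515 escaping shows why a service-account search must treat the STS-supplied username as data, not filter syntax.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Config mirrors the identity_ldap settings this PR adds, plus the legacy username format.
type Config struct {
	LookupBindDN, LookupBindPassword, UserDNSearchBaseDN, UserDNSearchFilter string
	UsernameFormat string // legacy (non lookup-bind) mode only
}
func (c Config) LookupBindEnabled() bool { return c.LookupBindDN != "" }

// Validate enforces the PR's rules: lookup-bind mode needs a search base DN and filter
// and forbids a username format; legacy mode needs the username format.
func (c Config) Validate() error {
	if c.LookupBindEnabled() {
		if c.UserDNSearchBaseDN == "" || c.UserDNSearchFilter == "" {
			return errors.New("lookup-bind mode: search base DN and filter are required")
		}
		if c.UsernameFormat != "" {
			return errors.New("lookup-bind mode: username format must not be set")
		}
		return nil
	}
	if c.UsernameFormat == "" {
		return errors.New("legacy mode: username format is required")
	}
	return nil
}
// escapeFilterValue applies RFC 4515 escaping so a username from the STS API cannot
// alter the structure of the search filter (e.g. by injecting ")(" or "*").
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch ch := s[i]; ch {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, "\\%02x", ch) // \5c, \2a, \28, \29, \00
		default:
			b.WriteByte(ch)
		}
	}
	return b.String()
}

// UserSearchFilter substitutes the escaped username into the template ("%s" placeholder assumed).
func (c Config) UserSearchFilter(username string) string {
	return strings.ReplaceAll(c.UserDNSearchFilter, "%s", escapeFilterValue(username))
}
```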
3c0b3b4 to 2c572de
@harshavardhana I have updated the implementation to perform DN lookups. Will update documentation too.
Docs updated.
Fixed a bug when there are multiple group base DNs to find groups and one of them returns an error saying no matches are present.
Mint Automation
11318-5a33dfb/mint-gateway-azure.sh.log:
Deleting image on docker hub
How to test this PR?
See https://github.com/donatello/minio-ldap-testing