
Add LDAP Lookup-Bind mode #11318

Merged (3 commits), Jan 25, 2021

Conversation

@donatello (Member) commented Jan 20, 2021

Description

This change allows the MinIO server to be configured with a special (read-only)
LDAP account to perform user DN lookups.

The following configuration parameters are added (along with corresponding
environment variables) to LDAP identity configuration (under identity_ldap):

  • lookup_bind_dn / MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN
  • lookup_bind_password / MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
  • user_dn_search_base_dn / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN
  • user_dn_search_filter / MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER

This lookup-bind account is a service account that is used to look up the user's
DN from their username provided in the STS API. When configured, searching for
the user DN is enabled and configuration of the base DN and filter for search is
required. In this "lookup-bind" mode, username format is not checked and must
not be specified. This feature is to support Active Directory setups where the
DN cannot be simply derived from the username.

When the lookup-bind is not configured, the old behaviour is enabled: the minio
server performs LDAP lookups as the LDAP user making the STS API request and the
username format is checked and configuring it is required.

How to test this PR?

See https://github.com/donatello/minio-ldap-testing

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Documentation updated
  • Unit tests added/updated

@harshavardhana (Member) left a comment

@donatello is this the only complete implementation needed for admin bind? -

Does the admin bind mean mainly to query groups here? such that users don't have permissions to do that?

Review comment on cmd/config/identity/ldap/config.go (outdated, resolved)

@harshavardhana (Member)

@donatello let's also update docs talking about this method as main method for LDAP integration instead of the default simple bind approach.

@donatello (Member, Author)

@donatello is this the only complete implementation needed for admin bind? -

No, this is a start to do it with a bind account in a backwards compatible way. We should perhaps stop calling it an admin bind - we only need some read-only credentials that can look up more parts of the LDAP tree than a typical user. Perhaps LOOKUP_BIND_USER and LOOKUP_BIND_PASSWORD?

Does the admin bind mean mainly to query groups here? such that users don't have permissions to do that?

I think users will have permissions to look up their own groups, but may not be able to look up other places in the hierarchy as we are trying to support multiple sub-trees with ; separated DNs for username format and group base DNs.

@donatello donatello marked this pull request as draft January 21, 2021 18:47
@donatello donatello changed the title Add LDAP Admin-Bind configuration Add LDAP Lookup-Bind mode Jan 21, 2021
@donatello (Member, Author)

@donatello let's also update docs talking about this method as main method for LDAP integration instead of the default simple bind approach.

@harshavardhana I have updated the implementation to perform DN lookups. Will update documentation too.

@donatello donatello marked this pull request as ready for review January 21, 2021 22:44
@donatello (Member, Author)

Docs updated.

@donatello (Member, Author)

Fixed a bug when there are multiple group base DNs to find groups and one of them returns an error saying no matches are present.
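The lookup-bind DN resolution that the PR description specifies, together with the tolerant handling of a search base that reports no matches mentioned in the comment above, as an added Go example that is not MinIO's code. It assumes a `%s` username placeholder in user_dn_search_filter and a `;`-separated user_dn_search_base_dn (the thread states `;` separation only for username format and group base DNs), and replaces the LDAP server with a constructed in-memory map; the RFC 4515 escaping keeps a username from rewriting the filter the service account runs.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrNoSuchObject = errors.New("ldap: no such object") // stands in for LDAP resultCode 32
// Directory is a constructed in-memory stand-in for the LDAP server: base DN -> filter -> DNs.
type Directory map[string]map[string][]string

func (d Directory) Search(baseDN, filter string) ([]string, error) {
	entries, ok := d[baseDN]
	if !ok {
		return nil, ErrNoSuchObject
	}
	return entries[filter], nil
}

// EscapeFilterValue escapes the characters RFC 4515 reserves in an assertion value,
// so a username substituted into the search filter cannot alter the filter's structure.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if c := s[i]; strings.IndexByte("*()\\\x00", c) >= 0 {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// LookupUserDN resolves a username to exactly one DN. searchBaseDNs is ";"-separated and
// searchFilter holds a "%s" username placeholder (both assumed); noSuchObject bases are skipped.
func LookupUserDN(d Directory, searchBaseDNs, searchFilter, username string) (string, error) {
	filter := strings.ReplaceAll(searchFilter, "%s", EscapeFilterValue(username))
	var found []string
	for _, base := range strings.Split(searchBaseDNs, ";") {
		dns, err := d.Search(strings.TrimSpace(base), filter)
		if err != nil && !errors.Is(err, ErrNoSuchObject) {
			return "", err
		}
		found = append(found, dns...) // nil when the base does not exist
	}
	if len(found) != 1 {
		return "", fmt.Errorf("expected exactly one DN for %q, found %d", username, len(found))
	}
	return found[0], nil
}
```

Requiring exactly one match is what lets the subsequent bind as the resolved DN be trusted; zero or several matches are refused rather than guessed.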

@minio-trusted (Contributor)

Mint Automation

Test Result
mint-large-bucket.sh ✔️
mint-fs.sh ✔️
mint-gateway-s3.sh ✔️
mint-erasure.sh ✔️
mint-dist-erasure.sh ✔️
mint-zoned.sh ✔️
mint-gateway-nas.sh ✔️
mint-gateway-azure.sh ✖ (log below)

11318-5a33dfb/mint-gateway-azure.sh.log:

Running with
SERVER_ENDPOINT:      minio-dev6.minio.io:32619
ACCESS_KEY:           minioazure
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0

To get logs, run 'docker cp a8da4376ebb9:/mint/log /tmp/mint-logs'

(1/15) Running aws-sdk-go tests ... done in 9 seconds
(2/15) Running aws-sdk-java tests ... done in 2 seconds
(3/15) Running aws-sdk-php tests ... done in 3 minutes and 3 seconds
(4/15) Running aws-sdk-ruby tests ... done in 21 seconds
(5/15) Running awscli tests ... done in 2 minutes and 59 seconds
(6/15) Running healthcheck tests ... done in 1 seconds
(7/15) Running mc tests ... done in 3 minutes and 58 seconds
(8/15) Running minio-dotnet tests ... done in 1 minutes and 44 seconds
(9/15) Running minio-go tests ... done in 6 minutes and 37 seconds
(10/15) Running minio-java tests ... FAILED in 9 minutes and 2 seconds
(10/15) Running minio-js tests ... done in 2 minutes and 47 seconds
(11/15) Running minio-py tests ... done in 18 minutes and 43 seconds
(12/15) Running s3cmd tests ... done in 2 minutes and 30 seconds
(13/15) Running s3select tests ... done in 1 minutes and 0 seconds
(14/15) Running security tests ... done in 0 seconds

Executed 14 out of 15 tests successfully.

Deleting image on docker hub
Deleting image locally

@harshavardhana harshavardhana merged commit 5f51ef0 into minio:master Jan 25, 2021
@donatello donatello deleted the ldap-manager-dn branch January 26, 2021 01:08