[LDAP] Support syncing user-group memberships with LDAP service #12785
Description
When configured in Lookup Bind mode, the server now periodically queries the
LDAP IDP service to find changes to a user's group memberships, and saves this
info to update the access policies for all temporary and service account
credentials belonging to LDAP users.
Motivation and Context
Extension to IDP polling to keep MinIO access credentials in sync with changes in the IDP's data about users.
How to test this PR?
IN PROGRESS
Update 7/24:
Use the ldap server setup at https://github.com/donatello/minio-ldap-testing -
create STS credential or service account for one of the LDAP users and try operations like:
ldapdelete -D 'cn=admin,dc=min,dc=io' -w admin cn=projecta,ou=groups,ou=swengg,dc=min,dc=io
After some time (5 minutes or so), the previously generated credential will have only permissions that apply given the membership changes or group deletions.
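The poll-and-reconcile step the description outlines, as an added illustration that is not MinIO's code or this PR's implementation: two consecutive LDAP snapshots are diffed per user, and only users whose group set changed have their effective policy set recomputed (which is what would then be written back to their STS and service-account credentials). The projecta group DN is the one from the ldapdelete command above; the projectb group, the user DNs, the policy names and the function names (`Diff`, `EffectivePolicies`, `Reconcile`) are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Snapshot is one poll of the directory: user DN -> group DNs.
// Constructed for this example, not a MinIO type.
type Snapshot map[string][]string

// Change lists the groups a user gained or lost between two polls.
type Change struct {
	Added   []string
	Removed []string
}

const (
	// Group DN from the ldapdelete command in the test steps above.
	groupProjectA = "cn=projecta,ou=groups,ou=swengg,dc=min,dc=io"
	// Second group and both user DNs are constructed for this example.
	groupProjectB = "cn=projectb,ou=groups,ou=swengg,dc=min,dc=io"
	user1         = "uid=user1,ou=people,ou=swengg,dc=min,dc=io"
	user2         = "uid=user2,ou=people,ou=swengg,dc=min,dc=io"
)

// Assumed policy mapping: what a group membership or a direct attachment grants.
var GroupPolicies = map[string][]string{
	groupProjectA: {"projecta-rw"},
	groupProjectB: {"projectb-ro"},
}

var UserPolicies = map[string][]string{
	user1: {"user1-home"},
}

// setDiff returns the elements of a that are not in b, sorted.
func setDiff(a, b []string) []string {
	inB := make(map[string]bool, len(b))
	for _, x := range b {
		inB[x] = true
	}
	var out []string
	for _, x := range a {
		if !inB[x] {
			out = append(out, x)
		}
	}
	sort.Strings(out)
	return out
}

// Diff reports, for every user whose memberships changed, the groups added
// and removed. A user absent from cur (deleted, or in no group any more)
// has all previous groups reported as removed.
func Diff(prev, cur Snapshot) map[string]Change {
	users := make(map[string]bool)
	for u := range prev {
		users[u] = true
	}
	for u := range cur {
		users[u] = true
	}
	changes := make(map[string]Change)
	for u := range users {
		added, removed := setDiff(cur[u], prev[u]), setDiff(prev[u], cur[u])
		if len(added) > 0 || len(removed) > 0 {
			changes[u] = Change{Added: added, Removed: removed}
		}
	}
	return changes
}

// EffectivePolicies is the sorted union of directly attached policies and
// the policies of the groups the user currently belongs to.
func EffectivePolicies(user string, groups []string) []string {
	seen := make(map[string]bool)
	for _, p := range UserPolicies[user] {
		seen[p] = true
	}
	for _, g := range groups {
		for _, p := range GroupPolicies[g] {
			seen[p] = true
		}
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// Reconcile returns the new effective policy set for each changed user; only
// these users' cached credential policies need rewriting after a poll.
func Reconcile(prev, cur Snapshot) map[string][]string {
	updated := make(map[string][]string)
	for u := range Diff(prev, cur) {
		updated[u] = EffectivePolicies(u, cur[u])
	}
	return updated
}

func main() {
	// Poll 1: both users in projecta, user1 also in projectb.
	prev := Snapshot{user1: {groupProjectA, groupProjectB}, user2: {groupProjectA}}
	// Poll 2: projecta was deleted, so nobody is reported as a member any more.
	cur := Snapshot{user1: {groupProjectB}}
	for u, p := range Reconcile(prev, cur) {
		fmt.Printf("%s now has policies %v\n", u, p)
	}
}
```

Deleting a group and removing a user from it look identical to the poller (the membership simply stops being returned), so one code path covers both cases in the test steps; a user that has dropped out of every group ends with only directly attached policies, or none.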