fix: user DN filtering that causes some unnecessary logs (#13584)
Additionally, remove the unnecessary `isUsingLookupBind` field in the LDAP struct
This commit is contained in:
Aditya Manthramurthy
GitHub
parent
c3d24fb26d
commit
947c423824
|
|
@ -286,7 +286,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
|
|||
}
|
||||
}
|
||||
}()
|
||||
case globalLDAPConfig.EnabledWithLookupBind():
|
||||
case globalLDAPConfig.Enabled:
|
||||
go func() {
|
||||
ticker := time.NewTicker(sys.iamRefreshInterval)
|
||||
defer ticker.Stop()
|
||||
|
|
@ -843,7 +843,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
|
|||
allDistNames = append(allDistNames, parentUser)
|
||||
}
|
||||
|
||||
expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(parentUsers)
|
||||
expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(allDistNames)
|
||||
if err != nil {
|
||||
// Log and return on error - perhaps it'll work the next time.
|
||||
logger.LogIf(GlobalContext, err)
|
||||
|
|
|
|||
|
|
@ -67,7 +67,6 @@ type Config struct {
|
|||
tlsSkipVerify bool // allows skipping TLS verification
|
||||
serverInsecure bool // allows plain text connection to LDAP server
|
||||
serverStartTLS bool // allows using StartTLS connection to LDAP server
|
||||
isUsingLookupBind bool
|
||||
rootCAs *x509.CertPool
|
||||
}
|
||||
|
||||
|
|
@ -240,10 +239,6 @@ func (l *Config) searchForUserGroups(conn *ldap.Conn, username, bindDN string) (
|
|||
|
||||
// LookupUserDN searches for the full DN and groups of a given username
|
||||
func (l *Config) LookupUserDN(username string) (string, []string, error) {
|
||||
if !l.isUsingLookupBind {
|
||||
return "", nil, errors.New("current lookup mode does not support searching for User DN")
|
||||
}
|
||||
|
||||
conn, err := l.Connect()
|
||||
if err != nil {
|
||||
return "", nil, err
|
||||
|
|
@ -386,10 +381,6 @@ func (l Config) IsLDAPUserDN(user string) bool {
|
|||
// GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer
|
||||
// present in the LDAP server or do not meet filter criteria anymore
|
||||
func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error) {
|
||||
if !l.isUsingLookupBind {
|
||||
return nil, errors.New("current LDAP configuration does not permit looking for expired user accounts")
|
||||
}
|
||||
|
||||
conn, err := l.Connect()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
@ -410,7 +401,7 @@ func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string,
|
|||
dn,
|
||||
ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
|
||||
filter,
|
||||
[]string{}, // only need DN, so no pass no attributes here
|
||||
[]string{}, // only need DN, so pass no attributes here
|
||||
nil,
|
||||
)
|
||||
|
||||
|
|
@ -435,10 +426,6 @@ func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string,
|
|||
// LookupGroupMemberships - for each DN finds the set of LDAP groups they are a
|
||||
// member of.
|
||||
func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsernameMap map[string]string) (map[string]set.StringSet, error) {
|
||||
if !l.isUsingLookupBind {
|
||||
return nil, errors.New("current LDAP configuration does not permit this lookup")
|
||||
}
|
||||
|
||||
conn, err := l.Connect()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
@ -463,12 +450,7 @@ func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsername
|
|||
return res, nil
|
||||
}
|
||||
|
||||
// EnabledWithLookupBind - checks if ldap IDP is enabled in lookup bind mode.
|
||||
func (l Config) EnabledWithLookupBind() bool {
|
||||
return l.Enabled && l.isUsingLookupBind
|
||||
}
|
||||
|
||||
// Enabled returns if jwks is enabled.
|
||||
// Enabled returns if LDAP config is enabled.
|
||||
func Enabled(kvs config.KVS) bool {
|
||||
return kvs.Get(ServerAddr) != ""
|
||||
}
|
||||
|
|
@ -516,11 +498,13 @@ func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error) {
|
|||
|
||||
// Lookup bind user configuration
|
||||
lookupBindDN := env.Get(EnvLookupBindDN, kvs.Get(LookupBindDN))
|
||||
if lookupBindDN == "" {
|
||||
return l, errors.New("Lookup Bind DN is required")
|
||||
}
|
||||
lookupBindPassword := env.Get(EnvLookupBindPassword, kvs.Get(LookupBindPassword))
|
||||
if lookupBindDN != "" {
|
||||
l.LookupBindDN = lookupBindDN
|
||||
l.LookupBindPassword = lookupBindPassword
|
||||
l.isUsingLookupBind = true
|
||||
|
||||
// User DN search configuration
|
||||
userDNSearchBaseDN := env.Get(EnvUserDNSearchBaseDN, kvs.Get(UserDNSearchBaseDN))
|
||||
|
|
@ -532,11 +516,6 @@ func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error) {
|
|||
l.UserDNSearchFilter = userDNSearchFilter
|
||||
}
|
||||
|
||||
// Lookup bind mode is mandatory
|
||||
if !l.isUsingLookupBind {
|
||||
return l, errors.New("Lookup Bind mode is required")
|
||||
}
|
||||
|
||||
// Test connection to LDAP server.
|
||||
if err := l.testConnection(); err != nil {
|
||||
return l, fmt.Errorf("Connection test for LDAP server failed: %w", err)
|
||||
|
|
|
|||
Loading…
Reference in New Issue