Index ¶
- Constants
- Variables
- func Enabled(kvs config.KVS) bool
- func SetIdentityLDAP(s config.Config, ldapArgs LegacyConfig)
- type Config
- func (l *Config) Bind(username, password string) (string, []string, error)
- func (l *Config) Clone() Config
- func (l *Config) Enabled() bool
- func (l *Config) GetConfigInfo(s config.Config, cfgName string) ([]madmin.IDPCfgInfo, error)
- func (l *Config) GetConfigList(s config.Config) ([]madmin.IDPListItem, error)
- func (l Config) GetExpiryDuration(dsecs string) (time.Duration, error)
- func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error)
- func (l *Config) GetValidatedDNForUsername(username string) (string, error)
- func (l *Config) GetValidatedDNUnderBaseDN(conn *ldap.Conn, dn string, baseDNList []xldap.BaseDNInfo) (string, bool, error)
- func (l *Config) GetValidatedGroupDN(conn *ldap.Conn, groupDN string) (string, bool, error)
- func (l *Config) GetValidatedUserDN(conn *ldap.Conn, userDN string) (string, bool, error)
- func (l Config) IsLDAPGroupDN(group string) bool
- func (l Config) IsLDAPUserDN(user string) bool
- func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsernameMap map[string]string) (map[string]set.StringSet, error)
- func (l *Config) LookupUserDN(username string) (string, []string, error)
- func (l Config) ParsesAsDN(dn string) bool
- type LegacyConfig
Constants ¶
// LDAP keys and envs.
//
// The first group names the keys of the LDAP identity configuration (their
// defaults are listed in DefaultKVS and their descriptions in Help); the
// Env* group names the environment variables that carry the same settings.
const (
	ServerAddr         = "server_addr"
	SRVRecordName      = "srv_record_name"
	LookupBindDN       = "lookup_bind_dn"
	LookupBindPassword = "lookup_bind_password" // credential of the read-only lookup account; the only key flagged Secret in Help
	UserDNSearchBaseDN = "user_dn_search_base_dn"
	UserDNSearchFilter = "user_dn_search_filter"
	GroupSearchFilter  = "group_search_filter"
	GroupSearchBaseDN  = "group_search_base_dn"
	TLSSkipVerify      = "tls_skip_verify" // "on" trusts the server TLS certificate without verification (see Help)
	ServerInsecure     = "server_insecure" // "on" allows a plain-text (non-TLS) connection to the server (see Help)
	ServerStartTLS     = "server_starttls" // "on" upgrades the connection with StartTLS (see Help)

	EnvServerAddr         = "MINIO_IDENTITY_LDAP_SERVER_ADDR"
	EnvSRVRecordName      = "MINIO_IDENTITY_LDAP_SRV_RECORD_NAME"
	EnvTLSSkipVerify      = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"
	EnvServerInsecure     = "MINIO_IDENTITY_LDAP_SERVER_INSECURE"
	EnvServerStartTLS     = "MINIO_IDENTITY_LDAP_SERVER_STARTTLS"
	EnvUsernameFormat     = "MINIO_IDENTITY_LDAP_USERNAME_FORMAT" // no matching config key constant is declared in this block
	EnvUserDNSearchBaseDN = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN"
	EnvUserDNSearchFilter = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER"
	EnvGroupSearchFilter  = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER"
	EnvGroupSearchBaseDN  = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN"
	EnvLookupBindDN       = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN"
	EnvLookupBindPassword = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD" // secret value; environment of the process must be protected accordingly
)
Variables ¶
// DefaultKVS - default config for LDAP config
//
// All three connection-security toggles (TLSSkipVerify, ServerInsecure,
// ServerStartTLS) default to config.EnableOff, so a configuration that does
// not set them keeps certificate verification on and does not permit a
// plain-text connection (per their Help descriptions). Every other key,
// including the lookup bind credentials, defaults to the empty string.
var (
	DefaultKVS = config.KVS{
		config.KV{
			Key:   config.Enable,
			Value: "",
		},
		config.KV{
			Key:   ServerAddr,
			Value: "",
		},
		config.KV{
			Key:   SRVRecordName,
			Value: "",
		},
		config.KV{
			Key:   UserDNSearchBaseDN,
			Value: "",
		},
		config.KV{
			Key:   UserDNSearchFilter,
			Value: "",
		},
		config.KV{
			Key:   GroupSearchFilter,
			Value: "",
		},
		config.KV{
			Key:   GroupSearchBaseDN,
			Value: "",
		},
		// Secure-by-default: verification on.
		config.KV{
			Key:   TLSSkipVerify,
			Value: config.EnableOff,
		},
		// Secure-by-default: plain-text connections not allowed.
		config.KV{
			Key:   ServerInsecure,
			Value: config.EnableOff,
		},
		config.KV{
			Key:   ServerStartTLS,
			Value: config.EnableOff,
		},
		config.KV{
			Key:   LookupBindDN,
			Value: "",
		},
		config.KV{
			Key:   LookupBindPassword,
			Value: "",
		},
	}
)
// ErrProviderConfigNotFound - represents a non-existing provider error.
//
// Sentinel value for a requested provider configuration that does not
// exist; callers should compare with errors.Is rather than ==.
var ErrProviderConfigNotFound = errors.New("provider configuration not found")
// Help template for LDAP identity feature.
//
// Entries flagged Sensitive (ServerAddr, LookupBindDN, LookupBindPassword)
// identify values that reveal deployment details; LookupBindPassword is in
// addition the only entry flagged Secret, as it is a credential.
var (
	Help = config.HelpKVS{
		config.HelpKV{
			Key:         ServerAddr,
			Description: `AD/LDAP server address e.g. "myldap.com" or "myldapserver.com:636"` + defaultHelpPostfix(ServerAddr),
			Type:        "address",
			Sensitive:   true,
		},
		config.HelpKV{
			Key:         SRVRecordName,
			Description: `DNS SRV record name for LDAP service, if given, must be one of "ldap", "ldaps" or "on"` + defaultHelpPostfix(SRVRecordName),
			Optional:    true,
			Type:        "string",
			Sensitive:   false,
		},
		config.HelpKV{
			Key:         LookupBindDN,
			Description: `DN for LDAP read-only service account used to perform DN and group lookups` + defaultHelpPostfix(LookupBindDN),
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
		},
		// The service-account password: Sensitive and Secret.
		config.HelpKV{
			Key:         LookupBindPassword,
			Description: `Password for LDAP read-only service account used to perform DN and group lookups` + defaultHelpPostfix(LookupBindPassword),
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
			Secret:      true,
		},
		config.HelpKV{
			Key:         UserDNSearchBaseDN,
			Description: `";" separated list of user search base DNs e.g. "dc=myldapserver,dc=com"` + defaultHelpPostfix(UserDNSearchBaseDN),
			Optional:    true,
			Type:        "list",
		},
		config.HelpKV{
			Key:         UserDNSearchFilter,
			Description: `Search filter to lookup user DN` + defaultHelpPostfix(UserDNSearchFilter),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         GroupSearchFilter,
			Description: `search filter for groups e.g. "(&(objectclass=groupOfNames)(memberUid=%s))"` + defaultHelpPostfix(GroupSearchFilter),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key: GroupSearchBaseDN,
			// NOTE(review): the line break inside this raw string is reproduced
			// as shown on the page; confirm against the source whether it is real.
			Description: `";" separated list of group search base DNs e.g. 
"dc=myldapserver,dc=com"` + defaultHelpPostfix(GroupSearchBaseDN),
			Optional: true,
			Type:     "list",
		},
		// Connection-security toggles; all three default to off in DefaultKVS.
		config.HelpKV{
			Key:         TLSSkipVerify,
			Description: `trust server TLS without verification` + defaultHelpPostfix(TLSSkipVerify),
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         ServerInsecure,
			Description: `allow plain text connection to AD/LDAP server` + defaultHelpPostfix(ServerInsecure),
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         ServerStartTLS,
			Description: `use StartTLS connection to AD/LDAP server` + defaultHelpPostfix(ServerStartTLS),
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         config.Comment,
			Description: config.DefaultComment,
			Optional:    true,
			Type:        "sentence",
		},
	}
)
Functions ¶
func SetIdentityLDAP ¶
func SetIdentityLDAP(s config.Config, ldapArgs LegacyConfig)
SetIdentityLDAP - one-time migration code for converting the older LDAP config (LegacyConfig) into the new LDAPConfig key/value form.
Types ¶
type Config ¶
Config contains AD/LDAP server connectivity information.
func (*Config) Bind ¶
Bind - binds to ldap, searches LDAP and returns the distinguished name of the user and the list of groups.
func (*Config) GetConfigInfo ¶
GetConfigInfo - returns config details for an LDAP configuration.
func (*Config) GetConfigList ¶
GetConfigList - returns a list of LDAP configurations.
func (Config) GetExpiryDuration ¶
GetExpiryDuration - return parsed expiry duration.
func (*Config) GetNonEligibleUserDistNames ¶
GetNonEligibleUserDistNames - finds user accounts (DNs) that are no longer present in the LDAP server or that no longer match the configured search filter.
func (*Config) GetValidatedDNForUsername ¶
GetValidatedDNForUsername checks if the given username exists in the LDAP directory. The given username could be just the short "login" username or the full DN.
When the username/DN is found, the full DN returned by the **server** is returned; otherwise the returned string is empty. The returned value is exactly what the LDAP server sent and is used as-is in minio, because the server performs LDAP-specific normalization (including Unicode normalization).
A user that is not found is not an error: the returned DN is empty and err is nil. A non-nil err means the lookup itself failed, so callers must check err before interpreting an empty DN as "user not found".
func (*Config) GetValidatedDNUnderBaseDN ¶
func (l *Config) GetValidatedDNUnderBaseDN(conn *ldap.Conn, dn string, baseDNList []xldap.BaseDNInfo) (string, bool, error)
GetValidatedDNUnderBaseDN checks if the given DN exists in the LDAP directory and returns the DN value sent by the LDAP server. The value returned by the server may not be equal to the input DN, as LDAP equality is not a simple Golang string equality. However, we assume the value returned by the LDAP server is canonical. Additionally, the attribute type names in the DN are lower-cased.
Return values:
If the DN is found, the normalized (string) value is returned and error is nil.
If the DN is not found, the string returned is empty and the error is nil.
The returned boolean is true iff the DN is found under one of the LDAP subtrees listed in `baseDNList`.
func (*Config) GetValidatedGroupDN ¶
GetValidatedGroupDN validates the given group DN. If conn is nil, creates a connection. The returned boolean is true iff the group DN is found under one of the configured LDAP base DNs.
func (*Config) GetValidatedUserDN ¶
GetValidatedUserDN validates the given user DN. Will error out if conn is nil. The returned boolean is true iff the user DN is found under one of the LDAP user base DNs.
func (Config) IsLDAPGroupDN ¶
IsLDAPGroupDN determines if the given string could be a group DN from LDAP.
func (Config) IsLDAPUserDN ¶
IsLDAPUserDN determines if the given string could be a user DN from LDAP.
func (*Config) LookupGroupMemberships ¶
func (l *Config) LookupGroupMemberships(userDistNames []string, userDNToUsernameMap map[string]string) (map[string]set.StringSet, error)
LookupGroupMemberships - for each DN finds the set of LDAP groups they are a member of.
func (*Config) LookupUserDN ¶
LookupUserDN searches for the full DN and groups of a given short/login username.
func (Config) ParsesAsDN ¶
ParsesAsDN determines if the given string could be a valid DN based on parsing alone.
type LegacyConfig ¶
// LegacyConfig contains AD/LDAP server connectivity information from old config V33.
//
// It is the input of SetIdentityLDAP, which migrates it to the current
// key/value configuration. LookupBindPassword carries a JSON tag, so the
// service-account password is part of the serialized legacy config and any
// file or log that holds it must be treated as a secret.
type LegacyConfig struct {
	Enabled bool `json:"enabled"`

	// E.g. "ldap.minio.io:636"
	ServerAddr string `json:"serverAddr"`

	// User DN search parameters
	UserDNSearchBaseDistName  string   `json:"userDNSearchBaseDN"`
	UserDNSearchBaseDistNames []string `json:"-"` // Generated field (not serialized)
	UserDNSearchFilter        string   `json:"userDNSearchFilter"`

	// Group search parameters
	GroupSearchBaseDistName  string   `json:"groupSearchBaseDN"`
	GroupSearchBaseDistNames []string `json:"-"` // Generated field (not serialized)
	GroupSearchFilter        string   `json:"groupSearchFilter"`

	// Lookup bind LDAP service account
	LookupBindDN       string `json:"lookupBindDN"`
	LookupBindPassword string `json:"lookupBindPassword"` // credential; serialized in clear under this key
}