Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Improve guidance on AD/LDAP queries #1193

Open
ravindk89 opened this issue Apr 22, 2024 · 2 comments
Open

[FEATURE] Improve guidance on AD/LDAP queries #1193

ravindk89 opened this issue Apr 22, 2024 · 2 comments
Labels
priority: low

Comments

@ravindk89
Copy link
Collaborator

ravindk89 commented Apr 22, 2024
edited
Loading

While working on AD/LDAP customer requests we noted that there are some ldapquery setups that can help test how MinIO would/should behave with a given configuration.

ldapsearch option config desc
-H server_addr LDAP hostname (ldap/ldaps)
-b user_dn_search_base_dn , group_search_base_dn the base DN to start subtree search from
-D ldap_bind_dn the LDAP DN to bind as
-W ldap_bind_password the ldap password to bind as
PARAM user_dn_search_filter or group_search_filter the filter to apply on top of the base DN

Examples:

ldapsearch -W \
  -H ldaps://auth.example.net \
  -b "OU=admins,OU=storage,DC=example,DC=com" \
  -D "CN=minioldapbind,OU=applications,DC=example,DC=com" \
  (&(objectCategory=user)(sAMAccountName=jo.doe))

is equivalent to

mc idp ldap set ALIAS \
  server_addr='auth.example.net' \
  ldap_bind_dn='CN=minioldapbind,OU=applications,DC=example,DC=com' \
  ldap_bind_password='password' \
  user_dn_search_base_dn='OU=admins,OU=storage,DC=example,DC=com' \
  user_dn_search_filter='(&(objectCategory=user)(sAMAccountName=%s))'

For groups you can set the -b to the group base search and set the search filter to something like (&(objectClass=group)(member='DN')) and see whether groups get returned and/or have a given user as a member of that group.

This may help users in figuring out how to set up their user/group lookups and then translate them to a working MinIO config.

We can also document using mc admin trace -v -a --funcname 'sts.AssumeRole*' ALIAS as a way to trace LDAP auth attempts as they go through the process.
@ravindk89 ravindk89 added triage Needs triage and scheduling priority: low and removed triage Needs triage and scheduling labels Apr 22, 2024
@ravindk89
Copy link
Collaborator Author

ravindk89 commented Apr 23, 2024
edited
Loading

Engineer notes - sAMAccountName is a microsoft AD/LDAP filter item. Other AD/LDAP implementations may have different filter / categories. May need to check the LDAP spec for something more universal, or just note that this value should reflect the AD/LDAP object config

https://www.ietf.org/rfc/rfc2798.txt should be standard but there's not a ton here that is easy to work with from a login perspective - or at least, I am not sure how the console would handle passing in something like the displayName as a login. I suppose this is up to the user in the end.

@donatello
Copy link
Member

@ravindk89 It's very difficult to give a standard set of search filters as it depends on the directory schema used.

We can also document using mc admin trace -v -a --funcname 'sts.AssumeRole*' ALIAS as a way to trace LDAP auth attempts as they go through the process.

This would solve many problems for users as they will be able to the most common issue - no policy attached!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
priority: low
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@donatello @ravindk89