

Constants

// Configuration keys for the LDAP identity provider, each listed next to the
// environment variable that overrides it when set.
const (
	// Directory server address, e.g. "myldapserver.com:636".
	ServerAddr    = "server_addr"
	EnvServerAddr = "MINIO_IDENTITY_LDAP_SERVER_ADDR"

	// Lifetime of the temporary (STS) credentials issued after a bind.
	STSExpiry    = "sts_expiry"
	EnvSTSExpiry = "MINIO_IDENTITY_LDAP_STS_EXPIRY"

	// Read-only service account used for DN and group lookups. The
	// password is a secret; prefer supplying it through the environment
	// variable rather than a stored config file.
	LookupBindDN          = "lookup_bind_dn"
	EnvLookupBindDN       = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN"
	LookupBindPassword    = "lookup_bind_password"
	EnvLookupBindPassword = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD"

	// User DN resolution: a search base/filter pair, or a ";"-separated
	// list of bind-DN format strings.
	UserDNSearchBaseDN    = "user_dn_search_base_dn"
	EnvUserDNSearchBaseDN = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN"
	UserDNSearchFilter    = "user_dn_search_filter"
	EnvUserDNSearchFilter = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER"
	UsernameFormat        = "username_format"
	EnvUsernameFormat     = "MINIO_IDENTITY_LDAP_USERNAME_FORMAT"

	// Group membership lookup.
	GroupSearchFilter    = "group_search_filter"
	EnvGroupSearchFilter = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER"
	GroupSearchBaseDN    = "group_search_base_dn"
	EnvGroupSearchBaseDN = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN"

	// Transport switches. TLSSkipVerify disables server certificate
	// validation and ServerInsecure permits a plaintext connection; either
	// one exposes the lookup bind password and user passwords to anyone on
	// the network path to the directory, so both should stay "off" outside
	// of throwaway test setups.
	TLSSkipVerify     = "tls_skip_verify"
	EnvTLSSkipVerify  = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"
	ServerInsecure    = "server_insecure"
	EnvServerInsecure = "MINIO_IDENTITY_LDAP_SERVER_INSECURE"
	ServerStartTLS    = "server_starttls"
	EnvServerStartTLS = "MINIO_IDENTITY_LDAP_SERVER_STARTTLS"
)

    Configuration keys for the LDAP identity provider, and the environment variables that override them when set.

    Variables

    var (
    	// DefaultKVS is the initial key/value set for the LDAP identity
    	// provider. Every address, search and bind setting starts empty; the
    	// only non-empty defaults are the "1h" STS expiry and the three
    	// transport switches, which all start at config.EnableOff so that a
    	// fresh deployment verifies the server certificate and refuses
    	// plaintext.
    	DefaultKVS = config.KVS{
    		config.KV{
    			Key:   ServerAddr,
    			Value: "",
    		},
    		config.KV{
    			Key:   UsernameFormat,
    			Value: "",
    		},
    		config.KV{
    			Key:   UserDNSearchBaseDN,
    			Value: "",
    		},
    		config.KV{
    			Key:   UserDNSearchFilter,
    			Value: "",
    		},
    		config.KV{
    			Key:   GroupSearchFilter,
    			Value: "",
    		},
    		config.KV{
    			Key:   GroupSearchBaseDN,
    			Value: "",
    		},
    		config.KV{
    			Key:   STSExpiry,
    			Value: "1h",
    		},
    		// Transport safety defaults. Turning TLSSkipVerify or
    		// ServerInsecure "on" sends the lookup bind password and every
    		// user's bind password to a server whose identity is not
    		// verified (or over plaintext); keep them "off" unless the
    		// network between MinIO and the directory is itself trusted.
    		config.KV{
    			Key:   TLSSkipVerify,
    			Value: config.EnableOff,
    		},
    		config.KV{
    			Key:   ServerInsecure,
    			Value: config.EnableOff,
    		},
    		config.KV{
    			Key:   ServerStartTLS,
    			Value: config.EnableOff,
    		},
    		// Lookup bind service account. LookupBindPassword is a secret;
    		// consider supplying it via the
    		// MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD environment variable
    		// rather than persisting it in the stored config.
    		config.KV{
    			Key:   LookupBindDN,
    			Value: "",
    		},
    		config.KV{
    			Key:   LookupBindPassword,
    			Value: "",
    		},
    	}
    )

      DefaultKVS - default key/value set for the LDAP identity config; every address, search and bind key starts empty, sts_expiry defaults to "1h", and tls_skip_verify, server_insecure and server_starttls default to "off".

      var (
      	// Help documents each LDAP config key: a one-line description,
      	// whether the key is optional, and the type of value it takes.
      	// Only ServerAddr is marked required here.
      	Help = config.HelpKVS{
      		config.HelpKV{
      			Key:         ServerAddr,
      			Description: `AD/LDAP server address e.g. "myldapserver.com:636"`,
      			Type:        "address",
      		},
      		config.HelpKV{
      			Key:         STSExpiry,
      			Description: `temporary credentials validity duration in s,m,h,d. Default is "1h"`,
      			Optional:    true,
      			Type:        "duration",
      		},
      		// Service account used for DN and group lookups. The password is
      		// a secret; the description deliberately does not suggest a value.
      		config.HelpKV{
      			Key:         LookupBindDN,
      			Description: `DN for LDAP read-only service account used to perform DN and group lookups`,
      			Optional:    true,
      			Type:        "string",
      		},
      		config.HelpKV{
      			Key:         LookupBindPassword,
      			Description: `Password for LDAP read-only service account used to perform DN and group lookups`,
      			Optional:    true,
      			Type:        "string",
      		},
      		config.HelpKV{
      			Key:         UserDNSearchBaseDN,
      			Description: `Base LDAP DN to search for user DN`,
      			Optional:    true,
      			Type:        "string",
      		},
      		config.HelpKV{
      			Key:         UserDNSearchFilter,
      			Description: `Search filter to lookup user DN`,
      			Optional:    true,
      			Type:        "string",
      		},
      		config.HelpKV{
      			Key:         UsernameFormat,
      			Description: `";" separated list of username bind DNs e.g. "uid=%s,cn=accounts,dc=myldapserver,dc=com"`,
      			Optional:    true,
      			Type:        "list",
      		},
      		config.HelpKV{
      			Key:         GroupSearchFilter,
      			Description: `search filter for groups e.g. "(&(objectclass=groupOfNames)(memberUid=%s))"`,
      			Optional:    true,
      			Type:        "string",
      		},
      		config.HelpKV{
      			Key:         GroupSearchBaseDN,
      			Description: `";" separated list of group search base DNs e.g. "dc=myldapserver,dc=com"`,
      			Optional:    true,
      			Type:        "list",
      		},
      		// Transport switches. "on" for TLSSkipVerify means the server
      		// certificate is never validated, so the bind passwords sent over
      		// that connection can be captured by anyone able to intercept it;
      		// "on" for ServerInsecure sends them in plaintext. Both are
      		// test-only settings.
      		config.HelpKV{
      			Key:         TLSSkipVerify,
      			Description: `trust server TLS without verification, defaults to "off" (verify)`,
      			Optional:    true,
      			Type:        "on|off",
      		},
      		config.HelpKV{
      			Key:         ServerInsecure,
      			Description: `allow plain text connection to AD/LDAP server, defaults to "off"`,
      			Optional:    true,
      			Type:        "on|off",
      		},
      		// NOTE(review): whether TLSSkipVerify also governs certificate
      		// checks on the StartTLS upgrade is not visible here; confirm in
      		// Connect before relying on StartTLS alone.
      		config.HelpKV{
      			Key:         ServerStartTLS,
      			Description: `use StartTLS connection to AD/LDAP server, defaults to "off"`,
      			Optional:    true,
      			Type:        "on|off",
      		},
      		config.HelpKV{
      			Key:         config.Comment,
      			Description: config.DefaultComment,
      			Optional:    true,
      			Type:        "sentence",
      		},
      	}
      )

        Help template for LDAP identity feature.

        Functions

        func Enabled

        func Enabled(kvs config.KVS) bool

          Enabled reports whether the LDAP identity provider is enabled in the given kvs.

          func SetIdentityLDAP

          func SetIdentityLDAP(s config.Config, ldapArgs Config)

            SetIdentityLDAP - one-time migration helper that writes the legacy LDAP settings in ldapArgs into the new config format held by s.

            Types

            type Config

            type Config struct {
            	// Enabled reports whether the LDAP identity provider is turned on.
            	Enabled bool `json:"enabled"`
            
            	// E.g. "ldap.minio.io:636"
            	ServerAddr string `json:"serverAddr"`
            
            	// STS credentials expiry duration
            	// (kept as a duration string; GetExpiryDuration returns the parsed value)
            	STSExpiryDuration string `json:"stsExpiryDuration"`
            
            	// Format string for usernames
            	// UsernameFormats is presumably the ";"-split form of
            	// UsernameFormat; it is excluded from JSON.
            	UsernameFormat  string   `json:"usernameFormat"`
            	UsernameFormats []string `json:"-"`
            
            	// User DN search parameters
            	UserDNSearchBaseDN string `json:"userDNSearchBaseDN"`
            	UserDNSearchFilter string `json:"userDNSearchFilter"`
            
            	// Group search parameters
            	// GroupSearchBaseDistNames is presumably the ";"-split form of
            	// GroupSearchBaseDistName; it is excluded from JSON.
            	GroupSearchBaseDistName  string   `json:"groupSearchBaseDN"`
            	GroupSearchBaseDistNames []string `json:"-"`
            	GroupSearchFilter        string   `json:"groupSearchFilter"`
            
            	// Lookup bind LDAP service account
            	// NOTE(review): LookupBindPassword carries a json tag, so any
            	// JSON encoding of Config (e.g. a log line or an admin API
            	// response) emits the service account password in clear.
            	// Redact it before serializing Config outward.
            	LookupBindDN       string `json:"lookupBindDN"`
            	LookupBindPassword string `json:"lookupBindPassword"`
            	// contains filtered or unexported fields
            }

              Config contains AD/LDAP server connectivity information.

              func Lookup

              func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error)

                Lookup - initializes the LDAP config from kvs; any of the MINIO_IDENTITY_LDAP_* environment variables that are set override the corresponding kvs value. rootCAs is presumably the trust store used to verify the server certificate.

                func (*Config) Bind

                func (l *Config) Bind(username, password string) (string, []string, error)

                  Bind - binds to the LDAP server with the given username and password, then searches LDAP and returns the user's distinguished name and the list of groups the user belongs to.

                  func (*Config) Connect

                  func (l *Config) Connect() (ldapConn *ldap.Conn, err error)

                    Connect - opens a connection to the configured AD/LDAP server and returns it.

                    func (Config) GetExpiryDuration

                    func (l Config) GetExpiryDuration() time.Duration

                      GetExpiryDuration - return parsed expiry duration.