minio / docs

MinIO Object Storage Documentation
https://docs.min.io/minio/baremetal
Creative Commons Attribution 4.0 International

[FEATURE] Improve guidance on AD/LDAP queries #1193

Open ravindk89 opened 6 months ago

ravindk89 commented 6 months ago

While working on AD/LDAP customer requests we noted that there are some ldapquery setups that can help test how MinIO would/should behave with a given configuration.

| ldapsearch option | config | desc |
|---|---|---|
| -H | server_addr | LDAP hostname (ldap/ldaps) |
| -b | user_dn_search_base_dn, group_search_base_dn | the base DN to start subtree search from |
| -D | ldap_bind_dn | the LDAP DN to bind as |
| -W | ldap_bind_password | the LDAP password to bind as |
| PARAM | user_dn_search_filter or group_search_filter | the filter to apply on top of the base DN |

Examples:

ldapsearch -W \
  -H ldaps://auth.example.net \
  -b "OU=admins,OU=storage,DC=example,DC=com" \
  -D "CN=minioldapbind,OU=applications,DC=example,DC=com" \
  '(&(objectCategory=user)(sAMAccountName=jo.doe))'

is equivalent to

mc idp ldap set ALIAS \
  server_addr='auth.example.net' \
  ldap_bind_dn='CN=minioldapbind,OU=applications,DC=example,DC=com' \
  ldap_bind_password='password' \
  user_dn_search_base_dn='OU=admins,OU=storage,DC=example,DC=com' \
  user_dn_search_filter='(&(objectCategory=user)(sAMAccountName=%s))'

For groups you can set the -b to the group base search and set the search filter to something like (&(objectClass=group)(member='DN')) and see whether groups get returned and/or have a given user as a member of that group.

This may help users in figuring out how to set up their user/group lookups and then translate them to a working MinIO config.

We can also document using mc admin trace -v -a --funcname 'sts.AssumeRole*' ALIAS as a way to trace LDAP auth attempts as they go through the process.
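
The option-to-setting mapping in the comment above, as an added example that is not part of the original issue or of MinIO's documentation: a POSIX shell script that fills MinIO-style filter templates with a test user and prints the matching `ldapsearch` commands. The `group_search_base_dn` value, the sample user DN, and the `%d` (user DN) placeholder in `group_search_filter` are assumptions not shown on the page.

```shell
#!/bin/sh
# Added example: derive ldapsearch test queries from MinIO LDAP settings.
# Values are the constructed samples from the issue; group_search_base_dn
# and the sample user DN are assumed for illustration.
server_addr='auth.example.net'
ldap_bind_dn='CN=minioldapbind,OU=applications,DC=example,DC=com'
user_dn_search_base_dn='OU=admins,OU=storage,DC=example,DC=com'
user_dn_search_filter='(&(objectCategory=user)(sAMAccountName=%s))'
group_search_base_dn='OU=groups,DC=example,DC=com'
group_search_filter='(&(objectClass=group)(member=%d))'

# Escape a value for literal use inside an LDAP filter (RFC 4515),
# so a test name like "jo*" cannot turn into a wildcard match.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace every occurrence of placeholder $2 in template $1 with $3.
# Pure parameter expansion, so $3 may contain backslashes safely.
subst() {
  rest=$1; out=
  while :; do
    case $rest in
      *"$2"*) out=$out${rest%%"$2"*}$3; rest=${rest#*"$2"} ;;
      *) break ;;
    esac
  done
  printf '%s' "$out$rest"
}

# Fill MinIO-style templates: %s = login name, %d = user DN (assumed
# placeholder semantics for group_search_filter).
user_filter()  { subst "$user_dn_search_filter" '%s' "$(ldap_escape "$1")"; }
group_filter() {
  f=$(subst "$group_search_filter" '%s' "$(ldap_escape "$1")")
  subst "$f" '%d' "$(ldap_escape "$2")"
}

# Print (not run) the ldapsearch command; the filter is single-quoted so
# the shell does not interpret '&' or the parentheses.
show_cmd() {
  printf "ldapsearch -W -H 'ldaps://%s' -b '%s' -D '%s' '%s'\n" \
    "$server_addr" "$1" "$ldap_bind_dn" "$2"
}

show_cmd "$user_dn_search_base_dn" "$(user_filter 'jo.doe')"
show_cmd "$group_search_base_dn" \
  "$(group_filter 'jo.doe' 'CN=jo.doe,OU=admins,OU=storage,DC=example,DC=com')"
```

If the user query returns one entry and the group query returns the expected groups, the same base DNs and filter templates can be carried over to `mc idp ldap set`.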

ravindk89 commented 6 months ago

Engineer notes - sAMAccountName is a Microsoft AD/LDAP filter item. Other AD/LDAP implementations may have different filter / categories. May need to check the LDAP spec for something more universal, or just note that this value should reflect the AD/LDAP object config.

https://www.ietf.org/rfc/rfc2798.txt should be standard but there's not a ton here that is easy to work with from a login perspective - or at least, I am not sure how the console would handle passing in something like the displayName as a login. I suppose this is up to the user in the end.

donatello commented 6 months ago

@ravindk89 It's very difficult to give a standard set of search filters as it depends on the directory schema used.

> We can also document using mc admin trace -v -a --funcname 'sts.AssumeRole*' ALIAS as a way to trace LDAP auth attempts as they go through the process.

This would solve many problems for users as they will be able to identify the most common issue - no policy attached!