minio / docs

MinIO Object Storage Documentation
https://docs.min.io/minio/baremetal
Creative Commons Attribution 4.0 International

[BUG] LDAP distinguished names need to be semicolon separated #1341

Closed feorlen closed 1 month ago

feorlen commented 1 month ago

This section about the MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN envvar says the search base DNs are comma separated. Apparently they should be semicolon separated? Should investigate if there are other affected LDAP configs, such as MINIO_IDENTITY_LDAP_USER_DN_ATTRIBUTES and related configuration settings.

https://min.io/docs/minio/linux/reference/minio-server/settings/iam/ldap.html#envvar.MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN

cc @vadmeste, further clarification appreciated

ravindk89 commented 1 month ago

https://github.com/minio/pkg/blob/main/ldap/ldap.go

```go
const (
    dnDelimiter   = ";"
    attrDelimiter = ","
)
```

ravindk89 commented 1 month ago

@donatello @vadmeste I think attributes are always derived, so really we need to just specify that for the group and search base DNs, it's ; for the delimiter, right?

djwfyi commented 1 month ago

As a Distinguished Name is itself a comma-separated list of attribute=value pairs, multiple DNs have to be separated by a different character. Therefore, a ; is required if providing multiple DNs.

Attributes are separated by commas.
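
The delimiter rule discussed in this thread, as an added example that is not part of the thread or of MinIO's code: a config lint that splits a multi-DN value on `;` and flags a value where two DNs appear to have been joined with `,`. The helper names `splitBaseDNs` and `looksCommaJoined` are hypothetical, and the lint assumes `dc` components form the tail of a DN.

```go
package main

import (
	"fmt"
	"strings"
)

// Delimiter between DNs, as quoted from minio/pkg ldap.go in the thread.
const dnDelimiter = ";"

// splitBaseDNs (hypothetical helper) splits a multi-DN value on ";" and checks
// that every RDN is attribute=value. Escaped commas (\,) are not handled.
func splitBaseDNs(value string) ([]string, error) {
	var dns []string
	for _, dn := range strings.Split(value, dnDelimiter) {
		dn = strings.TrimSpace(dn)
		for _, rdn := range strings.Split(dn, ",") {
			k, v, ok := strings.Cut(strings.TrimSpace(rdn), "=")
			if !ok || k == "" || v == "" {
				return nil, fmt.Errorf("malformed RDN %q in DN %q", rdn, dn)
			}
		}
		dns = append(dns, dn)
	}
	return dns, nil
}

// looksCommaJoined (hypothetical lint) reports a non-"dc" RDN after a "dc" RDN.
// Assumption: dc components form the tail of a DN, so this order suggests two
// DNs were joined with "," instead of ";".
func looksCommaJoined(dn string) bool {
	seenDC := false
	for _, rdn := range strings.Split(dn, ",") {
		k, _, _ := strings.Cut(strings.TrimSpace(rdn), "=")
		isDC := strings.EqualFold(strings.TrimSpace(k), "dc")
		if seenDC && !isDC {
			return true
		}
		seenDC = seenDC || isDC
	}
	return false
}

func main() {
	// Constructed value: two DNs joined by "," instead of ";".
	dns, err := splitBaseDNs("ou=groups,dc=example,dc=com,ou=admins,dc=example,dc=com")
	fmt.Println(dns, err, looksCommaJoined(dns[0]))
}
```

A comma-joined value passes the attribute=value check as a single DN, so only the ordering lint catches it.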