minio / mc

Unix like utilities for object store
https://min.io/download
GNU Affero General Public License v3.0

LDAP login prompts are written to stdout #4901

Open cjnosal opened 6 months ago

cjnosal commented 6 months ago

Expected behavior

Login prompts "Enter LDAP Username:" and "Enter Password:" should be written to stderr so they don't interfere with stdout redirection or formatting.

Actual behavior

Login prompts are written to stdout. If redirecting the output to save credentials (or prevent credentials from being logged), the user can't see the prompts. If using --json to allow programmatic consumption of the credentials, the JSON file will be invalid.

Steps to reproduce the behavior

1) configure minio with LDAP authentication and provision bind credentials for the minio system user

    cat > /etc/default/minio <<EOF
    MINIO_ROOT_USER=minio-root
    MINIO_ROOT_PASSWORD=${admincred}

    MINIO_VOLUMES="/mnt/data"
    MINIO_OPTS="--certs-dir /opt/minio/certs"
    MINIO_SERVER_URL="https://minio.${domain}:9000"

    MINIO_IDENTITY_LDAP_SERVER_ADDR="ldap.${domain}:636"
    MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN="ou=people,${suffix}"
    MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER="(&(objectClass=inetOrgPerson)(uid=%s))"
    MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectClass=groupOfNames)(member=%d))"
    MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="ou=groups,${suffix}"
    MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY="off"
    MINIO_IDENTITY_LDAP_SERVER_INSECURE="off"
    MINIO_IDENTITY_LDAP_SERVER_STARTTLS="off"
    MINIO_IDENTITY_LDAP_SRV_RECORD_NAME=""
    MINIO_IDENTITY_LDAP_COMMENT=""
    MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN="uid=minio,ou=systems,${suffix}"
    MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD="${ldapcred}"

    EOF

2) mc --json idp ldap accesskey create --login https://minio.${domain}:9000 > creds.json

3) enter username and password without visible prompts

4) cat creds.json shows

    Enter LDAP Username: Enter Password: 
    {"status":"success","accessKey":"xxx","secretKey":"xxx","expiration":"1970-01-01T00:00:00Z"}

mc --version
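
The stream separation this issue asks for, as an added example that is not part of the original report and not mc's own code: prompts go to a separate writer (stderr in `main`) and only the JSON document reaches stdout. The `login` and `capture` functions, the `result` type and the sample input are hypothetical, and no server is contacted.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// result mirrors the JSON fields shown in the issue's creds.json.
type result struct {
	Status    string `json:"status"`
	AccessKey string `json:"accessKey"`
	SecretKey string `json:"secretKey"`
}

// login writes prompts to promptW and only the JSON document to out.
// Hypothetical stand-in: placeholder keys, and no terminal echo suppression.
func login(in io.Reader, promptW, out io.Writer) error {
	r := bufio.NewReader(in)
	fmt.Fprint(promptW, "Enter LDAP Username: ")
	user, _ := r.ReadString('\n')
	fmt.Fprint(promptW, "Enter Password: ")
	pass, _ := r.ReadString('\n')
	if strings.TrimSpace(user) == "" || strings.TrimRight(pass, "\r\n") == "" {
		return fmt.Errorf("username and password are required")
	}
	return json.NewEncoder(out).Encode(result{"success", "xxx", "xxx"})
}

// capture returns what reached stdout; promptsOnStdout=true reproduces the report.
func capture(promptsOnStdout bool) (string, error) {
	var stdout, stderr bytes.Buffer
	var promptW io.Writer = &stderr
	if promptsOnStdout {
		promptW = &stdout
	}
	// Constructed input standing in for what the user types.
	err := login(strings.NewReader("alice\nconstructed-password\n"), promptW, &stdout)
	return stdout.String(), err
}

func main() {
	if err := login(os.Stdin, os.Stderr, os.Stdout); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

Run with stdout redirected to a file, the prompts stay visible on the terminal and the file holds only the JSON line.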