Fix LDAP TLS support to use custom CAs (#8352)
committed by
kannappanr
parent
8b80eca184
commit
90bfa6260a
@@ -305,7 +305,7 @@ func (s *serverConfig) loadFromEnvs() {
|
||||
}
|
||||
|
||||
var err error
|
||||
s.LDAPServerConfig, err = newLDAPConfigFromEnv()
|
||||
s.LDAPServerConfig, err = newLDAPConfigFromEnv(globalRootCAs)
|
||||
if err != nil {
|
||||
logger.FatalIf(err, "Unable to parse LDAP configuration from env")
|
||||
}
|
||||
|
||||
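Review bot: Passing `globalRootCAs` into `newLDAPConfigFromEnv` makes the LDAPS trust store depend on that global having been populated before `loadFromEnvs` runs; if it is still nil at this point, `crypto/tls` silently falls back to the host's system roots and a custom CA configured for the LDAP server would be ignored without any error. The initialization order is not visible in this hunk, so it is worth confirming the CA pool is loaded first, or recording the dependency on the call line: `// globalRootCAs must already be loaded; a nil pool silently falls back to system roots.` `loadFromEnvs` starts and ends outside this hunk.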
@@ -442,7 +442,7 @@ func (l *s3Objects) GetObject(ctx context.Context, bucket string, key string, st
|
||||
return minio.ErrorRespToObjectError(err, bucket, key)
|
||||
}
|
||||
}
|
||||
object, _, err := l.Client.GetObject(bucket, key, opts)
|
||||
object, _, _, err := l.Client.GetObject(bucket, key, opts)
|
||||
if err != nil {
|
||||
return minio.ErrorRespToObjectError(err, bucket, key)
|
||||
}
|
||||
|
||||
@@ -18,6 +18,7 @@ package cmd
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
@@ -40,8 +41,9 @@ type ldapServerConfig struct {
|
||||
ServerAddr string `json:"serverAddr"`
|
||||
|
||||
// STS credentials expiry duration
|
||||
STSExpiryDuration string `json:"stsExpiryDuration"`
|
||||
stsExpiryDuration time.Duration // contains converted value
|
||||
STSExpiryDuration string `json:"stsExpiryDuration"`
|
||||
stsExpiryDuration time.Duration // contains converted value
|
||||
rootCAs *x509.CertPool // contains custom CAs for ldaps server.
|
||||
|
||||
// Skips TLS verification (for testing, not
|
||||
// recommended in production).
|
||||
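Review bot: The comment on the new `rootCAs` field does not say what a nil pool means, which is the security-relevant case: with `crypto/tls`, a nil `RootCAs` verifies the server certificate against the system roots rather than failing closed. Suggest `// rootCAs is the CA pool used to verify the LDAPS server certificate; nil means the system roots are used.` The field is unexported and has no json tag, so it does not appear in the serialized config, which the same comment could note. The `ldapServerConfig` struct starts and ends outside this hunk.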
@@ -61,22 +63,22 @@ func (l *ldapServerConfig) Connect() (ldapConn *ldap.Conn, err error) {
|
||||
return
|
||||
}
|
||||
if l.SkipTLSVerify {
|
||||
ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{InsecureSkipVerify: true})
|
||||
ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{RootCAs: l.rootCAs, InsecureSkipVerify: true})
|
||||
} else {
|
||||
ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{})
|
||||
ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{RootCAs: l.rootCAs})
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// newLDAPConfigFromEnv loads configuration from the environment
|
||||
func newLDAPConfigFromEnv() (l ldapServerConfig, err error) {
|
||||
func newLDAPConfigFromEnv(rootCAs *x509.CertPool) (l ldapServerConfig, err error) {
|
||||
if ldapServer, ok := os.LookupEnv("MINIO_IDENTITY_LDAP_SERVER_ADDR"); ok {
|
||||
l.IsEnabled = true
|
||||
l.IsEnabled = ok
|
||||
l.ServerAddr = ldapServer
|
||||
|
||||
if v := os.Getenv("MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"); v == "true" {
|
||||
l.SkipTLSVerify = true
|
||||
}
|
||||
// Save root CAs
|
||||
l.rootCAs = rootCAs
|
||||
l.SkipTLSVerify = os.Getenv("MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY") == "true"
|
||||
|
||||
if v := os.Getenv("MINIO_IDENTITY_LDAP_STS_EXPIRY"); v != "" {
|
||||
expDur, err := time.ParseDuration(v)
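Review bot: In `Connect`, the `SkipTLSVerify` branch now sets `RootCAs` next to `InsecureSkipVerify: true`, but the pool is dead there because `crypto/tls` never consults it once verification is disabled, so the two branches differ only in that flag and can collapse into one call: `ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{RootCAs: l.rootCAs, InsecureSkipVerify: l.SkipTLSVerify})`. That removes the duplicated dial and makes it explicit that skip-verify bypasses chain validation regardless of the custom CA; a `MinVersion: tls.VersionTLS12` could go in the same literal if the rest of the server already pins that, which this hunk does not show. In `newLDAPConfigFromEnv`, `l.IsEnabled = ok` sits inside the `if ..., ok` block where `ok` is always true, so the replaced `l.IsEnabled = true` read more honestly. `Connect` begins before this hunk and `newLDAPConfigFromEnv` continues past it.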
|
||||
|
||||