From ecf156626664b846c5ab2aaaa0d8ff5481e5a5cf Mon Sep 17 00:00:00 2001
From: Nitish Tiwari
Date: Fri, 20 Mar 2020 07:50:51 +0530
Subject: [PATCH] Add an option to allow plaintext connection to LDAP/AD Server (#9151)

---
 cmd/config/identity/ldap/config.go | 17 +++++++++++++++++
 cmd/config/identity/ldap/help.go | 8 +++++++-
 docs/sts/ldap.md | 6 +++---
 3 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/cmd/config/identity/ldap/config.go b/cmd/config/identity/ldap/config.go
index ba0a3f2ea..933176228 100644
--- a/cmd/config/identity/ldap/config.go
+++ b/cmd/config/identity/ldap/config.go
@@ -52,6 +52,7 @@ type Config struct {
 stsExpiryDuration time.Duration // contains converted value
 tlsSkipVerify bool // allows skipping TLS verification
+serverInsecure bool // allows plain text connection to LDAP Server
 rootCAs *x509.CertPool
 }
@@ -64,10 +65,12 @@ const (
 GroupNameAttribute = "group_name_attribute"
 GroupSearchBaseDN = "group_search_base_dn"
 TLSSkipVerify = "tls_skip_verify"
+ServerInsecure = "server_insecure"
 EnvServerAddr = "MINIO_IDENTITY_LDAP_SERVER_ADDR"
 EnvSTSExpiry = "MINIO_IDENTITY_LDAP_STS_EXPIRY"
 EnvTLSSkipVerify = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"
+EnvServerInsecure = "MINIO_IDENTITY_LDAP_SERVER_INSECURE"
 EnvUsernameFormat = "MINIO_IDENTITY_LDAP_USERNAME_FORMAT"
 EnvGroupSearchFilter = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER"
 EnvGroupNameAttribute = "MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE"
@@ -105,6 +108,10 @@ var (
 Key: TLSSkipVerify,
 Value: config.EnableOff,
 },
+config.KV{
+Key: ServerInsecure,
+Value: config.EnableOff,
+},
 }
 )
@@ -114,6 +121,10 @@ func (l *Config) Connect() (ldapConn *ldap.Conn, err error) {
 // Happens when LDAP is not configured.
 return
 }
+
+if l.serverInsecure {
+return ldap.Dial("tcp", l.ServerAddr)
+}
 return ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{
 InsecureSkipVerify: l.tlsSkipVerify,
 RootCAs: l.rootCAs,
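Review bot: In the Connect hunk the new `if l.serverInsecure` branch returns before the `ldap.DialTLS` call, so `tlsSkipVerify` and `rootCAs` are never consulted once plaintext is enabled, and nothing in the hunk records that precedence. A one-line comment above the branch would stop the next maintainer from assuming the TLS settings still apply: `// serverInsecure takes precedence: tlsSkipVerify and rootCAs are not consulted on this path.` The same precedence belongs on the struct field added in the first hunk, e.g. `serverInsecure bool // allows plain text connection to LDAP Server; overrides tlsSkipVerify and rootCAs`. Connect starts before this hunk and the DialTLS call continues past its last line.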
@@ -154,6 +165,12 @@ func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error) {
 l.STSExpiryDuration = v
 l.stsExpiryDuration = expDur
 }
+if v := env.Get(EnvServerInsecure, kvs.Get(ServerInsecure)); v != "" {
+l.serverInsecure, err = config.ParseBool(v)
+if err != nil {
+return l, err
+}
+}
 if v := env.Get(EnvTLSSkipVerify, kvs.Get(TLSSkipVerify)); v != "" {
 l.tlsSkipVerify, err = config.ParseBool(v)
 if err != nil {
diff --git a/cmd/config/identity/ldap/help.go b/cmd/config/identity/ldap/help.go
index 1129c9eb6..879ffb859 100644
--- a/cmd/config/identity/ldap/help.go
+++ b/cmd/config/identity/ldap/help.go
@@ -57,7 +57,13 @@ var (
 },
 config.HelpKV{
 Key: TLSSkipVerify,
-Description: `trust server TLS without verification, defaults to "on" (verify)`,
+Description: `trust server TLS without verification, defaults to "off" (verify)`,
+Optional: true,
+Type: "on|off",
+},
+config.HelpKV{
+Key: ServerInsecure,
+Description: `allow plain text connection to AD/LDAP server, defaults to "off" (TLS)`,
 Optional: true,
 Type: "on|off",
 },
diff --git a/docs/sts/ldap.md b/docs/sts/ldap.md
index c930f1e88..9a3435e9b 100644
--- a/docs/sts/ldap.md
+++ b/docs/sts/ldap.md
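Review bot: The Lookup hunk parses `server_insecure` but does nothing further when it resolves to true, so a deployment that enables plaintext — which the docs hunk in this same commit labels "only for testing" — gets no startup signal, and a config that also sets `tls_skip_verify` or passes root CAs is accepted even though those settings are dead on the plaintext path. Once both booleans have been parsed (the `tls_skip_verify` block follows this one), either returning an error when `l.serverInsecure && l.tlsSkipVerify` are both set, or emitting a warning that LDAP bind credentials will cross the network unencrypted, would make the downgrade visible to operators; which of the two fits the project's config-validation conventions I cannot tell from this hunk. Lookup's body starts before and continues after this hunk.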
@@ -49,11 +49,11 @@ LDAP is configured via the following environment variables:
 | **MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE** | **NO** | Attribute of search results to use as group name |
 | **MINIO_IDENTITY_LDAP_STS_EXPIRY** | **NO** (default: "1h") | STS credentials validity duration |
 | **MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY** | **NO** (default: "off") | Set this to 'on', to disable client verification of server certificates |
+| **MINIO_IDENTITY_LDAP_SERVER_INSECURE** | **NO** (default: "off") | Set this to 'on', to allow plain text connection to LDAP/AD Server (only for testing) |
+MinIO sends LDAP credentials to LDAP server for validation. So we _strongly recommend_ to use MinIO with AD/LDAP server over TLS _only_. Using plain-text connection between MinIO and LDAP server means _credentials can be compromised_ by anyone listening to network traffic.
-Please note that MinIO will only access the AD/LDAP server over TLS. If a self-signed certificate is being used, the certificate can be added to MinIO's certificates directory, so it can be trusted by the server.
-
-An example setup for development or experimentation:
+If a self-signed certificate is being used, the certificate can be added to MinIO's certificates directory, so it can be trusted by the server. An example setup for development or experimentation:
 ``` shell
 export MINIO_IDENTITY_LDAP_SERVER_ADDR=myldapserver.com:636