Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin

- Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2026-01-05 13:07:14 +00:00 · 2021-04-07 12:56:09 -07:00
parent 2b6859b161
commit 1c55c857f4
28 changed files with 1537 additions and 88 deletions
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -51,11 +51,80 @@ spec:
          spec:
            description: Spec for configuring the identity provider.
            properties:
+              bind:
+                description: Bind contains the configuration for how to provide access
+                  credentials during an initial bind to the LDAP server to be allowed
+                  to perform searches and binds to validate a user's credentials during
+                  a user's authentication attempt.
+                properties:
+                  secretName:
+                    description: SecretName contains the name of a namespace-local
+                      Secret object that provides the username and password for an
+                      LDAP bind user. This account will be used to perform LDAP searches.
+                      The Secret should be of type "kubernetes.io/basic-auth" which
+                      includes "username" and "password" keys. The username value
+                      should be the full DN of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
+                    minLength: 1
+                    type: string
+                required:
+                - secretName
+                type: object
              host:
                description: 'Host is the hostname of this LDAP identity provider,
                  i.e., where to connect. For example: ldap.example.com:636.'
                minLength: 1
                type: string
+              tls:
+                description: TLS contains the connection settings for how to establish
+                  the connection to the Host.
+                properties:
+                  certificateAuthorityData:
+                    description: X.509 Certificate Authority (base64-encoded PEM bundle)
+                      to trust when connecting to the LDAP provider. If omitted, a
+                      default set of system roots will be trusted.
+                    type: string
+                type: object
+              userSearch:
+                description: UserSearch contains the configuration for searching for
+                  a user by name in the LDAP provider.
+                properties:
+                  attributes:
+                    description: Attributes specifies how the user's information should
+                      be read from the LDAP entry which was found as the result of
+                      the user search.
+                    properties:
+                      uniqueID:
+                        description: UniqueID specifies the name of the attribute
+                          in the LDAP entry which whose value shall be used to uniquely
+                          identify the user within this LDAP provider after a successful
+                          authentication. E.g. "uidNumber" or "objectGUID".
+                        minLength: 1
+                        type: string
+                      username:
+                        description: Username specifies the name of attribute in the
+                          LDAP entry which whose value shall become the username of
+                          the user after a successful authentication. This would typically
+                          be the same attribute name used in the user search filter.
+                          E.g. "mail" or "uid" or "userPrincipalName".
+                        minLength: 1
+                        type: string
+                    type: object
+                  base:
+                    description: Base is the DN that should be used as the search
+                      base when searching for users. E.g. "ou=users,dc=example,dc=com".
+                    minLength: 1
+                    type: string
+                  filter:
+                    description: Filter is the LDAP search filter which should be
+                      applied when searching for users. The pattern "{}" must occur
+                      in the filter and will be dynamically replaced by the username
+                      for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})".
+                      For more information about LDAP filters, see https://ldap.com/ldap-filters.
+                      Optional. When not specified, the default will act as if the
+                      Filter were specified as the value from Attributes.Username
+                      appended by "={}".
+                    type: string
+                type: object
            required:
            - host
            type: object