Feature #17185

ldap auth custom search filter

Added by Harald Klein over 2 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
08/31/2016
Due date:
% Done:

0%

Source:
other
Tags:
Backport:
jewel
Reviewed:
Affected Versions:
Pull request ID:

Description

master PR: https://github.com/ceph/ceph/pull/10936

Currently the rgw LDAP auth code allows limiting users based on the search base. This might not be applicable for all environments, e.g. flat structures in smaller environments (ou=People, dc=corp, dc=com). Sometimes the structure is based on geo location and not on organisational units. In many cases one might not want to grant access to all accounts in a unit.

This PR implements a new "rgw search filter" option. These are the possible options:

1) parameter is left empty (default)

rgw LDAP auth will behave as usual, constructing its own search filter based on the "dnattr" option.

2) parameter is set to a "partial" filter like "objectclass=inetorgperson"

The LDAP auth code takes the user-specified partial filter and adds the user-id-specific filter to it (which is constructed as usual, by using the dn attr and the uid). The resulting filter will be "(&()(=))". So the above example becomes: "(&(objectClass=inetOrgPerson)(uid=hari))" (assuming a username of hari in the authentication request and a "uid" dnattr).

3) parameter is set to a "complete" filter with a special USERNAME placeholder

An example would be "(&(uid=USERNAME)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))". The LDAP auth code will substitute the "USERNAME" placeholder with the uid of the auth request, leading to this search filter: "(&(uid=hari)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))"
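The three cases from the description as one filter-building function, as an added example that is not part of the original issue or the Ceph code. The helper names, the "(dnattr=uid)" form of the default filter, and the RFC 4515 escaping of the user name are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// RFC 4515 escaping for a value placed inside a search filter, so that
// '*', '(', ')', '\' and NUL in the user name stay literal characters.
// This step is an addition of the example; the issue does not describe it.
std::string escape_filter_value(const std::string& v) {
  std::string out;
  for (unsigned char c : v) {
    if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
      char buf[4];  // backslash + two hex digits + terminator
      std::snprintf(buf, sizeof(buf), "\\%02x", static_cast<unsigned>(c));
      out += buf;
    } else {
      out += static_cast<char>(c);
    }
  }
  return out;
}

// Hypothetical helper covering the three settings of the search filter option.
std::string build_search_filter(const std::string& search_filter,
                                const std::string& dnattr,
                                const std::string& uid) {
  static const std::string placeholder = "USERNAME";
  const std::string user = escape_filter_value(uid);
  const std::string id_filter = "(" + dnattr + "=" + user + ")";
  if (search_filter.empty())  // 1) empty: filter built from dnattr only (assumed form)
    return id_filter;
  if (search_filter.find(placeholder) != std::string::npos) {
    std::string out = search_filter;  // 3) complete filter with placeholder
    // Resume after each inserted value so the user name is never rescanned.
    for (std::size_t pos = out.find(placeholder); pos != std::string::npos;
         pos = out.find(placeholder, pos + user.size()))
      out.replace(pos, placeholder.size(), user);
    return out;
  }
  // 2) partial filter: AND it with the user-id filter
  return "(&(" + search_filter + ")" + id_filter + ")";
}

int main() {
  std::puts(build_search_filter("objectClass=inetOrgPerson", "uid", "hari").c_str());
  return 0;
}
```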


Related issues

Copied to rgw - Backport #17543: jewel: ldap auth custom search filter Resolved

History

#1 Updated by Nathan Cutler over 2 years ago

  • Subject changed from back port ldap auth custom search filter to jewel to ldap auth custom search filter
  • Status changed from New to Need Review
  • Backport set to jewel

#2 Updated by Nathan Cutler over 2 years ago

Ordinarily features are not backported, but for the time being I flagged this for backport. Yehuda, Orit, please confirm.

#3 Updated by Loic Dachary over 2 years ago

  • Status changed from Need Review to Pending Backport

#4 Updated by Loic Dachary over 2 years ago

#5 Updated by Loic Dachary over 2 years ago

  • Status changed from Pending Backport to Resolved
