Feature #17185
closed
ldap auth custom search filter
Description
master PR: https://github.com/ceph/ceph/pull/10936
Currently the rgw ldap auth code allows limiting users based on the search base. This might not be applicable for all environments, e.g. flat structures in smaller environments (ou=People, dc=corp, dc=com). Sometimes the structure is based on geo location and not on organisational units. In many cases one might not want to grant access to all accounts in a unit.
This PR implements a new "rgw search filter" option. These are the possible options:
1) parameter is left empty (default)
rgw LDAP auth will behave as usual, constructing its own search filter based on the "dnattr" option.
2) parameter is set to a "partial" filter like "objectClass=inetOrgPerson"
The LDAP auth code takes the user-specified partial filter and adds the user id specific filter to it (which is constructed as usual, by using the dn attr and the uid). The resulting filter will be "(&()(=))". So the above example becomes: "(&(objectClass=inetOrgPerson)(uid=hari))" (assuming a username of hari in the authentication request and a "uid" dnattr).
3) parameter is set to a "complete" filter with a special USERNAME placeholder
An example would be "(&(uid=USERNAME)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))". The LDAP auth code will substitute the "USERNAME" placeholder with the uid of the auth request, leading to this search filter: "(&(uid=hari)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))"
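The three cases above, sketched as an added example (not the rgw code from the PR). `build_search_filter` and `escape_filter_value` are hypothetical names, the `(dnattr=uid)` form of the default filter is an assumption, and the example goes beyond the description by escaping the username per RFC 4515 so that characters such as `*`, `(` and `)` cannot alter the administrator's filter.

```cpp
#include <iostream>
#include <string>

// RFC 4515: escape characters that have meaning inside a search filter value.
std::string escape_filter_value(const std::string& v) {
  static const char hex[] = "0123456789abcdef";
  std::string out;
  for (unsigned char c : v) {
    if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
      out += '\\';
      out += hex[c >> 4];
      out += hex[c & 0x0f];
    } else {
      out += static_cast<char>(c);
    }
  }
  return out;
}

// Hypothetical helper (not the rgw function): one filter per configuration case.
std::string build_search_filter(const std::string& searchfilter,
                                const std::string& dnattr,
                                const std::string& username) {
  static const std::string token = "USERNAME";  // placeholder as written on this page
  const std::string uid = escape_filter_value(username);
  const std::string user_part = "(" + dnattr + "=" + uid + ")";
  if (searchfilter.empty())
    return user_part;  // case 1 (assumed form of the default filter)
  if (searchfilter.find(token) != std::string::npos) {  // case 3: complete filter
    std::string f = searchfilter;
    for (std::string::size_type pos = 0;
         (pos = f.find(token, pos)) != std::string::npos; pos += uid.size())
      f.replace(pos, token.size(), uid);
    return f;
  }
  // case 2: partial filter, wrapped in parentheses if the admin omitted them
  std::string partial = searchfilter;
  if (partial.front() != '(') partial = "(" + partial + ")";
  return "(&" + partial + user_part + ")";
}

int main() {
  // Constructed inputs; "har*i(x)" shows filter metacharacters being neutralised.
  std::cout << build_search_filter("objectClass=inetOrgPerson", "uid", "hari") << "\n"
            << build_search_filter("(&(uid=USERNAME)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))", "uid", "har*i(x)") << "\n";
}
```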
Updated by Nathan Cutler over 7 years ago
- Subject changed from back port ldap auth custom search filter to jewel to ldap auth custom search filter
- Status changed from New to Fix Under Review
- Backport set to jewel
master PR: https://github.com/ceph/ceph/pull/10936
Updated by Nathan Cutler over 7 years ago
Ordinarily features are not backported, but for the time being I flagged this for backport. Yehuda, Orit, please confirm.
Updated by Loïc Dachary over 7 years ago
- Status changed from Fix Under Review to Pending Backport
Updated by Loïc Dachary over 7 years ago
- Copied to Backport #17543: jewel: ldap auth custom search filter added
Updated by Loïc Dachary over 7 years ago
- Status changed from Pending Backport to Resolved