Ceph » rgw

master PR: https://github.com/ceph/ceph/pull/10936

Currently rgw ldap auth code allows to limit users based on the search base. This might not be applicable for all environments. E.g. flat structures in smaller environments (ou=People, dc=corp, dc=com). Sometimes the structure is based on geo location and not on organisational units. In many cases one might not want to grant access to all accounts in a unit.

This PR implements a new "rgw search filter" option. These are the possible options:

1) parameter is left empty (default)

rgw LDAP auth will behave as usual, constructing its own search filter based on the "dnattr" option.

2) parameter is set to a "partial" filter like "objectclass=inetorperson"

The LDAP auth code takes the user specified partial filter and adds the user id specific filter to it (which is constructed as usual, by using the dn attr and the und). The resulting filter will be "(&()(=))". So the above example becomes: "(&(objectClass=inetOrgPerson)(uid=hari))" (assuming a username of hari in the authentication request and a "uid" dnattr)

3) parameter is set to a "complete" filter with a special USERNAME placeholder

An example would be "(&(uid=USERNAME)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))". The LDAP auth code will substitute the "USERNAME" placeholder with the uid of the auth request, leading to this search filter: "(&(uid=hari)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))"