Created attachment 1193282
custom ldap search filter implementation

Description of problem:
Customer should be able to supply a custom search filter for LDAP authentication. Currently the rgw LDAP auth code allows limiting users based on the search base only. This might not be applicable for all customer situations. Often customers have a flat structure in smaller environments (ou=People, dc=corp, dc=com). Sometimes the structure is based on geo location and not on organisational units. In many cases you don't want to grant access to all accounts in a unit.

Version-Release number of selected component (if applicable):
2.x

How reproducible:
n/a

Actual results:
no search filter option available

Expected results:
custom search filter option

Additional info:
proposed patch attached
Further details on the patch: It implements a new "rgw search filter" option. These are the possible options:

1) parameter is left empty (default)
rgw LDAP auth will behave as usual, constructing its own search filter based on the "dnattr" option.

2) parameter is set to a "partial" filter like "objectclass=inetOrgPerson"
The LDAP auth code takes the user-specified partial filter and adds the user-id-specific filter to it (which is constructed as usual, by using the dnattr and the uid). The resulting filter will be "(&(<custom search filter>)(<dnattr>=<uid>))". So the above example becomes: "(&(objectClass=inetOrgPerson)(uid=hari))" (assuming a username of hari in the authentication request and a "uid" dnattr)

3) parameter is set to a "complete" filter with a special @USERNAME@ placeholder
An example would be "(&(uid=@USERNAME@)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))". The LDAP auth code will substitute the "@USERNAME@" placeholder with the uid of the auth request, leading to this search filter: "(&(uid=hari)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))"
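The three filter-construction modes described in the comment above, as an added stand-alone example (this is not the code from the attached patch or from ceph): an empty option yields the plain dnattr filter, a partial filter is wrapped and AND-ed with it, and a complete filter has every @USERNAME@ placeholder substituted. The example additionally escapes RFC 4515 special characters in the request username before inserting it, so a username cannot change the structure of the filter; whether the actual patch does this is not stated in this report.

```cpp
#include <string>

// Escape the RFC 4515 assertion-value special characters so that a username
// taken from the auth request is always treated as a literal value.
static std::string ldap_escape(const std::string& value) {
  std::string out;
  for (unsigned char c : value) {
    switch (c) {
      case '*':  out += "\\2a"; break;
      case '(':  out += "\\28"; break;
      case ')':  out += "\\29"; break;
      case '\\': out += "\\5c"; break;
      case '\0': out += "\\00"; break;
      default:   out += static_cast<char>(c);
    }
  }
  return out;
}

// Build the search filter according to the three modes of the option:
//   1) empty option             -> (<dnattr>=<uid>)
//   2) partial filter, no       -> (&(<option>)(<dnattr>=<uid>))
//      @USERNAME@ placeholder
//   3) complete filter with     -> option with every @USERNAME@ replaced
//      @USERNAME@ placeholder      by the (escaped) uid
std::string build_search_filter(const std::string& search_filter,
                                const std::string& dnattr,
                                const std::string& uid) {
  const std::string placeholder = "@USERNAME@";
  const std::string safe_uid = ldap_escape(uid);

  if (search_filter.empty()) {
    return "(" + dnattr + "=" + safe_uid + ")";
  }
  if (search_filter.find(placeholder) == std::string::npos) {
    return "(&(" + search_filter + ")(" + dnattr + "=" + safe_uid + "))";
  }
  std::string out = search_filter;
  for (std::size_t pos = out.find(placeholder); pos != std::string::npos;
       pos = out.find(placeholder, pos + safe_uid.size())) {
    out.replace(pos, placeholder.size(), safe_uid);
  }
  return out;
}
```

Note that slapd reports attribute names in their schema case (objectClass) in its own log, regardless of how the option was typed.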
I did a scratch build with this patch based on the latest ceph-2-rhel-7 (ceph-10.2.2-38.el7cp) and tested it against OpenLDAP with the following settings:

1) no search filter specified
works as usual

2) rgw ldap searchfilter = "objectclass=inetOrgPerson"
leads to this search:
Aug 23 12:03:50 ldapserver slapd[31552]: conn=1402 op=2 SRCH base="ou=users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(uid=hari))"

3) rgw ldap searchfilter = "(&(objectclass=inetOrgPerson)(cn=@USERNAME@))"
leads to this search:
Aug 23 12:05:43 ldapserver slapd[31552]: conn=1408 op=2 SRCH base="ou=users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(cn=hari))"

4) rgw ldap searchfilter = "(&(uid=@USERNAME@)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))"
This was used to test group membership checking via search filter. This might need additional config on the LDAP server to work (memberof overlay on OpenLDAP, memberof plugin in Red Hat DirServ). Resulting search:
Aug 23 12:15:42 www slapd[31552]: conn=1437 op=2 SRCH base="ou=users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(uid=hari)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))"

Adding user hari to the ceph-users group did grant access, removing it did revoke access, as expected.
Additional note: specifying an invalid search filter will lead to this error in the RGW logs:
2016-08-23 06:11:23.236029 7f6ccbfff700 5 auth ldap_search_s error uid=hari ldap err=-7

We might want to prettify that a bit (albeit it should be a well-known error to LDAP administrators: Bad search filter (-7)).
upstream PR: https://github.com/ceph/ceph/pull/10936
Harald's PR has merged on master as https://github.com/ceph/ceph/pull/10936
Pending backport: http://tracker.ceph.com/issues/17328
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0514.html