Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Split LDAP user filters #996

Merged
merged 2 commits into from
Jul 24, 2020
Merged

Split LDAP user filters #996

merged 2 commits into from
Jul 24, 2020

Conversation

butonic
Copy link
Contributor

@butonic butonic commented Jul 23, 2020
edited
Loading

The current LDAP user filters only allow a single %s to be replaced with the relevant string. I moved to filter templates that can use the CS3 user id properties {{.OpaqueId}} and {{.Idp}}. Furthermore,
I introduced a new find filter that is used when searching for users. An example config would be

userfilter = "(&(objectclass=posixAccount)(|(ownclouduuid={{.OpaqueId}})(cn={{.OpaqueId}})))"
findfilter = "(&(objectclass=posixAccount)(|(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)))"

As you can see the userfilter is used to lookup a single user, whereas the findfilter is for a broader search, e.g. used when searching for share recipients.

Related: #326

@butonic butonic requested a review from labkode as a code owner July 23, 2020 15:12
@butonic butonic force-pushed the split-ldap-filters branch 2 times, most recently from 86c9db2 to 6f4e803 Compare July 24, 2020 07:04
butonic
butonic commented Jul 24, 2020
View reviewed changes
pkg/user/manager/ldap/ldap.go Outdated
fmt.Sprintf(m.userfilter, uid.OpaqueId), // TODO this is screaming for errors if filter contains >1 %s
[]string{m.schema.DN, m.schema.UID, m.schema.Mail, m.schema.DisplayName},
m.getUserFilter(uid),
[]string{m.schema.DN, m.schema.CN, m.schema.UID, m.schema.Mail, m.schema.DisplayName},
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we add the cn attribute so we can return a user with an id that is different from the username

butonic
butonic commented Jul 24, 2020
View reviewed changes
pkg/user/manager/ldap/ldap.go Outdated
@@ -154,7 +180,7 @@ func (m *manager) GetUser(ctx context.Context, uid *userpb.UserId) (*userpb.User
}
u := &userpb.User{
Id: id,
Username: sr.Entries[0].GetAttributeValue(m.schema.UID),
Username: sr.Entries[0].GetAttributeValue(m.schema.CN),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

here we use the previously fetched cn as the username. they can be configured to the same attribute and the code will work as before

@butonic
Split LDAP user filters
ed64c21 
Signed-off-by: Jörn Friedrich Dreyer <[email protected]>
butonic
butonic commented Jul 24, 2020
View reviewed changes
pkg/user/manager/ldap/ldap.go
@@ -244,13 +270,17 @@ func (m *manager) GetUserGroups(ctx context.Context, uid *userpb.UserId) ([]stri
groups := []string{}

for _, entry := range sr.Entries {
// FIXME this makes the users groups use the cn, not an immutable id
// FIXME 1. use the memberof or members attribute of a user to get the groups
// FIXME 2. ook up the id for each group
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this needs to be cleaned up to actually fetch groups. AFAIU it will require the memberof overlay. In any case the member attribute needs to be made configurable as well. As part of a subsequent PR.

@butonic butonic requested a review from ishank011 July 24, 2020 07:15
@butonic butonic mentioned this pull request Jul 24, 2020
Closed
ishank011
ishank011 reviewed Jul 24, 2020
View reviewed changes
Copy link
Contributor

@ishank011 ishank011 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. We also need to make the corresponding change to the auth/ldap package. There we still use the UID attribute as username.

Also, can we just make config an object of the manager struct? The fields are just repeated so that's a bit off-putting.

One question for my understanding. The m.schema.UID attribute would have the same value as uid.OpaqueId, right?

@butonic
Copy link
Contributor Author

butonic commented Jul 24, 2020

@ishank011 good catch!
Updated the LDAP auth manager, and inlined the config.

The m.c.Schema.UID corresponds to the user.Id.OpaqueId, yes. m.c.Schema.UID corresponds to the user.Username. This PR allows configuring the userfilter in a way that the storage drivers can look up the user in LDAP ether with the username or with the userid: (&(objectclass=posixAccount)(|(ownclouduuid={{.OpaqueId}})(cn={{.OpaqueId}}))

I think we need to introduce a new api call to properly handle that though, tracked in #998

@butonic butonic requested a review from ishank011 July 24, 2020 11:45
ishank011
ishank011 approved these changes Jul 24, 2020
View reviewed changes
Copy link
Contributor

@ishank011 ishank011 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@butonic looks good! A couple of minor comments.

changelog/unreleased/split-ldap-filters.md Outdated Show resolved Hide resolved
pkg/user/manager/ldap/ldap.go Show resolved Hide resolved
@labkode labkode merged commit 1bff3a9 into cs3org:master Jul 24, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ishank011 ishank011 ishank011 approved these changes

@labkode labkode labkode approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@butonic @labkode @ishank011