Remove DryRunAuthenticationUsername from LDAPIdentityProviderSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
This commit is contained in:
Ryan Richard
Margo Crawford
parent
5c62a9d0bd
commit
36819989a3
|
|
@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct {
|
|||
|
||||
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|
||||
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
|
||||
|
||||
// DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated.
|
||||
// When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection
|
||||
// to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success
|
||||
// or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array.
|
||||
// When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a
|
||||
// connection to the LDAP server and performing a full dry run of authenticating as the end user with the username
|
||||
// specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for
|
||||
// that end user during the authentication. This will test all of the configuration options of the
|
||||
// LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the
|
||||
// LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships
|
||||
// were selected for the specified user. If the dry run fails, then that user would not be able to authenticate
|
||||
// in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error".
|
||||
// Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able
|
||||
// to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch
|
||||
// configuration were set up such that an end user should log in using their email address as their username, then
|
||||
// the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP
|
||||
// server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your
|
||||
// LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration
|
||||
// if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become
|
||||
// disabled in the future.
|
||||
DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"`
|
||||
}
|
||||
|
||||
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
|
||||
|
|
|
|||
|
|
@ -70,38 +70,6 @@ spec:
|
|||
required:
|
||||
- secretName
|
||||
type: object
|
||||
dryRunAuthenticationUsername:
|
||||
description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's
|
||||
configuration is validated. When DryRunAuthenticationUsername is
|
||||
blank, the LDAPIdentityProvider will be validated by opening a connection
|
||||
to the LDAP server using the Host and TLS settings and also will
|
||||
bind using the Bind settings. The success or failure of the connect
|
||||
and bind will be reflected in the LDAPIdentityProvider's status
|
||||
conditions array. When DryRunAuthenticationUsername is not blank,
|
||||
the LDAPIdentityProvider will be validated by opening a connection
|
||||
to the LDAP server and performing a full dry run of authenticating
|
||||
as the end user with the username specified by DryRunAuthenticationUsername.
|
||||
The dry run will act as if the correct password were specified for
|
||||
that end user during the authentication. This will test all of the
|
||||
configuration options of the LDAPIdentityProvider. The success or
|
||||
failure of the authentication dry run will be reflected in the LDAPIdentityProvider's
|
||||
status conditions array, along with details of what username, UID,
|
||||
and group memberships were selected for the specified user. If the
|
||||
dry run fails, then that user would not be able to authenticate
|
||||
in a real authentication situation either, so the LDAPIdentityProvider's
|
||||
Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername
|
||||
must be a valid username of a real user who should be able to authenticate
|
||||
given all of the LDAPIdentityProvider's configuration. For example,
|
||||
if the UserSearch configuration were set up such that an end user
|
||||
should log in using their email address as their username, then
|
||||
the DryRunAuthenticationUsername should be the actual email address
|
||||
of a valid user who will be found in the LDAP server by the UserSearch
|
||||
criteria. Once you have used DryRunAuthenticationUsername to validate
|
||||
your LDAPIdentityProvider's configuration, you might choose to remove
|
||||
the DryRunAuthenticationUsername configuration if you are concerned
|
||||
that the user's LDAP account could change in the future, e.g. if
|
||||
the account could become disabled in the future.
|
||||
type: string
|
||||
host:
|
||||
description: 'Host is the hostname of this LDAP identity provider,
|
||||
i.e., where to connect. For example: ldap.example.com:636.'
|
||||
|
|
|
|||
|
|
@ -757,7 +757,6 @@ Spec for configuring an LDAP identity provider.
|
|||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
|
||||
| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
|
||||
| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|
||||
| *`dryRunAuthenticationUsername`* __string__ | DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server and performing a full dry run of authenticating as the end user with the username specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for that end user during the authentication. This will test all of the configuration options of the LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships were selected for the specified user. If the dry run fails, then that user would not be able to authenticate in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch configuration were set up such that an end user should log in using their email address as their username, then the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become disabled in the future.
|
||||
|===
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct {
|
|||
|
||||
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|
||||
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
|
||||
|
||||
// DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated.
|
||||
// When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection
|
||||
// to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success
|
||||
// or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array.
|
||||
// When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a
|
||||
// connection to the LDAP server and performing a full dry run of authenticating as the end user with the username
|
||||
// specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for
|
||||
// that end user during the authentication. This will test all of the configuration options of the
|
||||
// LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the
|
||||
// LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships
|
||||
// were selected for the specified user. If the dry run fails, then that user would not be able to authenticate
|
||||
// in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error".
|
||||
// Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able
|
||||
// to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch
|
||||
// configuration were set up such that an end user should log in using their email address as their username, then
|
||||
// the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP
|
||||
// server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your
|
||||
// LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration
|
||||
// if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become
|
||||
// disabled in the future.
|
||||
DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"`
|
||||
}
|
||||
|
||||
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
|
||||
|
|
|
|||
|
|
@ -70,38 +70,6 @@ spec:
|
|||
required:
|
||||
- secretName
|
||||
type: object
|
||||
dryRunAuthenticationUsername:
|
||||
description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's
|
||||
configuration is validated. When DryRunAuthenticationUsername is
|
||||
blank, the LDAPIdentityProvider will be validated by opening a connection
|
||||
to the LDAP server using the Host and TLS settings and also will
|
||||
bind using the Bind settings. The success or failure of the connect
|
||||
and bind will be reflected in the LDAPIdentityProvider's status
|
||||
conditions array. When DryRunAuthenticationUsername is not blank,
|
||||
the LDAPIdentityProvider will be validated by opening a connection
|
||||
to the LDAP server and performing a full dry run of authenticating
|
||||
as the end user with the username specified by DryRunAuthenticationUsername.
|
||||
The dry run will act as if the correct password were specified for
|
||||
that end user during the authentication. This will test all of the
|
||||
configuration options of the LDAPIdentityProvider. The success or
|
||||
failure of the authentication dry run will be reflected in the LDAPIdentityProvider's
|
||||
status conditions array, along with details of what username, UID,
|
||||
and group memberships were selected for the specified user. If the
|
||||
dry run fails, then that user would not be able to authenticate
|
||||
in a real authentication situation either, so the LDAPIdentityProvider's
|
||||
Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername
|
||||
must be a valid username of a real user who should be able to authenticate
|
||||
given all of the LDAPIdentityProvider's configuration. For example,
|
||||
if the UserSearch configuration were set up such that an end user
|
||||
should log in using their email address as their username, then
|
||||
the DryRunAuthenticationUsername should be the actual email address
|
||||
of a valid user who will be found in the LDAP server by the UserSearch
|
||||
criteria. Once you have used DryRunAuthenticationUsername to validate
|
||||
your LDAPIdentityProvider's configuration, you might choose to remove
|
||||
the DryRunAuthenticationUsername configuration if you are concerned
|
||||
that the user's LDAP account could change in the future, e.g. if
|
||||
the account could become disabled in the future.
|
||||
type: string
|
||||
host:
|
||||
description: 'Host is the hostname of this LDAP identity provider,
|
||||
i.e., where to connect. For example: ldap.example.com:636.'
|
||||
|
|
|
|||
|
|
@ -757,7 +757,6 @@ Spec for configuring an LDAP identity provider.
|
|||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
|
||||
| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
|
||||
| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|
||||
| *`dryRunAuthenticationUsername`* __string__ | DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server and performing a full dry run of authenticating as the end user with the username specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for that end user during the authentication. This will test all of the configuration options of the LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships were selected for the specified user. If the dry run fails, then that user would not be able to authenticate in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch configuration were set up such that an end user should log in using their email address as their username, then the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become disabled in the future.
|
||||
|===
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct {
|
|||
|
||||
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|
||||
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
|
||||
|
||||
// DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated.
|
||||
// When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection
|
||||
// to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success
|
||||
// or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array.
|
||||
// When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a
|
||||
// connection to the LDAP server and performing a full dry run of authenticating as the end user with the username
|
||||
// specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for
|
||||
// that end user during the authentication. This will test all of the configuration options of the
|
||||
// LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the
|
||||
// LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships
|
||||
// were selected for the specified user. If the dry run fails, then that user would not be able to authenticate
|
||||
// in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error".
|
||||
// Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able
|
||||
// to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch
|
||||
// configuration were set up such that an end user should log in using their email address as their username, then
|
||||
// the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP
|
||||
// server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your
|
||||
// LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration
|
||||
// if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become
|
||||
// disabled in the future.
|
||||
DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"`
|
||||
}
|
||||
|
||||
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
|
||||
|
|
|
|||
|
|
@ -70,38 +70,6 @@ spec:
|
|||
required:
|
||||
- secretName
|
||||
type: object
|
||||
dryRunAuthenticationUsername:
|
||||
description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's
|
||||
configuration is validated. When DryRunAuthenticationUsername is
|
||||
blank, the LDAPIdentityProvider will be validated by opening a connection
|
||||
to the LDAP server using the Host and TLS settings and also will
|
||||
bind using the Bind settings. The success or failure of the connect
|
||||
and bind will be reflected in the LDAPIdentityProvider's status
|
||||
conditions array. When DryRunAuthenticationUsername is not blank,
|
||||
the LDAPIdentityProvider will be validated by opening a connection
|
||||
to the LDAP server and performing a full dry run of authenticating
|
||||
as the end user with the username specified by DryRunAuthenticationUsername.
|
||||
The dry run will act as if the correct password were specified for
|
||||
that end user during the authentication. This will test all of the
|
||||
configuration options of the LDAPIdentityProvider. The success or
|
||||
failure of the authentication dry run will be reflected in the LDAPIdentityProvider's
|
||||
status conditions array, along with details of what username, UID,
|
||||
and group memberships were selected for the specified user. If the
|
||||
dry run fails, then that user would not be able to authenticate
|
||||
in a real authentication situation either, so the LDAPIdentityProvider's
|
||||
Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername
|
||||
must be a valid username of a real user who should be able to authenticate
|
||||
given all of the LDAPIdentityProvider's configuration. For example,
|
||||
if the UserSearch configuration were set up such that an end user
|
||||
should log in using their email address as their username, then
|
||||
the DryRunAuthenticationUsername should be the actual email address
|
||||
of a valid user who will be found in the LDAP server by the UserSearch
|
||||
criteria. Once you have used DryRunAuthenticationUsername to validate
|
||||
your LDAPIdentityProvider's configuration, you might choose to remove
|
||||
the DryRunAuthenticationUsername configuration if you are concerned
|
||||
that the user's LDAP account could change in the future, e.g. if
|
||||
the account could become disabled in the future.
|
||||
type: string
|
||||
host:
|
||||
description: 'Host is the hostname of this LDAP identity provider,
|
||||
i.e., where to connect. For example: ldap.example.com:636.'
|
||||
|
|
|
|||
|
|
@ -757,7 +757,6 @@ Spec for configuring an LDAP identity provider.
|
|||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
|
||||
| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
|
||||
| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|
||||
| *`dryRunAuthenticationUsername`* __string__ | DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server and performing a full dry run of authenticating as the end user with the username specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for that end user during the authentication. This will test all of the configuration options of the LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships were selected for the specified user. If the dry run fails, then that user would not be able to authenticate in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch configuration were set up such that an end user should log in using their email address as their username, then the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become disabled in the future.
|
||||
|===
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct {
|
|||
|
||||
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|
||||
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
|
||||
|
||||
// DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated.
|
||||
// When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection
|
||||
// to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success
|
||||
// or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array.
|
||||
// When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a
|
||||
// connection to the LDAP server and performing a full dry run of authenticating as the end user with the username
|
||||
// specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for
|
||||
// that end user during the authentication. This will test all of the configuration options of the
|
||||
// LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the
|
||||
// LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships
|
||||
// were selected for the specified user. If the dry run fails, then that user would not be able to authenticate
|
||||
// in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error".
|
||||
// Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able
|
||||
// to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch
|
||||
// configuration were set up such that an end user should log in using their email address as their username, then
|
||||
// the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP
|
||||
// server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your
|
||||
// LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration
|
||||
// if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become
|
||||
// disabled in the future.
|
||||
DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"`
|
||||
}
|
||||
|
||||
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
|
||||
|
|
|
|||
|
|
@ -70,38 +70,6 @@ spec:
|
|||
required:
|
||||
- secretName
|
||||
type: object
|
||||
dryRunAuthenticationUsername:
|
||||
description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's
|
||||
configuration is validated. When DryRunAuthenticationUsername is
|
||||
blank, the LDAPIdentityProvider will be validated by opening a connection
|
||||
to the LDAP server using the Host and TLS settings and also will
|
||||
bind using the Bind settings. The success or failure of the connect
|
||||
and bind will be reflected in the LDAPIdentityProvider's status
|
||||
conditions array. When DryRunAuthenticationUsername is not blank,
|
||||
the LDAPIdentityProvider will be validated by opening a connection
|
||||
to the LDAP server and performing a full dry run of authenticating
|
||||
as the end user with the username specified by DryRunAuthenticationUsername.
|
||||
The dry run will act as if the correct password were specified for
|
||||
that end user during the authentication. This will test all of the
|
||||
configuration options of the LDAPIdentityProvider. The success or
|
||||
failure of the authentication dry run will be reflected in the LDAPIdentityProvider's
|
||||
status conditions array, along with details of what username, UID,
|
||||
and group memberships were selected for the specified user. If the
|
||||
dry run fails, then that user would not be able to authenticate
|
||||
in a real authentication situation either, so the LDAPIdentityProvider's
|
||||
Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername
|
||||
must be a valid username of a real user who should be able to authenticate
|
||||
given all of the LDAPIdentityProvider's configuration. For example,
|
||||
if the UserSearch configuration were set up such that an end user
|
||||
should log in using their email address as their username, then
|
||||
the DryRunAuthenticationUsername should be the actual email address
|
||||
of a valid user who will be found in the LDAP server by the UserSearch
|
||||
criteria. Once you have used DryRunAuthenticationUsername to validate
|
||||
your LDAPIdentityProvider's configuration, you might choose to remove
|
||||
the DryRunAuthenticationUsername configuration if you are concerned
|
||||
that the user's LDAP account could change in the future, e.g. if
|
||||
the account could become disabled in the future.
|
||||
type: string
|
||||
host:
|
||||
description: 'Host is the hostname of this LDAP identity provider,
|
||||
i.e., where to connect. For example: ldap.example.com:636.'
|
||||
|
|
|
|||
|
|
@ -757,7 +757,6 @@ Spec for configuring an LDAP identity provider.
|
|||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
|
||||
| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
|
||||
| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|
||||
| *`dryRunAuthenticationUsername`* __string__ | DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server and performing a full dry run of authenticating as the end user with the username specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for that end user during the authentication. This will test all of the configuration options of the LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships were selected for the specified user. If the dry run fails, then that user would not be able to authenticate in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch configuration were set up such that an end user should log in using their email address as their username, then the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become disabled in the future.
|
||||
|===
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct {
|
|||
|
||||
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|
||||
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
|
||||
|
||||
// DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated.
|
||||
// When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection
|
||||
// to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success
|
||||
// or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array.
|
||||
// When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a
|
||||
// connection to the LDAP server and performing a full dry run of authenticating as the end user with the username
|
||||
// specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for
|
||||
// that end user during the authentication. This will test all of the configuration options of the
|
||||
// LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the
|
||||
// LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships
|
||||
// were selected for the specified user. If the dry run fails, then that user would not be able to authenticate
|
||||
// in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error".
|
||||
// Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able
|
||||
// to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch
|
||||
// configuration were set up such that an end user should log in using their email address as their username, then
|
||||
// the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP
|
||||
// server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your
|
||||
// LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration
|
||||
// if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become
|
||||
// disabled in the future.
|
||||
DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"`
|
||||
}
|
||||
|
||||
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
|
||||
|
|
|
|||
|
|
@ -70,38 +70,6 @@ spec:
|
|||
required:
|
||||
- secretName
|
||||
type: object
|
||||
dryRunAuthenticationUsername:
|
||||
description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's
|
||||
configuration is validated. When DryRunAuthenticationUsername is
|
||||
blank, the LDAPIdentityProvider will be validated by opening a connection
|
||||
to the LDAP server using the Host and TLS settings and also will
|
||||
bind using the Bind settings. The success or failure of the connect
|
||||
and bind will be reflected in the LDAPIdentityProvider's status
|
||||
conditions array. When DryRunAuthenticationUsername is not blank,
|
||||
the LDAPIdentityProvider will be validated by opening a connection
|
||||
to the LDAP server and performing a full dry run of authenticating
|
||||
as the end user with the username specified by DryRunAuthenticationUsername.
|
||||
The dry run will act as if the correct password were specified for
|
||||
that end user during the authentication. This will test all of the
|
||||
configuration options of the LDAPIdentityProvider. The success or
|
||||
failure of the authentication dry run will be reflected in the LDAPIdentityProvider's
|
||||
status conditions array, along with details of what username, UID,
|
||||
and group memberships were selected for the specified user. If the
|
||||
dry run fails, then that user would not be able to authenticate
|
||||
in a real authentication situation either, so the LDAPIdentityProvider's
|
||||
Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername
|
||||
must be a valid username of a real user who should be able to authenticate
|
||||
given all of the LDAPIdentityProvider's configuration. For example,
|
||||
if the UserSearch configuration were set up such that an end user
|
||||
should log in using their email address as their username, then
|
||||
the DryRunAuthenticationUsername should be the actual email address
|
||||
of a valid user who will be found in the LDAP server by the UserSearch
|
||||
criteria. Once you have used DryRunAuthenticationUsername to validate
|
||||
your LDAPIdentityProvider's configuration, you might choose to remove
|
||||
the DryRunAuthenticationUsername configuration if you are concerned
|
||||
that the user's LDAP account could change in the future, e.g. if
|
||||
the account could become disabled in the future.
|
||||
type: string
|
||||
host:
|
||||
description: 'Host is the hostname of this LDAP identity provider,
|
||||
i.e., where to connect. For example: ldap.example.com:636.'
|
||||
|
|
|
|||
|
|
@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct {
|
|||
|
||||
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
|
||||
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
|
||||
|
||||
// DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated.
|
||||
// When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection
|
||||
// to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success
|
||||
// or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array.
|
||||
// When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a
|
||||
// connection to the LDAP server and performing a full dry run of authenticating as the end user with the username
|
||||
// specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for
|
||||
// that end user during the authentication. This will test all of the configuration options of the
|
||||
// LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the
|
||||
// LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships
|
||||
// were selected for the specified user. If the dry run fails, then that user would not be able to authenticate
|
||||
// in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error".
|
||||
// Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able
|
||||
// to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch
|
||||
// configuration were set up such that an end user should log in using their email address as their username, then
|
||||
// the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP
|
||||
// server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your
|
||||
// LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration
|
||||
// if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become
|
||||
// disabled in the future.
|
||||
DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"`
|
||||
}
|
||||
|
||||
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
|
||||
|
|
|
|||
|
|
@ -158,7 +158,6 @@ spec:
|
|||
attributes:
|
||||
uid: "$PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME"
|
||||
username: "$PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_NAME"
|
||||
dryRunAuthenticationUsername: "$PINNIPED_TEST_LDAP_USER_CN"
|
||||
EOF
|
||||
|
||||
# Make a Secret for the above LDAPIdentityProvider to describe the bind account.
|
||||
|
|
|
|||
|
|
@ -33,13 +33,12 @@ const (
|
|||
testLDAPConnectionTimeout = 90 * time.Second
|
||||
|
||||
// Constants related to conditions.
|
||||
typeBindSecretValid = "BindSecretValid"
|
||||
typeTLSConfigurationValid = "TLSConfigurationValid"
|
||||
typeLDAPConnectionValid = "LDAPConnectionValid"
|
||||
reasonLDAPConnectionError = "LDAPConnectionError"
|
||||
reasonAuthenticationDryRunError = "AuthenticationDryRunError"
|
||||
noTLSConfigurationMessage = "no TLS configuration provided"
|
||||
loadedTLSConfigurationMessage = "loaded TLS configuration"
|
||||
typeBindSecretValid = "BindSecretValid"
|
||||
typeTLSConfigurationValid = "TLSConfigurationValid"
|
||||
typeLDAPConnectionValid = "LDAPConnectionValid"
|
||||
reasonLDAPConnectionError = "LDAPConnectionError"
|
||||
noTLSConfigurationMessage = "no TLS configuration provided"
|
||||
loadedTLSConfigurationMessage = "loaded TLS configuration"
|
||||
)
|
||||
|
||||
var (
|
||||
|
|
@ -196,10 +195,6 @@ func (c *ldapWatcherController) validateFinishedConfig(ctx context.Context, upst
|
|||
testConnectionTimeout, cancelFunc := context.WithTimeout(ctx, testLDAPConnectionTimeout)
|
||||
defer cancelFunc()
|
||||
|
||||
if len(upstream.Spec.DryRunAuthenticationUsername) > 0 {
|
||||
return c.dryRunAuthentication(testConnectionTimeout, upstream, ldapProvider, currentSecretVersion)
|
||||
}
|
||||
|
||||
return c.testConnection(testConnectionTimeout, upstream, config, ldapProvider, currentSecretVersion)
|
||||
}
|
||||
|
||||
|
|
@ -230,47 +225,6 @@ func (c *ldapWatcherController) testConnection(
|
|||
}
|
||||
}
|
||||
|
||||
func (c *ldapWatcherController) dryRunAuthentication(
|
||||
ctx context.Context,
|
||||
upstream *v1alpha1.LDAPIdentityProvider,
|
||||
ldapProvider *upstreamldap.Provider,
|
||||
currentSecretVersion string,
|
||||
) *v1alpha1.Condition {
|
||||
authResponse, authenticated, err := ldapProvider.DryRunAuthenticateUser(ctx, upstream.Spec.DryRunAuthenticationUsername)
|
||||
if err != nil {
|
||||
return &v1alpha1.Condition{
|
||||
Type: typeLDAPConnectionValid,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Reason: reasonAuthenticationDryRunError,
|
||||
Message: fmt.Sprintf(`failed authentication dry run for end user "%s": %s`,
|
||||
upstream.Spec.DryRunAuthenticationUsername, err.Error()),
|
||||
}
|
||||
}
|
||||
|
||||
if !authenticated {
|
||||
// Since we aren't doing a real auth with a password that could be wrong, the only reason we should get
|
||||
// an unauthenticated response without an error is when the username was wrong.
|
||||
return &v1alpha1.Condition{
|
||||
Type: typeLDAPConnectionValid,
|
||||
Status: v1alpha1.ConditionFalse,
|
||||
Reason: reasonAuthenticationDryRunError,
|
||||
Message: fmt.Sprintf(`failed authentication dry run for end user "%s": user not found`,
|
||||
upstream.Spec.DryRunAuthenticationUsername),
|
||||
}
|
||||
}
|
||||
|
||||
return &v1alpha1.Condition{
|
||||
Type: typeLDAPConnectionValid,
|
||||
Status: v1alpha1.ConditionTrue,
|
||||
Reason: reasonSuccess,
|
||||
Message: fmt.Sprintf(
|
||||
`successful authentication dry run for end user "%s": selected username "%s" and UID "%s" [validated with Secret "%s" at version "%s"]`,
|
||||
upstream.Spec.DryRunAuthenticationUsername,
|
||||
authResponse.User.GetName(), authResponse.User.GetUID(),
|
||||
upstream.Spec.Bind.SecretName, currentSecretVersion),
|
||||
}
|
||||
}
|
||||
|
||||
func hasPreviousSuccessfulConditionForCurrentSpecGenerationAndSecretVersion(upstream *v1alpha1.LDAPIdentityProvider, currentSecretVersion string) bool {
|
||||
currentGeneration := upstream.Generation
|
||||
for _, c := range upstream.Status.Conditions {
|
||||
|
|
|
|||
|
|
@ -12,8 +12,6 @@ import (
|
|||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/go-ldap/ldap/v3"
|
||||
|
||||
"github.com/golang/mock/gomock"
|
||||
"github.com/stretchr/testify/require"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
|
|
@ -667,123 +665,6 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
|
|||
},
|
||||
}},
|
||||
},
|
||||
{
|
||||
name: "when DryRunAuthenticationUsername is specified and a successful dry run authentication is performed",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
|
||||
upstream.Spec.DryRunAuthenticationUsername = "endUserUsername"
|
||||
})},
|
||||
inputSecrets: []runtime.Object{validBindUserSecret("4242")},
|
||||
setupMocks: func(conn *mockldapconn.MockConn) {
|
||||
// Should perform a full auth dry run.
|
||||
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
|
||||
conn.EXPECT().Search(gomock.Any()).Return(&ldap.SearchResult{
|
||||
Entries: []*ldap.Entry{
|
||||
{
|
||||
DN: "testFoundUserDN",
|
||||
Attributes: []*ldap.EntryAttribute{
|
||||
ldap.NewEntryAttribute(testUsernameAttrName, []string{"testDownstreamUsername"}),
|
||||
ldap.NewEntryAttribute(testUIDAttrName, []string{"testDownstreamUID"}),
|
||||
},
|
||||
},
|
||||
},
|
||||
}, nil).Times(1)
|
||||
conn.EXPECT().Close().Times(1)
|
||||
},
|
||||
wantResultingCache: []*upstreamldap.ProviderConfig{providerConfigForValidUpstream},
|
||||
wantResultingUpstreams: []v1alpha1.LDAPIdentityProvider{{
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
Status: "True",
|
||||
LastTransitionTime: now,
|
||||
Reason: "Success",
|
||||
Message: fmt.Sprintf(
|
||||
`successful authentication dry run for end user "%s": selected username "%s" and UID "%s" [validated with Secret "%s" at version "%s"]`,
|
||||
"endUserUsername", "testDownstreamUsername", "testDownstreamUID", testSecretName, "4242"),
|
||||
ObservedGeneration: 1234,
|
||||
},
|
||||
tlsConfigurationValidLoadedTrueCondition(1234),
|
||||
},
|
||||
},
|
||||
}},
|
||||
},
|
||||
{
|
||||
name: "when DryRunAuthenticationUsername is specified and the dry run authentication returns an error",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
|
||||
upstream.Spec.DryRunAuthenticationUsername = "endUserUsername"
|
||||
})},
|
||||
inputSecrets: []runtime.Object{validBindUserSecret("4242")},
|
||||
setupMocks: func(conn *mockldapconn.MockConn) {
|
||||
// Failure during a full auth dry run.
|
||||
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
|
||||
conn.EXPECT().Search(gomock.Any()).Return(nil, errors.New("some dry run error")).Times(1)
|
||||
conn.EXPECT().Close().Times(1)
|
||||
},
|
||||
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
|
||||
wantResultingCache: []*upstreamldap.ProviderConfig{},
|
||||
wantResultingUpstreams: []v1alpha1.LDAPIdentityProvider{{
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
Status: "False",
|
||||
LastTransitionTime: now,
|
||||
Reason: "AuthenticationDryRunError",
|
||||
Message: fmt.Sprintf(
|
||||
`failed authentication dry run for end user "%s": error searching for user "%s": some dry run error`,
|
||||
"endUserUsername", "endUserUsername"),
|
||||
ObservedGeneration: 1234,
|
||||
},
|
||||
tlsConfigurationValidLoadedTrueCondition(1234),
|
||||
},
|
||||
},
|
||||
}},
|
||||
},
|
||||
{
|
||||
name: "when DryRunAuthenticationUsername is specified and the dry run authentication returns unauthenticated without an error",
|
||||
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
|
||||
upstream.Spec.DryRunAuthenticationUsername = "endUserUsername"
|
||||
})},
|
||||
inputSecrets: []runtime.Object{validBindUserSecret("4242")},
|
||||
setupMocks: func(conn *mockldapconn.MockConn) {
|
||||
// Failure during full auth dry run which will cause it to return unauthenticated instead of error.
|
||||
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
|
||||
conn.EXPECT().Search(gomock.Any()).Return(&ldap.SearchResult{
|
||||
// No search results means the user did not enter a valid username, which is unauthenticated instead of error.
|
||||
Entries: []*ldap.Entry{},
|
||||
}, nil).Times(1)
|
||||
conn.EXPECT().Close().Times(1)
|
||||
},
|
||||
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
|
||||
wantResultingCache: []*upstreamldap.ProviderConfig{},
|
||||
wantResultingUpstreams: []v1alpha1.LDAPIdentityProvider{{
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234},
|
||||
Status: v1alpha1.LDAPIdentityProviderStatus{
|
||||
Phase: "Error",
|
||||
Conditions: []v1alpha1.Condition{
|
||||
bindSecretValidTrueCondition(1234),
|
||||
{
|
||||
Type: "LDAPConnectionValid",
|
||||
Status: "False",
|
||||
LastTransitionTime: now,
|
||||
Reason: "AuthenticationDryRunError",
|
||||
Message: fmt.Sprintf(
|
||||
`failed authentication dry run for end user "%s": user not found`,
|
||||
"endUserUsername"),
|
||||
ObservedGeneration: 1234,
|
||||
},
|
||||
tlsConfigurationValidLoadedTrueCondition(1234),
|
||||
},
|
||||
},
|
||||
}},
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
|
|
|
|||
|
|
@ -67,7 +67,7 @@ func TestSupervisorLogin(t *testing.T) {
|
|||
wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+",
|
||||
},
|
||||
{
|
||||
name: "ldap with email as username and with dry run",
|
||||
name: "ldap with email as username",
|
||||
createIDP: func(t *testing.T) {
|
||||
t.Helper()
|
||||
secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
|
||||
|
|
@ -92,12 +92,10 @@ func TestSupervisorLogin(t *testing.T) {
|
|||
UID: env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeName,
|
||||
},
|
||||
},
|
||||
DryRunAuthenticationUsername: env.SupervisorUpstreamLDAP.TestUserMailAttributeValue,
|
||||
}, idpv1alpha1.LDAPPhaseReady)
|
||||
expectedMsg := fmt.Sprintf(
|
||||
`successful authentication dry run for end user "%s": selected username "%s" and UID "%s" [validated with Secret "%s" at version "%s"]`,
|
||||
env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, env.SupervisorUpstreamLDAP.TestUserMailAttributeValue,
|
||||
env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue,
|
||||
`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
|
||||
env.SupervisorUpstreamLDAP.Host, env.SupervisorUpstreamLDAP.BindUsername,
|
||||
secret.Name, secret.ResourceVersion,
|
||||
)
|
||||
requireSuccessfulLDAPIdentityProviderConditions(t, ldapIDP, expectedMsg)
|
||||
|
|
@ -118,7 +116,7 @@ func TestSupervisorLogin(t *testing.T) {
|
|||
wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue),
|
||||
},
|
||||
{
|
||||
name: "ldap with CN as username and without dry run", // try another variation of configuration options
|
||||
name: "ldap with CN as username ", // try another variation of configuration options
|
||||
createIDP: func(t *testing.T) {
|
||||
t.Helper()
|
||||
secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
|
||||
|
|
@ -143,7 +141,6 @@ func TestSupervisorLogin(t *testing.T) {
|
|||
UID: env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeName,
|
||||
},
|
||||
},
|
||||
DryRunAuthenticationUsername: "", // try without dry run
|
||||
}, idpv1alpha1.LDAPPhaseReady)
|
||||
expectedMsg := fmt.Sprintf(
|
||||
`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
|
||||
|
|
|
|||
Loading…
Reference in New Issue