Default values for ad usersearch and groupsearch
This commit is contained in:
parent
890d9c3216
commit
f99f7be836
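--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -31,6 +31,19 @@ const (
 // Default values for active directory config.
 defaultActiveDirectoryUsernameAttributeName = "sAMAccountName"
 defaultActiveDirectoryUIDAttributeName = "objectGUID"
+defaultActiveDirectoryGroupNameAttributeName = "sAMAccountName"
+
+// - is a person.
+// - is not a computer.
+// - is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions).
+// - either the sAMAccountName or the mail attribute matches the input username.
+// - the sAMAccountType is for a normal user account.
+defaultActiveDirectoryUserSearchFilter = "(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={})(mail={}))(sAMAccountType=805306368))"
+
+// - is a group.
+// - has a member that matches the DN of the user we successfully logged in as.
+// - perform nested group search by default.
+defaultActiveDirectoryGroupSearchFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})"
 )
 
 type activeDirectoryUpstreamGenericLDAPImpl struct {
@@ -271,19 +284,34 @@ func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context,
 uidAttribute = defaultActiveDirectoryUIDAttributeName
 }
 
+groupNameAttribute := spec.GroupSearch.Attributes.GroupName
+if len(groupNameAttribute) == 0 {
+groupNameAttribute = defaultActiveDirectoryGroupNameAttributeName
+}
+
+userSearchFilter := spec.UserSearch.Filter
+if len(userSearchFilter) == 0 {
+userSearchFilter = defaultActiveDirectoryUserSearchFilter
+}
+
+groupSearchFilter := spec.GroupSearch.Filter
+if len(groupSearchFilter) == 0 {
+groupSearchFilter = defaultActiveDirectoryGroupSearchFilter
+}
+
 config := &upstreamldap.ProviderConfig{
 Name: upstream.Name,
 Host: spec.Host,
 UserSearch: upstreamldap.UserSearchConfig{
 Base: spec.UserSearch.Base,
-Filter: spec.UserSearch.Filter,
+Filter: userSearchFilter,
 UsernameAttribute: usernameAttribute,
 UIDAttribute: uidAttribute,
 },
 GroupSearch: upstreamldap.GroupSearchConfig{
 Base: spec.GroupSearch.Base,
-Filter: spec.GroupSearch.Filter,
-GroupNameAttribute: spec.GroupSearch.Attributes.GroupName,
+Filter: groupSearchFilter,
+GroupNameAttribute: groupNameAttribute,
 },
 Dialer: c.ldapDialer,
 }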
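Review bot: An operator-supplied filter is forwarded unchanged by the new `userSearchFilter`/`groupSearchFilter` blocks in validateUpstream (the default is substituted only when the string is empty), so a custom UserSearch.Filter that omits the `{}` placeholder would presumably describe a search that does not depend on the login username at all; unless upstreamldap or the CRD validation already rejects that, a check here such as `if !strings.Contains(userSearchFilter, "{}") { /* return a validation error */ }` would be cheap (the exact return shape is in the part of validateUpstream outside the hunk), and the same applies to the group filter, which needs `{}` for the user's DN. In the const hunk, the comments above `defaultActiveDirectoryUserSearchFilter` and `defaultActiveDirectoryGroupSearchFilter` should state the substitution contract, because those filters are only safe if the substituting code escapes the login username and the user DN as LDAP filter values (RFC 4515): `// {} is replaced at login time with the typed username; the substituting code must escape it as an LDAP filter value.` It would also help to name the OID in the group filter comment: `// 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, the AD extended match that follows nested group membership.` validateUpstream starts before and continues after its hunk.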
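--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1157,6 +1157,9 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 name: "when the input activedirectoryidentityprovider leaves user attributes blank, provide default values",
 inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.ActiveDirectoryIdentityProvider) {
 upstream.Spec.UserSearch.Attributes = v1alpha1.ActiveDirectoryIdentityProviderUserSearchAttributes{}
+upstream.Spec.UserSearch.Filter = ""
+upstream.Spec.GroupSearch.Filter = ""
+upstream.Spec.GroupSearch.Attributes = v1alpha1.ActiveDirectoryIdentityProviderGroupSearchAttributes{}
 })},
 inputSecrets: []runtime.Object{validBindUserSecret("4242")},
 setupMocks: func(conn *mockldapconn.MockConn) {
@@ -1174,14 +1177,14 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 BindPassword: testBindPassword,
 UserSearch: upstreamldap.UserSearchConfig{
 Base: testUserSearchBase,
-Filter: testUserSearchFilter,
+Filter: "(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={})(mail={}))(sAMAccountType=805306368))",
 UsernameAttribute: "sAMAccountName",
 UIDAttribute: "objectGUID",
 },
 GroupSearch: upstreamldap.GroupSearchConfig{
 Base: testGroupSearchBase,
-Filter: testGroupSearchFilter,
-GroupNameAttribute: testGroupNameAttrName,
+Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})",
+GroupNameAttribute: "sAMAccountName",
 },
 },
 },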
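Review bot: The case name at the top of the hunk at line 1157, `"when the input activedirectoryidentityprovider leaves user attributes blank, provide default values"`, no longer describes the case now that it also blanks both search filters and the group attributes; suggest `name: "when the input activedirectoryidentityprovider leaves user and group attributes and filters blank, provide default values"`. In the second hunk the expected filters are pinned as string literals rather than the `defaultActiveDirectory*` constants, which is the right choice for a test of a security-relevant default (a silent change to the constant would otherwise still pass), and a one-line comment such as `// literal on purpose: pins the shipped default filter` would stop a future cleanup from replacing them with the constants. The enclosing table-driven test function starts before both hunks.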