diff --git a/docs/sts/ldap.md b/docs/sts/ldap.md index 9b6001bbd..d10892be1 100644 --- a/docs/sts/ldap.md +++ b/docs/sts/ldap.md @@ -34,7 +34,8 @@ KEY: identity_ldap enable LDAP SSO support ARGS: -MINIO_IDENTITY_LDAP_SERVER_ADDR* (address) AD/LDAP server address e.g. "myldapserver.com:636" +MINIO_IDENTITY_LDAP_SERVER_ADDR* (address) AD/LDAP server address e.g. "myldap.com" or "myldapserver.com:1686" +MINIO_IDENTITY_LDAP_SRV_RECORD_NAME (string) DNS SRV record name for LDAP service, if given, must be one of ldap, ldaps or on MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN* (string) DN for LDAP read-only service account used to perform DN and group lookups MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD (string) Password for LDAP read-only service account used to perform DN and group lookups MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN* (list) ";" separated list of user search base DNs e.g. "dc=myldapserver,dc=com" 
@@ -52,18 +53,33 @@ MINIO_IDENTITY_LDAP_COMMENT (sentence) optionally add a commen The variables relevant to configuring connectivity to the LDAP service are: ``` -MINIO_IDENTITY_LDAP_SERVER_ADDR* (address) AD/LDAP server address e.g. "myldapserver.com:636" +MINIO_IDENTITY_LDAP_SERVER_ADDR* (address) AD/LDAP server address e.g. "myldap.com" or "myldapserver.com:1686" +MINIO_IDENTITY_LDAP_SRV_RECORD_NAME (string) DNS SRV record name for LDAP service, if given, must be one of ldap, ldaps or on MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY (on|off) trust server TLS without verification, defaults to "off" (verify) MINIO_IDENTITY_LDAP_SERVER_INSECURE (on|off) allow plain text connection to AD/LDAP server, defaults to "off" MINIO_IDENTITY_LDAP_SERVER_STARTTLS (on|off) use StartTLS connection to AD/LDAP server, defaults to "off" ``` -The server address variable is _required_. TLS is assumed to be on by default. +The server address variable is _required_. TLS is assumed to be on by default. The port in the server address is optional and defaults to 636 if not provided. **MinIO sends LDAP credentials to the LDAP server for validation. So we _strongly recommend_ to use MinIO with AD/LDAP server over TLS or StartTLS _only_. Using plain-text connection between MinIO and LDAP server means _credentials can be compromised_ by anyone listening to network traffic.** If a self-signed certificate is being used, the certificate can be added to MinIO's certificates directory, so it can be trusted by the server. +#### DNS SRV Records + +Many Active Directory and other LDAP services are setup with [DNS SRV Records](https://ldap.com/dns-srv-records-for-ldap/) for high-availability of the directory service. To use this to find LDAP servers to connect to, an LDAP client makes a DNS SRV record request to the DNS service on a domain that looks like `_service._proto.example.com`. For LDAP the `proto` value is always `tcp`, and `service` is usually `ldap` or `ldaps`. 
+ +To enable MinIO to use the SRV records, specify the `srv_record_name` config parameter (or equivalently the `MINIO_IDENTITY_LDAP_SRV_RECORD_NAME` environment variable). This parameter can be set to `ldap` or `ldaps` and MinIO will substitute it into the `service` value. For example, when `server_addr=myldapserver.com` and `srv_record_name=ldap`, MinIO will lookup the SRV record for `_ldap._tcp.myldapserver.com` and pick an appropriate target for LDAP requests. + +If the DNS SRV record is at an entirely different place, say `_ldapsrv._tcpish.myldapserver.com`, then set `srv_record_name` to the special value `on` and set `server_addr=_ldapsrv._tcpish.myldapserver.com`. + +When using this feature, do not specify a port in the `server_addr` as the port is picked up automatically from the SRV record. + +With the default (empty) value for `srv_record_name`, MinIO **will not** perform any SRV record request. + +The value of `srv_record_name` does not affect any TLS settings - they must be configured with their own parameters. + ### Lookup-Bind A low-privilege read-only LDAP service account is configured in the MinIO server by providing the account's Distinguished Name (DN) and password. This service account is used to perform directory lookups as needed. diff --git a/go.mod b/go.mod index 09770295c..b299958ea 100644 --- a/go.mod +++ b/go.mod @@ -51,7 +51,7 @@ require ( github.com/minio/kes v0.22.0 github.com/minio/madmin-go/v2 v2.0.1 github.com/minio/minio-go/v7 v7.0.44 - github.com/minio/pkg v1.5.6 + github.com/minio/pkg v1.5.8 github.com/minio/selfupdate v0.5.0 github.com/minio/sha256-simd v1.0.0 github.com/minio/simdjson-go v0.4.2 diff --git a/go.sum b/go.sum index 022093b41..9154fa228 100644 --- a/go.sum +++ b/go.sum 
@@ -774,8 +774,8 @@ github.com/minio/minio-go/v7 v7.0.41/go.mod h1:nCrRzjoSUQh8hgKKtu3Y708OLvRLtuASM github.com/minio/minio-go/v7 v7.0.44 h1:9zUJ7iU7ax2P1jOvTp6nVrgzlZq3AZlFm0XfRFDKstM= github.com/minio/minio-go/v7 v7.0.44/go.mod h1:nCrRzjoSUQh8hgKKtu3Y708OLvRLtuASMg2/nvmbarw= github.com/minio/pkg v1.5.4/go.mod h1:2MOaRFdmFKULD+uOLc3qHLGTQTuxCNPKNPfLBTxC8CA= -github.com/minio/pkg v1.5.6 h1:4OUvRU1gDWilu/dohkJMVapylXN8q94kU5MgkOJ/x0I= -github.com/minio/pkg v1.5.6/go.mod h1:EiGlHS2xaooa2VMxhJsxxAZHDObHVUB3HwtuoEXOCVE= +github.com/minio/pkg v1.5.8 h1:ryx23f28havoidUezmYRNgaZpbyn4y3m2yp/vfasFy0= +github.com/minio/pkg v1.5.8/go.mod h1:EiGlHS2xaooa2VMxhJsxxAZHDObHVUB3HwtuoEXOCVE= github.com/minio/selfupdate v0.5.0 h1:0UH1HlL49+2XByhovKl5FpYTjKfvrQ2sgL1zEXK6mfI= github.com/minio/selfupdate v0.5.0/go.mod h1:mcDkzMgq8PRcpCRJo/NlPY7U45O5dfYl2Y0Rg7IustY= github.com/minio/sha256-simd v1.0.0 h1:v1ta+49hkWZyvaKwrQB8elexRqm6Y0aMLjCNsrYxo6g= diff --git a/internal/config/identity/ldap/config.go b/internal/config/identity/ldap/config.go index 6bb0bf63c..3850f3d54 100644 --- a/internal/config/identity/ldap/config.go +++ b/internal/config/identity/ldap/config.go @@ -62,6 +62,7 @@ func (l *Config) Clone() Config { // LDAP keys and envs. const ( ServerAddr = "server_addr" + SRVRecordName = "srv_record_name" LookupBindDN = "lookup_bind_dn" LookupBindPassword = "lookup_bind_password" UserDNSearchBaseDN = "user_dn_search_base_dn" @@ -73,6 +74,7 @@ const ( ServerStartTLS = "server_starttls" EnvServerAddr = "MINIO_IDENTITY_LDAP_SERVER_ADDR" + EnvSRVRecordName = "MINIO_IDENTITY_LDAP_SRV_RECORD_NAME" EnvTLSSkipVerify = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY" EnvServerInsecure = "MINIO_IDENTITY_LDAP_SERVER_INSECURE" EnvServerStartTLS = "MINIO_IDENTITY_LDAP_SERVER_STARTTLS" @@ -100,6 +102,10 @@ var ( Key: ServerAddr, Value: "", }, + config.KV{ + Key: SRVRecordName, + Value: "", + }, config.KV{ Key: UserDNSearchBaseDN, Value: "", 
@@ -173,9 +179,10 @@ func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) { return l, nil } l.LDAP = ldap.Config{ - Enabled: true, - RootCAs: rootCAs, - ServerAddr: ldapServer, + Enabled: true, + RootCAs: rootCAs, + ServerAddr: ldapServer, + SRVRecordName: getCfgVal(SRVRecordName), } l.stsExpiryDuration = defaultLDAPExpiry diff --git a/internal/config/identity/ldap/help.go b/internal/config/identity/ldap/help.go index ca21447f3..2d6227369 100644 --- a/internal/config/identity/ldap/help.go +++ b/internal/config/identity/ldap/help.go @@ -28,10 +28,17 @@ var ( Help = config.HelpKVS{ config.HelpKV{ Key: ServerAddr, - Description: `AD/LDAP server address e.g. "myldapserver.com:636"` + defaultHelpPostfix(ServerAddr), + Description: `AD/LDAP server address e.g. "myldap.com" or "myldapserver.com:636"` + defaultHelpPostfix(ServerAddr), Type: "address", Sensitive: true, }, + config.HelpKV{ + Key: SRVRecordName, + Description: `DNS SRV record name for LDAP service, if given, must be one of "ldap", "ldaps" or "on"` + defaultHelpPostfix(SRVRecordName), + Optional: true, + Type: "string", + Sensitive: false, + }, config.HelpKV{ Key: LookupBindDN, Description: `DN for LDAP read-only service account used to perform DN and group lookups` + defaultHelpPostfix(LookupBindDN),
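Review bot: The added `SRVRecordName: getCfgVal(SRVRecordName)` hands the configured value straight to `ldap.Config` without checking it against the three values the help text and docs in this same change declare legal (`ldap`, `ldaps`, `on`), so a typo such as `ldapz` is not rejected at config-load time here; unless minio/pkg validates it (not visible in this diff), that is a silent misconfiguration of the identity backend. I would validate before building the struct: `if v := getCfgVal(SRVRecordName); v != "" && v != "ldap" && v != "ldaps" && v != "on" {` / `return l, config.Errorf("invalid %s %q: must be one of ldap, ldaps or on", SRVRecordName, v)` / `}` (use `fmt.Errorf` if `config.Errorf` is not the convention in this package). The docs also state that `server_addr` must carry no port when SRV lookup is enabled; rejecting a non-empty SRV name together with a host:port `ldapServer` in the same place would turn a confusing runtime lookup failure into a clear config error. Because the SRV target host now comes from an unauthenticated DNS answer, it is worth confirming in minio/pkg that the TLS certificate is still verified against the operator-configured domain, or at least that the SRV path never relaxes `tls_skip_verify`, rather than trusting whatever target the record names. `Lookup` begins before and continues after this hunk.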
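Review bot: The new `ServerAddr` help string uses `"myldapserver.com:636"` as the explicit-port example while the `docs/sts/ldap.md` hunks in this same change use `"myldapserver.com:1686"`; the two should agree, and since 636 is the documented default when no port is given, the non-default port is the more instructive example: `Description: `AD/LDAP server address e.g. "myldap.com" or "myldapserver.com:1686"` + defaultHelpPostfix(ServerAddr),`. The `SRVRecordName` description lists the legal values but omits the two constraints the docs spell out — that `on` means `server_addr` is the full SRV name (e.g. `_ldap._tcp.example.com`) and that `server_addr` must not carry a port when SRV lookup is enabled — which is exactly what an operator reading the `mc admin config` help will trip over. I would extend it to `DNS SRV record name for LDAP service, if given, must be one of "ldap", "ldaps" or "on" ("on": server_addr is the full SRV record name); do not include a port in server_addr when set`. Marking the key `Sensitive: false` is right, as the value carries no secret.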