LDAP DNs are treated as case-sensitive in Minio, should be case-insensitive #17347
Comments
One behaviour that makes this bug more frustrating: issuing this command:

It's a bit nuanced: CN, OU, DC are always based on the case provided by you to our search strings. We do not fully support case insensitivity for the values of these fields. So what you are seeing is expected. Use the correct capitalization based on your user/group DN parameters.

The RFCs beg to differ. In particular: querying with DC= or dc= or Dc= or dC= on any LDAP directory yields the same result. There's no reason minio should be performing that filtering itself ahead of the LDAP directory.

@drivera-armedia I am not talking about whether RFC is correct, not even trying to defend our implementation. We haven't implemented it the way LDAP might want case insensitivity, and that is the whole point of this issue. When this gets fixed it will be in accordance with the LDAP RFC for LDAP hierarchies; until then this is an open item.

If it's a pressing need, feel free to send a PR and we are happy to accept contributions in this area - if not, wait for us to get some free cycles to fix this correctly. // cc @donatello

Fair enough ... a possible solve, since the most immediate impact has to do with policies, is to simply make the entire string comparison case-insensitive, since we'll be comparing DNs and, as the RFC stated, DNs should always be case-insensitive (and I have observed them to be). I'll look into this, and may post a PR in the coming days.

@donatello, is this issue fixed with the new normalization of LDAP DNs?
Works much better, thank you! But there may still be some rough edges:

```
bash-4.4$ mcli idp ldap policy entities --group cn=ADMINISTRATOR,OU=Groups,ou=Operations,dc=my-test-domain,dc=com local
Query time: 2024-05-22T20:09:29Z
bash-4.4$ mcli idp ldap policy entities --group CN=ADMINISTRATOR,ou=Groups,ou=Operations,dc=my-test-domain,dc=com local
Query time: 2024-05-22T20:09:35Z
bash-4.4$ mcli idp ldap policy entities --group cn=ADMINISTRATOR,ou=Groups,ou=Operations,dc=my-test-domain,dc=com local
Query time: 2024-05-22T20:09:43Z
Group -> Policy Mappings:
Group: cn=ADMINISTRATOR,ou=Groups,ou=Operations,dc=my-test-domain,dc=com
consoleAdmin
readwrite
bash-4.4$ mcli idp ldap policy entities --group cn=administrator,ou=Groups,ou=Operations,dc=my-test-domain,dc=com local
Query time: 2024-05-22T20:09:55Z
```

As you can see, we get different results if we change the case of some elements and values, so the case sensitivity is still there... at least from the policy query tool. That said, I can log in using LDAP users which are members of that group, and the

Cheers!
While setting up the policy mapping, MinIO uses the LDAP server to obtain a normalized value - however, we do not want to contact the LDAP server for normalization when querying the mappings, as we expect this to work even if the LDAP server is down. We are looking into doing a basic level of normalization without contacting the LDAP server to try and solve this remaining problem.
Expected Behavior
When attaching a policy to a group using lowercase attributes in the admin group's DN (i.e. cn=ARKCASE_ADMINISTRATOR,cn=Users,dc=dev,dc=arkcase,dc=com), Minio's LDAP engine expects the attributes to be in uppercase (i.e. CN=ARKCASE_ADMINISTRATOR,CN=Users,DC=dev,DC=arkcase,DC=com).
Both DNs are equivalent per RFCs, and granting the policy to either should yield the same result.
Steps to Reproduce (for bugs)
Context
This increases the difficulty of initialization and configuration for an integrated Minio container that's part of a larger app. Granting the role to the same DN, but with the attribute names in uppercase, works perfectly. It appears that the minio code expects the DNs to match the case from LDAP exactly, which is incorrect behavior.
Per ldap.com:
Your Environment
minio --version: RELEASE.2023-06-02T23-17-26Z
uname -a: Linux test-env-0 5.19.0-42-generic #43~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Apr 21 16:51:08 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
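The "basic level of normalization without contacting the LDAP server" that the last comment in the thread mentions, and the case-insensitive DN comparison proposed earlier in it, can be illustrated with the following Go example. This is an added example written for this page, not MinIO's code. It assumes a fixed list of attribute types (cn, ou, o, dc, uid, l, st, c) whose standard schema uses a case-ignoring matching rule: attribute types are always lowercased, values of those types are lowercased, values of any other type are left untouched, and RFC 4514 backslash escapes are honoured when splitting so that an escaped comma inside a value does not start a new RDN. The function names NormalizeDN, EqualDN, splitUnescaped and trimUnescaped are the example's own; the sample DNs are the ones quoted in the issue and comments above.

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute types whose standard schema (RFC 4519) uses a case-ignoring
// matching rule (caseIgnoreMatch, or caseIgnoreIA5Match for dc). This list is
// an assumption of the example; values of any other type are left as-is.
var caseIgnoreTypes = map[string]bool{
	"cn": true, "ou": true, "o": true, "dc": true,
	"uid": true, "l": true, "st": true, "c": true,
}

// splitUnescaped splits s on sep, skipping separators preceded by a backslash
// (RFC 4514 escaping). Escape sequences are preserved in the returned parts.
func splitUnescaped(s string, sep byte) []string {
	var parts []string
	start := 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // the next byte is escaped; never treat it as a separator
		case sep:
			parts = append(parts, s[start:i])
			start = i + 1
		}
	}
	return append(parts, s[start:])
}

// trimUnescaped removes insignificant spaces around a value while keeping an
// escaped trailing space ("\ "), which is part of the value.
func trimUnescaped(v string) string {
	v = strings.TrimLeft(v, " ")
	for strings.HasSuffix(v, " ") && !strings.HasSuffix(v, `\ `) {
		v = v[:len(v)-1]
	}
	return v
}

// NormalizeDN returns a canonical form of dn without consulting a directory:
// attribute types are lowercased (they are always case-insensitive), values
// of case-ignore types are lowercased, and spaces around components are
// dropped. Multi-valued RDNs (a=1+b=2) are handled; a component without '='
// is reported as an error rather than silently accepted.
func NormalizeDN(dn string) (string, error) {
	rdns := splitUnescaped(dn, ',')
	for i, rdn := range rdns {
		avas := splitUnescaped(rdn, '+')
		for j, ava := range avas {
			eq := strings.IndexByte(ava, '=')
			if eq < 0 {
				return "", fmt.Errorf("malformed DN component %q: missing '='", ava)
			}
			typ := strings.ToLower(strings.TrimSpace(ava[:eq]))
			val := trimUnescaped(ava[eq+1:])
			if caseIgnoreTypes[typ] {
				val = strings.ToLower(val)
			}
			avas[j] = typ + "=" + val
		}
		rdns[i] = strings.Join(avas, "+")
	}
	return strings.Join(rdns, ","), nil
}

// EqualDN reports whether a and b name the same entry under NormalizeDN.
func EqualDN(a, b string) (bool, error) {
	na, err := NormalizeDN(a)
	if err != nil {
		return false, err
	}
	nb, err := NormalizeDN(b)
	if err != nil {
		return false, err
	}
	return na == nb, nil
}

func main() {
	// Constructed inputs: the DN spellings queried with mcli in the thread above.
	forms := []string{
		"cn=ADMINISTRATOR,OU=Groups,ou=Operations,dc=my-test-domain,dc=com",
		"CN=ADMINISTRATOR,ou=Groups,ou=Operations,dc=my-test-domain,dc=com",
		"cn=administrator,ou=Groups,ou=Operations,dc=my-test-domain,dc=com",
	}
	for _, f := range forms {
		n, err := NormalizeDN(f)
		fmt.Printf("%s -> %s (err=%v)\n", f, n, err)
	}
	// The two DNs from the issue description compare equal after normalization.
	ok, _ := EqualDN("cn=ARKCASE_ADMINISTRATOR,cn=Users,dc=dev,dc=arkcase,dc=com",
		"CN=ARKCASE_ADMINISTRATOR,CN=Users,DC=dev,DC=arkcase,DC=com")
	fmt.Println("issue's two DNs equal:", ok)
}
```

Folding only the values of known case-ignore types is the conservative choice: it makes the policy lookup tolerate the case differences seen in the thread without assuming that every attribute in the directory schema is case-insensitive, and the list can be widened to match a given deployment's schema.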