add ldap auth custom search filter feature patch - http://tracker.ceph.com/issues... 11332/head
authorHarald Klein <hari@vt100.at>
Wed, 31 Aug 2016 15:41:26 +0000 (17:41 +0200)
committerMatt Benjamin <mbenjamin@redhat.com>
Wed, 5 Oct 2016 16:46:42 +0000 (12:46 -0400)
Signed-off-by: Harald Klein <hari@vt100.at>
(cherry picked from commit c935885ae9d5fd413495448a0b0e5fce899c9b73)

Fixes: http://tracker.ceph.com/issues/17185
src/common/config_opts.h
src/rgw/librgw.cc
src/rgw/rgw_ldap.cc
src/rgw/rgw_ldap.h
src/rgw/rgw_rest_s3.cc

index 7be42312fd781fe5f2026da450befb642444b415..a73913bab110bdf07d733df8987a184e3005afaf 100644 (file)
@@ -1299,6 +1299,8 @@ OPTION(rgw_ldap_dnattr, OPT_STR, "uid")
 OPTION(rgw_ldap_secret, OPT_STR, "/etc/openldap/secret")
 /* rgw_s3_auth_use_ldap  use LDAP for RGW auth? */
 OPTION(rgw_s3_auth_use_ldap, OPT_BOOL, false)
+/* rgw_ldap_searchfilter  LDAP search filter */
+OPTION(rgw_ldap_searchfilter, OPT_STR, "")
 
 OPTION(rgw_admin_entry, OPT_STR, "admin")  // entry point for which a url is considered an admin request
 OPTION(rgw_enforce_swift_acls, OPT_BOOL, true)
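Review bot: The comment on the new `rgw_ldap_searchfilter` option does not tell an administrator how the value is interpreted, and rgw_ldap.cc in this same commit treats it three ways: an empty value builds `(dnattr=username)`, a value containing `@USERNAME@` has that token replaced by the user name, and any other value is ANDed with `(dnattr=username)`. Since a mis-written filter silently changes which directory entries an S3 user can authenticate as, that contract belongs next to the option. Suggested comment: `/* rgw_ldap_searchfilter  custom LDAP search filter; "@USERNAME@" is replaced by the user name, any other non-empty value is ANDed with (dnattr=username); empty builds (dnattr=username) */`.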
index c47612907542eff0e84e83d2036c6763c02fdc11..368dcdaa4727411dd2f04946650e024fc21b2a04 100644 (file)
@@ -468,12 +468,13 @@ namespace rgw {
     const string& ldap_uri = store->ctx()->_conf->rgw_ldap_uri;
     const string& ldap_binddn = store->ctx()->_conf->rgw_ldap_binddn;
     const string& ldap_searchdn = store->ctx()->_conf->rgw_ldap_searchdn;
+    const string& ldap_searchfilter = store->ctx()->_conf->rgw_ldap_searchfilter;
     const string& ldap_dnattr =
       store->ctx()->_conf->rgw_ldap_dnattr;
     std::string ldap_bindpw = parse_rgw_ldap_bindpw(store->ctx());
 
     ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_bindpw.c_str(),
-                             ldap_searchdn, ldap_dnattr);
+                             ldap_searchdn, ldap_searchfilter, ldap_dnattr);
     ldh->init();
     ldh->bind();
 
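Review bot: The LDAPHelper construction in this hunk is duplicated line for line in RGW_Auth_S3::init_impl in rgw_rest_s3.cc (the last hunk of this commit), and the new option had to be threaded through both copies by hand; they already differ in passing `ldap_bindpw.c_str()` here versus `ldap_bindpw` there. A single helper that reads the rgw_ldap_* options and returns the constructed LDAPHelper would keep the two call sites from diverging further as options are added. The enclosing function starts outside this hunk.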
index b8f7d3edfdcda38e17f9a013b6181917c4b9efc8..e8915e30daff84cf94d88dc660bdff11b6e5853f 100644 (file)
@@ -50,12 +50,33 @@ namespace rgw {
       filter += "))";
     } else {
       /* openldap */
-      filter = "(";
-      filter += dnattr;
-      filter += "=";
-      filter += uid;
-      filter += ")";
+      if (searchfilter.empty()) {
+        /* no search filter provided in config, we construct our own */
+        filter = "(";
+        filter += dnattr;
+        filter += "=";
+        filter += uid;
+        filter += ")";
+      } else {
+        if (searchfilter.find("@USERNAME@") != std::string::npos) {
+        /* we need to substitute the @USERNAME@ placeholder */
+         filter = searchfilter;
+          filter.replace(searchfilter.find("@USERNAME@"), std::string("@USERNAME@").length(), uid);
+        } else {
+        /* no placeholder for username, so we need to append our own username filter to the custom searchfilter */
+          filter = "(&(";
+          filter += searchfilter;
+          filter += ")(";
+          filter += dnattr;
+          filter += "=";
+          filter += uid;
+          filter += "))";
+        }
+      }
     }
+    ldout(g_ceph_context, 12)
+      << __func__ << " search filter: " << filter
+      << dendl;
     char *attrs[] = { const_cast<char*>(dnattr.c_str()), nullptr };
     LDAPMessage *answer = nullptr, *entry = nullptr;
     bool once = true;
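Review bot: The `@USERNAME@` substitution at the `filter.replace(...)` line rewrites only the first occurrence, so a configured filter that uses the placeholder twice (say, to match either a uid or a mail attribute) sends the second `@USERNAME@` to the directory literally; iterating over every occurrence, as below, fixes that and also drops the second `searchfilter.find` call. The user name is spliced in verbatim on both branches, so the characters RFC 4515 reserves in filter values (`*`, `(`, `)`, `\`, NUL) should be escaped before substitution — the pre-existing `filter += uid` path had the same gap, but this hunk extends it to admin-supplied filters where the placeholder may sit in any position. The fallback branch wraps the configured value as `(&(` + searchfilter + `)(`, which, if I read it right, produces doubled parentheses for a filter already written as `(objectClass=person)`, so the expected form should be documented. The sketch assumes `uid` is the `std::string` its `+=` use suggests; the enclosing auth routine starts outside this hunk.
```cpp
      } else {
        const std::string placeholder("@USERNAME@");
        if (searchfilter.find(placeholder) != std::string::npos) {
          /* substitute every @USERNAME@ occurrence, not only the first */
          filter = searchfilter;
          for (std::string::size_type pos = filter.find(placeholder);
               pos != std::string::npos;
               pos = filter.find(placeholder, pos + uid.size())) {
            filter.replace(pos, placeholder.size(), uid);
          }
        } else {
          // … unchanged: append (dnattr=uid) to the custom filter …
        }
      }
```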
index 925a1550d504a0c513512e503a56cdf5ab6be552..5d3340663c26c39e5b9ca4d8d8a95797e0fe4cd1 100644 (file)
@@ -28,6 +28,7 @@ namespace rgw {
     std::string binddn;
     std::string bindpw;
     std::string searchdn;
+    std::string searchfilter;
     std::string dnattr;
     LDAP *ldap;
     bool msad = false; /* TODO: possible future specialization */
@@ -37,9 +38,9 @@ namespace rgw {
     using lock_guard = std::lock_guard<std::mutex>;
 
     LDAPHelper(std::string _uri, std::string _binddn, std::string _bindpw,
-              std::string _searchdn, std::string _dnattr)
+              std::string _searchdn, std::string _searchfilter, std::string _dnattr)
       : uri(std::move(_uri)), binddn(std::move(_binddn)),
-       bindpw(std::move(_bindpw)), searchdn(_searchdn), dnattr(_dnattr),
+       bindpw(std::move(_bindpw)), searchdn(_searchdn), searchfilter(_searchfilter), dnattr(_dnattr),
        ldap(nullptr) {
       // nothing
     }
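Review bot: `searchfilter(_searchfilter)` in the new initializer copies a parameter that is already taken by value, while `uri`, `binddn` and `bindpw` two lines above move theirs; `searchfilter(std::move(_searchfilter))` matches the intent of the by-value signature. The existing `searchdn(_searchdn)` and `dnattr(_dnattr)` initializers have the same copy, so this is a pre-existing style that the new member simply follows. The LDAPHelper class definition starts outside this hunk.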
@@ -105,7 +106,7 @@ namespace rgw {
   {
   public:
     LDAPHelper(std::string _uri, std::string _binddn, std::string _bindpw,
-              std::string _searchdn, std::string _dnattr)
+              std::string _searchdn, std::string _searchfilter, std::string _dnattr)
       {}
 
     int init() {
index ac11fcbc2c7076ef8c19199e836140ee96a90935..4a0bcdcaa991d455bc28d1ad9245397c637c70a4 100644 (file)
@@ -3096,12 +3096,13 @@ void RGW_Auth_S3::init_impl(RGWRados* store)
   const string& ldap_uri = store->ctx()->_conf->rgw_ldap_uri;
   const string& ldap_binddn = store->ctx()->_conf->rgw_ldap_binddn;
   const string& ldap_searchdn = store->ctx()->_conf->rgw_ldap_searchdn;
+  const string& ldap_searchfilter = store->ctx()->_conf->rgw_ldap_searchfilter;
   const string& ldap_dnattr =
     store->ctx()->_conf->rgw_ldap_dnattr;
   std::string ldap_bindpw = parse_rgw_ldap_bindpw(store->ctx());
 
   ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_bindpw,
-                           ldap_searchdn, ldap_dnattr);
+                           ldap_searchdn, ldap_searchfilter, ldap_dnattr);
 
   ldh->init();
   ldh->bind();