From: Harald Klein
Date: Wed, 31 Aug 2016 15:41:26 +0000 (+0200)
Subject: add ldap auth custom search filter feature patch - http://tracker.ceph.com/issues...
X-Git-Tag: v10.2.4~99^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F11332%2Fhead;p=ceph.git

add ldap auth custom search filter feature patch - http://tracker.ceph.com/issues/17185

Signed-off-by: Harald Klein
(cherry picked from commit c935885ae9d5fd413495448a0b0e5fce899c9b73)
Fixes: http://tracker.ceph.com/issues/17185
---
diff --git a/src/common/config_opts.h b/src/common/config_opts.h
index 7be42312fd7..a73913bab11 100644
--- a/src/common/config_opts.h
+++ b/src/common/config_opts.h
@@ -1299,6 +1299,8 @@ OPTION(rgw_ldap_dnattr, OPT_STR, "uid")
 OPTION(rgw_ldap_secret, OPT_STR, "/etc/openldap/secret")
 /* rgw_s3_auth_use_ldap use LDAP for RGW auth? */
 OPTION(rgw_s3_auth_use_ldap, OPT_BOOL, false)
+/* rgw_ldap_searchfilter LDAP search filter */
+OPTION(rgw_ldap_searchfilter, OPT_STR, "")
 OPTION(rgw_admin_entry, OPT_STR, "admin") // entry point for which a url is considered an admin request
 OPTION(rgw_enforce_swift_acls, OPT_BOOL, true)
diff --git a/src/rgw/librgw.cc b/src/rgw/librgw.cc
index c4761290754..368dcdaa472 100644
--- a/src/rgw/librgw.cc
+++ b/src/rgw/librgw.cc
@@ -468,12 +468,13 @@ namespace rgw {
 const string& ldap_uri = store->ctx()->_conf->rgw_ldap_uri;
 const string& ldap_binddn = store->ctx()->_conf->rgw_ldap_binddn;
 const string& ldap_searchdn = store->ctx()->_conf->rgw_ldap_searchdn;
+ const string& ldap_searchfilter = store->ctx()->_conf->rgw_ldap_searchfilter;
 const string& ldap_dnattr = store->ctx()->_conf->rgw_ldap_dnattr;
 std::string ldap_bindpw = parse_rgw_ldap_bindpw(store->ctx());
 ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_bindpw.c_str(),
- ldap_searchdn, ldap_dnattr);
+ ldap_searchdn, ldap_searchfilter, ldap_dnattr);
 ldh->init();
 ldh->bind();
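Review bot: The comment on the new option, `/* rgw_ldap_searchfilter LDAP search filter */`, does not tell an operator how the value is interpreted; from the rgw_ldap.cc hunk in this same commit, a value containing `@USERNAME@` has that token replaced with the uid being looked up, and any other value is AND-ed with `(<rgw_ldap_dnattr>=<uid>)`, which is only a well-formed filter when the configured value is written without its outer parentheses. Suggest `/* rgw_ldap_searchfilter LDAP search filter; @USERNAME@ is replaced by the user name, otherwise the value is AND-ed with (<rgw_ldap_dnattr>=<user name>) */` and stating the parenthesization expectation wherever the option is documented. The librgw.cc hunk on this line only threads the new value through and needs no change.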
diff --git a/src/rgw/rgw_ldap.cc b/src/rgw/rgw_ldap.cc
index b8f7d3edfdc..e8915e30daf 100644
--- a/src/rgw/rgw_ldap.cc
+++ b/src/rgw/rgw_ldap.cc
@@ -50,12 +50,33 @@ namespace rgw {
 filter += "))";
 } else {
 /* openldap */
- filter = "(";
- filter += dnattr;
- filter += "=";
- filter += uid;
- filter += ")";
+ if (searchfilter.empty()) {
+ /* no search filter provided in config, we construct our own */
+ filter = "(";
+ filter += dnattr;
+ filter += "=";
+ filter += uid;
+ filter += ")";
+ } else {
+ if (searchfilter.find("@USERNAME@") != std::string::npos) {
+ /* we need to substitute the @USERNAME@ placeholder */
+ filter = searchfilter;
+ filter.replace(searchfilter.find("@USERNAME@"), std::string("@USERNAME@").length(), uid);
+ } else {
+ /* no placeholder for username, so we need to append our own username filter to the custom searchfilter */
+ filter = "(&(";
+ filter += searchfilter;
+ filter += ")(";
+ filter += dnattr;
+ filter += "=";
+ filter += uid;
+ filter += "))";
+ }
+ }
 }
+ ldout(g_ceph_context, 12) << __func__ << " search filter: " << filter << dendl;
 char *attrs[] = { const_cast(dnattr.c_str()), nullptr };
 LDAPMessage *answer = nullptr, *entry = nullptr;
 bool once = true;
diff --git a/src/rgw/rgw_ldap.h b/src/rgw/rgw_ldap.h
index 925a1550d50..5d3340663c2 100644
--- a/src/rgw/rgw_ldap.h
+++ b/src/rgw/rgw_ldap.h
@@ -28,6 +28,7 @@ namespace rgw {
 std::string binddn;
 std::string bindpw;
 std::string searchdn;
+ std::string searchfilter;
 std::string dnattr;
 LDAP *ldap;
 bool msad = false; /* TODO: possible future specialization */
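Review bot: `uid` is spliced verbatim into the filter in all three new branches (the two `filter += uid;` lines and the `filter.replace(...)` call) with no escaping of the RFC 4515 filter metacharacters `( ) * \` and NUL, so if `uid` comes from the client request (not visible in this hunk; confirm against the caller) a value containing them alters the structure of the query sent to the directory rather than just the value being matched. The removed lines had the same gap, but since this commit adds two more substitution sites the cheapest fix is one escaping helper applied once before the branches, as below. The `@USERNAME@` branch also calls `searchfilter.find("@USERNAME@")` twice and replaces only the first occurrence; `for (size_t pos = filter.find("@USERNAME@"); pos != std::string::npos; pos = filter.find("@USERNAME@", pos + uid.size())) filter.replace(pos, sizeof("@USERNAME@") - 1, uid);` handles repeated placeholders with one lookup each. The `(&(` … `))` wrapping in the last branch only yields a well-formed filter when the configured value is written without its outer parentheses, which the option's documentation should state. The enclosing function starts and ends outside this hunk.
```cpp
/* RFC 4515 section 3 value escaping: these characters have structural
 * meaning in a search filter, so a uid that may originate from the
 * request must not reach the filter string unescaped. */
static std::string ldap_filter_escape(const std::string& in)
{
  std::string out;
  out.reserve(in.size());
  for (unsigned char c : in) {
    switch (c) {
    case '(':  out += "\\28"; break;
    case ')':  out += "\\29"; break;
    case '*':  out += "\\2a"; break;
    case '\\': out += "\\5c"; break;
    case '\0': out += "\\00"; break;
    default:   out += static_cast<char>(c); break;
    }
  }
  return out;
}

// … unchanged: msad branch of the filter construction …
      const std::string safe_uid = ldap_filter_escape(uid);
      // … unchanged: the three openldap branches, using safe_uid wherever uid was appended or substituted …
```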
@@ -37,9 +38,9 @@ namespace rgw {
 using lock_guard = std::lock_guard;
 LDAPHelper(std::string _uri, std::string _binddn, std::string _bindpw,
- std::string _searchdn, std::string _dnattr)
+ std::string _searchdn, std::string _searchfilter, std::string _dnattr)
 : uri(std::move(_uri)), binddn(std::move(_binddn)),
- bindpw(std::move(_bindpw)), searchdn(_searchdn), dnattr(_dnattr),
+ bindpw(std::move(_bindpw)), searchdn(_searchdn), searchfilter(_searchfilter), dnattr(_dnattr),
 ldap(nullptr) {
 // nothing
 }
@@ -105,7 +106,7 @@ namespace rgw {
 {
 public:
 LDAPHelper(std::string _uri, std::string _binddn, std::string _bindpw,
- std::string _searchdn, std::string _dnattr)
+ std::string _searchdn, std::string _searchfilter, std::string _dnattr)
 {}
 int init() {
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index ac11fcbc2c7..4a0bcdcaa99 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -3096,12 +3096,13 @@ void RGW_Auth_S3::init_impl(RGWRados* store)
 const string& ldap_uri = store->ctx()->_conf->rgw_ldap_uri;
 const string& ldap_binddn = store->ctx()->_conf->rgw_ldap_binddn;
 const string& ldap_searchdn = store->ctx()->_conf->rgw_ldap_searchdn;
+ const string& ldap_searchfilter = store->ctx()->_conf->rgw_ldap_searchfilter;
 const string& ldap_dnattr = store->ctx()->_conf->rgw_ldap_dnattr;
 std::string ldap_bindpw = parse_rgw_ldap_bindpw(store->ctx());
 ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_bindpw,
- ldap_searchdn, ldap_dnattr);
+ ldap_searchdn, ldap_searchfilter, ldap_dnattr);
 ldh->init();
 ldh->bind();
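Review bot: In the `@@ -37,9 +38,9` hunk the new `_searchfilter` parameter is taken by value and then copied into the member, whereas `_uri`, `_binddn` and `_bindpw` on the same initializer list are moved; `searchfilter(std::move(_searchfilter))` avoids the extra copy and follows the convention already used two initializers earlier (`searchdn(_searchdn)` and `dnattr(_dnattr)` predate this change and could be fixed the same way). The `@@ -105,7 +106,7` stub constructor accepts the new parameter and ignores it like the others, which is consistent for the no-LDAP build. The rgw_rest_s3.cc hunk repeats the LDAPHelper wiring from librgw.cc line for line; a shared factory would keep the two call sites from drifting, but that is pre-existing structure rather than something this commit introduces. The LDAPHelper class definitions start and end outside these hunks.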