Add client certs support and anonymous group search to LDAP#7578
Add client certs support and anonymous group search to LDAP#7578AeroNotix wants to merge 5 commits into
Conversation
* GSuite LDAP requires that clients use client TLS certificates/keys in order to authenticate against their LDAP.
|
|
|
This adds the ability to provide client cert/key files when using LDAP. Some LDAP providers like Google require the use of client certificates for client authentication and being able to perform searches with no bind set. This is how you are required to use the Google LDAP service. Unknowns:
Refs (and probably a few others): |
AeroNotix
force-pushed
the
add-client-certs
branch
from
5e5906c to
540d351
Compare
AeroNotix
force-pushed
the
add-client-certs
branch
from
540d351 to
10f7e13
Compare
chrishoffman
changed the title
|
Any feedback on this? Am I missing anything? I am willing to support this code in perpetuity (and force my children to do so as well.) |
|
I would need this as well. Is merging this an option? |
|
Any feedback on this? |
| return nil, logical.ErrorResponse(err.Error()), nil, nil | ||
| } | ||
|
|
||
| if cfg.AnonymousGroupSearch { |
There was a problem hiding this comment.
Would you mind to explain this part a bit further? The below code is exactly the same we already execute on line 80:
vault/builtin/credential/ldap/backend.go
Lines 80 to 86 in 4fbf1f4
There was a problem hiding this comment.
With google LDAP there's no way to query for groups a user is logged in as while logged in as that user. But there's no way to verify a user's login credentials without binding as that user. At least no way I could find to do it.
Reason I added this was so that you could do the first bind as the logged in user, verify that their credentials are correct - then drop to the anonymous bind with client certificates just for the group membership search.
There was a problem hiding this comment.
Ah, gotcha! That sounds very google LDAP specific to me? I wonder if we should rename anonymous_group_search to google_anonymous_group_search or something similar? anonymous_group_search sounds to me like the credentials are never used at all.
There was a problem hiding this comment.
Sure, that makes sense and I agree. I will make that change 👍
There was a problem hiding this comment.
The problem is if this behavior is ever necessary with an ldap server that isn't Google, now the option name is confusing/limiting.
There was a problem hiding this comment.
Yes, @michelvocks made a convincing argument for the name change. I will change it.
There was a problem hiding this comment.
Yes, and I'm suggesting that it should not be name that was discussed.
There was a problem hiding this comment.
Oh my bad, I misunderstood your point then. I'm happy either way, right now we only know that Google LDAP services need this option - but potentially I guess it is possible that others would need it.
| @@ -1,8 +1,6 @@ | |||
| module github.com/hashicorp/vault | |||
|
|
|||
| go 1.12 | |||
There was a problem hiding this comment.
As far as I can see all the changes to go.mod, go.sum and sdk/go.mod are not necessary for this PR. Would you mind to exclude them from your PR?
There was a problem hiding this comment.
Sure, I can. What are the "rules" in general about PRs which bump go/dependency versions?
There was a problem hiding this comment.
PRs never bump Go version. But you're out of date from master anyways, it's already updated for Go 1.13.
There was a problem hiding this comment.
In general, we bump the go version in a separate PR. Dependency versions can be updated in feature/bugfix PRs if there is reason/advantage to do that.
There was a problem hiding this comment.
It wasn't out of date two months ago when I submitted the PR 😛
I'll rebase with master and push up changes.
michelvocks
left a comment
michelvocks
left a comment
There was a problem hiding this comment.
Hi @AeroNotix!
First of all, I want to apologize for the super late reply/review. We are doing our best to do community reviews as quickly as possible but sometimes we struggle a bit.
We really appreciate your work and effort tho!
This PR looks good overall but I have a question and one minor change request left (see in the review). I'm also a bit unsure about the UI question you have mentioned above. I CC here @noelledaley since I think she can help out here.
Cheers,
Michel
|
Thanks for getting back to me! The UI changes I refer to are that some of the additional configuration options I added may not be configurable from the UI properly, I did a quick poke around the JS and fragments that add the configuration options to the UI but last I checked they didn't seem to work as expected. It's been a couple of months since I fired up this PR and had it going. When I get time this week I'll rebase w/ master and go through the motions testing it with our Google LDAP set up. @noelledaley hi - any feedback or tips regarding what's needed for the UI portions is much appreciated! |
| if err != nil { | ||
| return nil, logical.ErrorResponse("ldap operation failed"), nil, nil | ||
| } | ||
| defer c.Close() |
There was a problem hiding this comment.
I think you can drop this line since we already added c.Close() to the defer-stack a few lines above.
| "anonymous_group_search": { | ||
| Type: framework.TypeBool, | ||
| Default: false, | ||
| Description: "Use anonymous binds when performing LDAP group searches", |
There was a problem hiding this comment.
I think it makes sense to add that the credentials are stilled used for the initial connection test otherwise users could be confused.
| "anonymous_group_search": { | ||
| Type: framework.TypeBool, | ||
| Default: false, | ||
| Description: "Use anonymous binds when performing LDAP group searches", |
There was a problem hiding this comment.
You'll need to add another property after Description called DisplayAttrs with the field display Name and default Value to get this field to show in the UI. Here's an example of how to do that!
|
|
||
| "client_tls_cert": { | ||
| Type: framework.TypeString, | ||
| Description: "Client certificate to provide to the LDAP server, must be x509 PEM encoded (optional)", |
There was a problem hiding this comment.
You'll need the DisplayAttrs for this field as well
|
|
||
| "client_tls_key": { | ||
| Type: framework.TypeString, | ||
| Description: "Client certificate key to provide to the LDAP server, must be x509 PEM encoded (optional)", |
There was a problem hiding this comment.
Thank you! Will make these changes.
|
Hi @AeroNotix! Thanks for including UI changes in this PR! The changes look good to me at an initial glance -- you'll just need to add the Nice work! Cheers, |
AeroNotix
left a comment
AeroNotix
left a comment
There was a problem hiding this comment.
Thanks @noelledaley appreciate the feedback. Will make the changed you requested and push up.
|
So excited for this change and then we can finally connect vault to google for user authentication. |
Yeah, I'm also waiting on this one. Thanks to everyone who is making this possible! |
|
My use-case for vault logins has changed somewhat - I might not be able to get to this to deal with PR comments/review comments. If you need Vault LDAP logins working with Google - all the work is done and the changes requested shouldn't be much on top of that. |
|
I've rebased from master and applied the fixes mentioned in the previous review in the PR #8365 . Can we follow up on this there? |
|
@Gisson thanks for taking this on and trying to get it over the line. I'll close this PR in favour of your other. |
9 participants
No description provided.