Mandate Group Search Condition in Dex LDAP Connector


Problem description

I am using Dex as our Identity provider and connecting it to LDAP. Below is my ldap config in Dex:

connectors:
- type: ldap
  id: ldap
  name: LDAP
  config:
    host: myhost.staging.com:636
    insecureNoSSL: false
    insecureSkipVerify: false
    bindDN: cn=prometheus-proxy,ou=serviceaccounts,dc=staging,dc=comp,dc=com
    bindPW: 'prometheus'
    rootCA: /etc/dex/ldap/ca-bundle.pem
    userSearch:
      baseDN: ou=people,dc=staging,dc=comp,dc=com
      filter: "(objectClass=person)"
      username: uid
      idAttr: uid
      emailAttr: mail
      nameAttr: uid
    groupSearch:
      baseDN: ou=appgroups,dc=staging,dc=comp,dc=com
      filter: "(objectClass=groupOfMembers)"
      userAttr: DN
      groupAttr: member
      nameAttr: cn

And below is a sample userSearch & groupSearch Result:

dn: uid=swedas01,ou=people,dc=staging,dc=comp,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Sweta Das
gecos: Sweta Das
gidNumber: 50000
givenName: Sweta
mail: Sweta.Das@comp.com
sn: Das
uid: swedas01
memberOf: cn=jenkins,ou=appgroups,dc=staging,dc=comp,dc=com
homeDirectory: /home/swedas01

dn: cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com
objectClass: top
objectClass: groupOfMembers
cn: prometheus
member: uid=testl01,ou=people,dc=staging,dc=comp,dc=com

When I log in to my Prometheus instance, which uses the above config, even though my userID is not part of the group that is being used, i.e. Prometheus, I am still able to log in.

The Dex logs show there are no groups associated with my ID.

time="2019-10-07T19:05:48Z" level=info msg="performing ldap search ou=people,dc=staging,dc=comp,dc=com sub (&(objectClass=person)(uid=swedas01))"
time="2019-10-07T19:05:48Z" level=info msg="username \"swedas01\" mapped to entry uid=swedas01,ou=people,dc=staging,dc=comp,dc=com"
time="2019-10-07T19:05:48Z" level=info msg="performing ldap search cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com sub (&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))"
time="2019-10-07T19:05:48Z" level=error msg="ldap: groups search with filter \"(&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))\" returned no groups"
time="2019-10-07T19:05:48Z" level=info msg="login successful: connector \"ldap\", username=\"swedas01\", email=\"Sweta.Das@comp.com\", groups=[]"

But why is it still allowing me to log in? Is there any way I can mandate this setting: if the group search returns empty, login should fail?

Recommended answer

I am still not sure if this is the right answer. But as far as I could understand, Dex's group search is just for the LDAP search. It returns the groups a user is a member of. Once you get the groups back, you can put RBAC policies on those groups to control what kind of access you want to give to the user.

However, for tools which do not have any auth methods of their own (e.g. Prometheus), I am still not sure how to implement LDAP group auth!
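An added example (not from the question or answer, and not Dex's own code) showing the two places a defender can act on this, since Dex's groupSearch only reports membership and does not fail the login: flagging Dex log lines where a login succeeded with no allow-listed group, and enforcing the group requirement in the relying party from the ID token's groups claim. The log lines are constructed after the format quoted above; the way a non-empty group list is printed is an assumption.

```python
import re
from typing import Iterable, List, Sequence, Tuple

# Constructed sample lines, modelled on the Dex log format quoted in the question.
# The third line assumes a non-empty list is printed as groups=[\"name\" ...] (Go %q).
SAMPLE_LOG = r'''
time="2019-10-07T19:05:48Z" level=error msg="ldap: groups search with filter \"(&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))\" returned no groups"
time="2019-10-07T19:05:48Z" level=info msg="login successful: connector \"ldap\", username=\"swedas01\", email=\"Sweta.Das@comp.com\", groups=[]"
time="2019-10-07T19:06:10Z" level=info msg="login successful: connector \"ldap\", username=\"testl01\", email=\"test@comp.com\", groups=[\"prometheus\"]"
'''

# Matches the escaped username and the bracketed groups list inside msg="..."
LOGIN_RE = re.compile(
    r'login successful: .*username=\\"(?P<user>[^"\\]+)\\".*groups=\[(?P<groups>[^\]]*)\]'
)


def parse_logins(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (username, groups) for every successful Dex login line."""
    result = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            # Group names are the tokens between the escaped quotes / brackets.
            groups = re.findall(r'[^\s\[\]"\\]+', m.group("groups"))
            result.append((m.group("user"), groups))
    return result


def logins_without_required_group(lines: Iterable[str], required: Sequence[str]) -> List[str]:
    """Usernames Dex let in although none of their groups is on the allow-list.
    This is the detection side: Dex reports groups=[] but still logs success."""
    return [user for user, groups in parse_logins(lines) if not set(groups) & set(required)]


def authorize(claims: dict, required: Sequence[str]) -> bool:
    """Relying-party check that Dex itself does not perform: fail closed when the
    ID token's groups claim carries no group on the allow-list."""
    return bool(set(claims.get("groups") or []) & set(required))
```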
