I am using Dex as our identity provider and connecting it to LDAP. Below is my LDAP config in Dex:
connectors:
- type: ldap
  id: ldap
  name: LDAP
  config:
    host: myhost.staging.com:636
    insecureNoSSL: false
    insecureSkipVerify: false
    bindDN: cn=prometheus-proxy,ou=serviceaccounts,dc=staging,dc=comp,dc=com
    bindPW: 'prometheus'
    rootCA: /etc/dex/ldap/ca-bundle.pem
    userSearch:
      baseDN: ou=people,dc=staging,dc=comp,dc=com
      filter: "(objectClass=person)"
      username: uid
      idAttr: uid
      emailAttr: mail
      nameAttr: uid
    groupSearch:
      baseDN: ou=appgroups,dc=staging,dc=comp,dc=com
      filter: "(objectClass=groupOfMembers)"
      userAttr: DN
      groupAttr: member
      nameAttr: cn
Below are a sample userSearch result and a sample groupSearch result:
dn: uid=swedas01,ou=people,dc=staging,dc=comp,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Sweta Das
gecos: Sweta Das
gidNumber: 50000
givenName: Sweta
mail: [email protected]
sn: Das
uid: swedas01
memberOf: cn=jenkins,ou=appgroups,dc=staging,dc=comp,dc=com
homeDirectory: /home/swedas01

dn: cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com
objectClass: top
objectClass: groupOfMembers
cn: prometheus
member: uid=testl01,ou=people,dc=staging,dc=comp,dc=com
When I log in to the Prometheus instance that uses the configuration above, I can still log in even though my user ID does not belong to the group being used (i.e. Prometheus).
The Dex logs show that no groups are associated with my ID:
time="2019-10-07T19:05:48Z" level=info msg="performing ldap search ou=people,dc=staging,dc=comp,dc=com sub (&(objectClass=person)(uid=swedas01))"
time="2019-10-07T19:05:48Z" level=info msg="username \"swedas01\" mapped to entry uid=swedas01,ou=people,dc=staging,dc=comp,dc=com"
time="2019-10-07T19:05:48Z" level=info msg="performing ldap search cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com sub (&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))"
time="2019-10-07T19:05:48Z" level=error msg="ldap: groups search with filter \"(&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))\" returned no groups"
time="2019-10-07T19:05:48Z" level=info msg="login successful: connector \"ldap\", username=\"swedas01\", email=\"[email protected]\", groups=[]"
But why am I still allowed to log in? If the group search returns nothing, the login should fail. Is there a way to enforce this?
I'm still not sure whether this is the right answer. But as far as I know, Dex's group search is only used for the LDAP search: it returns the groups the user belongs to. Once the groups are returned, RBAC policies can be placed on those groups to control what access to grant the user.
However, for tools that don't have any authentication method of their own (e.g. Prometheus), I'm still not sure how to implement LDAP group authentication!
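One way to do the enforcement the answer describes, as an added example that is not part of this thread, of Dex or of Prometheus: a small Go gate placed in front of Prometheus that denies any request whose ID-token groups claim (which Dex emitted as groups=[] in the log above) does not contain the required group. The X-Id-Token-Claims header, the claims JSON shape and the example addresses are assumptions; the ID token is assumed to have been signature-verified by an upstream component before the claims reach this gate.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Claims is the subset of ID-token claims this check reads (assumed shape).
type Claims struct {
	Email  string   `json:"email"`
	Groups []string `json:"groups"`
}

// RequireGroup returns nil only if c.Groups contains required. An empty or
// absent groups claim is a denial, never "no restriction".
func RequireGroup(c Claims, required string) error {
	for _, g := range c.Groups {
		if g == required {
			return nil
		}
	}
	return fmt.Errorf("user %q not in required group %q (groups=%v)", c.Email, required, c.Groups)
}

// AuthorizeRaw parses a claims JSON payload and applies RequireGroup.
func AuthorizeRaw(payload []byte, required string) error {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("bad claims: %w", err)
	}
	return RequireGroup(c, required)
}

// GroupGate wraps a handler (e.g. a reverse proxy to Prometheus) and rejects
// requests whose claims lack the group. The assumed X-Id-Token-Claims header
// must be set by a component that already verified the ID token signature.
func GroupGate(required string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := AuthorizeRaw([]byte(r.Header.Get("X-Id-Token-Claims")), required); err != nil {
			http.Error(w, "forbidden: "+err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed claims mirroring the question's log line (groups=[]): denied.
	fmt.Println(AuthorizeRaw([]byte(`{"email":"swedas01@example.com","groups":[]}`), "prometheus"))
}
```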