Dex LDAP Coonector中的任务组搜索条件

问题描述 投票:1回答:1

我正在使用Dex作为我们的身份提供程序,并将其连接到LDAP。下面是我在dex中的ldap配置:

connectors:
- type: ldap
 id: ldap
 name: LDAP
 config:
   host: myhost.staging.com:636
   insecureNoSSL: false
   insecureSkipVerify: false
   bindDN: cn=prometheus-proxy,ou=serviceaccounts,dc=staging,dc=comp,dc=com
   bindPW: 'prometheus'
   rootCA: /etc/dex/ldap/ca-bundle.pem
   userSearch:
     baseDN: ou=people,dc=staging,dc=comp,dc=com
     filter: "(objectClass=person)"
     username: uid
     idAttr: uid
     emailAttr: mail
     nameAttr: uid
   groupSearch:
     baseDN: ou=appgroups,dc=staging,dc=comp,dc=com
     filter: "(objectClass=groupOfMembers)"
     userAttr: DN
     groupAttr: member
     nameAttr: cn

下面是一个示例userSearch和groupSearch结果:

dn: uid=swedas01,ou=people,dc=staging,dc=comp,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Sweta Das
gecos: Sweta Das
gidNumber: 50000
givenName: Sweta
mail: [email protected]
sn: Das
uid: swedas01
memberOf: cn=jenkins,ou=appgroups,dc=staging,dc=comp,dc=com
homeDirectory: /home/swedas01

dn: cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com
objectClass: top
objectClass: groupOfMembers
cn: prometheus
member: uid=testl01,ou=people,dc=staging,dc=comp,dc=com

当我登录使用上述配置的Prometheus实例时,即使我的userID不属于所使用的组(即Prometheus),我仍然可以登录。

Dex日志显示没有与我的ID相关的组。 

time="2019-10-07T19:05:48Z" level=info msg="performing ldap search ou=people,dc=staging,dc=comp,dc=com sub (&(objectClass=person)(uid=swedas01))"
time="2019-10-07T19:05:48Z" level=info msg="username \"swedas01\" mapped to entry uid=swedas01,ou=people,dc=staging,dc=comp,dc=com"
time="2019-10-07T19:05:48Z" level=info msg="performing ldap search cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com sub (&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))"
time="2019-10-07T19:05:48Z" level=error msg="ldap: groups search with filter \"(&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))\" returned no groups"
time="2019-10-07T19:05:48Z" level=info msg="login successful: connector \"ldap\", username=\"swedas01\", email=\"[email protected]\", groups=[]"

但是为什么仍然允许我登录?如果组Serach返回空,登录应该失败,有什么办法可以强制执行此设置?

kubernetes openid-connect openldap openid-dex
1个回答
0
投票

我仍然不确定这是否是正确的答案。但据我所知,Dex的组搜索仅用于ldap搜索。它返回用户所属的组。返回组后,可以将RBAC策略放在这些组上,以控制要授予用户的访问权限。

但是,对于没有任何身份验证方法的工具(例如Prometheus),我仍然不确定如何实现ldap组身份验证!

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.