
I am using Dex as our identity provider and connecting it to LDAP. Below is my LDAP config in Dex:

connectors:
- type: ldap
  id: ldap
  name: LDAP
  config:
    host: myhost.staging.com:636
    insecureNoSSL: false
    insecureSkipVerify: false
    bindDN: cn=prometheus-proxy,ou=serviceaccounts,dc=staging,dc=comp,dc=com
    bindPW: 'prometheus'
    rootCA: /etc/dex/ldap/ca-bundle.pem
    userSearch:
      baseDN: ou=people,dc=staging,dc=comp,dc=com
      filter: "(objectClass=person)"
      username: uid
      idAttr: uid
      emailAttr: mail
      nameAttr: uid
    groupSearch:
      baseDN: ou=appgroups,dc=staging,dc=comp,dc=com
      filter: "(objectClass=groupOfMembers)"
      userAttr: DN
      groupAttr: member
      nameAttr: cn

And below is a sample userSearch & groupSearch result:

dn: uid=swedas01,ou=people,dc=staging,dc=comp,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Sweta Das
gecos: Sweta Das
gidNumber: 50000
givenName: Sweta
mail: Sweta.Das@comp.com
sn: Das
uid: swedas01
memberOf: cn=jenkins,ou=appgroups,dc=staging,dc=comp,dc=com
homeDirectory: /home/swedas01

dn: cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com
objectClass: top
objectClass: groupOfMembers
cn: prometheus
member: uid=testl01,ou=people,dc=staging,dc=comp,dc=com

When I log in to my Prometheus instance, which uses the above config, I am still able to log in even though my user ID is not part of the group that is being used, i.e. prometheus.

The Dex logs show there are no groups associated with my ID.

time="2019-10-07T19:05:48Z" level=info msg="performing ldap search ou=people,dc=staging,dc=comp,dc=com sub (&(objectClass=person)(uid=swedas01))"
time="2019-10-07T19:05:48Z" level=info msg="username \"swedas01\" mapped to entry uid=swedas01,ou=people,dc=staging,dc=comp,dc=com"
time="2019-10-07T19:05:48Z" level=info msg="performing ldap search cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com sub (&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))"
time="2019-10-07T19:05:48Z" level=error msg="ldap: groups search with filter \"(&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))\" returned no groups"
time="2019-10-07T19:05:48Z" level=info msg="login successful: connector \"ldap\", username=\"swedas01\", email=\"Sweta.Das@comp.com\", groups=[]"

But why is it still allowing me to log in? Is there any way I can mandate this setting: if the group search returns empty, login should fail?


2 Answers


Since your directory supports the memberOf attribute, you can try adding a membership condition to the userSearch filter.

Currently:

username: uid
filter: "(objectClass=person)"

produces the following LDAP filter:

"(&(objectClass=person)(uid=<uid>))"

So you can add the membership condition to the filter setting without the operator, because dex actually adds the operator itself (tested and confirmed by @MohammadYusefpur).

Like:

filter: "(objectClass=person)(memberOf=cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com)"

so that the actual LDAP filter becomes

(&(objectClass=person)(memberOf=cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com)(uid=<uid>))

answered 2020-12-19T11:15:04.520
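Added example (not from the question, the answer, or Dex itself): a small stand-in for the connector that builds the same userSearch and groupSearch filters Dex logs above, runs them against a directory constructed from the question's sample entries (plus a constructed user `testl01` who really is in the prometheus group), and shows why the original config logs `groups=[]` yet still succeeds while the answer's memberOf filter makes the user search come back empty, so login fails. Filter matching is reduced to one AND of equality clauses, which is all these filters use.

```python
import re

# Constructed directory from the question's sample entries. "person" is listed
# explicitly because a real server matches (objectClass=person) through
# inetOrgPerson's superclass chain; testl01 is a constructed extra user who
# really is a member of the prometheus group.
DIRECTORY = [
    {"dn": "uid=swedas01,ou=people,dc=staging,dc=comp,dc=com",
     "objectClass": ["inetOrgPerson", "posixAccount", "person"],
     "uid": ["swedas01"], "mail": ["Sweta.Das@comp.com"],
     "memberOf": ["cn=jenkins,ou=appgroups,dc=staging,dc=comp,dc=com"]},
    {"dn": "uid=testl01,ou=people,dc=staging,dc=comp,dc=com",
     "objectClass": ["inetOrgPerson", "person"], "uid": ["testl01"],
     "memberOf": ["cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com"]},
    {"dn": "cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com",
     "objectClass": ["top", "groupOfMembers"], "cn": ["prometheus"],
     "member": ["uid=testl01,ou=people,dc=staging,dc=comp,dc=com"]},
]

def matches(entry, flt):
    """Evaluate an LDAP filter limited to one AND of equality clauses,
    which is all the filters on this page use (values compared case-insensitively)."""
    if flt.startswith("(&"):
        return all(matches(entry, c) for c in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, value = flt[1:-1].split("=", 1)
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def dex_login(username, user_filter_cfg):
    """Mimic the connector: userSearch, then groupSearch; returns (ok, groups).
    Dex wraps the configured filter as (&<filter>(uid=<username>)), which is why
    the answer's filter can carry two clauses without its own & operator."""
    user_filter = f"(&{user_filter_cfg}(uid={username}))"
    users = [e for e in DIRECTORY if matches(e, user_filter)]
    if len(users) != 1:
        return False, []      # no entry (or an ambiguous one): login fails here
    group_filter = f"(&(objectClass=groupOfMembers)(member={users[0]['dn']}))"
    groups = [e["cn"][0] for e in DIRECTORY if matches(e, group_filter)]
    return True, groups       # an empty group list does NOT block login

ORIGINAL_FILTER = "(objectClass=person)"
MEMBER_FILTER = ("(objectClass=person)"
                 "(memberOf=cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com)")

if __name__ == "__main__":
    for user, flt in [("swedas01", ORIGINAL_FILTER), ("swedas01", MEMBER_FILTER),
                      ("testl01", MEMBER_FILTER)]:
        print(user, dex_login(user, flt))
```

With the original filter swedas01 resolves and gets an empty group list, exactly as in the log; with the memberOf filter only a real prometheus member resolves, so the membership check happens before the login decision rather than after it.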

I am still not sure whether this is the right answer. But as far as I understand, Dex's group search only performs an LDAP search. It returns the groups the user belongs to. Once you have the groups back, you can put RBAC policies on those groups to control what kind of access you want to grant the user.

However, for tools that do not have any authentication method of their own (such as Prometheus), I am still not sure how to implement LDAP group authentication!

answered 2019-10-13T20:02:13.980