connector/ldap: add multiple user to group mapping

Add the ability to fetch a user's membership from
groups of different types by specifying multiple
group-attribute-to-user-attribute value matchers
in the Dex config:

    userMatchers:
    - userAttr: uid
      groupAttr: memberUid
    - userAttr: DN
      groupAttr: member

In other words, the user's groups can now be fetched from
an LDAP structure similar to the following:

    dn: cn=john,ou=People,dc=example,dc=org
    objectClass: person
    objectClass: inetOrgPerson
    sn: doe
    cn: john
    uid: johndoe
    mail: johndoe@example.com
    userpassword: bar

    dn: cn=qa,ou=Groups,ou=Portland,dc=example,dc=org
    objectClass: groupOfNames
    cn: qa
    member: cn=john,ou=People,dc=example,dc=org

    dn: cn=logger,ou=UnixGroups,ou=Portland,dc=example,dc=org
    objectClass: posixGroup
    gidNumber: 1000
    cn: logger
    memberUid: johndoe

Signed-off-by: Vitaliy Dmitriev <vi7alya@gmail.com>
Vitaliy Dmitriev
2020-01-03 10:40:08 +01:00
parent 6318c105ec
commit f2e7823db9
5 changed files with 247 additions and 65 deletions

@@ -123,11 +123,12 @@ connectors:
# Optional filter to apply when searching the directory.
filter: "(objectClass=group)"
# Following two fields are used to match a user to a group. It adds an additional
# Following list contains field pairs that are used to match a user to a group. It adds an additional
# requirement to the filter that an attribute in the group must match the user's
# attribute value.
userAttr: uid
groupAttr: member
userMatchers:
- userAttr: uid
groupAttr: member
# Represents group name.
nameAttr: name
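Review bot: the replacement comment drops the article and reads awkwardly; suggest `# The following list contains field pairs that are used to match a user to a group.` Since every example in this file now removes the top-level `userAttr`/`groupAttr` keys in favour of the `userMatchers` list, the docs should also state whether the old two-key form is still accepted or whether existing configs must be migrated; a one-line note next to `userMatchers:` would spare operators a silently empty group search after upgrading.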
@@ -215,8 +216,9 @@ groupSearch:
# The group search needs to match the "uid" attribute on
# the user with the "memberUid" attribute on the group.
userAttr: uid
groupAttr: memberUid
userMatchers:
- userAttr: uid
groupAttr: memberUid
# Unique name of the group.
nameAttr: cn
@@ -242,8 +244,27 @@ groupSearch:
# Optional filter to apply when searching the directory.
filter: "(objectClass=group)"
userAttr: DN # Use "DN" here not "uid"
groupAttr: member
userMatchers:
- userAttr: DN # Use "DN" here not "uid"
groupAttr: member
nameAttr: name
```
There are cases when different types (objectClass) of groups use different attributes to keep a list of members. Below is an example of group query for such case:
```yaml
groupSearch:
baseDN: cn=groups,cn=compat,dc=example,dc=com
# Optional filter to search for different group types
filter: "(|(objectClass=posixGroup)(objectClass=group))"
# Use multiple user matchers so Dex will know which attribute names should be used to search for group members
userMatchers:
- userAttr: uid
groupAttr: memberUid
- userAttr: DN
groupAttr: member
nameAttr: name
```
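Review bot: `nameAttr: name` in the new mixed posixGroup/group example is inconsistent with the posixGroup example directly above it, which uses `nameAttr: cn`, and with the LDIF in the commit message, where both the groupOfNames and the posixGroup entries carry `cn` rather than `name`; if `name` is absent on one of the two group types, those groups would be returned without a name. Suggest `nameAttr: cn`, or a comment explaining why `name` is present on both types under `cn=compat`. The prose line also needs its articles: `Below is an example of a group query for such a case:`. Finally, the comment on `userMatchers` should spell out the matching semantics, in particular whether a group is returned as soon as any single matcher pair matches, so readers understand that the `|` in the filter combined with two matchers widens the set of groups rather than requiring both pairs to match.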
@@ -275,8 +296,9 @@ connectors:
# Would translate to the query "(&(objectClass=group)(member=<user uid>))".
baseDN: cn=groups,dc=freeipa,dc=example,dc=com
filter: "(objectClass=group)"
userAttr: uid
groupAttr: member
userMatchers:
- userAttr: uid
groupAttr: member
nameAttr: name
```
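Review bot: the unchanged comment above this block, `(&(objectClass=group)(member=<user uid>))`, shows that each matcher's user attribute value is interpolated into the group search filter; with several matchers the value for a `userAttr: DN` pair is the user's full DN, which contains characters LDAP filters treat specially. The docs should say that filter escaping is applied to every matcher pair, not only the first, and the connector change should be checked for exactly that, so an unusual attribute value cannot alter the group query.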
@@ -315,8 +337,9 @@ connectors:
groupSearch:
baseDN: cn=Users,dc=example,dc=com
filter: "(objectClass=group)"
userAttr: DN
groupAttr: member
userMatchers:
- userAttr: DN
groupAttr: member
nameAttr: cn
```
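Review bot: this last example uses `userAttr: DN` without the `# Use "DN" here not "uid"` comment that the earlier `member`-based example carries; since this is the snippet most likely to be copied for a `cn=Users` directory, consider repeating that one-line comment here so the DN-versus-uid distinction is visible where it is needed.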