idp-ldap: Fix create-with-login command (#5036)
Currently, LDAP create-with-login command is not working properly when
the LDAP user does not have admin:CreateServiceAccount permission.

The permission is normally not needed, since a user is always allowed
to create a service account for itself. In that case a temporary (STS)
account is created for the LDAP login, and the new service account must
be issued to that temporary account's access key, not to the LDAP
username as the code currently does.

This commit will send the correct target user in that case to make
create-with-login always successful.

Co-authored-by: Anis Eleuch <[email protected]>
vadmeste and Anis Eleuch authored Sep 15, 2024
1 parent 04c5116 commit bbfe577
Showing 1 changed file with 6 additions and 3 deletions.
9 changes: 6 additions & 3 deletions cmd/idp-ldap-accesskey-create-with-login.go
Expand Up @@ -90,6 +90,9 @@ func mainIDPLdapAccesskeyCreateWithLogin(ctx *cli.Context) error {
func loginLDAPAccesskey(ctx *cli.Context) (*madmin.AdminClient, madmin.AddServiceAccountReq) {
urlStr := ctx.Args().First()

u, e := url.Parse(urlStr)
fatalIf(probe.NewError(e), "unable to parse server URL")

console.SetColor(cred, color.New(color.FgYellow, color.Italic))
reader := bufio.NewReader(os.Stdin)

Expand All @@ -107,14 +110,14 @@ func loginLDAPAccesskey(ctx *cli.Context) (*madmin.AdminClient, madmin.AddServic
stsCreds, e := credentials.NewLDAPIdentity(urlStr, username, password)
fatalIf(probe.NewError(e), "unable to initialize LDAP identity")

u, e := url.Parse(urlStr)
fatalIf(probe.NewError(e), "unable to parse server URL")
tempCreds, e := stsCreds.Get()
fatalIf(probe.NewError(e), "unable to create a temporary account from LDAP identity")

client, e := madmin.NewWithOptions(u.Host, &madmin.Options{
Creds: stsCreds,
Secure: u.Scheme == "https",
})
fatalIf(probe.NewError(e), "unable to initialize admin connection")

return client, accessKeyCreateOpts(ctx, username)
return client, accessKeyCreateOpts(ctx, tempCreds.AccessKeyID)
}
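Review bot: The STS credentials are fetched once with `stsCreds.Get()` to learn the target access key, but the admin client is then built with the provider `stsCreds` itself rather than those fetched values; if the provider refreshes (e.g. the STS session expires between the `Get()` and the request), the admin call would authenticate as a fresh temporary account while `TargetUser` still names the old one, and the "create for myself" allowance the commit relies on would no longer hold. Pinning the client to the exact credentials just obtained avoids the mismatch: `Creds: credentials.NewStaticV4(tempCreds.AccessKeyID, tempCreds.SecretAccessKey, tempCreds.SessionToken),`. The eager `Get()` is also the point at which the LDAP password actually leaves the process for the STS endpoint, so a short why-comment above it would help, e.g. `// Resolve the STS session now: the service account is issued to this temporary account, which the LDAP user may always do for itself, so admin:CreateServiceAccount is not required.` loginLDAPAccesskey's signature and the stdin credential prompt are in the earlier hunk and outside this one.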
