
mc client doesn't allow creation of svcacct on behalf of a user

Open titansmc opened this issue 3 years ago • 11 comments

Is your feature request related to a problem? Please describe.
The MC command states that I could create a svcacct on behalf of a MinIO user, STS or LDAP user, which doesn't seem to be the case if you are using LDAP. Ravind Kumar suggested to open an issue.

mc admin user svcacct add -h
NAME:
  mc admin user svcacct add - add a new service account

USAGE:
  mc admin user svcacct add ALIAS ACCOUNT

ACCOUNT:
  An account could be a regular MinIO user, STS ou LDAP user.

FLAGS:
  --access-key value            set an access key for the service account
  --secret-key value            set a secret key for the service account
  --policy value                path to a JSON policy file
  --config-dir value, -C value  path to configuration folder (default: "/home/ravindkminio/.mc")
  --quiet, -q                   disable progress bar display
  --no-color                    disable color theme
  --json                        enable JSON lines formatted output
  --debug                       enable debug output
  --insecure                    disable SSL certificate verification
  --help, -h                    show help
  
EXAMPLES:
  1. Add a new service account for user 'foobar' to MinIO server.
     $ mc admin user svcacct add myminio foobar

Describe the solution you'd like
mc to work as expected

titansmc avatar Feb 24 '22 11:02 titansmc

@titansmc can you show what you did to see the issue?

vadmeste avatar Feb 24 '22 12:02 vadmeste

14:35 $ mc admin user svcacct add  minio-test/ user='cn=Joe Smith,cn=Users,dc=domain,dc=org'
mc: <ERROR> Unable to add a new service account. We encountered an internal error, please try again. (Unable to find user DN: User DN for user=cn=JJoe Smith,cn=Users,dc=domain,dc=org not found).

titansmc avatar Feb 24 '22 13:02 titansmc

@titansmc what's your MinIO version?

vadmeste avatar Feb 24 '22 13:02 vadmeste

14:35 $ mc --version
mc version RELEASE.2022-02-23T03-15-59Z

server

Version: 2022-02-07T08:17:33Z

titansmc avatar Feb 24 '22 13:02 titansmc

@titansmc can we try the same mc command but with a username instead of that user's full DN?

vadmeste avatar Feb 24 '22 13:02 vadmeste

those are the usernames when connecting MinIO to LDAP

titansmc avatar Feb 24 '22 13:02 titansmc

those are the usernames when connecting MinIO to LDAP

You actually need to provide a username or something else that is used to help MinIO perform searching in the LDAP database, https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN

vadmeste avatar Feb 24 '22 14:02 vadmeste

user_dn_search_base_dn="dc=example,dc=com" I have configured already, but as per the documentation, this is how you would assign a policy to an LDAP user: mc admin policy set consoleAdmin user='cn=sisko,cn=users,dc=example,dc=com'. Giving the username instead of the DN just gives the same error.

titansmc avatar Feb 24 '22 14:02 titansmc

Sorry, I mean this MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER

vadmeste avatar Feb 24 '22 14:02 vadmeste

sorry, you are right, it works fine.... So why, for example, when assigning a policy to a user do I need to specify the DN like: mc admin policy set consoleAdmin user='cn=sisko,cn=users,dc=example,dc=com' but when creating a svcacct I only need the uid? mc admin user svcacct add minio-test/ moscardo

titansmc avatar Feb 24 '22 15:02 titansmc

svcacct wanted this to be friendlier than policy, since there the API expects that you specify an actual user DN, as we are not cross-verifying this again with an LDAP endpoint.

We can, however, allow this when LDAP is configured: if the user=<value> value is a simple username without a DN-like format, we can ask the LDAP provider.

However this is a low priority.

harshavardhana avatar Feb 24 '22 21:02 harshavardhana
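The two lookup paths described in the comment above, as an added example that is not mc or MinIO code: a username is resolved through the configured search filter, while a policy mapping stores the DN as typed without any LDAP check, so a typo like the "JJoe" in the error output earlier in this thread is accepted silently. The directory contents, the policy mappings and the single-clause filter model are constructed assumptions.

```python
"""Added example (not mc or MinIO code): a small model of the two lookup
paths discussed in this thread, plus a check for the drift the unverified
path allows. The directory and mappings below are constructed sample data."""
import re
from typing import Dict, List, Optional

# Constructed stand-in for the LDAP server: DN -> attributes.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=Joe Smith,cn=Users,dc=domain,dc=org": {"uid": "jsmith"},
    "cn=sisko,cn=users,dc=example,dc=com": {"uid": "sisko"},
}

# "attr=value,attr=value" with at least two RDNs; a bare "moscardo" is a uid.
DN_RE = re.compile(r"^\w+=[^,]+(,\s*\w+=[^,]+)+$")


def looks_like_dn(value: str) -> bool:
    """The heuristic sketched in the thread: DN-like value or plain username?"""
    return bool(DN_RE.match(value))


def normalize_dn(dn: str) -> str:
    """Attribute types and cn values compare case-insensitively; also drop
    whitespace around the RDN separators before comparing."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_user(username: str, search_filter: str) -> Optional[str]:
    """svcacct add path: substitute the username into the configured
    MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER (MinIO uses %s as the
    placeholder) and search. Only a single (attr=%s) equality clause is
    modelled here; a real filter may be a compound expression."""
    m = re.fullmatch(r"\((\w+)=%s\)", search_filter)
    if not m:
        raise ValueError("only (attr=%s) filters are modelled here")
    attr = m.group(1)
    hits = [dn for dn, attrs in DIRECTORY.items() if attrs.get(attr) == username]
    return hits[0] if len(hits) == 1 else None  # missing or ambiguous -> None


def audit_policy_mappings(mappings: Dict[str, str]) -> List[str]:
    """policy set path: the DN is stored as typed, with no LDAP lookup, so a
    typo such as 'JJoe' is accepted silently. Return the mapped DNs that do
    not exist in the directory so an operator can fix or remove them."""
    known = {normalize_dn(dn) for dn in DIRECTORY}
    return [dn for dn in mappings if normalize_dn(dn) not in known]


if __name__ == "__main__":
    print(resolve_user("sisko", "(uid=%s)"))
    print(audit_policy_mappings({"cn=JJoe Smith,cn=Users,dc=domain,dc=org": "readwrite"}))
```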

We have decided not to do this since we support multiple hierarchies already and there is no way to automatically deduce which is the parent user in such a situation.

We do not want to be in a guessing game here with LDAP. Closing as won't fix.

harshavardhana avatar Jan 25 '23 15:01 harshavardhana