Better LDAP Support

Open gwisaacs2 opened this issue 3 years ago • 4 comments

Not sure if this falls under Operator or Minio, but I'll put it here for now unless you guys want me to move it

Is your feature request related to a problem? Please describe.

I'm trying to configure a Minio Tenant to use LDAP, and I have found the process very frustrating. Other services provide easier auth methods, but I think the main disadvantage is not being able to see the selected users / groups. My LDAP might bind successfully, but the DN User Search doesn't populate any users. Minio Console prompts me to restart the service, and once I restart I lose the local admin account; if my LDAP users didn't populate, I have no way of signing back into the Tenant and need to delete the tenant and restart.

Describe the solution you'd like

  1. Easier Bind Methods
  2. Button to verify bind / show list of new users from LDAP server so I can validate everything will populate correctly
  3. Ability to maintain the local admin account? I understand why it's removed but at least give me the option to keep it if I want (low priority)
  4. I have also noticed that if I spawn the tenant with built-in users and then inside the tenant I change the users to LDAP, the operator has no awareness of that change, and if I try to revert it back to Built In from the Operator, I get this "env config already present" error.

Describe alternatives you've considered

No way I can really get around this. I'm just continuously deleting and recreating tenants until I finally get it right.

Additional context

I think Sonatype's Nexus service does a great job with all of this. They also support dynamic mapping from AD groups to internal groups.

gwisaacs2 avatar Jul 20 '22 00:07 gwisaacs2
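A preflight check of the kind the second bullet asks for (verify the lookup bind and confirm the user DN search actually matches the intended admin before restarting the tenant), added here as an example that is not part of the issue or of the MinIO project: it fills MinIO's `%s` placeholder with RFC 4515 escaping and reports the switch as safe only when exactly one DN comes back. The `MINIO_IDENTITY_LDAP_*` names are MinIO's real settings; the ldap3 adapter, the LDAPS assumption, the base DN and the `dc=example,dc=com` entries are assumptions constructed for this example.

```python
import re
from typing import Callable, Dict, List

# RFC 4515 escaping: the username substituted into the search filter must not
# be able to change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_user_filter(template: str, username: str) -> str:
    """Fill the %s placeholder MinIO expects in MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER."""
    if "%s" not in template:
        raise ValueError("user DN search filter has no %s placeholder; it would ignore the login name")
    return template.replace("%s", escape_filter_value(username))

def preflight(search: Callable[[str, str], List[str]], base_dn: str,
              template: str, admin_user: str) -> Dict[str, object]:
    """Report whether flipping the tenant to LDAP would keep `admin_user` reachable.
    `search(base_dn, ldap_filter)` returns the DNs matched under the lookup-bind
    account; a failed bind is expected to have raised before this point."""
    ldap_filter = render_user_filter(template, admin_user)
    matches = search(base_dn, ldap_filter)
    return {"filter": ldap_filter, "matches": matches, "safe": len(matches) == 1}

def ldap3_search(server_addr: str, bind_dn: str, bind_password: str):
    """Adapter for a real directory (assumes the ldap3 package and an LDAPS port; feed it
    MINIO_IDENTITY_LDAP_SERVER_ADDR, _LOOKUP_BIND_DN and _LOOKUP_BIND_PASSWORD)."""
    import ldap3  # imported lazily so the decision logic above runs without it
    conn = ldap3.Connection(ldap3.Server(server_addr, use_ssl=True),
                            user=bind_dn, password=bind_password, auto_bind=True)

    def search(base_dn: str, ldap_filter: str) -> List[str]:
        conn.search(base_dn, ldap_filter, attributes=["uid"])
        return [entry.entry_dn for entry in conn.entries]
    return search

# Constructed stand-in directory so the check runs offline; only (attr=value)
# equality filters are understood, which is all a "(uid=%s)" template needs.
FAKE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob"},
}

def fake_search(base_dn: str, ldap_filter: str) -> List[str]:
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
    return [dn for dn, attrs in FAKE_DIRECTORY.items()
            if dn.endswith(base_dn) and escape_filter_value(attrs.get(attr, "")) == value]
```

Running `preflight(fake_search, "ou=people,dc=example,dc=com", "(uid=%s)", "alice")` reports `safe: True`, while the same call with a wrong base DN reproduces the issue's symptom: the bind is fine but nobody is found, so the restart would lock the admin out.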

commit 9b87e9d2e38b91193d2385ef1466576a9746eedf
Author: Lenin Alevski <[email protected]>
Date:   Mon Jul 18 22:31:34 2022 -0700

    Various LDAP fixes (#1209)
    
    - update: `examples/kustomization/tenant-external-idp-ldap` deployment
      example to use LDAP Lookup-Bind mode
    - fix: create buckets during tenant creation when LDAP is enabled
    - fix: tenant stuck in provisioning users during tenant creation when
      LDAP is enabled and tenant configuration is read from configuration
      file
    
    Signed-off-by: Lenin Alevski <[email protected]>

Is the first step.

harshavardhana avatar Jul 20 '22 18:07 harshavardhana

Ugh you guys are awesome :)

gwisaacs2 avatar Jul 20 '22 18:07 gwisaacs2

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Oct 20 '22 03:10 stale[bot]

We can start by listing the users via UI; but currently mc is the only way we have. @jinapurapu to start looking at this. Maybe this can be a parent task and we can have as many sub-tasks as needed to improve the experience on LDAP config. @jinapurapu feel free to look into this and sync with @oscarocastellanos for any needed design. Thank you @jinapurapu

cniackz avatar Nov 14 '23 17:11 cniackz

Closing this since the Operator UI has been deprecated; see https://github.com/minio/operator/blob/master/docs/notes/v6.0.0.md#whats-new for more.

cesnietor avatar Jul 22 '24 16:07 cesnietor