From 35f473581845233a26b53679798964de7ee7b13a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20Palancher?= Date: Tue, 4 Feb 2025 09:21:42 +0100 Subject: [PATCH] feat(gateway): lookup user DN in LDAP Lookup user DN in the scope of user base subtree before authentication on LDAP directory by default. This has 2 main benefits: - Support LDAP directory layout with users distributed in multiple branches in the user base. - Support LDAP directory without the user name attribute in the user DN (eg. the full name). Note this new default behavior can be reverted to the previous behavior by setting lookup_user_dn=no in [ldap] section of the gateway configuration. fix #446 #447 --- CHANGELOG.md | 4 ++++ slurmweb/apps/gateway.py | 1 + 2 files changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0cc3b893..8fe8e989 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Check RacksDB version executed by agent is greater or equal to the minimal supported version specified in gateway configuration settings (#415→#417). - Do not return clusters global stats in `/clusters` endpoint anymore. + - Lookup user DN in the scope of user base subtree before authentication on + LDAP directory by default (#446,447). This can be reverted to the previous + behavior by setting `lookup_user_dn=no` in `[ldap]` section of the gateway + configuration. - agent: - Skip registering of RacksDB API endpoints when disabled (#440). - Report error in logs instead of failing with critical error when unable to diff --git a/slurmweb/apps/gateway.py b/slurmweb/apps/gateway.py index 18c389b6..cfe7d990 100644 --- a/slurmweb/apps/gateway.py +++ b/slurmweb/apps/gateway.py 
@@ -170,6 +170,7 @@ def __init__(self, seed):
 bind_dn=self.settings.ldap.bind_dn,
 bind_password=self.settings.ldap.bind_password,
 restricted_groups=self.settings.ldap.restricted_groups,
+ lookup_user_dn=self.settings.ldap.lookup_user_dn,
 )
 else:
 raise SlurmwebConfigurationError(
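Review bot: The added `lookup_user_dn=self.settings.ldap.lookup_user_dn` keyword makes search-then-bind the default LDAP login path, yet the call site has no comment on what that search requires. The lookup presumably runs with the `bind_dn`/`bind_password` passed just above, or anonymously when they are unset, so directories that refuse anonymous searches may start rejecting logins after an upgrade. A comment such as `# lookup_user_dn: search the user's DN under the user base before bind; needs bind_dn/bind_password unless anonymous search is allowed` would make that visible. The lookup is implemented outside this hunk, so it is worth confirming there that the login is escaped before it is placed in the search filter and that zero or multiple matches fail authentication. The diffstat lists only CHANGELOG.md and gateway.py, so the declaration and default of the `lookup_user_dn` setting are assumed to exist elsewhere, and the `__init__` body starts and ends outside the hunk.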