diff --git a/cmd/iam.go b/cmd/iam.go
index a4f918ccc..ef4f0c22b 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -238,7 +238,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 // Initialize if LDAP is enabled
 ldapConfig, err := xldap.Lookup(s, globalRootCAs)
 if err != nil {
- iamLogIf(ctx, fmt.Errorf("Unable to parse LDAP configuration: %w", err), logger.WarningKind)
+ iamLogIf(ctx, fmt.Errorf("Unable to load LDAP configuration (LDAP configuration will be disabled!): %w", err), logger.WarningKind)
 }
 stsTLSConfig, err := xtls.Lookup(s[config.IdentityTLSSubSys][config.Default])
diff --git a/internal/config/identity/ldap/config.go b/internal/config/identity/ldap/config.go
index 0ed0bb480..dbf88c838 100644
--- a/internal/config/identity/ldap/config.go
+++ b/internal/config/identity/ldap/config.go
@@ -183,15 +183,15 @@ func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) {
 return l, nil
 }
 l.LDAP = ldap.Config{
- Enabled: true,
 RootCAs: rootCAs,
 ServerAddr: ldapServer,
 SRVRecordName: getCfgVal(SRVRecordName),
 }
- // Parse explicitly enable=on/off flag. If not set, defaults to `true`
- // because ServerAddr is set.
+ // Parse explicitly set enable=on/off flag.
+ isEnableFlagExplicitlySet := false
 if v := getCfgVal(config.Enable); v != "" {
+ isEnableFlagExplicitlySet = true
 l.LDAP.Enabled, err = config.ParseBool(v)
 if err != nil {
 return l, err
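Review bot: The replacement comment above `isEnableFlagExplicitlySet` no longer says what happens when `enable` is unset, which the removed comment did. With `Enabled: true` gone from the struct literal the value stays false at this point and is only switched on in the later hunk at line 232, so a reader of this part of Lookup cannot tell what the default is. I would extend the comment to `// Parse explicitly set enable=on/off flag. If unset, LDAP stays disabled here and is enabled below once the remaining settings have been read.` Lookup starts and ends outside this hunk.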
@@ -232,9 +232,16 @@ func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) {
 l.LDAP.GroupSearchFilter = getCfgVal(GroupSearchFilter)
 l.LDAP.GroupSearchBaseDistName = getCfgVal(GroupSearchBaseDN)
+ // If enable flag was not explicitly set, we treat it as implicitly set at
+ // this point as necessary configuration is available.
+ if !isEnableFlagExplicitlySet && !l.LDAP.Enabled {
+ l.LDAP.Enabled = true
+ }
 // Validate and test configuration.
 valResult := l.LDAP.Validate()
 if !valResult.IsOk() {
+ // Set to false if configuration fails to validate.
+ l.LDAP.Enabled = false
 return l, valResult
 }
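Review bot: `l.LDAP.Enabled` is reset to false only on the `Validate()` failure path, so whether Lookup fails closed depends on every other error return doing the same. With an explicit `enable=on`, ParseBool in the earlier hunk sets Enabled to true before the remaining settings are read, and any error return in the lines between the two hunks (not shown here) would hand back a config that is still marked enabled; the caller in cmd/iam.go only logs a warning and, as far as its hunk shows, carries on with the returned value. Since Lookup has named results, a single `defer func() { if err != nil { l.LDAP.Enabled = false } }()` near the top would cover every path and back up the new log message that LDAP will be disabled. The `!l.LDAP.Enabled` test in the added `if` looks redundant, because Enabled can only be true here when the flag was set explicitly. Lookup begins and ends outside this hunk.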