From 0c855638de67f2200859914b337ab58cc8b3224f Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Thu, 25 Apr 2024 14:28:16 -0700
Subject: [PATCH] fix: LDAP init. issue when LDAP server is down (#19619)

At server startup, LDAP configuration is validated against the LDAP server. If the LDAP server is down at that point, we need to cleanly disable LDAP configuration. Previously, LDAP would remain configured but error out in strange ways because initialization did not complete without errors.
---
 cmd/iam.go | 2 +-
 internal/config/identity/ldap/config.go | 13 ++++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/cmd/iam.go b/cmd/iam.go
index a4f918ccc..ef4f0c22b 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -238,7 +238,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 // Initialize if LDAP is enabled
 ldapConfig, err := xldap.Lookup(s, globalRootCAs)
 if err != nil {
- iamLogIf(ctx, fmt.Errorf("Unable to parse LDAP configuration: %w", err), logger.WarningKind)
+ iamLogIf(ctx, fmt.Errorf("Unable to load LDAP configuration (LDAP configuration will be disabled!): %w", err), logger.WarningKind)
 }
 stsTLSConfig, err := xtls.Lookup(s[config.IdentityTLSSubSys][config.Default])
diff --git a/internal/config/identity/ldap/config.go b/internal/config/identity/ldap/config.go
index 0ed0bb480..dbf88c838 100644
--- a/internal/config/identity/ldap/config.go
+++ b/internal/config/identity/ldap/config.go
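Review bot: The new message promises that LDAP "will be disabled", but the `if err != nil` branch only logs and then falls through to use `ldapConfig`, so the promise holds only if every error path inside `xldap.Lookup` leaves `ldapConfig.LDAP.Enabled` false. The companion change to `Lookup` clears the flag on validation failure, but the function's other early returns are not all visible in this patch; resetting at the call site makes the contract local, e.g. `ldapConfig = xldap.Config{}` inside the branch before logging. Since this branch now silently degrades to a server running without LDAP, it is worth saying in the message or a comment that LDAP stays off until the configuration is reloaded or the server restarts, if that is the case — no retry is visible in this hunk. `Init` begins and ends outside the hunk.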
@@ -183,15 +183,15 @@ func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) {
 return l, nil
 }
 l.LDAP = ldap.Config{
- Enabled: true,
 RootCAs: rootCAs,
 ServerAddr: ldapServer,
 SRVRecordName: getCfgVal(SRVRecordName),
 }
- // Parse explicitly enable=on/off flag. If not set, defaults to `true`
- // because ServerAddr is set.
+ // Parse explicitly set enable=on/off flag.
+ isEnableFlagExplicitlySet := false
 if v := getCfgVal(config.Enable); v != "" {
+ isEnableFlagExplicitlySet = true
 l.LDAP.Enabled, err = config.ParseBool(v)
 if err != nil {
 return l, err
@@ -232,9 +232,16 @@ func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) {
 l.LDAP.GroupSearchFilter = getCfgVal(GroupSearchFilter)
 l.LDAP.GroupSearchBaseDistName = getCfgVal(GroupSearchBaseDN)
+ // If enable flag was not explicitly set, we treat it as implicitly set at
+ // this point as necessary configuration is available.
+ if !isEnableFlagExplicitlySet && !l.LDAP.Enabled {
+ l.LDAP.Enabled = true
+ }
 // Validate and test configuration.
 valResult := l.LDAP.Validate()
 if !valResult.IsOk() {
+ // Set to false if configuration fails to validate.
+ l.LDAP.Enabled = false
 return l, valResult
 }
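Review bot: The replacement comment `// Parse explicitly set enable=on/off flag.` drops the part of the removed comment that explained the default, and the default now lives roughly forty lines further down, so a reader of this hunk cannot tell what `Enabled` is when the flag is absent. Suggest `// Parse explicitly set enable=on/off flag. When absent, Enabled stays false here and is turned on only after the remaining fields are read, just before validation.` Removing `Enabled: true` from the literal also means `l.LDAP.Enabled` is false throughout the rest of field parsing; if any code between this hunk and the implicit-enable block reads that field, its behaviour changes, and that span is not visible here. `Lookup` starts before the hunk and continues past it.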
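Review bot: `l.LDAP.Enabled = false` before `return l, valResult` is what the caller in cmd/iam.go relies on when it only logs the error, but that contract is implicit: every other error return in `Lookup` (the `return l, err` after `config.ParseBool` in the earlier hunk, plus any in the lines not shown) must also leave `Enabled` false, and nothing documents it. Suggest a comment above this return such as `// Contract: on any error the returned Config has LDAP.Enabled == false, so callers that only log the error end up with LDAP disabled.`, or more defensively `return Config{}, valResult` so a failed validation never hands back a half-populated config (bind DN, password, search filters) alongside the error. Note that a `Validate()` failure here collapses distinct causes — unreachable server, TLS trust failure, bad bind credentials — into the same silent "disabled" outcome; if `valResult` carries a reason, surfacing it would let operators tell an outage from a misconfiguration, though its contents are not visible here. The `&& !l.LDAP.Enabled` clause in the new `if` is redundant now that `Enabled: true` is gone from the literal and the field can only become true through the explicit flag, so `if !isEnableFlagExplicitlySet {` reads more directly. `Lookup` begins before this hunk.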