From 90bfa6260a8ac83199d522ed4c8fe1097dbd5153 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 2 Oct 2019 13:14:57 -0700
Subject: [PATCH] Fix LDAP TLS support to use custom CAs (#8352)

---
 cmd/config-current.go | 2 +-
 cmd/gateway/s3/gateway-s3.go | 2 +-
 cmd/ldap-ops.go | 20 +++++++++++---------
 docs/sts/ldap.md | 4 ++--
 go.mod | 2 +-
 go.sum | 2 ++
 6 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/cmd/config-current.go b/cmd/config-current.go
index c43990787..a989d7594 100644
--- a/cmd/config-current.go
+++ b/cmd/config-current.go
@@ -305,7 +305,7 @@ func (s *serverConfig) loadFromEnvs() {
 	}
 
 	var err error
-	s.LDAPServerConfig, err = newLDAPConfigFromEnv()
+	s.LDAPServerConfig, err = newLDAPConfigFromEnv(globalRootCAs)
 	if err != nil {
 		logger.FatalIf(err, "Unable to parse LDAP configuration from env")
 	}
diff --git a/cmd/gateway/s3/gateway-s3.go b/cmd/gateway/s3/gateway-s3.go
index 8b141e94b..f0525c966 100644
--- a/cmd/gateway/s3/gateway-s3.go
+++ b/cmd/gateway/s3/gateway-s3.go
@@ -442,7 +442,7 @@ func (l *s3Objects) GetObject(ctx context.Context, bucket string, key string, st
 			return minio.ErrorRespToObjectError(err, bucket, key)
 		}
 	}
-	object, _, err := l.Client.GetObject(bucket, key, opts)
+	object, _, _, err := l.Client.GetObject(bucket, key, opts)
 	if err != nil {
 		return minio.ErrorRespToObjectError(err, bucket, key)
 	}
diff --git a/cmd/ldap-ops.go b/cmd/ldap-ops.go
index 5ae511691..0fe345f71 100644
--- a/cmd/ldap-ops.go
+++ b/cmd/ldap-ops.go
@@ -18,6 +18,7 @@ package cmd
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"log"
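Review bot: The custom CAs only take effect if globalRootCAs is already populated when loadFromEnvs runs, because the pool is captured into the LDAP config at the `newLDAPConfigFromEnv(globalRootCAs)` line and a nil RootCAs makes crypto/tls fall back to the host's root set. Whether the CA directory is loaded before this call is not visible in the hunk; if it can still be nil here, ldaps verification would silently use system roots only and a deployment relying on a private CA would fail to connect (or, worse, pass against a system-trusted certificate it did not intend to trust). A comment at the call site such as `// globalRootCAs must already be loaded; a nil pool silently means system roots` would record the ordering requirement, and a guard that the pool is non-nil when a custom CA directory was configured would turn the silent fallback into a fatal error, if that state is knowable at this point. loadFromEnvs starts and ends outside the hunk.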
@@ -40,8 +41,9 @@ type ldapServerConfig struct {
 	ServerAddr string `json:"serverAddr"`
 
 	// STS credentials expiry duration
-	STSExpiryDuration string `json:"stsExpiryDuration"`
-	stsExpiryDuration time.Duration // contains converted value
+	STSExpiryDuration string `json:"stsExpiryDuration"`
+	stsExpiryDuration time.Duration // contains converted value
+	rootCAs *x509.CertPool // contains custom CAs for ldaps server.
 
 	// Skips TLS verification (for testing, not
 	// recommended in production).
@@ -61,22 +63,22 @@ func (l *ldapServerConfig) Connect() (ldapConn *ldap.Conn, err error) {
 		return
 	}
 	if l.SkipTLSVerify {
-		ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{InsecureSkipVerify: true})
+		ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{RootCAs: l.rootCAs, InsecureSkipVerify: true})
 	} else {
-		ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{})
+		ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{RootCAs: l.rootCAs})
 	}
 	return
 }
 
 // newLDAPConfigFromEnv loads configuration from the environment
-func newLDAPConfigFromEnv() (l ldapServerConfig, err error) {
+func newLDAPConfigFromEnv(rootCAs *x509.CertPool) (l ldapServerConfig, err error) {
 	if ldapServer, ok := os.LookupEnv("MINIO_IDENTITY_LDAP_SERVER_ADDR"); ok {
-		l.IsEnabled = true
+		l.IsEnabled = ok
 		l.ServerAddr = ldapServer
 
-		if v := os.Getenv("MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"); v == "true" {
-			l.SkipTLSVerify = true
-		}
+		// Save root CAs
+		l.rootCAs = rootCAs
+		l.SkipTLSVerify = os.Getenv("MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY") == "true"
 
 		if v := os.Getenv("MINIO_IDENTITY_LDAP_STS_EXPIRY"); v != "" {
 			expDur, err := time.ParseDuration(v)
diff --git a/docs/sts/ldap.md b/docs/sts/ldap.md
index 47972db04..8e0678dbc 100644
--- a/docs/sts/ldap.md
+++ b/docs/sts/ldap.md
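Review bot: The comment on the new `rootCAs` field does not say what a nil pool means, and that is the case operators will hit when no custom CA was loaded: with crypto/tls a nil RootCAs verifies against the host's root set, so the field is an override, not a requirement. A comment such as `// rootCAs holds the custom CA pool used to verify the ldaps server; nil falls back to the system roots.` records that, and it is worth noting in the same place that the field is unexported and so is deliberately absent from the JSON form of the config, unlike the neighbouring tagged fields. The struct definition begins before the hunk.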
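Review bot: In the `if l.SkipTLSVerify` branch of Connect, `RootCAs: l.rootCAs` has no effect — when `InsecureSkipVerify` is true crypto/tls performs no chain verification at all, so the custom pool is never consulted and the two DialTLS calls now differ only in that one flag. Collapsing them to a single `ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{RootCAs: l.rootCAs, InsecureSkipVerify: l.SkipTLSVerify})` removes the misleading pairing, with a comment along the lines of `// RootCAs is ignored when InsecureSkipVerify is set; a nil pool means the system roots`. Since this literal is now the single place the LDAP client's TLS policy is set, adding `MinVersion: tls.VersionTLS12` alongside it is cheap hardening, even though the old literal lacked it too. The struct comment already calls skip-verify unsuitable for production, so emitting a warning at the point it is honoured would make an accidental `MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=true` visible in production logs rather than silent. Connect begins before the hunk.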
@@ -106,7 +106,7 @@ The group search filter looks like `(&(objectclass=group)(member=${usernamedn}))
 Thus the key configuration parameters look like:
 
 ```
-MINIO_IDENTITY_LDAP_SERVER_ADDR='ldaps://my.ldap-active-dir-server.com:636'
+MINIO_IDENTITY_LDAP_SERVER_ADDR='my.ldap-active-dir-server.com:636'
 MINIO_IDENTITY_LDAP_USERNAME_FORMAT='cn=${username},cn=users,dc=minioad,dc=local'
 MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN='dc=minioad,dc=local'
 MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=group)(member=${usernamedn}))'
@@ -211,7 +211,7 @@ http://minio.cluster:9000?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=foouser
 ```
 $ export MINIO_ACCESS_KEY=minio
 $ export MINIO_SECRET_KEY=minio123
-$ export MINIO_IDENTITY_LDAP_SERVER_ADDR='ldaps://my.ldap-active-dir-server.com:636'
+$ export MINIO_IDENTITY_LDAP_SERVER_ADDR='my.ldap-active-dir-server.com:636'
 $ export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='cn=${username},cn=users,dc=minioad,dc=local'
 $ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN='dc=minioad,dc=local'
 $ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=group)(member=${usernamedn}))'
diff --git a/go.mod b/go.mod
index a64f79e9f..3cb38a6d1 100644
--- a/go.mod
+++ b/go.mod
@@ -44,7 +44,7 @@ require (
 	github.com/minio/lsync v1.0.1
 	github.com/minio/mc v0.0.0-20190924013003-643835013047
 	github.com/minio/minio-go v0.0.0-20190327203652-5325257a208f
-	github.com/minio/minio-go/v6 v6.0.37
+	github.com/minio/minio-go/v6 v6.0.38
 	github.com/minio/parquet-go v0.0.0-20190318185229-9d767baf1679
 	github.com/minio/sha256-simd v0.1.1
 	github.com/minio/sio v0.2.0
diff --git a/go.sum b/go.sum
index f863d39fd..87db7c1fd 100644
--- a/go.sum
+++ b/go.sum
@@ -436,6 +436,8 @@ github.com/minio/minio-go/v6 v6.0.29 h1:p4YPxK1beY13reFJjCE5QwCnXUMT9D5sV5wl0BSy
 github.com/minio/minio-go/v6 v6.0.29/go.mod h1:vaNT59cWULS37E+E9zkuN/BVnKHyXtVGS+b04Boc66Y=
 github.com/minio/minio-go/v6 v6.0.37 h1:rqot4cO9+mLpf56q+yumA0xZlncbkFpqa4A8jw1Y2XE=
 github.com/minio/minio-go/v6 v6.0.37/go.mod h1:qD0lajrGW49lKZLtXKtCB4X/qkMf0a5tBvN2PaZg7Gg=
+github.com/minio/minio-go/v6 v6.0.38 h1:zd3yagckaBVAMJT+HsbpURx9ndqYQp/N/udc1UVS72E=
+github.com/minio/minio-go/v6 v6.0.38/go.mod h1:qD0lajrGW49lKZLtXKtCB4X/qkMf0a5tBvN2PaZg7Gg=
 github.com/minio/parquet-go v0.0.0-20190318185229-9d767baf1679 h1:OMKaN/82sBHUZPvjYNBFituHExa1OGY63eACDGtetKs=
 github.com/minio/parquet-go v0.0.0-20190318185229-9d767baf1679/go.mod h1:J+goXSuzlte5imWMqb6cUWC/tbYYysUHctwmKXomYzM=
 github.com/minio/sha256-simd v0.0.0-20190131020904-2d45a736cd16/go.mod h1:2FMWW+8GMoPweT6+pI63m9YE3Lmw4J71hV56Chs1E/U=