diff --git a/api/setup_service.go b/api/setup_service.go
index 2b807d91..eee452b2 100644
--- a/api/setup_service.go
+++ b/api/setup_service.go
@@ -17,6 +17,7 @@ type LDAPSettings struct {
 LDAPRBACAdminGroup string `json:"ldap_rbac_admin_group_name,omitempty"`
 LDAPReferral string `json:"ldap_referrals,omitempty"`
 LDAPUsername string `json:"ldap_username,omitempty"`
+ LDAPMaxSearchDepth uint `json:"ldap_max_search_depth,omitempty"`
 ServerSSLCert string `json:"server_ssl_cert,omitempty"`
 ServerURL string `json:"server_url,omitempty"`
 UserSearchBase string `json:"user_search_base,omitempty"`
diff --git a/commands/configure_ldap_authentication.go b/commands/configure_ldap_authentication.go
index e4374772..a63122ff 100644
--- a/commands/configure_ldap_authentication.go
+++ b/commands/configure_ldap_authentication.go
@@ -25,6 +25,7 @@ type ConfigureLDAPAuthentication struct {
 LDAPRBACAdminGroup string `long:"ldap-rbac-admin-group-name" required:"true" description:"the name of LDAP group whose members should be considered admins of OpsManager"`
 LDAPReferral string `long:"ldap-referrals" required:"true" description:"configure the UAA LDAP referral behavior"`
 LDAPUsername string `long:"ldap-username" required:"true" description:"DN for the LDAP credentials used to search the directory"`
+ LDAPMaxSearchDepth uint `long:"ldap-max-search-depth" description:"The LDAP group search depth. Allowed values are between 1 and 10. The default value is 1, which will turn off the nested group search."`
 ServerSSLCert string `long:"server-ssl-cert" description:"the server certificate when using ldaps://"`
 ServerURL string `long:"server-url" required:"true" description:"URL to the ldap server, must start with ldap:// or ldaps://"`
 UserSearchBase string `long:"user-search-base" required:"true" description:"a base at which the search starts, e.g. 'ou=users,dc=mycompany,dc=com'"`
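Review bot: The new `LDAPMaxSearchDepth` field on `LDAPSettings` has no comment, and its `omitempty` tag is load-bearing: a zero value is dropped from the JSON payload instead of being sent as `0`, which is what lets "flag not given" reach the server as "use your default" rather than as an out-of-range depth. That contract is only visible by reading the command layer, so it deserves a line here, e.g. `// LDAPMaxSearchDepth is the nested group search depth (1-10, validated in the CLI); 0 is omitted so the server-side default applies.` The struct continues outside the hunk.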
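Review bot: The `ldap-max-search-depth` description breaks the style of the neighbouring flags in `ConfigureLDAPAuthentication`: it starts with a capital letter and ends with a full stop, while the other descriptions are lowercase fragments without terminal punctuation, and this text is reproduced verbatim in the generated help in the README. Suggest `description:"the LDAP group search depth, between 1 and 10; defaults to 1, which turns off the nested group search"`. Note that with a `uint` field the Go zero value is 0, so "the default value is 1" describes server behaviour for an omitted flag, not what the struct holds when the flag is absent. The struct continues outside the hunk.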
@@ -80,6 +81,7 @@ func (ca ConfigureLDAPAuthentication) Execute(args []string) error {
 LDAPRBACAdminGroup: ca.Options.LDAPRBACAdminGroup,
 LDAPReferral: ca.Options.LDAPReferral,
 LDAPUsername: ca.Options.LDAPUsername,
+ LDAPMaxSearchDepth: ca.Options.LDAPMaxSearchDepth,
 ServerSSLCert: ca.Options.ServerSSLCert,
 ServerURL: ca.Options.ServerURL,
 UserSearchBase: ca.Options.UserSearchBase,
@@ -102,6 +104,11 @@ func (ca ConfigureLDAPAuthentication) Execute(args []string) error {
 return err
 }

+ versionAtLeast3, err := info.VersionAtLeast(3, 0)
+ if err != nil {
+ return err
+ }
+
 if versionAtLeast24 {
 input.CreateBoshAdminClient = !ca.Options.SkipCreateBoshAdminClient
 boshAdminClientMsg = `
@@ -139,6 +146,19 @@ This is only supported in OpsManager 2.5 and up.
 }
 }

+ if versionAtLeast3 {
+ if input.LDAPSettings.LDAPMaxSearchDepth > 10 {
+ return errors.New(`
+The "--ldap-max-search-depth" argument must be between 1 and 10.
+`)
+ }
+ } else if input.LDAPSettings.LDAPMaxSearchDepth != 0 {
+ return errors.New(`
+Cannot use the "--ldap-max-search-depth" argument.
+This is only supported in OpsManager 3.0 and up.
+`)
+ }
+
 _, err = ca.service.Setup(input)
 if err != nil {
 return fmt.Errorf("could not configure authentication: %s", err)
diff --git a/commands/configure_ldap_authentication_test.go b/commands/configure_ldap_authentication_test.go
index bfc6236c..8334f479 100644
--- a/commands/configure_ldap_authentication_test.go
+++ b/commands/configure_ldap_authentication_test.go
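Review bot: The range check added to Execute in the `@@ -139` hunk enforces only the upper bound: `LDAPMaxSearchDepth > 10` rejects 11 and above, but an explicit `--ldap-max-search-depth 0` passes both the 3.0 branch and the `!= 0` guard and, because the API field is tagged `omitempty`, is silently sent as "not set" even though the error text promises "between 1 and 10". If 0 is intended as an alias for "flag not given", say so where the checks are, e.g. `// 0 means the flag was not given (omitempty drops it from the payload); only the upper bound is checked here`; if it should be rejected, the option needs a representation that distinguishes absence from 0 (a pointer field, presumably) before a `< 1` check can be added. The `versionAtLeast3` lookup in the `@@ -102` hunk follows the existing `versionAtLeast24` pattern and looks fine. Execute begins and ends outside these hunks.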
@@ -153,6 +153,67 @@ This is only supported in OpsManager 2.5 and up.
 })
 })

+ When("OpsMan is < 3.0", func() {
+ BeforeEach(func() {
+ service.InfoReturns(api.Info{
+ Version: "2.4-build.1",
+ }, nil)
+ })
+
+ When("the ldap-max-search-depth flag is set", func() {
+ BeforeEach(func() {
+ commandLineArgs = append(commandLineArgs, "--ldap-max-search-depth", "5")
+ })
+
+ It("errors out if you try to provide a ldap max search depth", func() {
+ err := executeCommand(command, commandLineArgs)
+ Expect(err).To(MatchError(ContainSubstring(`
+Cannot use the "--ldap-max-search-depth" argument.
+This is only supported in OpsManager 3.0 and up.
+`)))
+ })
+ })
+ })
+
+ When("OpsMan is >= 3.0", func() {
+ BeforeEach(func() {
+ service.InfoReturns(api.Info{
+ Version: "3.0.27-build.1300",
+ }, nil)
+ })
+
+ When("the ldap-max-search-depth flag is set to 5", func() {
+ BeforeEach(func() {
+ commandLineArgs = append(commandLineArgs, "--ldap-max-search-depth", "5")
+ expectedPayload.LDAPSettings.LDAPMaxSearchDepth = 5
+ })
+
+ It("configures LDAP with a max search depth", func() {
+ err := executeCommand(command, commandLineArgs)
+ Expect(err).ToNot(HaveOccurred())
+
+ Expect(service.SetupArgsForCall(0)).To(Equal(expectedPayload))
+
+ Expect(stdout).To(gbytes.Say("configuring LDAP authentication..."))
+ Expect(stdout).To(gbytes.Say("waiting for configuration to complete..."))
+ Expect(stdout).To(gbytes.Say("configuration complete"))
+ })
+ })
+
+ When("the ldap-max-search-depth flag is set to 11", func() {
+ BeforeEach(func() {
+ commandLineArgs = append(commandLineArgs, "--ldap-max-search-depth", "11")
+ })
+
+ It("errors out", func() {
+ err := executeCommand(command, commandLineArgs)
+ Expect(err).To(MatchError(ContainSubstring(`
+The "--ldap-max-search-depth" argument must be between 1 and 10.
+`)))
+ })
+ })
+ })
+
 When("the skip-create-bosh-admin-client flag is set", func() {
 BeforeEach(func() {
 commandLineArgs = append(commandLineArgs, "--skip-create-bosh-admin-client")
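Review bot: The `>= 3.0` cases exercise 5 and 11 but neither boundary the error message names, so a regression of the `> 10` comparison to `>= 10` would pass this suite; add a case at `"10"` mirroring the "set to 5" case with `expectedPayload.LDAPSettings.LDAPMaxSearchDepth = 10`, and a case at `"0"` pinning whichever behaviour is intended (as written, 0 is accepted and omitted from the payload). The `< 3.0` branch only sends a non-zero value, which does match the `!= 0` guard it tests. The enclosing Describe block starts and ends outside the hunk.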
diff --git a/docs/configure-ldap-authentication/README.md b/docs/configure-ldap-authentication/README.md index cf69a5d1..ac302c57 100644 --- a/docs/configure-ldap-authentication/README.md +++ b/docs/configure-ldap-authentication/README.md @@ -80,6 +80,10 @@ Help Options: behavior --ldap-username= DN for the LDAP credentials used to search the directory + --ldap-max-search-depth= The LDAP group search depth. Allowed + values are between 1 and 10. The + default value is 1, which will turn + off the nested group search. --server-ssl-cert= the server certificate when using ldaps:// --server-url= URL to the ldap server, must start