Add optional --ldap-max-search-depth to fix issue #601

api/setup_service.go

@@ -17,6 +17,7 @@ type LDAPSettings struct {
  LDAPRBACAdminGroup string `json:"ldap_rbac_admin_group_name,omitempty"`
  LDAPReferral string `json:"ldap_referrals,omitempty"`
  LDAPUsername string `json:"ldap_username,omitempty"`
+ LDAPMaxSearchDepth uint `json:"ldap_max_search_depth,omitempty"`
  ServerSSLCert string `json:"server_ssl_cert,omitempty"`
  ServerURL string `json:"server_url,omitempty"`
  UserSearchBase string `json:"user_search_base,omitempty"`

commands/configure_ldap_authentication.go

@@ -25,6 +25,7 @@ type ConfigureLDAPAuthentication struct {
  LDAPRBACAdminGroup string `long:"ldap-rbac-admin-group-name" required:"true" description:"the name of LDAP group whose members should be considered admins of OpsManager"`
  LDAPReferral string `long:"ldap-referrals" required:"true" description:"configure the UAA LDAP referral behavior"`
  LDAPUsername string `long:"ldap-username" required:"true" description:"DN for the LDAP credentials used to search the directory"`
+ LDAPMaxSearchDepth uint `long:"ldap-max-search-depth" description:"The LDAP group search depth. Allowed values are between 1 and 10. The default value is 1, which will turn off the nested group search."`
  ServerSSLCert string `long:"server-ssl-cert" description:"the server certificate when using ldaps://"`
  ServerURL string `long:"server-url" required:"true" description:"URL to the ldap server, must start with ldap:// or ldaps://"`
  UserSearchBase string `long:"user-search-base" required:"true" description:"a base at which the search starts, e.g. 'ou=users,dc=mycompany,dc=com'"`
@@ -80,6 +81,7 @@ func (ca ConfigureLDAPAuthentication) Execute(args []string) error {
  LDAPRBACAdminGroup: ca.Options.LDAPRBACAdminGroup,
  LDAPReferral: ca.Options.LDAPReferral,
  LDAPUsername: ca.Options.LDAPUsername,
+ LDAPMaxSearchDepth: ca.Options.LDAPMaxSearchDepth,
  ServerSSLCert: ca.Options.ServerSSLCert,
  ServerURL: ca.Options.ServerURL,
  UserSearchBase: ca.Options.UserSearchBase,
@@ -102,6 +104,11 @@ func (ca ConfigureLDAPAuthentication) Execute(args []string) error {
  return err
  }
 
+ versionAtLeast3, err := info.VersionAtLeast(3, 0)
+ if err != nil {
+ return err
+ }
+
  if versionAtLeast24 {
  input.CreateBoshAdminClient = !ca.Options.SkipCreateBoshAdminClient
  boshAdminClientMsg = `
@@ -139,6 +146,19 @@ This is only supported in OpsManager 2.5 and up.
  }
  }
 
+ if versionAtLeast3 {
+ if input.LDAPSettings.LDAPMaxSearchDepth > 10 {
+ return errors.New(`
+The "--ldap-max-search-depth" argument must be between 1 and 10.
+`)
+ }
+ } else if input.LDAPSettings.LDAPMaxSearchDepth != 0 {
+ return errors.New(`
+Cannot use the "--ldap-max-search-depth" argument.
+This is only supported in OpsManager 3.0 and up.
+`)
+ }
+
  _, err = ca.service.Setup(input)
  if err != nil {
  return fmt.Errorf("could not configure authentication: %s", err)

commands/configure_ldap_authentication_test.go

@@ -153,6 +153,67 @@ This is only supported in OpsManager 2.5 and up.
  })
  })
 
+ When("OpsMan is < 3.0", func() {
+ BeforeEach(func() {
+ service.InfoReturns(api.Info{
+ Version: "2.4-build.1",
+ }, nil)
+ })
+
+ When("the ldap-max-search-depth flag is set", func() {
+ BeforeEach(func() {
+ commandLineArgs = append(commandLineArgs, "--ldap-max-search-depth", "5")
+ })
+
+ It("errors out if you try to provide a ldap max search depth", func() {
+ err := executeCommand(command, commandLineArgs)
+ Expect(err).To(MatchError(ContainSubstring(`
+Cannot use the "--ldap-max-search-depth" argument.
+This is only supported in OpsManager 3.0 and up.
+`)))
+ })
+ })
+ })
+
+ When("OpsMan is >= 3.0", func() {
+ BeforeEach(func() {
+ service.InfoReturns(api.Info{
+ Version: "3.0.27-build.1300",
+ }, nil)
+ })
+
+ When("the ldap-max-search-depth flag is set to 5", func() {
+ BeforeEach(func() {
+ commandLineArgs = append(commandLineArgs, "--ldap-max-search-depth", "5")
+ expectedPayload.LDAPSettings.LDAPMaxSearchDepth = 5
+ })
+
+ It("configures LDAP with a max search depth", func() {
+ err := executeCommand(command, commandLineArgs)
+ Expect(err).ToNot(HaveOccurred())
+
+ Expect(service.SetupArgsForCall(0)).To(Equal(expectedPayload))
+
+ Expect(stdout).To(gbytes.Say("configuring LDAP authentication..."))
+ Expect(stdout).To(gbytes.Say("waiting for configuration to complete..."))
+ Expect(stdout).To(gbytes.Say("configuration complete"))
+ })
+ })
+
+ When("the ldap-max-search-depth flag is set to 11", func() {
+ BeforeEach(func() {
+ commandLineArgs = append(commandLineArgs, "--ldap-max-search-depth", "11")
+ })
+
+ It("errors out", func() {
+ err := executeCommand(command, commandLineArgs)
+ Expect(err).To(MatchError(ContainSubstring(`
+The "--ldap-max-search-depth" argument must be between 1 and 10.
+`)))
+ })
+ })
+ })
+
  When("the skip-create-bosh-admin-client flag is set", func() {
  BeforeEach(func() {
  commandLineArgs = append(commandLineArgs, "--skip-create-bosh-admin-client")

docs/configure-ldap-authentication/README.md

@@ -80,6 +80,10 @@ Help Options:
  behavior
  --ldap-username= DN for the LDAP credentials used to
  search the directory
+ --ldap-max-search-depth= The LDAP group search depth. Allowed
+ values are between 1 and 10. The
+ default value is 1, which will turn
+ off the nested group search.
  --server-ssl-cert= the server certificate when using
  ldaps://
  --server-url= URL to the ldap server, must start