ydb-platform
diff --git a/‎ydb/core/protos/auth.proto
Lines changed: 6 additions & 0 deletions b/‎ydb/core/protos/auth.proto
Lines changed: 6 additions & 0 deletions
diff --git a/‎ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp
Lines changed: 109 additions & 45 deletions b/‎ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp
Lines changed: 109 additions & 45 deletions
diff --git a/‎ydb/core/security/ldap_auth_provider/ldap_auth_provider_linux.cpp
Lines changed: 4 additions & 0 deletions b/‎ydb/core/security/ldap_auth_provider/ldap_auth_provider_linux.cpp
Lines changed: 4 additions & 0 deletions
@@ -54,6 +54,7 @@ message TAuthConfig {
     optional bool UseBuiltinDomain = 78 [default = true];
     optional string AccessServiceType = 79 [default = "Yandex_v2"]; // For now the following values are supported: "Yandex_v2", "Nebius_v1"
     optional string CertificateAuthenticationDomain = 80 [default = "cert"];
+    optional bool EnableLoginAuthentication = 81 [default = true];
 }
 
 message TUserRegistryConfig {
@@ -103,6 +104,10 @@ message TLdapAuthentication {
         optional TCertRequire CertRequire = 3 [default = DEMAND];
     }
 
+    message TExtendedSettings {
+        optional bool EnableNestedGroupsSearch = 1 [default = false];
+    }
+
     optional string Host = 1; // DEPRECATED: Use Hosts instead it
     optional uint32 Port = 2;
     optional string BaseDn = 3;
@@ -114,4 +119,5 @@ message TLdapAuthentication {
     optional string RequestedGroupAttribute = 9;
     repeated string Hosts = 10;
     optional string Scheme = 11 [default = "ldap"];
+    optional TExtendedSettings ExtendedSettings = 12;
 }
@@ -2,6 +2,8 @@
 #include <ydb/library/actors/core/log.h>
 #include <ydb/core/base/ticket_parser.h>
 #include <ydb/core/security/ticket_parser_log.h>
+#include <ydb/core/util/address_classifier.h>
+#include <queue>
 #include "ldap_auth_provider.h"
 #include "ldap_utils.h"
 
@@ -69,6 +71,7 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
     TLdapAuthProvider(const NKikimrProto::TLdapAuthentication& settings)
         : Settings(settings)
         , FilterCreator(Settings)
+        , UrisCreator(Settings, Settings.GetPort() != 0 ? Settings.GetPort() : NKikimrLdap::GetPort(Settings.GetScheme()))
     {
         const TString& requestedGroupAttribute = Settings.GetRequestedGroupAttribute();
         RequestedAttributes[0] = const_cast<char*>(requestedGroupAttribute.empty() ? "memberOf" : requestedGroupAttribute.c_str());
@@ -135,18 +138,33 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
         }
         LDAPMessage* entry = NKikimrLdap::FirstEntry(ld, searchUserResponse.SearchMessage);
         BerElement* ber = nullptr;
-        std::vector<TString> groupsDn;
+        std::vector<TString> directUserGroups;
         char* attribute = NKikimrLdap::FirstAttribute(ld, entry, &ber);
         if (attribute != nullptr) {
-            groupsDn = NKikimrLdap::GetAllValuesOfAttribute(ld, entry, attribute);
+            directUserGroups = NKikimrLdap::GetAllValuesOfAttribute(ld, entry, attribute);
             NKikimrLdap::MemFree(attribute);
         }
         if (ber) {
             NKikimrLdap::BerFree(ber, 0);
         }
+        std::vector<TString> allUserGroups;
+        auto& extendedSettings = Settings.GetExtendedSettings();
+        if (extendedSettings.GetEnableNestedGroupsSearch() && !directUserGroups.empty()) {
+            // Active Directory has special matching rule to fetch nested groups in one request it is MatchingRuleInChain
+            // We don`t know what is ldap server. Is it Active Directory or OpenLdap or other server?
+            // If using MatchingRuleInChain return empty list of groups it means that ldap server isn`t Active Directory
+            // but it is known that there are groups and we are trying to do tree traversal
+            allUserGroups = TryToGetGroupsUseMatchingRuleInChain(ld, entry);
+            if (allUserGroups.empty()) {
+                allUserGroups = std::move(directUserGroups);
+                GetNestedGroups(ld, &allUserGroups);
+            }
+        } else {
+            allUserGroups = std::move(directUserGroups);
+        }
         NKikimrLdap::MsgFree(entry);
         NKikimrLdap::Unbind(ld);
-        Send(ev->Sender, new TEvLdapAuthProvider::TEvEnrichGroupsResponse(request->Key, request->User, groupsDn));
+        Send(ev->Sender, new TEvLdapAuthProvider::TEvEnrichGroupsResponse(request->Key, request->User, allUserGroups));
     }
 
     TInitAndBindResponse InitAndBind(LDAP** ld, std::function<THolder<IEventBase>(const TEvLdapAuthProvider::EStatus&, const TEvLdapAuthProvider::TError&)> eventFabric) {
@@ -173,7 +191,7 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
         result = NKikimrLdap::Bind(*ld, Settings.GetBindDn(), Settings.GetBindPassword());
         if (!NKikimrLdap::IsSuccess(result)) {
             TEvLdapAuthProvider::TError error {
-                .Message = "Could not perform initial LDAP bind for dn " + Settings.GetBindDn() + " on server " + UrisList + "\n"
+                .Message = "Could not perform initial LDAP bind for dn " + Settings.GetBindDn() + " on server " + UrisCreator.GetUris() + "\n"
                             + NKikimrLdap::ErrorToString(result),
                 .Retryable = NKikimrLdap::IsRetryableError(result)
             };
@@ -202,12 +220,10 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
             }
         }
 
-        const ui32 port = Settings.GetPort() != 0 ? Settings.GetPort() : NKikimrLdap::GetPort(Settings.GetScheme());
-        UrisList = GetUris(port);
-        result = NKikimrLdap::Init(ld, Settings.GetScheme(), UrisList, port);
+        result = NKikimrLdap::Init(ld, Settings.GetScheme(), UrisCreator.GetUris(), UrisCreator.GetConfiguredPort());
         if (!NKikimrLdap::IsSuccess(result)) {
             return {{TEvLdapAuthProvider::EStatus::UNAVAILABLE,
-                    {.Message = "Could not initialize LDAP connection for uris: " + UrisList + ". " + NKikimrLdap::LdapError(*ld),
+                    {.Message = "Could not initialize LDAP connection for uris: " + UrisCreator.GetUris() + ". " + NKikimrLdap::LdapError(*ld),
                     .Retryable = false}}};
         }
 
@@ -237,14 +253,14 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
         char* dn = NKikimrLdap::GetDn(*request.Ld, request.Entry);
         if (dn == nullptr) {
             return {{TEvLdapAuthProvider::EStatus::UNAUTHORIZED,
-                    {.Message = "Could not get dn for the first entry matching " + FilterCreator.GetFilter(request.Login) + " on server " + UrisList + "\n"
+                    {.Message = "Could not get dn for the first entry matching " + FilterCreator.GetFilter(request.Login) + " on server " + UrisCreator.GetUris() + "\n"
                             + NKikimrLdap::LdapError(*request.Ld),
                     .Retryable = false}}};
         }
         TEvLdapAuthProvider::TError error;
         int result = NKikimrLdap::Bind(*request.Ld, dn, request.Password);
         if (!NKikimrLdap::IsSuccess(result)) {
-            error.Message = "LDAP login failed for user " + TString(dn) + " on server " + UrisList + "\n"
+            error.Message = "LDAP login failed for user " + TString(dn) + " on server " + UrisCreator.GetUris() + "\n"
                             + NKikimrLdap::ErrorToString((result));
             error.Retryable = NKikimrLdap::IsRetryableError(result);
         }
@@ -266,7 +282,7 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
         TSearchUserResponse response;
         if (!NKikimrLdap::IsSuccess(result)) {
             response.Status = NKikimrLdap::ErrorToStatus(result);
-            response.Error = {.Message = "Could not search for filter " + searchFilter + " on server " + UrisList + "\n"
+            response.Error = {.Message = "Could not search for filter " + searchFilter + " on server " + UrisCreator.GetUris() + "\n"
                                          + NKikimrLdap::ErrorToString(result),
                               .Retryable = NKikimrLdap::IsRetryableError(result)};
             return response;
@@ -275,11 +291,11 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
         if (countEntries != 1) {
             if (countEntries == 0) {
                 response.Error  = {.Message = "LDAP user " + request.User + " does not exist. "
-                                              "LDAP search for filter " + searchFilter + " on server " + UrisList + " return no entries",
+                                              "LDAP search for filter " + searchFilter + " on server " + UrisCreator.GetUris() + " return no entries",
                                    .Retryable = false};
             } else {
                 response.Error = {.Message = "LDAP user " + request.User + " is not unique. "
-                                             "LDAP search for filter " + searchFilter + " on server " + UrisList + " return " + countEntries + " entries",
+                                             "LDAP search for filter " + searchFilter + " on server " + UrisCreator.GetUris() + " return " + countEntries + " entries",
                                   .Retryable = false};
             }
             response.Status = TEvLdapAuthProvider::EStatus::UNAUTHORIZED;
@@ -290,6 +306,85 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
         return response;
     }
 
+    std::vector<TString> TryToGetGroupsUseMatchingRuleInChain(LDAP* ld, LDAPMessage* entry) const {
+        static const TString matchingRuleInChain = "1.2.840.113556.1.4.1941"; // Only Active Directory supports
+        TStringBuilder filter;
+        char* dn = NKikimrLdap::GetDn(ld, entry);
+        filter << "(member:" << matchingRuleInChain << ":=" << dn << ')';
+        NKikimrLdap::MemFree(dn);
+        dn = nullptr;
+        LDAPMessage* searchMessage = nullptr;
+        int result = NKikimrLdap::Search(ld, Settings.GetBaseDn(), NKikimrLdap::EScope::SUBTREE, filter, NKikimrLdap::noAttributes, 0, &searchMessage);
+        if (!NKikimrLdap::IsSuccess(result)) {
+            return {};
+        }
+        const int countEntries = NKikimrLdap::CountEntries(ld, searchMessage);
+        if (countEntries == 0) {
+            NKikimrLdap::MsgFree(searchMessage);
+            return {};
+        }
+        std::vector<TString> groups;
+        groups.reserve(countEntries);
+        for (LDAPMessage* groupEntry = NKikimrLdap::FirstEntry(ld, searchMessage); groupEntry != nullptr; groupEntry = NKikimrLdap::NextEntry(ld, groupEntry)) {
+            dn = NKikimrLdap::GetDn(ld, groupEntry);
+            groups.push_back(dn);
+            NKikimrLdap::MemFree(dn);
+            dn = nullptr;
+        }
+        NKikimrLdap::MsgFree(searchMessage);
+        return groups;
+    }
+
+    void GetNestedGroups(LDAP* ld, std::vector<TString>* groups) {
+        std::unordered_set<TString> viewedGroups(groups->cbegin(), groups->cend());
+        std::queue<TString> queue;
+        for (const auto& group : *groups) {
+            queue.push(group);
+        }
+        while (!queue.empty()) {
+            TStringBuilder filter;
+            filter << "(|";
+            filter << "(entryDn=" << queue.front() << ')';
+            queue.pop();
+            //should filter string is separated into several batches
+            while (!queue.empty()) {
+                // entryDn specific for OpenLdap, may get this value from config
+                filter << "(entryDn=" << queue.front() << ')';
+                queue.pop();
+            }
+            filter << ')';
+            LDAPMessage* searchMessage = nullptr;
+            int result = NKikimrLdap::Search(ld, Settings.GetBaseDn(), NKikimrLdap::EScope::SUBTREE, filter, RequestedAttributes, 0, &searchMessage);
+            if (!NKikimrLdap::IsSuccess(result)) {
+                return;
+            }
+            if (NKikimrLdap::CountEntries(ld, searchMessage) == 0) {
+                NKikimrLdap::MsgFree(searchMessage);
+                return;
+            }
+            for (LDAPMessage* groupEntry = NKikimrLdap::FirstEntry(ld, searchMessage); groupEntry != nullptr; groupEntry = NKikimrLdap::NextEntry(ld, groupEntry)) {
+                BerElement* ber = nullptr;
+                std::vector<TString> foundGroups;
+                char* attribute = NKikimrLdap::FirstAttribute(ld, groupEntry, &ber);
+                if (attribute != nullptr) {
+                    foundGroups = NKikimrLdap::GetAllValuesOfAttribute(ld, groupEntry, attribute);
+                    NKikimrLdap::MemFree(attribute);
+                }
+                if (ber) {
+                    NKikimrLdap::BerFree(ber, 0);
+                }
+                for (const auto& newGroup : foundGroups) {
+                    if (!viewedGroups.contains(newGroup)) {
+                        viewedGroups.insert(newGroup);
+                        queue.push(newGroup);
+                        groups->push_back(newGroup);
+                    }
+                }
+            }
+            NKikimrLdap::MsgFree(searchMessage);
+        }
+    }
+
     TInitializeLdapConnectionResponse CheckRequiredSettingsParameters() const {
         if (Settings.GetHosts().empty() && Settings.GetHost().empty()) {
             return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = "List of ldap server hosts is empty", .Retryable = false}};
@@ -306,42 +401,11 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
         return {TEvLdapAuthProvider::EStatus::SUCCESS, {}};
     }
 
-    TString GetUris(ui32 port) const {
-        TStringBuilder uris;
-        if (Settings.HostsSize() > 0) {
-            for (const auto& host : Settings.GetHosts()) {
-                uris << CreateUri(host, port) << " ";
-            }
-            uris.remove(uris.size() - 1);
-        } else {
-            uris << CreateUri(Settings.GetHost(), port);
-        }
-        return uris;
-    }
-
-    TString CreateUri(const TString& endpoint, ui32 port) const {
-        TStringBuilder uri;
-        uri << Settings.GetScheme() << "://" << endpoint;
-        if (!HasEndpointPort(endpoint)) {
-            uri << ':' << port;
-        }
-        return uri;
-    }
-
-    static bool HasEndpointPort(const TString& endpoint) {
-        size_t colonPos = endpoint.rfind(':');
-        if (colonPos == TString::npos) {
-            return false;
-        }
-        ++colonPos;
-        return (endpoint.size() - colonPos) > 0;
-    }
-
 private:
     const NKikimrProto::TLdapAuthentication Settings;
     const TSearchFilterCreator FilterCreator;
+    const TLdapUrisCreator UrisCreator;
     char* RequestedAttributes[2];
-    TString UrisList;
 };
 
 IActor* CreateLdapAuthProvider(const NKikimrProto::TLdapAuthentication& settings) {
 
@@ -77,6 +77,10 @@ LDAPMessage* FirstEntry(LDAP* ld, LDAPMessage* chain) {
     return ldap_first_entry(ld, chain);
 }
 
+LDAPMessage* NextEntry(LDAP* ld, LDAPMessage* entry) {
+    return ldap_next_entry(ld, entry);
+}
+
 char* FirstAttribute(LDAP* ld, LDAPMessage* entry, BerElement** berout) {
     return ldap_first_attribute(ld, entry, berout);
 }
Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,10 @@ LDAPMessage* FirstEntry(LDAP* ld, LDAPMessage* chain) {`
`77`	`77`	`return ldap_first_entry(ld, chain);`
`78`	`78`	`}`
`79`	`79`
	`80`	`+LDAPMessage* NextEntry(LDAP* ld, LDAPMessage* entry) {`
	`81`	`+ return ldap_next_entry(ld, entry);`
	`82`	`+}`
	`83`	`+`
`80`	`84`	`char* FirstAttribute(LDAP* ld, LDAPMessage* entry, BerElement** berout) {`
`81`	`85`	`return ldap_first_attribute(ld, entry, berout);`
`82`	`86`	`}`