Fixed#10211: Enable LDAP configuration to be configured via environment variable (#10252)

* Fixed#10211: Enable LDAP configuration to be configured via environment variable * Fixed#10211: Enable LDAP configuration to be configured via environment variable
2025-12-12 15:57:44 +00:00 · 2023-02-22 12:53:24 +05:30 · 2023-02-22 12:53:24 +05:30 · 9bd22369d7
commit 9bd22369d7
parent c678b54b05
6 changed files with 104 additions and 53 deletions
--- a/conf/openmetadata.yaml
+++ b/conf/openmetadata.yaml
@ -151,6 +151,31 @@ authenticationConfiguration:
  callbackUrl: ${AUTHENTICATION_CALLBACK_URL:-""}
  jwtPrincipalClaims: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
  enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+  ldapConfiguration:
+    host: ${AUTHENTICATION_LDAP_HOST:-}
+    port: ${AUTHENTICATION_LDAP_PORT:-}
+    dnAdminPrincipal: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-""}
+    dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-""}
+    userBaseDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-""}
+    mailAttributeName: ${AUTHENTICATION_USER_MAIL_ATTR:-}
+    #optional
+    maxPoolSize: ${AUTHENTICATION_LDAP_POOL_SIZE:-3}
+    sslEnabled: ${AUTHENTICATION_LDAP_SSL_ENABLED:-}
+    truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll}
+    trustStoreConfig:
+      customTrustManagerConfig:
+        trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-}
+        trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-}
+        trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-}
+        verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
+        examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-}
+      hostNameConfig:
+        allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-}
+        acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]}
+      jvmDefaultConfig:
+        verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
+      trustAllConfig:
+        examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}

 jwtTokenConfiguration:
  rsapublicKeyFilePath: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"}
--- a/openmetadata-docs/content/deployment/security/ldap/index.md
+++ b/openmetadata-docs/content/deployment/security/ldap/index.md
@ -23,18 +23,30 @@ authenticationConfiguration:
  authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}
  enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-false}
  ldapConfiguration:
-    "host": ${AUTHENTICATION_LDAP_HOST:-localhost}
-    "port": ${AUTHENTICATION_LDAP_PORT:-10636}
-    "dnAdminPrincipal": ${AUTHENTICATION_LOOKUP_ADMIN_DN:-"cn=admin,dc=example,dc=com"}
-    "dnAdminPassword": ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-"secret"}
-    "userBaseDN": ${AUTHENTICATION_USER_LOOKUP_BASEDN:-"ou=people,dc=example,dc=com"}
-    "mailAttributeName": ${AUTHENTICATION_USER_MAIL_ATTR:-email}
+    host: ${AUTHENTICATION_LDAP_HOST:-localhost}
+    port: ${AUTHENTICATION_LDAP_PORT:-10636}
+    dnAdminPrincipal: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-"cn=admin,dc=example,dc=com"}
+    dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-"secret"}
+    userBaseDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-"ou=people,dc=example,dc=com"}
+    mailAttributeName: ${AUTHENTICATION_USER_MAIL_ATTR:-email}
    # Optional
-    "maxPoolSize": ${AUTHENTICATION_LDAP_POOL_SIZE:-3}
-    "sslEnabled": ${AUTHENTICATION_LDAP_SSL_ENABLED:-true}
-    "truststoreConfigType": ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} # {CustomTrustStore, HostName, JVMDefault, TrustAll}
-    "trustStoreConfig":
-      "examineValidityDates": ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
+    maxPoolSize: ${AUTHENTICATION_LDAP_POOL_SIZE:-3}
+    sslEnabled: ${AUTHENTICATION_LDAP_SSL_ENABLED:-true}
+    truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} # {CustomTrustStore, HostName, JVMDefault, TrustAll}
+    trustStoreConfig:
+      customTrustManagerConfig:
+        trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-}
+        trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-}
+        trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-}
+        verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
+        examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-}
+      hostNameConfig:
+        allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-}
+        acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]}
+      jvmDefaultConfig:
+        verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
+      trustAllConfig:
+        examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
 ```

 For the LDAP auth we need to set:
@ -76,9 +88,10 @@ Based on the different `truststoreConfigType`, we have following different `trus
 1. **TrustAll**: Provides an SSL trust manager which will blindly trust any certificate that is presented to it, although it may optionally reject certificates that are expired or not yet valid. It can be convenient for testing purposes, but it is recommended that production environments use trust managers that perform stronger validation.

 ```yaml
-  "truststoreConfigType": ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll}
-  "trustStoreConfig":
-    "examineValidityDates": ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
+  truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll}
+  trustStoreConfig:
+    trustAllConfig:
+      examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
 ```

 - `examineValidityDates`: Indicates whether to reject certificates if the current time is outside the validity window for the certificate.
@ -86,9 +99,10 @@ Based on the different `truststoreConfigType`, we have following different `trus
 2. **JVMDefault**: Provides an implementation of a trust manager that relies on the JVM's default set of trusted issuers.

 ```yaml
-  "truststoreConfigType": ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-CustomTrustStore}
-  "trustStoreConfig":
-    "verifyHostname": ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true}
+  truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-JVMDefault}
+  trustStoreConfig:
+    jvmDefaultConfig:
+      verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true}
 ```

 - `verifyHostname`: Controls using TrustAllSSLSocketVerifier vs HostNameSSLSocketVerifier. In case the certificate contains cn=hostname of the Ldap Server set it to true.
@ -96,10 +110,11 @@ Based on the different `truststoreConfigType`, we have following different `trus
 3. **HostName**: Provides an SSL trust manager that will only accept certificates whose hostname matches an expected value.

 ```yaml
-  "truststoreConfigType": ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-HostName}
-  "trustStoreConfig":
-    "allowWildCards": ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-false}
-    "acceptableHostNames": ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[localhost]}
+  truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-HostName}
+  trustStoreConfig:
+    hostNameConfig:
+      allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-false}
+      acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[localhost]}
 ```

 - `allowWildCards`: Indicates whether to allow wildcard certificates which contain an asterisk as the first component of a CN subject attribute or dNSName subjectAltName extension.
@ -108,13 +123,14 @@ Based on the different `truststoreConfigType`, we have following different `trus
 4. **CustomTrustStore**: Use the custom Truststore by providing the below details in the config.

 ```yaml
-  "truststoreConfigType": ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-CustomTrustStore}
-  "trustStoreConfig":
-    "trustStoreFilePath": ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-/Users/parthpanchal/trusted.ks}
-    "trustStoreFilePassword": ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-secret}
-    "trustStoreFileFormat": ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-JKS}
-    "verifyHostname": ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true}
-    "examineValidityDates": ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
+  truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-CustomTrustStore}
+  trustStoreConfig:
+    customTrustManagerConfig:
+      trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-/Users/parthpanchal/trusted.ks}
+      trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-secret}
+      trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-JKS}
+      verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-true}
+      examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
 ```

 - `trustStoreFilePath`: The path to the trust store file to use. It must not be null.
--- a/openmetadata-service/src/main/java/org/openmetadata/service/security/auth/LdapAuthenticator.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/auth/LdapAuthenticator.java
@ -22,10 +22,7 @@ import com.unboundid.ldap.sdk.SearchRequest;
 import com.unboundid.ldap.sdk.SearchResult;
 import com.unboundid.ldap.sdk.SearchResultEntry;
 import com.unboundid.ldap.sdk.SearchScope;
-import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
-import com.unboundid.util.ssl.SSLSocketVerifier;
 import com.unboundid.util.ssl.SSLUtil;
-import com.unboundid.util.ssl.TrustAllSSLSocketVerifier;
 import freemarker.template.TemplateException;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
@ -75,10 +72,6 @@ public class LdapAuthenticator implements AuthenticatorHandler {
    this.loginConfiguration = config.getLoginSettings();
  }

-  private SSLSocketVerifier hostNameVerifier(boolean verifyHostName) {
-    return verifyHostName ? new HostNameSSLSocketVerifier(true) : TrustAllSSLSocketVerifier.getInstance();
-  }
-
  private LDAPConnectionPool getLdapConnectionPool(LdapConfiguration ldapConfiguration) {
    try {
      if (ldapConfiguration.getSslEnabled()) {
--- a/openmetadata-service/src/main/java/org/openmetadata/service/util/LdapUtil.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/util/LdapUtil.java
@ -26,7 +26,8 @@ public class LdapUtil {
    switch (configType) {
      case CUSTOM_TRUST_STORE:
        CustomTrustManagerConfig customTrustManagerConfig =
-            JsonUtils.convertValue(ldapConfiguration.getTrustStoreConfig(), CustomTrustManagerConfig.class);
+            JsonUtils.convertValue(
+                ldapConfiguration.getTrustStoreConfig().getCustomTrustManagerConfig(), CustomTrustManagerConfig.class);
        x509TrustManager =
            new TrustStoreTrustManager(
                customTrustManagerConfig.getTrustStoreFilePath(),
@ -38,20 +39,21 @@ public class LdapUtil {
        break;
      case HOST_NAME:
        HostNameConfig hostNameConfig =
-            JsonUtils.convertValue(ldapConfiguration.getTrustStoreConfig(), HostNameConfig.class);
+            JsonUtils.convertValue(ldapConfiguration.getTrustStoreConfig().getHostNameConfig(), HostNameConfig.class);
        x509TrustManager =
            new HostNameTrustManager(hostNameConfig.getAllowWildCards(), hostNameConfig.getAcceptableHostNames());
        break;
      case JVM_DEFAULT:
        JVMDefaultConfig jvmDefaultConfig =
-            JsonUtils.convertValue(ldapConfiguration.getTrustStoreConfig(), JVMDefaultConfig.class);
+            JsonUtils.convertValue(
+                ldapConfiguration.getTrustStoreConfig().getJvmDefaultConfig(), JVMDefaultConfig.class);
        x509TrustManager = JVMDefaultTrustManager.getInstance();
        sslSocketVerifier = hostNameVerifier(jvmDefaultConfig.getVerifyHostname());
        connectionOptions.setSSLSocketVerifier(sslSocketVerifier);
        break;
      case TRUST_ALL:
        TrustAllConfig trustAllConfig =
-            JsonUtils.convertValue(ldapConfiguration.getTrustStoreConfig(), TrustAllConfig.class);
+            JsonUtils.convertValue(ldapConfiguration.getTrustStoreConfig().getTrustAllConfig(), TrustAllConfig.class);
        x509TrustManager = new TrustAllTrustManager(trustAllConfig.getExamineValidityDates());
        break;
      default:
--- a/openmetadata-spec/src/main/resources/json/schema/configuration/ldapConfiguration.json
+++ b/openmetadata-spec/src/main/resources/json/schema/configuration/ldapConfiguration.json
@ -55,20 +55,8 @@
      "enum": ["TrustAll", "JVMDefault", "HostName", "CustomTrustStore"]
    },
    "trustStoreConfig": {
-      "oneOf": [
-        {
-          "$ref": "./ldapTrustStoreConfig/customTrustManagerConfig.json"
-        },
-        {
-          "$ref": "./ldapTrustStoreConfig/hostNameConfig.json"
-        },
-        {
-          "$ref": "./ldapTrustStoreConfig/jvmDefaultConfig.json"
-        },
-        {
-          "$ref": "./ldapTrustStoreConfig/trustAllConfig.json"
-        }
-      ]
+      "description": "Truststore Configuration",
+      "$ref": "ldapTrustStoreConfig/truststoreConfig.json"
    }
  },
  "required": ["host", "port", "dnAdminPrincipal","dnAdminPassword", "userBaseDN", "mailAttributeName"],
--- a/openmetadata-spec/src/main/resources/json/schema/configuration/ldapTrustStoreConfig/truststoreConfig.json
+++ b/openmetadata-spec/src/main/resources/json/schema/configuration/ldapTrustStoreConfig/truststoreConfig.json
@ -0,0 +1,27 @@
+{
+  "$id": "https://open-metadata.org/schema/configuration/ldapTrustStoreConfig/truststoreConfig.json",
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "TruststoreConfig",
+  "description": "Truststore Configuration",
+  "type": "object",
+  "javaType": "org.openmetadata.schema.auth.ldapTrustStoreConfig.TruststoreConfig",
+  "properties": {
+    "customTrustManagerConfig": {
+      "description": "CustomTrust Configuration",
+      "$ref": "./customTrustManagerConfig.json"
+    },
+    "hostNameConfig": {
+      "description": "HostName Configuration",
+      "$ref": "./hostNameConfig.json"
+    },
+    "jvmDefaultConfig": {
+      "description": "JVMDefault Configuration",
+      "$ref": "./jvmDefaultConfig.json"
+    },
+    "trustAllConfig": {
+      "description": "TrustAll Configuration",
+      "$ref": "./trustAllConfig.json"
+    }
+  },
+  "additionalProperties": false
+}