
HPCC-24833 Add azure_ldap auth option to helm installed ESP

- Add azure_ldap as another auth type
- Add default config for azure ldap
- Move original (and new) ldap configs to "common/ldap" sub-directory

Signed-off-by: Yanrui Ma <yanrui.ma@lexisnexisrisk.com>
Yanrui Ma 4 years ago
parent
commit
38a99e666d

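--- a/esp/applications/common/CMakeLists.txt
+++ b/esp/applications/common/CMakeLists.txt
@@ -15,10 +15,11 @@
 ################################################################################
 
 set ( ESP_APPLICATION_FILES
-    ${CMAKE_CURRENT_SOURCE_DIR}/ldap.yaml
     ${CMAKE_CURRENT_SOURCE_DIR}/directories.yaml
 )
 
 FOREACH( iFile ${ESP_APPLICATION_FILES} )
     Install( FILES ${iFile} DESTINATION componentfiles/applications/common COMPONENT Runtime )
 ENDFOREACH ( iFile )
+
+HPCC_ADD_SUBDIRECTORY (ldap)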

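--- /dev/null
+++ b/esp/applications/common/ldap/CMakeLists.txt
@@ -0,0 +1,24 @@
+################################################################################
+#    HPCC SYSTEMS software Copyright (C) 2020 HPCC Systems®.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+################################################################################
+
+set ( ESP_LDAP_FILES
+    ${CMAKE_CURRENT_SOURCE_DIR}/ldap.yaml
+    ${CMAKE_CURRENT_SOURCE_DIR}/azure_ldap.yaml
+)
+
+FOREACH( iFile ${ESP_LDAP_FILES} )
+    Install( FILES ${iFile} DESTINATION componentfiles/applications/common/ldap COMPONENT Runtime )
+ENDFOREACH ( iFile )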

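--- /dev/null
+++ b/esp/applications/common/ldap/azure_ldap.yaml
@@ -0,0 +1,26 @@
+ldap:
+  objname: ldapserver
+  serverType: AzureActiveDirectory
+  description: LDAP server process
+  ldapProtocol: ldap
+  authMethod: kerberos
+  localDomain: localdomain
+  ldapPort: 389
+  ldapSecurePort: 636
+  systemCommonName: hpcc_admin2
+  systemPassword: ""
+  systemUser: hpcc_admin2
+  adminGroupName:
+  maxConnections: 10
+  passwordExpirationWarningDays: 10
+  cacheTimeout: 5
+  ldapTimeoutSecs: 131
+  sharedCache: true
+  checkViewPermissions: ''
+  filesBasedn: ou=files,ou=ecl
+  groupsBasedn: ou=AADDC Users
+  sudoersBasedn: ou=SUDOers
+  systemBasedn: ou=AADDC Users
+  usersBasedn: ou=AADDC Users
+  resourcesBasedn: ou=WsEcl,ou=EspServices,ou=ecl
+  workunitsBasedn: ou=workunits,ou=ecl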
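Review bot: The shipped default sets `ldapProtocol: ldap` on `ldapPort: 389` together with an empty `systemPassword: ""` and a bare `adminGroupName:`, so an unmodified install would bind to the directory in clear text with no system credential, and nothing in the file or the commit says these are placeholders that deployment values must replace. A header comment would make that explicit, e.g. `# Defaults for the azure_ldap auth type. ldapProtocol, systemUser/systemPassword and adminGroupName must be overridden per deployment; prefer the secure protocol on ldapSecurePort.` Whether the empty password is later populated from a secret is not visible in this diff, so the comment should say where the override is expected to come from once that is confirmed.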

esp/applications/common/ldap.yaml → esp/applications/common/ldap/ldap.yaml


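--- a/esp/platform/application_config.cpp
+++ b/esp/platform/application_config.cpp
@@ -29,6 +29,8 @@
 #include "espcontext.hpp"
 #include "build-config.h"
 
+enum class LdapType { LegacyAD, AzureAD };
+
 static void appendPTreeFromYamlFile(IPropertyTree *tree, const char *file)
 {
     Owned<IPropertyTree> appendTree = createPTreeFromYAMLFile(file);
@@ -88,11 +90,21 @@ static void copyDirectories(IPropertyTree *target, IPropertyTree *src)
     }
 }
 
-bool addLdapSecurity(IPropertyTree *legacyEsp, IPropertyTree *appEsp, StringBuffer &bindAuth)
+bool addLdapSecurity(IPropertyTree *legacyEsp, IPropertyTree *appEsp, StringBuffer &bindAuth, LdapType ldapType)
 {
     const char *ldapAddress = appEsp->queryProp("@ldapAddress");
     if (isEmptyString(ldapAddress))
         throw MakeStringException(-1, "LDAP not configured.  To run without security set auth=none");
+
+    StringBuffer path(COMPONENTFILES_DIR);
+    char sepchar = getPathSepChar(COMPONENTFILES_DIR);
+    addPathSepChar(path, sepchar).append("applications").append(sepchar).append("common").append(sepchar).append("ldap").append(sepchar);
+    if (ldapType == LdapType::LegacyAD)
+        path.append("ldap.yaml");
+    else
+        path.append("azure_ldap.yaml");
+    if (checkFileExists(path))
+        appendPTreeFromYamlFile(appEsp, path.str());
     IPropertyTree *appLdap = appEsp->queryPropTree("ldap");
     if (!appLdap)
         throw MakeStringException(-1, "Can't find application LDAP settings.  To run without security set auth=none");
@@ -155,14 +167,16 @@ bool addSecurity(IPropertyTree *legacyEsp, IPropertyTree *appEsp, StringBuffer &
     if (streq(auth, "none"))
         return false;
     if (streq(auth, "ldap"))
-        return addLdapSecurity(legacyEsp, appEsp, bindAuth);
+        return addLdapSecurity(legacyEsp, appEsp, bindAuth, LdapType::LegacyAD);
+    if (streq(auth, "azure_ldap"))
+        return addLdapSecurity(legacyEsp, appEsp, bindAuth, LdapType::AzureAD);
     return addAuthNZSecurity(auth, legacyEsp, appEsp, bindAuth);
 }
 
 void bindAuthResources(IPropertyTree *legacyAuthenticate, IPropertyTree *app, const char *service, const char *auth)
 {
     IPropertyTree *appAuth = nullptr;
-    if (isEmptyString(auth) || streq(auth, "ldap"))
+    if (isEmptyString(auth) || streq(auth, "ldap") || streq(auth, "azure_ldap"))
         appAuth = app->queryPropTree("ldap");
     else if (streq(auth, "none"))
         return;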

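--- a/esp/platform/espp.cpp
+++ b/esp/platform/espp.cpp
@@ -331,7 +331,7 @@ static void usage()
     puts("  -?/-h: show this help page");
     puts("  --daliServers=<address>: set DALI address (defaults to dali)");
     puts("  --tls=<on/off>: enable using TLS secure communication (defaults to on)");
-    puts("  --auth=<ldap/none>: select authorization protocol (defaults to ldap)");
+    puts("  --auth=<ldap/azure_ldap/none>: select authorization protocol (defaults to ldap)");
     puts("  --ldapAddress=<address>: set LDAP server address");
     puts("  --config=<file.yaml>: specify a YAML config file, use to override default config values");
     puts("  --logDir=<file>: specify a file to write trace file information to, default is stderr");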

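--- a/system/security/LdapSecurity/ldapconnection.cpp
+++ b/system/security/LdapSecurity/ldapconnection.cpp
@@ -297,6 +297,7 @@ public:
         m_cfgServerType.set(cfg->queryProp(".//@serverType"));
         if (m_cfgServerType.length())
         {
+            PROGLOG("LDAP Server Type from config: %s", m_cfgServerType.str());
             if (0 == stricmp(m_cfgServerType, "ActiveDirectory"))
                 m_serverType = ACTIVE_DIRECTORY;
             else if (strieq(m_cfgServerType, "AzureActiveDirectory"))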

+ 14 - 14
system/security/LdapSecurity/ldaputils.cpp

@@ -309,10 +309,7 @@ int LdapUtils::getServerInfo(const char* ldapserver, const char* userDN, const c
                     }
                 }
                 else if(*curdn != '\0' && strcmp(curdn, "o=NetscapeRoot") == 0)
-                {
-                    PROGLOG("Deduced LDAP Server Type 'iPlanet'");
                     deducedSType = IPLANET;
-                }
                 i++;
             }
 
@@ -322,26 +319,29 @@ int LdapUtils::getServerInfo(const char* ldapserver, const char* userDN, const c
             if (deducedSType == LDAPSERVER_UNKNOWN)
             {
                 if(i <= 1)
-                {
-                    PROGLOG("Deduced LDAP Server Type 'OpenLDAP'");
                     deducedSType = OPEN_LDAP;
-                }
                 else
-                {
-                    PROGLOG("Deduced LDAP Server Type 'Active Directory'");
                     deducedSType = ACTIVE_DIRECTORY;
-                }
             }
         }
     }
     ldap_msgfree(msg);
     LDAP_UNBIND(ld);
 
-    if (stype == LDAPSERVER_UNKNOWN)
-        stype = deducedSType;
-    else if (deducedSType != stype)
-        WARNLOG("Ignoring deduced LDAP Server Type, does not match config LDAPServerType");
-
+    if (stype == LDAPSERVER_UNKNOWN || deducedSType != stype)
+    {
+        if (deducedSType == ACTIVE_DIRECTORY)
+            PROGLOG("Deduced LDAP Server Type 'Active Directory'");
+        else if (deducedSType == OPEN_LDAP)
+            PROGLOG("Deduced LDAP Server Type 'OpenLDAP'");
+        else if (deducedSType == IPLANET)
+            PROGLOG("Deduced LDAP Server Type 'iPlanet'");
+
+        if (stype == LDAPSERVER_UNKNOWN)
+            stype = deducedSType;
+        else
+            WARNLOG("Ignoring deduced LDAP Server Type, does not match config");
+    }
     return err;
 }
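Review bot: The restructured block at the end of getServerInfo still emits "Ignoring deduced LDAP Server Type, does not match config" when stype is configured but deducedSType is LDAPSERVER_UNKNOWN, which appears possible if the enclosing search block (its start is outside the hunk) never assigns deducedSType; in that case nothing was deduced, none of the new PROGLOG lines fire, and the warning misleads whoever reads the log. Guarding the whole block with `if (deducedSType != LDAPSERVER_UNKNOWN && (stype == LDAPSERVER_UNKNOWN || deducedSType != stype))` confines both the assignment and the warning to cases where a type was actually deduced, and is a no-op for the unknown/unknown case. Whether deducedSType can reach this point unset depends on its initialization, which is not visible here.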