Feature #16112

Netgroup LDAP Authentication in ldap_fluff

Added by Marek Hulán about 1 year ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Assigned To: Tomáš Strachota
Category: Authentication
Target version: Team Marek Iteration 17
Difficulty:
Bugzilla link: 1293538
Found in release:
Pull request: https://github.com/theforeman/foreman/pull/4581, https://github.com/theforeman/ldap_fluff/pull/57
Story points: -
Velocity based estimate: -
Release: 1.16.0
Release relationship: Auto

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1293538

Description of problem:

Netgroup LDAP Authentication

A RHEL 7.1 installation configured to use external LDAP authentication (created using hammer)

# hammer auth-source ldap create --name LDAP1 --host ldap.example.org --server-type posix --tls yes --port 636 \
--base-dn ou=People,ou=example,o=org,c=au --groups-base ou=netgroup,ou=example,o=org,c=au --attr-login uid

The User Group can then be created and an External Group linked to it (also using hammer)...

# hammer user-group create --name Test
# hammer user-group external create --auth-source-id 3 --name test-netgroup --user-group Test

Actual results:

This returns a "500 Internal Server Error" - but checking in the Web UI the external group is displayed as linked correctly.
Trying to then refresh the display to show the users in the LDAP netgroup does nothing - no users are found within the group.
(Creating the user group and external linking via the Web UI returns NO errors - only via hammer do we get a clue something is wrong)

In the foreman production.log we see the 500 error:

2015-12-09 09:30:19 [I] Processing by Api::V2::ExternalUsergroupsController#create as JSON
2015-12-09 09:30:19 [I]    Parameters: {"external_usergroup"=>{"name"=>"test-netgroup", "auth_source_id"=>"3"}, "apiv"=>"2", "usergroup-id"=>"5"}
2015-12-09 09:30:20 [W] Creating scope :completer_scope. Overwriting existing method Organization.completer_scope.
2015-12-09 09:30:20 [I] Authorized user ggatward(Geoff Gatward)
2015-12-09 09:30:20 [I]   Rendered api/v2/external_usergroups/create.json.rabl (2.3ms)
2015-12-09 09:30:20 [E] Group does not have any members (RuntimeError)
/opt/rh/ruby193/root/usr/share/gems/gems/ldap_fluff-0.3.2/lib/ldap_fluff/generic.rb:47:in 'users_for_gid'
/opt/rh/ruby193/root/usr/share/gems/gems/ldap_fluff-0.3.2/lib/ldap_fluff/ldap_fluff.rb:35:in 'user_list'
/usr/share/foreman/app/models/auth_sources/auth_source_ldap.rb:107:in 'users_in_group'
/usr/share/foreman/app/models/external_usergroup.rb:33:in 'users'
...
...
2015-12-09 09:30:20 [I] Completed 500 Internal Server Error in 441ms
2015-12-09 09:30:20 [F]

If we do the same setup but use a posix group from LDAP instead, everything works as expected (no 500 error and users are resolved)

Expected results:

everything works as expected (no 500 error)

Additional info:

Netgroup grouping is an alternative to posix usergroups. It works differently: netgroups are found in the ou=Netgroup,dc=example,dc=com tree, with cn as their name. For association with a user, the attribute nisNetgroupTriple is defined in this object. The attribute is defined multiple times, once for each user in a given netgroup. The structure is a triple ($server, $user, $domain).

While users can set the group base DN today, we hardcode "memberuid", which we use for searching posix groups. We could make this configurable per LDAP auth source as well and let ldap_fluff search in this triple.
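As an added illustration of the triple format described above (example code, not ldap_fluff's or Foreman's own), the following resolves a netgroup's member logins from nisNetgroupTriple values instead of memberuid. The directory contents, parse_triple and netgroup_users are constructed for the example; memberNisNetgroup is the standard nisNetgroup attribute for nested netgroups, and an empty netgroup yields an empty list so the caller decides how to report "no members".

```ruby
require 'set'

# Each nisNetgroupTriple value has the form "(host,user,domain)"; any field
# may be empty, meaning "any". Only the user field matters for membership.
TRIPLE_RE = /\A\(\s*([^,()]*)\s*,\s*([^,()]*)\s*,\s*([^,()]*)\s*\)\z/

# Parse one triple; returns nil for malformed values so the caller can skip
# (and log) a bad directory entry instead of failing the whole lookup.
def parse_triple(value)
  m = TRIPLE_RE.match(value.to_s.strip)
  return nil unless m
  { host: m[1].strip, user: m[2].strip, domain: m[3].strip }
end

# Constructed sample directory: cn => attributes of the ou=Netgroup entries.
# memberNisNetgroup links nested netgroups, which must also be expanded.
SAMPLE_NETGROUPS = {
  'test-netgroup' => {
    'nisNetgroupTriple' => ['(,alice,)', '(web01,bob,example.org)', '(db01,,)'],
    'memberNisNetgroup' => ['admins-netgroup'],
  },
  'admins-netgroup' => {
    'nisNetgroupTriple' => ['(,carol,)', 'garbage'],
    'memberNisNetgroup' => ['test-netgroup'], # cycle: must not loop forever
  },
  'empty-netgroup' => {},
}.freeze

# Return the unique user logins of a netgroup, following nested netgroups and
# guarding against cycles. An unknown cn raises; an empty netgroup returns [].
def netgroup_users(cn, directory = SAMPLE_NETGROUPS, seen = Set.new)
  return [] if seen.include?(cn) # already expanded (cycle or diamond)
  seen << cn
  entry = directory.fetch(cn) { raise "Netgroup #{cn} not found" }
  triples = Array(entry['nisNetgroupTriple']).map { |v| parse_triple(v) }.compact
  users = triples.map { |t| t[:user] }.reject(&:empty?)
  Array(entry['memberNisNetgroup']).each do |nested|
    users.concat(netgroup_users(nested, directory, seen))
  end
  users.uniq
end
```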


Related issues

Related to Foreman - Bug #21167: ldap_fluff 0.4.7 needed in repos for netgroups Closed 10/02/2017

Associated revisions

Revision 88e295d5
Added by Tomas Strachota 3 months ago

Fixes #16112 - support for netgroups in LDAP auth source

Revision 435839b9
Added by Tomas Strachota 3 months ago

Refs #16112 - docs for using LDAP netgroups

History

#1 Updated by Marek Hulán about 1 year ago

  • Subject changed from Netgroup LDAP Authentication with Satellite 6. to Netgroup LDAP Authentication in ldap_fluff
  • Category set to Authentication
  • Priority changed from High to Normal

#2 Updated by Marek Hulán about 1 year ago

  • Description updated (diff)

#3 Updated by Marek Hulán about 1 year ago

  • Description updated (diff)

#4 Updated by Marek Hulán about 1 year ago

  • Target version set to Team Marek backlog

#5 Updated by Marek Hulán about 1 year ago

  • Assigned To set to Tomáš Strachota
  • Target version changed from Team Marek backlog to Team Marek Iteration 5

#6 Updated by Marek Hulán 11 months ago

  • Target version changed from Team Marek Iteration 5 to Team Marek Iteration 6

#7 Updated by Tomáš Strachota 11 months ago

  • Status changed from New to Assigned

#8 Updated by Marek Hulán 11 months ago

  • Target version changed from Team Marek Iteration 6 to Team Marek Iteration 7

#9 Updated by Marek Hulán 10 months ago

  • Status changed from Assigned to New
  • Target version changed from Team Marek Iteration 7 to Team Marek backlog

#10 Updated by Tomáš Strachota 7 months ago

  • Status changed from New to Assigned

#11 Updated by Marek Hulán 5 months ago

  • Target version changed from Team Marek backlog to Team Marek Iteration 15

#12 Updated by The Foreman Bot 4 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4581 added

#13 Updated by Marek Hulán 4 months ago

  • Target version changed from Team Marek Iteration 15 to Team Marek Iteration 16

#14 Updated by Marek Hulán 4 months ago

  • Pull request https://github.com/theforeman/ldap_fluff/pull/57 added

#15 Updated by Marek Hulán 4 months ago

  • Target version changed from Team Marek Iteration 16 to Team Marek Iteration 17

#16 Updated by Marek Hulán 3 months ago

  • Release set to 1.16.0

#17 Updated by Anonymous 3 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#18 Updated by Ivan Necas 16 days ago

  • Related to Bug #21167: ldap_fluff 0.4.7 needed in repos for netgroups added
