Feature #16112

Netgroup LDAP Authentication in ldap_fluff

Added by Marek Hulán 8 months ago. Updated about 1 month ago.

Status:Assigned
Priority:Normal
Assigned To:Tomáš Strachota
Category:Authentication
Target version:Team Marek backlog
Difficulty: Bugzilla link:1293538
Found in release: Pull request:
Story points-
Velocity based estimate-

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1293538

Description of problem:

Netgroup LDAP Authentication

A RHEL 7.1 installation configured to use external LDAP authentication (created using hammer)

# hammer auth-source ldap create --name LDAP1 --host ldap.example.org --server-type posix --tls yes --port 636 \
--base-dn ou=People,ou=example,o=org,c=au --groups-base ou=netgroup,ou=example,o=org,c=au --attr-login uid

The User Group can then be created and an External Group linked to it (also using hammer)...

# hammer user-group create --name Test 
# hammer user-group external create --auth-source-id 3 --name test-netgroup --user-group Test

Actual results:

This returns a "500 Internal Server Error" - but checking in the Web UI the external group is displayed as linked correctly.
Trying to then refresh the display to show the users in the LDAP netgroup does nothing - no users are found within the group.
(Creating the user group and external linking via the Web UI returns NO errors - only via hammer do we get a clue something is wrong)

In the foreman production.log we see the 500 error:

2015-12-09 09:30:19 [I] Processing by Api::V2::ExternalUsergroupsController#create as JSON
2015-12-09 09:30:19 [I]    Parameters: {"external_usergroup"=>{"name"=>"test-netgroup", "auth_source_id"=>"3"}, "apiv"=>"2", "usergroup-id"=>"5"}
2015-12-09 09:30:20 [W] Creating scope :completer_scope. Overwriting existing method Organization.completer_scope.
2015-12-09 09:30:20 [I] Authorized user ggatward(Geoff Gatward)
2015-12-09 09:30:20 [I]   Rendered api/v2/external_usergroups/create.json.rabl (2.3ms)
2015-12-09 09:30:20 [E] Group does not have any members (RuntimeError)
/opt/rh/ruby193/root/usr/share/gems/gems/ldap_fluff-0.3.2/lib/ldap_fluff/generic.rb:47:in 'users_for_gid'
/opt/rh/ruby193/root/usr/share/gems/gems/ldap_fluff-0.3.2/lib/ldap_fluff/ldap_fluff.rb:35:in 'user_list'
/usr/share/foreman/app/models/auth_sources/auth_source_ldap.rb:107:in 'users_in_group'
/usr/share/foreman/app/models/external_usergroup.rb:33:in 'users'
...
...
2015-12-09 09:30:20 [I] Completed 500 Internal Server Error in 441ms
2015-12-09 09:30:20 [F]

If we do the same setup but use a posix group from LDAP instead, everything works as expected (no 500 error and users are resolved)

Expected results:

everything works as expected (no 500 error)

Additional info:

Netgroup grouping is alternative to posix usergroups. It works differently, they are to be found at ou=Netgroup,dc=example,dc=com tree with cn as their name. For association with user, attribute nisNetgroupTriple is defined in this object. Attribute is defined multiple times for each user in a given netgroup. The structure is triple ($server, $user, $domain).

While users can set group base DN today, we hardcode "memberuid" that we use for searching posix groups. We could make this also configurable per LDAP auth source and let ldap_fluff search in this triple.

History

#1 Updated by Marek Hulán 8 months ago

  • Subject changed from Netgroup LDAP Authentication with Satellite 6. to Netgroup LDAP Authentication in ldap_fluff
  • Category set to Authentication
  • Priority changed from High to Normal

#2 Updated by Marek Hulán 8 months ago

  • Description updated (diff)

#3 Updated by Marek Hulán 8 months ago

  • Description updated (diff)

#4 Updated by Marek Hulán 7 months ago

  • Target version set to Team Marek backlog

#5 Updated by Marek Hulán 6 months ago

  • Assigned To set to Tomáš Strachota
  • Target version changed from Team Marek backlog to Team Marek Iteration 5

#6 Updated by Marek Hulán 6 months ago

  • Target version changed from Team Marek Iteration 5 to Team Marek Iteration 6

#7 Updated by Tomáš Strachota 5 months ago

  • Status changed from New to Assigned

#8 Updated by Marek Hulán 5 months ago

  • Target version changed from Team Marek Iteration 6 to Team Marek Iteration 7

#9 Updated by Marek Hulán 4 months ago

  • Status changed from Assigned to New
  • Target version changed from Team Marek Iteration 7 to Team Marek backlog

#10 Updated by Tomáš Strachota about 1 month ago

  • Status changed from New to Assigned

Also available in: Atom PDF