Bug #17992

500 when external usergroup users don't match filter

Added by Daniel Lobato Garcia 11 months ago. Updated 7 days ago.

Status: Closed
Priority: Normal
Assigned To: Daniel Lobato Garcia
Category: Authentication
Target version: Team Daniel - Iteration 9
Difficulty: medium
Bugzilla link:
Found in release:
Pull request: https://github.com/theforeman/foreman/pull/4902, https://github.com/theforeman/foreman/pull/4199
Story points: -
Velocity based estimate: -
Release: 1.17.0
Release relationship: Auto

Description

Given an Auth source LDAP with a filter like:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=Red Hat Foreman Users,OU=Groups,OU=Unix,DC=example,DC=net))

with a base DN of 'DC=example, DC=net'

and a LDAP tree like:

- OU = Groups (OU=Unix, DC=example, DC=net..)
- CN = Red Hat Foreman Users
- CN = Foreman Admins

If one tries to add 'Foreman Admins' as an external user group, it will fail with a 500 LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException, as Foreman does not know how to handle this exception. The failure is fine as Foreman Admins doesn't match the LDAP Filter, however we should give better hints to the admin as to what's going on.

1. Foreman looks for the group Foreman Admins within its base DN. Success
2. ldap_fluff lists all users for the group. Fail: it uses the LDAP filter to do this operation, and users in Foreman Admins will not satisfy "memberOf:1.2.840.113556.1.4.1941:=CN=Red Hat Foreman Users" (member of the Red Hat Foreman Users hierarchy), as it's a different hierarchy tree. It throws UIDNotFoundException, and Foreman doesn't know what to do at this point so it 500s.

Possible solutions:

1. Make sure we apply the filter also on group lookup on LDAP fluff.
2. Handle LdapFluff::Exception on the user group page in Foreman, and try to figure out the cause (say, lookup for the user list without the filter, if that works, explain what's going on)
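The handling that solution 2 and the fix commit describe, as an added example that is not Foreman's or ldap_fluff's own code: a constructed in-memory directory reproduces step 2 (a filter of the kind shown in comment #10 excludes one member of the group, so the member lookup raises UIDNotFoundException), and a helper turns each exception named on this page into an actionable message instead of a 500. FakeLdap, external_group_error and the stand-in exception classes are assumptions made for this example.

```ruby
# Added example, not Foreman's or ldap_fluff's own code. The exception classes
# are bare stand-ins carrying the names this issue reports; FakeLdap stands in
# for the ldap_fluff client and implements only user_list(group_name).
module Net; module LDAP; class Error < StandardError; end; end; end
module LdapFluff
  class Exception < StandardError; end
  module Generic; class UnauthenticatedException < Exception; end; end
  module ActiveDirectory
    module MemberService; class UIDNotFoundException < Exception; end; end
  end
end

# Constructed directory. `filter` is a predicate applied to every member lookup,
# mirroring how ldap_fluff reuses the auth source's LDAP filter in step 2.
class FakeLdap
  def initialize(groups, filter = nil)
    @groups, @filter = groups, filter
  end

  def user_list(group_name)
    members = @groups.fetch(group_name) { raise LdapFluff::Exception, "no such group #{group_name}" }
    members.each do |uid|
      next if @filter.nil? || @filter.call(uid)
      raise LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException, uid
    end
  end
end

# Returns nil when the group's members can be read, otherwise a message the UI
# can show instead of a bare 500. For UIDNotFoundException it retries without the
# filter (solution 2) to tell "the filter excludes a member" from "unresolvable".
def external_group_error(group_name, ldap, unfiltered_ldap)
  ldap.user_list(group_name)
  nil
rescue Net::LDAP::Error => e
  "Cannot reach the LDAP server (#{e.message}); check host, port and network route."
rescue LdapFluff::Generic::UnauthenticatedException
  "LDAP bind failed; check the auth source's account name and password."
rescue LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException => e
  begin
    unfiltered_ldap.user_list(group_name)
    "Member #{e.message} of #{group_name} does not match the auth source's LDAP filter; " \
      "widen the filter or choose a group whose members all match it."
  rescue LdapFluff::Exception
    "Members of #{group_name} cannot be resolved even without the LDAP filter; check the base DN and group membership."
  end
rescue LdapFluff::Exception => e
  "LDAP lookup failed: #{e.message}"
end
```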


Related issues

Related to Foreman - Bug #18103: Errors when submitting external user groups not displayed Closed 01/17/2017

Associated revisions

Revision 36f8e9c0
Added by Daniel Lobato Garcia about 1 month ago

Fixes #17992, #18103 - Improve external usergroup errors

When one submits a user group with external user groups, and this
doesn't work for whatever reason, like:

Net::LDAP::Error - No route to host - connect(2)
LdapFluff::Generic::UnauthenticatedException
LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException,

it should show these errors in the UI and ideally some text explaining
how to solve the issue.

Currently the errors are merely logged to production.log, which leaves
users unable to understand what happened.

This commit makes those errors show up in the UI with a suggestion on
how to fix those we know.

History

#1 Updated by Daniel Lobato Garcia 11 months ago

  • Bugzilla link set to 1408135

#2 Updated by Daniel Lobato Garcia 11 months ago

Seems like the tree didn't display properly:

  • OU = groups
    • CN = Red Hat Foreman Users
    • CN = Foreman Admins

A proper tree to match the filter would look like:

  • OU = groups
    • CN = Red Hat Foreman Users
      • CN = Foreman Admins

#3 Updated by Daniel Lobato Garcia 11 months ago

  • Related to Bug #18103: Errors when submitting external user groups not displayed added

#4 Updated by The Foreman Bot 11 months ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Daniel Lobato Garcia
  • Pull request https://github.com/theforeman/foreman/pull/4199 added

#5 Updated by Daniel Lobato Garcia 11 months ago

  • Target version set to Team Brad - Iteration 11

#6 Updated by Brad Buckingham 10 months ago

  • Target version deleted (Team Brad - Iteration 11)

#7 Updated by Daniel Lobato Garcia 10 months ago

  • Bugzilla link deleted (1408135)
  • Pull request deleted (https://github.com/theforeman/foreman/pull/4199)

Unlinking from BZ as the issue was not the one described there.

#8 Updated by Dominic Cleal 10 months ago

  • Pull request https://github.com/theforeman/foreman/pull/4199 added

#9 Updated by Daniel Lobato Garcia 10 months ago

  • Target version set to Team Daniel - Iteration 9

#10 Updated by Robert Heinzmann 9 months ago

This problem also occurs when I try to specify an LDAP filter that limits the valid users to certain accounts (e.g. selected users).

<pre>
(|(sAMAccountName=admin1)(sAMAccountName=operator1)(sAMAccountName=user1))
</pre>

When an external group is created I get the Error 500, as SOME members of the external group are excluded by this filter intentionally.

Then ldap_fluff generates queries like: 

<pre>
[ filter=(&(CN=Joe Admin)(|(|(sAMAccountName=admin1)(sAMAccountName=operator1))(sAMAccountName=user1))), base=OU=User,DC=example,DC=com ]
</pre>

As soon as a group member of the external group is excluded by the filter (e.g. user99), I get:

<pre>
LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException: LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
</pre>

So this does not only look like a "documentation issue", but also a logical error about how to use the ldap filters.

#11 Updated by Tomer Brisker about 1 month ago

  • Release set to 1.17.0

#12 Updated by Anonymous about 1 month ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed

#13 Updated by The Foreman Bot 7 days ago

  • Pull request https://github.com/theforeman/foreman/pull/4902 added
