Bug #25795 » [satellite-tech] External ldap usergroups - change proposal.eml

Change proposal communication - Ondřej Ezr, 02/18/2019 01:28 PM

From: Marek Hulán <>
Cc: Bryan Kearney <>, Ondrej Ezr <>
Subject: Re: [satellite-tech] External ldap usergroups - change proposal
Date: Fri, 08 Feb 2019 16:46:46 +0100
Message-ID: <3724194.YL3Voepitn@tony>

Having two LDAP records in different servers, each with a different login, is not a
problem. The problem arises when two LDAPs are linked and both contain the same
LDAP login but in fact these are two different people.

Well, it could be an acquisition of two companies, both employing a John Connor,
and both Johns have the login jconnor. After the acquisition, before a single LDAP is used,
it can be added as a second auth source in order to grant access to the shared
Satellite instance. While the second John couldn't log in, the first would gain
the second John's permissions. This feels like a bug.

The valid use case I see is this. There's one LDAP managed by my company's
sysadmin department; it's very hard to convince them that I need a new account
for a new employee or that an existing colleague needs more permissions. So for
colleagues in my group, I install a separate LDAP. While users authenticate
against the company LDAP and have some basic permissions granted in it, I can do
more granular and faster permission modifications there. This use case would
be dropped.

Both seem like quite edge cases and I'd be all for dropping this. I think
99.9% of users will not notice. That means we'd only sync usergroups from the
auth source that was used for user authentication (the auth source is linked on the
user object). That does not affect the ability to have two or more auth sources.
In fact, customers today define multiple auth sources using the same LDAP
instance in order to have different default taxonomies for users in
different user groups. This would still work, unless they combine permissions
from multiple taxonomies.

It would be great to have an ack from PM and/or people from the field. If there's
no strong opinion, we'll proceed with the change.



On Monday 4 February 2019 16:37:02 CET Bryan Kearney wrote:
> Why would you have 2 different ldaps with different unique user names?
> -- bk
> On 2/4/19 3:16 AM, Ondrej Ezr wrote:
> > Hi all,
> >
> > I am working on speed up synchronization of LDAP groups at user login.
> >
> > I have stumbled upon a problem:
> > Currently we are supposing, that if there is a login matching the user's
> > login in any LDAP (not just the one user is authenticated by), the user
> > is supposed to be a member of that group.
> >
> > So let's have two LDAPs A and B. We have G1 ldap B, and user User1
> > authenticated by ldap A. Ldap B is saying G2 has a member called User2.
> >
> > Currently if we got external group connected to the G2 LDAP group, user
> > is a member of that external group.
> >
> > I see a problem in there, because user User1, can be a totally different
> > user and thus it can present a security issue of adding permissions to
> > the user he shouldn't have.
> >
> > On the other hand some users can already use it like that and they can
> > have this handled on the LDAP side.
> >
> > But as we can't assure this on the Satellite side, I would like to say
> > this behaviour is a *BUG*.
> >
> > I would like to hear your thoughts on this, before I will say it's a bug
> > and repair it.
> >
> > Thanks for your time and considerations,
> > Ondřej Ezr
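Added illustration of the two lookup behaviours discussed in this thread (the current "any auth source with a matching login" lookup that Ondřej describes as the bug, and the "only the auth source linked on the user object" rule Marek proposes). This is not Foreman/Satellite code: the in-memory directories, the group names and both lookup functions are constructed here.

```ruby
# Each auth source is modelled as a fake LDAP directory: login => LDAP groups.
# Two unrelated companies both have a "jconnor" (the acquisition example).
AUTH_SOURCES = {
  'ldap_A' => { 'jconnor' => ['admins-A'] },   # John Connor from company A
  'ldap_B' => { 'jconnor' => ['finance-B'] },  # a different John Connor, company B
}.freeze

# External user groups link a Satellite usergroup to (auth source, LDAP group).
EXTERNAL_GROUPS = [
  { usergroup: 'Satellite Admins', auth_source: 'ldap_A', ldap_group: 'admins-A' },
  { usergroup: 'Finance Editors',  auth_source: 'ldap_B', ldap_group: 'finance-B' },
].freeze

# Behaviour reported as the bug: every auth source is consulted, so any LDAP
# that happens to contain the same login grants its external groups to the user.
def usergroups_any_source(login)
  EXTERNAL_GROUPS.select do |eg|
    AUTH_SOURCES.dig(eg[:auth_source], login)&.include?(eg[:ldap_group])
  end.map { |eg| eg[:usergroup] }
end

# Proposed behaviour: only the auth source that actually authenticated the user
# (the one linked on the user object) decides membership. Users of other
# sources, even with the same login, get nothing from this source.
def usergroups_own_source(login, auth_source)
  EXTERNAL_GROUPS.select do |eg|
    eg[:auth_source] == auth_source &&
      AUTH_SOURCES.dig(auth_source, login)&.include?(eg[:ldap_group])
  end.map { |eg| eg[:usergroup] }
end

if __FILE__ == $PROGRAM_NAME
  # John from company A logs in through ldap_A.
  puts "any source:  #{usergroups_any_source('jconnor').inspect}"
  puts "own source:  #{usergroups_own_source('jconnor', 'ldap_A').inspect}"
end
```

With the current lookup, John A is granted "Finance Editors" because company B's directory also has a jconnor; with the scoped lookup he only receives the groups his own auth source vouches for, and the second jconnor authenticating through ldap_B still gets exactly his own.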