I'm running GL 4.3 open, with enterprise plugins and a trial license. I wanted to be able to use LDAP groups in this proof of concept build. I'm not sure if this is a bug, but struck out on the community support boards.
Expected Behavior
When my user logs in to GL using LDAP credentials, the roles assigned to the teams the user is a member of should apply to the user.
Current Behavior
I have user sync working correctly and am able to log in with the correct credentials. However, that user gets the default role applied despite being a member of groups with other roles applied to the group(s).
I’m connecting to an OpenLDAP backend.
Steps to Reproduce (for bugs)
Config as seen from the LDAP service overview page:
User Synchronization
Search Base DN: ou=People,dc=example,dc=net
Search Pattern: (&(uid={0})(objectClass=inetOrgPerson)) ## (have also tested just (uid={0}) which works for login but no change for issue)
Name Attribute: uid
Full Name Attribute: displayName
ID Attribute: uidNumber
Default Roles: Reader
Group Synchronization
Group Search Base DN: ou=Group,dc=example,dc=net
Group Search Pattern: (&(objectClass=posixGroup)(cn=somegroups*))
Team Name Attribute: cn
Team Id Attribute: gidNumber
Team Default Roles: -
Selection Type: Include selected groups
Selected Groups: 4 group(s)
The four groups in the edit screen, when I click on “reload matching groups”, show usernames under the members column, but when I save the service and trigger synchronization, it never shows any users for synchronized teams, and when I log in with a user in one of the groups, the user is allowed in but only receives the default role regardless of group membership.
Other thoughts
I assume the issue is around the search pattern; I just can’t find the right combination. Or possibly the issue is that the user in LDAP doesn’t list anything like memberOf; users are listed as memberUid of the groups.
I’ve tried several different Group Search Patterns:
(objectClass=posixGroup)
(&(objectClass=posixGroup)(cn=somegroup*))
(&(objectClass=posixGroup)(cn=somegroup*)(memberUid={0}))
Thanks for the detailed report @brantleyp1. I can reproduce this with a local test setup.
It's an issue with the handling of posixGroup objects. On the config screen, group members are detected correctly based on the memberUid attribute.
However, during the provisioning of users (when they are logging in), group matching is only working for attributes that contain a dn, not a uid. So for a posixGroup, membership is not correctly detected.
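The membership mismatch described in the comment above, as an added example that is not Graylog's code or part of this issue: a small matcher run over constructed directory entries, with a `match_uid` switch that reproduces the DN-only behaviour beside the corrected handling of `memberUid`. All entry, group and role names are assumed for illustration.

```python
# Added example (not Graylog code): how group membership resolves at login.
# Every entry, group name and role name below is constructed for illustration.
DN_MEMBER_ATTRS = ("member", "uniqueMember")  # values are DNs (groupOfNames etc.)
UID_MEMBER_ATTR = "memberUid"                 # values are uids (posixGroup)
DEFAULT_ROLES = {"Reader"}
TEAM_ROLES = {"somegroup-admins": {"Admin"}, "somegroup-dn": {"Dashboard Creator"}}

DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=net": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"], "uidNumber": ["10001"]},
    # posixGroup: members are listed by uid, exactly as in the report
    "cn=somegroup-admins,ou=Group,dc=example,dc=net": {
        "objectClass": ["posixGroup"], "cn": ["somegroup-admins"],
        "gidNumber": ["5001"], "memberUid": ["alice", "bob"]},
    # groupOfNames: members are listed by DN, the case the matcher handled
    "cn=somegroup-dn,ou=Group,dc=example,dc=net": {
        "objectClass": ["groupOfNames"], "cn": ["somegroup-dn"],
        "member": ["uid=alice,ou=People,dc=example,dc=net"]},
}

def _norm(value):
    # Simplification: compare DNs and uids case-insensitively with whitespace
    # around commas removed; production code should parse DNs per RFC 4514.
    return ",".join(part.strip() for part in value.lower().split(","))

def group_names(user_dn, name_attr="uid", match_uid=True):
    """Return the cn of every group the user belongs to.

    match_uid=False reproduces the reported bug: only DN-valued membership
    attributes are compared against the user's DN, so a posixGroup that lists
    the user in memberUid is never matched.
    """
    user = DIRECTORY[user_dn]
    dn, uid = _norm(user_dn), _norm(user[name_attr][0])
    names = set()
    for entry in DIRECTORY.values():
        by_dn = {_norm(v) for a in DN_MEMBER_ATTRS for v in entry.get(a, [])}
        by_uid = {_norm(v) for v in entry.get(UID_MEMBER_ATTR, [])}
        if dn in by_dn or (match_uid and uid in by_uid):
            names.add(entry["cn"][0])
    return names

def effective_roles(user_dn, match_uid=True):
    """Default roles plus the roles of every matched team."""
    roles = set(DEFAULT_ROLES)
    for name in group_names(user_dn, match_uid=match_uid):
        roles |= TEAM_ROLES.get(name, set())
    return roles
```

With a directory that, like the reporter's, contains only posixGroup entries, `match_uid=False` leaves the user with nothing but the default Reader role, which is exactly the symptom in the report.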