
LDAP groups/teams are syncing, but memberUid/users are not #13811

Closed
brantleyp1 opened this issue Oct 27, 2022 · 3 comments

brantleyp1 commented Oct 27, 2022

I'm running GL 4.3 open, with enterprise plugins and a trial license. I wanted to be able to use LDAP groups in this proof of concept build. I'm not sure if this is a bug, but struck out on the community support boards.

Expected Behavior

When my user logs in to GL using LDAP credentials, the roles assigned to the teams the user is a member of should apply to the user.

Current Behavior

I have user sync working correctly and am able to log in with the correct credentials. However, that user gets the default role applied despite being a member of groups with other roles applied to the group(s).

I’m connecting to an OpenLDAP backend.

Steps to Reproduce (for bugs)

Config as seen from the LDAP service overview page:

User Synchronization
Search Base DN: ou=People,dc=example,dc=net
Search Pattern: (&(uid={0})(objectClass=inetOrgPerson)) ## (have also tested just (uid={0}) which works for login but no change for issue)
Name Attribute: uid
Full Name Attribute: displayName
ID Attribute: uidNumber
Default Roles: Reader

Group Synchronization
Group Search Base DN: ou=Group,dc=example,dc=net
Group Search Pattern: (&(objectClass=posixGroup)(cn=somegroups*))
Team Name Attribute: cn
Team Id Attribute: gidNumber
Team Default Roles: -
Selection Type: Include selected groups
Selected Groups: 4 group(s)

The four groups in the edit screen, when I click on “reload matching groups”, show usernames under the members column, but when I save the service and trigger synchronization, it never shows any users for synchronized teams, and when I log in with a user in one of the groups, the user is allowed in but only receives the default role regardless of group membership.

Other thoughts

I assume the issue is around the search pattern; I just can’t find the right combination. Or possibly the issue is that the user in LDAP doesn’t list anything like memberOf; users are listed as memberUid of the groups.

I’ve tried several different Group Search Patterns:
(objectClass=posixGroup)
(&(objectClass=posixGroup)(cn=somegroup*))
(&(objectClass=posixGroup)(cn=somegroup*)(memberUid={0}))

Example LDAP output

An example group output:

# somegroupname, Group, example.net
dn: cn=somegroupname,ou=Group,dc=example,dc=net
objectClass: posixGroup
cn: somegroupname
gidNumber: [...]
description: [...]
memberUid: bpadgett
[...]

# bpadgett, People, example.net
dn: uid=bpadgett,ou=People,dc=example,dc=net
sambaDomainName: [...]
sambaAcctFlags: [...]
displayName: Brantley Padgett
sambaSID: [...]
homeDirectory: /home/bpadgett
loginShell: /bin/bash
gidNumber: [...]
uid: bpadgett
cn: Brantley Padgett
uidNumber: [...]
title: [...]
mail: [...]
sn: Padgett
givenName: Brantley
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: extensibleObject
info: [...]
sambaNTPassword: [...]
sambaPwdLastSet: [...]
shadowLastChange: [...]
userPassword:: [...]

Your Environment

  • Graylog Version: graylog-server/stable,now 4.3.8-1
  • Java Version: openjdk-11-jre-headless/focal-updates,focal-security,now 11.0.16+8-0ubuntu1~20.04
  • Elasticsearch Version: elasticsearch-oss/stable,now 7.10.
  • MongoDB Version: mongodb-server/focal-updates,focal-security,now 1:3.6.9+really3.6.8+90
  • Operating System: Ubuntu 20.04.5 freshly installed
  • Browser version: Version 1.42.97 Chromium: 104.0.5112.102 (https://brave.com/latest/)
  • OpenLDAP: slapd/now 2.4.49+dfsg-2ubuntu1.8
  • Schema: rfc2307.schema
@brantleyp1 brantleyp1 added the bug label Oct 27, 2022
@bernd bernd added triaged blocker If not finished by release date, the release will be postponed. to-verify labels Nov 2, 2022
@thll thll self-assigned this Nov 3, 2022
Contributor

thll commented Nov 4, 2022

Thanks for the detailed report @brantleyp1. I can reproduce this with a local test setup.

It's an issue with the handling of posixGroup objects. On the config screen, group members are detected correctly based on the memberUid attribute.
However, during the provisioning of users (when they are logging in), group matching is only working for attributes that contain a dn, not a uid. So for a posixGroup, membership is not correctly detected.

This is a bug and we are looking into a fix.
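To make the distinction concrete, here is an added Python sketch (not Graylog's own code) that models the two matching strategies over entries shaped like the LDIF in the report: `teams_dn_only` compares only DN-valued member attributes, as described above, while `teams_dn_or_uid` also compares the user's uid against `memberUid`. The groups `dngroup` and `othergroup`, and the uid `jdoe`, are constructed for the example.

```python
from typing import Dict, List, Set

# Constructed sample directory modelled on the LDIF in the report (values shortened).
# Each entry is keyed by its DN and maps attribute name -> list of values.
USER_DN = "uid=bpadgett,ou=People,dc=example,dc=net"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {"objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["bpadgett"]},
    # RFC 2307 posixGroup: members are listed by uid, exactly as in the report
    "cn=somegroupname,ou=Group,dc=example,dc=net": {
        "objectClass": ["posixGroup"], "cn": ["somegroupname"], "memberUid": ["bpadgett", "jdoe"]},
    # groupOfNames: members are listed by DN (constructed group, not in the report)
    "cn=dngroup,ou=Group,dc=example,dc=net": {
        "objectClass": ["groupOfNames"], "cn": ["dngroup"],
        "member": ["UID=bpadgett, OU=People, DC=example, DC=net"]},
    # posixGroup the user is NOT a member of (constructed)
    "cn=othergroup,ou=Group,dc=example,dc=net": {
        "objectClass": ["posixGroup"], "cn": ["othergroup"], "memberUid": ["jdoe"]},
}

DN_MEMBER_ATTRS = ("member", "uniqueMember")   # values are DNs
UID_MEMBER_ATTRS = ("memberUid",)               # values are plain uids

def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lower-case and strip blanks around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def teams_dn_only(user_dn: str, directory: Dict[str, Dict[str, List[str]]]) -> Set[str]:
    """Matching as described in the issue: only DN-valued member attributes are
    compared, so a posixGroup that lists the user under memberUid never matches."""
    wanted, teams = norm_dn(user_dn), set()
    for entry in directory.values():
        for attr in DN_MEMBER_ATTRS:
            if any(norm_dn(v) == wanted for v in entry.get(attr, [])):
                teams.update(entry.get("cn", []))
    return teams

def teams_dn_or_uid(user_dn: str, directory: Dict[str, Dict[str, List[str]]]) -> Set[str]:
    """Corrected matching: additionally compare the user's uid values (case-insensitively)
    against memberUid, so RFC 2307 groups are honoured at login as well."""
    uids = {u.lower() for u in directory[user_dn].get("uid", [])}
    teams = teams_dn_only(user_dn, directory)
    for entry in directory.values():
        for attr in UID_MEMBER_ATTRS:
            if any(v.lower() in uids for v in entry.get(attr, [])):
                teams.update(entry.get("cn", []))
    return teams

if __name__ == "__main__":
    print("dn-only:", sorted(teams_dn_only(USER_DN, DIRECTORY)))     # ['dngroup']
    print("dn+uid :", sorted(teams_dn_or_uid(USER_DN, DIRECTORY)))   # ['dngroup', 'somegroupname']
```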

@thll thll removed to-verify blocker If not finished by release date, the release will be postponed. labels Nov 4, 2022
@thll thll closed this as completed Nov 10, 2022
Author

Was the fix merged? I just updated to 4.3.9-1 but when I went to test it turns out my trial expired 20 hours ago. Sigh.

Contributor

thll commented Nov 10, 2022

The fix will be part of 5.0.0-beta.4 which we plan on releasing today.

We aim to backport this for the next stable release, but this hasn't been done yet.
