Allow forcing "group object class" / "memberAttribute" for LDAP auth #1433

Open
RustyDust opened this Issue Sep 20, 2015 · 4 comments

RustyDust commented Sep 20, 2015

I'm trying to run the LDAP authentication against a Univention Corporate Server. While this basically works, I'm unable to successfully use the LDAP group to role mapping. Looking at the logs I see a couple of lines saying:

2015-09-20T12:55:13.523+02:00 WARN [LdapConnector] Unable to auto-detect the LDAP group object class, assuming 'member' is the correct attribute.

The reason for this is that UCS doesn't use the objectClass "groupOfUniqueNames" as expected by the LDAP connector (/org/graylog2/security/ldap/LdapConnector.java:236) and while the LDAP entry actually has the uniqueMember attribute Graylog makes the wrong choice here. Here's what I get when querying the LDAP directory for a group (shortened for brevity):

uniqueMember: cn=user-01,cn=users,dc=example,dc=muc
uniqueMember: cn=user-02,cn=users,dc= example,dc=com
uniqueMember: cn=user-03,cn=users,dc= example,dc=com
uniqueMember: cn=user-04,cn=users,dc= example,dc=com
uniqueMember: cn=team-01,cn=groups,dc= example,dc=com
uniqueMember: cn=team-02,cn=groups,dc= example,dc=com
uniqueMember: cn=team-02,cn=groups,dc= example,dc=com
(...)
objectClass: top
objectClass: posixGroup
objectClass: univentionGroup
objectClass: sambaGroupMapping
objectClass: univentionObject

Now if I could tell Graylog what objectClass filter to use (univentionGroup) or what the memberAttribute is (uniqueMember) the problem would be easily solved I guess. An alternative would be to add another check for "univentionGroup" to the LdapConnector.java. But I think in the long run a user definable option would make more sense than possibly adding tons of different and maybe conflicting tests there.


andham commented Sep 21, 2015

Having memberAttribute configurable would also solve #1436.

@bernd bernd added the ldap label Oct 14, 2015


tr31z commented Oct 15, 2015

I'm running into the same issue as my ldap groups are configured like this:

dn: cn=Domain Users,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
(....)
memberUid: user1
memberUid: user2
...

So it would be nice if there was a way to specify the memberUid attribute :)

bernd added a commit that referenced this issue Oct 19, 2015

Improve auto detection of the LDAP member attribute
Check the entry object for "uniqueMember" and "member" attributes if we
cannot determine the correct member attribute from the object class.

The member attribute should be configurable eventually. Until that can
be done, this fix should improve the situation.

Refs #1433

bernd added a commit that referenced this issue Oct 19, 2015

Add support for posixGroup groups with memberUid attributes
The memberUid attribute of a posixGroup does not contain the DN of the
LDAP object but the UID. Check against the ldap entry UID if the DN
match didn't work.

Refs #1433
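The two commit messages above describe the detection order that the posts by RustyDust (univentionGroup with uniqueMember) and tr31z (posixGroup with memberUid holding uids, not DNs) needed: derive the member attribute from the object class where possible, otherwise inspect the entry's own attributes, and fall back to a uid comparison when the DN comparison fails. The following is an added illustration of that heuristic written for this page; it is not Graylog's LdapConnector code, and the group entries, DNs and uids are constructed samples shaped like the ones quoted in the issue.

```python
# Added example: a minimal re-implementation of the member-attribute
# auto-detection described in the commit messages above. It is NOT the
# code in Graylog's LdapConnector; the entries below are constructed
# samples modelled on the LDAP output posted in this issue.

# Group object classes whose member attribute is known from the schema.
MEMBER_ATTR_BY_OBJECT_CLASS = {
    "groupofuniquenames": "uniqueMember",
    "groupofnames": "member",
    "posixgroup": "memberUid",
}

# When the object class tells us nothing (e.g. univentionGroup), inspect the
# entry's own attributes in this order instead of blindly assuming 'member'.
FALLBACK_MEMBER_ATTRS = ("uniqueMember", "member", "memberUid")


def detect_member_attribute(group):
    """Return the name of the attribute that lists this group's members, or None."""
    classes = {c.lower() for c in group.get("objectClass", [])}
    # Schema-based detection first; only accept an attribute the entry actually has.
    for object_class, attr in MEMBER_ATTR_BY_OBJECT_CLASS.items():
        if object_class in classes and attr in group:
            return attr
    # Fallback: look at the entry itself (covers schemas like univentionGroup).
    for attr in FALLBACK_MEMBER_ATTRS:
        if attr in group:
            return attr
    return None


def normalize_dn(dn):
    """Case-fold a DN and strip stray whitespace around each RDN type and value."""
    parts = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        parts.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def is_member(group, user_dn, user_uid):
    """Membership check: compare DNs first, then fall back to the user's uid.

    The uid fallback is what makes posixGroup work, because its memberUid
    values are plain uids rather than DNs.
    """
    attr = detect_member_attribute(group)
    if attr is None:
        return False
    values = group.get(attr, [])
    wanted_dn = normalize_dn(user_dn)
    if any(normalize_dn(v) == wanted_dn for v in values):
        return True
    return user_uid in values


# Constructed sample entries (attribute values as lists, as an LDAP client returns them).
UCS_GROUP = {
    "objectClass": ["top", "posixGroup", "univentionGroup",
                    "sambaGroupMapping", "univentionObject"],
    "uniqueMember": ["cn=user-01,cn=users,dc=example,dc=com",
                     "cn=user-02,cn=users,dc= example,dc=com"],
}
POSIX_GROUP = {
    "objectClass": ["top", "posixGroup", "sambaGroupMapping"],
    "gidNumber": ["513"],
    "cn": ["Domain Users"],
    "memberUid": ["user1", "user2"],
}
UNKNOWN_GROUP = {"objectClass": ["top", "customGroup"]}


if __name__ == "__main__":
    for name, group in (("UCS", UCS_GROUP), ("posix", POSIX_GROUP), ("unknown", UNKNOWN_GROUP)):
        print(f"{name}: member attribute = {detect_member_attribute(group)}")
    print(is_member(UCS_GROUP, "CN=User-02,CN=Users,DC=example,DC=com", "user-02"))
    print(is_member(POSIX_GROUP, "uid=user1,ou=people,dc=example,dc=com", "user1"))
```

The `attr in group` guard in the schema-based step matters for the UCS case: the group carries `posixGroup` in its object classes but no `memberUid`, so without the guard the detector would pick an attribute that is absent and every membership check would fail silently, which is the symptom the original report describes.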

@bernd bernd added the feature label Oct 20, 2015

@bernd bernd added this to the 2.x milestone Oct 20, 2015


bernd commented Oct 20, 2015

Thank you for the reports! We improved the detection of the member attribute in #1494 which should help with the reported cases.

These changes will be in the upcoming 1.2.2 release.

I will leave this ticket open and mark it as feature request for the next major release. The member attribute should be configurable, we just cannot do that for the stable release right now.

I hope this works for you. 😃

joschi added a commit that referenced this issue Oct 21, 2015

Merge pull request #1494 from Graylog2/issue-1433
Improve compatibility with different LDAP schemas
(cherry picked from commit c9f2ebf, refs #1433)


tr31z commented Oct 22, 2015

Many thanks to you for fixing that!

@jalogisch jalogisch added the triaged label Jan 12, 2017

@bernd bernd modified the milestone: 2.x Jun 23, 2017
