Skip to content

/ graylog2-server

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow forcing "group object class" / "memberAttribute" for LDAP auth #1433

Closed
RustyDust opened this issue Sep 20, 2015 · 5 comments
Closed

Allow forcing "group object class" / "memberAttribute" for LDAP auth #1433

RustyDust opened this issue Sep 20, 2015 · 5 comments
Labels
feature ldap triaged

Comments

@RustyDust
Copy link

@RustyDust RustyDust commented Sep 20, 2015

I'm trying to run the LDAP authentication against a Univention Corporate Server. While this basically works I'm unable to successfully use the LDAP group to role mapping. Looking at the logs I see a couple lines saying:

2015-09-20T12:55:13.523+02:00 WARN [LdapConnector] Unable to auto-detect the LDAP group object class, assuming 'member' is the correct attribute.

The reason for this is that UCS doesn't use the objectClass "groupOfUniqueNames" as expected by the LDAP connector (/org/graylog2/security/ldap/LdapConnector.java:236) and while the LDAP entry actually has the uniqueMember attribute Graylog makes the wrong choice here. Here's what I get when querying the LDAP directory for a group (shortened for brevity):

uniqueMember: cn=user-01,cn=users,dc=example,dc=muc
uniqueMember: cn=user-02,cn=users,dc= example,dc=com
uniqueMember: cn=user-03,cn=users,dc= example,dc=com
uniqueMember: cn=user-04,cn=users,dc= example,dc=com
uniqueMember: cn=team-01,cn=groups,dc= example,dc=com
uniqueMember: cn=team-02,cn=groups,dc= example,dc=com
uniqueMember: cn=team-02,cn=groups,dc= example,dc=com
(...)
objectClass: top
objectClass: posixGroup
objectClass: univentionGroup
objectClass: sambaGroupMapping
objectClass: univentionObject

Now if I could tell Graylog what objectClass filter to use (univentionGroup) or what the memberAttribute is (uniqueMember) the problem would be easily solved I guess. An alternative would be to add another check for "univentionGroup" to the LdapConnector.java. But I think in the long run a user definable option would make more sense than possibly adding tons of different and maybe conflicting tests there.
@andham
Copy link

@andham andham commented Sep 21, 2015

Having memberAttribute configurable would also solve #1436.
@bernd bernd added the ldap label Oct 14, 2015
@tr31z
Copy link

@tr31z tr31z commented Oct 15, 2015

I'm running into the same issue as my ldap groups are configured like this :

dn: cn=Domain Users,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
(....)
memberUid: user1
memberUid: user2
...

So it would be nice if there was a way to specify the memberUid attribute :)
bernd added a commit that referenced this issue Oct 19, 2015
@bernd
Improve auto detection of the LDAP member attribute
Loading status checks…
a9a0206 
Check the entry object for "uniqueMember" and "member" attributes if we
cannot determine the correct member attribute from the object class.

The member attribute should be configurable eventually. Until that can
be done, this fix should improve the situation.

Refs #1433
bernd added a commit that referenced this issue Oct 19, 2015
@bernd
Add support for posixGroup groups with memberUid attributes
Loading status checks…
6c2ae58 
The memberUid attribute of a posixGroup does not contain the DN of the
LDAP object but the UID. Check against the ldap entry UID if the DN
match didn't work.

Refs #1433
@bernd bernd mentioned this issue Oct 19, 2015
Merged
@bernd bernd added the feature label Oct 20, 2015
@bernd bernd added this to the 2.x milestone Oct 20, 2015
@bernd
Copy link
Member

@bernd bernd commented Oct 20, 2015

Thank you for the reports! We improved the detection of the member attribute in #1494 which should help with the reported cases.

These changes will be in the upcoming 1.2.2 release.

I will leave this ticket open and mark it as feature request for the next major release. The member attribute should be configurable, we just cannot do that for the stable release right now.

I hope this works for you. 😃
joschi added a commit that referenced this issue Oct 21, 2015
@joschi Jochen Schalanda
Merge pull request #1494 from Graylog2/issue-1433
Loading status checks…
fe86411 
Improve compatibility with different LDAP schemas
(cherry picked from commit c9f2ebf, refs #1433)
joschi added a commit that referenced this issue Oct 21, 2015
@joschi Jochen Schalanda
Merge pull request #1494 from Graylog2/issue-1433
Loading status checks…
e6ee5b3 
Improve compatibility with different LDAP schemas
(cherry picked from commit c9f2ebf, refs #1433)
@tr31z
Copy link

@tr31z tr31z commented Oct 22, 2015

Many thanks to you for fixing that !
@jalogisch jalogisch added the triaged label Jan 12, 2017
@bernd bernd modified the milestone: 2.x Jun 23, 2017
@bernd
Copy link
Member

@bernd bernd commented Oct 7, 2020

This has been fixed a long time ago. 😄
@bernd bernd closed this Oct 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature ldap triaged
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
@bernd @andham @jalogisch @RustyDust @tr31z