LDAP group members not found #3650

Closed
ferbar opened this issue Dec 12, 2018 · 1 comment

Comments

@ferbar
commented Dec 12, 2018

Under Configuration -> Authentication -> User groups, the groups are listed, but no members are found. It seems that an uppercase objectClass is not handled properly.

groups.ini:

[icingaweb2]
resource = "icingaweb_ldap"
user_backend = "icingaweb2"
user_filter = ""
group_class = "GROUP"
group_filter = ""
base_dn = "DC=dev,DC=example,DC=com"
backend = "msldap"

Expected Behavior

Users are found when clicking on user groups. Admin roles work.

Current Behavior

No users are found. Admin roles don't work.

Possible Solution

2018-12-12T15:48:19+01:00 - DEBUG - Issueing LDAP search. Use 'ldapsearch -P 3 -H "ldaps://ldap.dev.example.com:636" -D "cn=icinga service account,dc=dev,dc=example,dc=com" -W -b "DC=dev,DC=example,DC=com" -s "sub" -z 0 -l 0 -a "never" "(objectClass=group)" "sAMAccountName"' to reproduce.

Even if I write
group_class = GROUP
in upper case in groups.ini, the sample ldapsearch has a filter for objectClass=group in lowercase. Since LDAP isn't case sensitive in general, this ldapsearch works and returns all the results. However, in

if ($query->getFilter()->matches($row)) {

there is a case sensitive check.
The dumped filter:

2018-12-12T15:48:18+01:00 - DEBUG - fetchRow foreach rows filter: object(Icinga\Data\Filter\FilterAnd)#143 (5) {
  ["operatorName":protected]=>
  string(3) "AND"
  ["operatorSymbol":protected]=>
  string(1) "&"
  ["filters":protected]=>
  array(2) {
    [0]=>
    object(Icinga\Data\Filter\FilterMatch)#144 (5) {
      ["column":protected]=>
      string(11) "objectClass"
      ["sign":protected]=>
      string(1) "="
      ["expression":protected]=>
      string(5) "group"
      ["caseSensitive":protected]=>
      bool(true)
      ["id":protected]=>
      string(3) "1-1"
    }
    [1]=>
    object(Icinga\Data\Filter\FilterMatch)#145 (5) {
      ["column":protected]=>
      string(6) "member"
      ["sign":protected]=>
      string(1) "="
      ["expression":protected]=>
      string(1) "*"
      ["caseSensitive":protected]=>
      bool(true)
      ["id":protected]=>
      string(3) "1-2"
    }
  }
  ["allowedColumns":protected]=>
  NULL
  ["id":protected]=>
  string(1) "1"
}

a dumped $row:

2018-12-12T15:48:18+01:00 - DEBUG - fetchRow foreach rows no match stdClass Object
(
    [objectClass] => Array
        (
            [0] => top
            [1] => GROUP
        )

    [member] => cn=some one,ou=Users,ou=Accounts,dc=dev,dc=example,dc=com
)

is_array won't find 'group' in ['top', 'GROUP'] ...

Steps to Reproduce (for bugs)

Maybe you would need an LDAP server that returns objectClasses in the wrong case...

Context

Somewhere GROUP is converted to lowercase. I couldn't find out where, or whether there is a way to prevent this.

Your Environment

  • Icinga Web 2 version and modules (System - About):
    2.6.2-1
  • Version used (icinga2 --version):
    r2.10.2-1
  • Operating System and version:
    Centos 7.5.1804
  • Enabled features (icinga2 feature list):
    Enabled features: api checker command ido-mysql livestatus mainlog notification
  • Config validation (icinga2 daemon -C):
    done/no icinga2 issue
  • LDAP server:
    slapd proxy for active directory
@ferbar

commented Dec 12, 2018

same in #3075:
"groupofnames" in the ldapsearch result, objectClass=groupOfNames in the suggested query

@nilmerg nilmerg self-assigned this Apr 9, 2019

@nilmerg nilmerg changed the title LdapUserGroupBackend: ldap groups don't work / objectClass case sensitive? LDAP group members not found Apr 23, 2019

nilmerg added a commit that referenced this issue Apr 23, 2019

LdapQuery: Make all applied filters case-insensitive
LDAP performs case-insensitive checks by default so do we now.

fixes #3650

@nilmerg nilmerg added this to the 2.6.3 milestone Apr 23, 2019
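
The mismatch reported in this issue, as an added example that is not Icinga Web 2's code: a client-side re-check of a fetched LDAP row against an AND filter, showing why the dumped row fails a case-sensitive comparison of `objectClass` and passes a case-insensitive one. The function names and the row/filter shapes are hypothetical; the sample row is constructed from the dump in the report.

```php
<?php
// Added illustration, not Icinga Web 2 code. Names and data shapes are hypothetical.
// Assumption: strcasecmp() folds ASCII only, which suits objectClass names.

// Check one "attribute = expression" condition against a fetched LDAP row.
function matchesCondition(array $row, string $attr, string $expr, bool $caseSensitive): bool
{
    $values = null;
    foreach ($row as $name => $value) {
        // Attribute names are case-insensitive in LDAP.
        if (strcasecmp($name, $attr) === 0) {
            $values = (array) $value; // a single value becomes a one-element list
            break;
        }
    }
    if ($values === null) {
        return false; // attribute absent: neither presence nor equality matches
    }
    if ($expr === '*') {
        return count($values) > 0; // presence filter such as (member=*)
    }
    foreach ($values as $candidate) {
        $equal = $caseSensitive ? $candidate === $expr : strcasecmp($candidate, $expr) === 0;
        if ($equal) {
            return true;
        }
    }
    return false;
}

// AND over all conditions, like the FilterAnd in the dump.
function matchesRow(array $row, array $conditions, bool $caseSensitive): bool
{
    foreach ($conditions as [$attr, $expr]) {
        if (! matchesCondition($row, $attr, $expr, $caseSensitive)) {
            return false;
        }
    }
    return true;
}

// Constructed sample: the row and filter from the debug output in the report.
$row = [
    'objectClass' => ['top', 'GROUP'],
    'member'      => 'cn=some one,ou=Users,ou=Accounts,dc=dev,dc=example,dc=com',
];
$filter = [['objectClass', 'group'], ['member', '*']];

var_dump(matchesRow($row, $filter, true));  // case-sensitive, as in the dumped filter
var_dump(matchesRow($row, $filter, false)); // case-insensitive, as the directory compares
```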
