
Group listing always returns empty string #25

Closed
aakarshg opened this issue Jun 11, 2021 · 4 comments

@aakarshg

aakarshg commented Jun 11, 2021

I have a FreeIPA LDAP server and authentication happens fine; however, listing groups for some reason always returns empty...

This is how I have configured the relevant parts of the deployment:

- name: LDAP_MANAGER_DN_USERNAME
  value: "uid=searchldap,cn=sysaccounts,cn=etc,dc=blah,dc=net"
- name: LDAP_BIND_DN
  value: "uid={username},cn=users,cn=accounts,dc=blah,dc=net"
- name: LDAP_SEARCH_BASE
  value: "cn=users,dc=blah,dc=net"
- name: LDAP_SEARCH_FILTER
  value: "(uid={username})"

Now this is what my user looks like:

dn: uid=stew,cn=users,cn=accounts,dc=blah,dc=net
memberOf: cn=grafana-viewers,cn=groups,cn=accounts,dc=blah,dc=net

Here's my ingress annotations:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: http://another-ldap-auth.ingress-nginx.svc.cluster.local:9000
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header Ldap-Allowed-Groups "grafana-viewers";
      proxy_set_header Ldap-Allowed-Groups-Conditional "and";

Here's the logs:

{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Cache", "ip": "10.226.64.3", "referrer": null, "message": "User not found in the cache for authentication.", "username": "aakarsh"}
{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Aldap", "ip": "10.226.64.3", "referrer": null, "message": "Authenticating user.", "username": "aakarsh", "finalUsername": "uid=aakarsh,cn=users,cn=accounts,dc=blah,dc=net"}
{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Aldap", "ip": "10.226.64.3", "referrer": null, "message": "Authentication successful.", "username": "aakarsh", "elapsedTime": "0.06220197677612305"}
{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Cache", "ip": "10.226.64.3", "referrer": null, "message": "Adding user to the cache.", "username": "aakarsh"}
{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Cache", "ip": "10.226.64.3", "referrer": null, "message": "Validating groups via cache.", "username": "aakarsh", "cacheGroups": ""}
{"date": "2021-06-11 19:29:44", "level": "WARNING", "objectName": "Cache", "ip": "10.226.64.3", "referrer": null, "message": "Invalid groups from cache.", "username": "aakarsh", "conditional": "and"}
{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Aldap", "ip": "10.226.64.3", "referrer": null, "message": "Search by filter.", "filter": "(uid=aakarsh)", "elapsedTime": "0.002645730972290039"}
{"date": "2021-06-11 19:29:44", "level": "INFO", "objectName": "Aldap", "ip": "10.226.64.3", "referrer": null, "message": "Validating groups.", "username": "aakarsh", "groups": "grafana-viewers", "conditional": "and"}
{"date": "2021-06-11 19:29:44", "level": "ERROR", "objectName": "Aldap", "ip": "10.226.64.3", "referrer": null, "message": "Invalid groups for the user.", "username": "aakarsh", "matchedGroups": "", "groups": "grafana-viewers", "conditional": "and"}

What is interesting is that if I try to use the nginx-ldap-auth image instead, with the following config, it works fine:

auth:
  bindDN: uid=searchldap,cn=sysaccounts,cn=etc,dc=blah,dc=net
  bindPW: blahpw
user:
  baseDN: cn=accounts,dc=blah,dc=net
  filter: "(uid={0})"
  requiredGroups:
  - grafana-viewers
group:
  baseDN: cn=accounts,dc=blah,dc=net
  groupAttr: cn
  filter: "(member={0})"

Can anyone please help me figure out the LDAP_SEARCH_BASE and LDAP_SEARCH_FILTER vars that I need to be using instead?

I've tried a multitude of variations for LDAP_SEARCH_BASE and LDAP_SEARCH_FILTER but never succeeded.

@dignajar
Owner

Is the memberOf in lowercase? cn=grafana-viewers,cn=groups,cn=accounts,dc=blah,dc=net ?

Because I'm checking, and the regex to get the groups is 'CN=((\w*\s?_?-?)*)'.

@dignajar
Owner

Probably I need to make the regex case-insensitive here: https://github.com/dignajar/another-ldap-auth/blob/master/files/aldap.py#L74

adGroup = re.match(r'CN=((\w*\s?_?-?)*)', adGroup, re.IGNORECASE).group(1)
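As an added illustration (not the project's own code), this shows why the case-sensitive regex quoted in the thread yields an empty group list against FreeIPA's lowercase `cn=` memberOf values, and how the `and`/`or` conditional seen failing in the logs evaluates once the match is case-insensitive. The memberOf DNs are constructed from the DN shown in the issue; `validate_groups` is a hypothetical helper, not aldap.py's function.

```python
import re

# Constructed sample: memberOf values as FreeIPA returns them for the user in
# the issue, with the lowercase attribute type shown in the report.
MEMBER_OF = [
    "cn=grafana-viewers,cn=groups,cn=accounts,dc=blah,dc=net",
    "cn=ipausers,cn=groups,cn=accounts,dc=blah,dc=net",
]

# The regex quoted in the thread, as a raw string.
GROUP_RE = r'CN=((\w*\s?_?-?)*)'


def group_names(member_of, ignore_case):
    """Extract the group name (first RDN value) from each memberOf DN.

    DNs the regex does not match contribute nothing, which is exactly how
    an empty group list (matchedGroups: "") arises against lowercase "cn=".
    """
    flags = re.IGNORECASE if ignore_case else 0
    names = []
    for dn in member_of:
        m = re.match(GROUP_RE, dn, flags)
        if m is not None:
            names.append(m.group(1))
    return names


def validate_groups(member_of, allowed, conditional, ignore_case=True):
    """Hypothetical mirror of the Ldap-Allowed-Groups(-Conditional) check.

    Returns (authorized, matched_groups). Group names are compared
    case-insensitively too, since LDAP cn values are case-insensitive.
    """
    have = {g.lower() for g in group_names(member_of, ignore_case)}
    want = [g.strip() for g in allowed.split(",") if g.strip()]
    matched = [g for g in want if g.lower() in have]
    if conditional == "and":
        ok = bool(want) and len(matched) == len(want)
    else:  # "or": any allowed group is enough
        ok = bool(matched)
    return ok, matched


if __name__ == "__main__":
    # Case-sensitive: nothing matches, so the user is denied despite membership.
    print(validate_groups(MEMBER_OF, "grafana-viewers", "and", ignore_case=False))
    # Case-insensitive: grafana-viewers is found and the "and" check passes.
    print(validate_groups(MEMBER_OF, "grafana-viewers", "and"))
```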

dignajar added a commit that referenced this issue Jun 14, 2021
@dignajar dignajar mentioned this issue Jun 14, 2021

@aakarshg
Author

Thanks @dignajar! I'll give it a shot later today and let you know how it goes.
