-
Notifications
You must be signed in to change notification settings - Fork 274
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
authentication sources: matching rules for admin and sponsored access #3631
Comments
My workaround is not perfect. If you put It means that when PF can authenticate a user on an authentication source, it will use only that authentication source to get:
for all access. In my opinion, this is not really a first win match algorithm and we should change that behavior. |
I not sure this is a bug but a limitation of authentication rule matching. |
Can be partially addressed by #4061 |
I can confirm that this bug is partially addressed by #4061. Now when you used "Associated sources" on a sponsor source, sources will be used to find sponsor on captive portal. It will be really nice if we can limit sponsor authentication to "Associated sources" to be consistent with what have been done on captive portal. |
I did several deployments recently and this bug is very annoying. You have to create different rules to deal with several use cases like:
If you have to handle case of CLI login, it's a nightmare. I changed priority of this issue in order to have this one fixed for v11. |
@nqb Make sure this is still relevant and if you still have a problem, please provide an example. |
This bug is still present on DescriptionIf a user has two roles:
which are provided through two different rules in one authentication source, only one rule can match when:
Steps to reproduce
=> PacketFence will use second rule of AD source to find sponsor: that's what we expect
=> You got: "does not have permission to sponsor a user". If you looks at logs, you match first rule of AD source => If you switch order of rules in AD source, sponsor permission will work but you will break web admin access because PacketFence will match first rule of AD source when user log on web admin. Configuration to replicate:
Let me know if you need some clarification. |
Found the origin of the issue: This needs to filter not only on the rule_class but also on the rule action it wants so that the appropriate rule is matched. I'll work on a fix and post back here when it's done |
Thanks @julsemaan. Just to make sure you have the big picture: this is also an issue on web admin if sponsor rule is the first in the AD source. In that specific case, user lost its admin access in favor of sponsor access which mean he is not able to authenticate on web admin. |
I've pushed a fix for each (sponsor login and admin login) and tested the appropriate additional actions are sent back (SET_ACCESS_DURATIONS for sponsor login and SET_TENANT_ID for admin login) so there should be no regressions at all @nqb, please retest and close |
Works as expected. Thanks a lot, it will really simplify rules. |
If you use administration rules in sources to give sponsored and/or admin access, you will notice following results:
Admin access
Sponsored access
Expected results
Depending on context (
admin
orportal
) andrule_class
, PF should try to use only relevant sources:Mark as sponsor
actions for sponsored accessAccess level
actions for admin accessSome work has been already done see #1858.
In these contexts, PF should try to use other sources if administration rule(s) for a maching source return no results.
I didn't test CLI access but I assume same behavior.
Workaround if you have Sponsored and Admin access on your setup
Notes:
rules.
Example with AD sources:
The text was updated successfully, but these errors were encountered: