LDAP user levels not working? #5090

Closed
jallakim opened this Issue Nov 29, 2016 · 10 comments

jallakim (Contributor) commented Nov 29, 2016

Hi,

Trying to get user levels via LDAP to work.

Current configuration:

$config['auth_mechanism'] = "ldap";
unset($config['auth_ldap_group']);
unset($config['auth_ldap_groups']);
$config['auth_ldap_version'] = 3;
$config['auth_ldap_starttls'] = 'require';
$config['auth_ldap_server'] = "ldap.foo.bar";
$config['auth_ldap_port']   = 389;
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",ou=people,dc=foo,dc=bar";
$config['auth_ldap_group']  = "cn=usergroup,ou=groups,dc=foo,dc=bar";
$config['auth_ldap_groupbase'] = "ou=groups,dc=foo,dc=bar";
$config['auth_ldap_groups']['usergroup']['level'] = 5;
$config['auth_ldap_groups']['admingroup']['level'] = 10;
$config['auth_ldap_groupmemberattr'] = "memberUid";

However, all users get the highest user level, even if I try the following:

(...)
$config['auth_ldap_group']  = "cn=usergroup,ou=groups,dc=foo,dc=bar";
$config['auth_ldap_groupbase'] = "ou=groups,dc=foo,dc=bar";
$config['auth_ldap_groups']['usergroup']['level'] = 1;
#$config['auth_ldap_groups']['admingroup']['level'] = 10;
$config['auth_ldap_groupmemberattr'] = "memberUid";

... I still have full admin access (can delete devices, add, etc). level = 1 should mean only access to whatever they have been given rights to? Trying level = 5 also gives full access (should only give global read?).

Not sure what causes this? The user I'm testing as is a member of both usergroup and admingroup.

jallakim (Contributor) commented Nov 29, 2016

Component | Version
--------- | -------
LibreNMS  | 3390be5107955e61d74f93a94eca8787911294ac
DB Schema | 151
PHP       | 7.0.13-1~dotdeb+8.1
MySQL     | 5.7.13-6
RRDTool   | 1.4.8
SNMP      | NET-SNMP 5.7.2.1

jallakim (Contributor) commented Nov 29, 2016

$entries in get_userlevel() has the entire content of both groups.

jallakim (Contributor) commented Nov 29, 2016

So, printing $config['auth_ldap_groups'][$groupname]['level'] for each $entry in the foreach loop in get_userlevel() reveals the following:

Userlevel: 
Userlevel: 10 
Userlevel: 5 
Final userlevel: 

Where the last line is the content of $userlevel['level'] after the foreach loop. Something is not set properly.

jallakim (Contributor) commented Nov 29, 2016

This boils down to two questions:

  1. What is the intended behavior if $userlevel is not set? It seems to default to "full admin", but that doesn't sound like something we'd want?

  2. $userlevel needs to be set properly.

jallakim (Contributor) commented Nov 29, 2016

Regarding 2): $userlevel is compared incorrectly, and the entire foreach logic is broken (the value of $userlevel is reset on each iteration).

    // Loop the list and find the highest level
    foreach ($entries as $entry) {
        $groupname = $entry['cn'][0];
        $userlevel = array();
        $userlevel['level'] = -1;
        if ($config['auth_ldap_groups'][$groupname]['level'] > $userlevel['level']) {
            echo("Old: {$userlevel['level']}, new: {$config['auth_ldap_groups'][$groupname]['level']}<br/>");
            $userlevel['level'] = $config['auth_ldap_groups'][$groupname]['level'];
        }
    }

We get:

Old: -1, new: 10
Old: -1, new: 5
Final userlevel: 5 

Fixing it like this:

    // Loop the list and find the highest level
    $userlevel = array();
    $userlevel['level'] = -1;

    foreach ($entries as $entry) {
        $groupname = $entry['cn'][0];
        if ($config['auth_ldap_groups'][$groupname]['level'] > $userlevel['level']) {
            echo("Old: {$userlevel['level']}, new: {$config['auth_ldap_groups'][$groupname]['level']}<br/>");
            $userlevel['level'] = $config['auth_ldap_groups'][$groupname]['level'];
        }
    }

We now get a proper value:

Old: -1, new: 10
Final userlevel: 10 

jallakim (Contributor) commented Nov 29, 2016

Before making a PR, I kinda need to know two things:

  1. Should the "falls back to giving full admin privileges if $userlevel is blank" be its own issue?
  2. Is the above fix correct regarding what the rest of the system expects regarding the value of $userlevel?

jallakim (Contributor) commented Nov 29, 2016

Okay, I think I can answer 2) myself. get_userlevel() is only used by authenticate.inc.php, and sets $_SESSION['userlevel']. It therefore expects an integer from get_userlevel().

I'll make a PR fixing that. Issue in 1) should be addressed, though.

jallakim referenced this issue Nov 30, 2016: Populate $userlevel from LDAP properly #5092 (merged)
laf (Member) commented Nov 30, 2016

I don't think we can change the behaviour of 1 otherwise people expecting it to work as it does will have a shock.

Best to have a config option which can be set to define the level if userlevel is blank and have it default to the admin level 10.
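The following is an added example (not LibreNMS code, not the code from #5092) that combines the two points in this thread: the highest-level accumulator is kept outside the loop as in jallakim's fix, and a user who matches no configured group gets a configurable fallback instead of a blank $userlevel, as laf suggests. The option name `auth_ldap_default_level` and the function name `ldap_userlevel` are hypothetical placeholders; the sample entries are constructed to mirror the thread.

```php
<?php
// Added example, not LibreNMS code. Computes the LDAP user level from the group
// entries returned for a user. 'auth_ldap_default_level' is a hypothetical
// option name standing in for the fallback knob discussed in the thread.
function ldap_userlevel(array $entries, array $config): int
{
    $groups  = $config['auth_ldap_groups'] ?? array();
    $default = (int) ($config['auth_ldap_default_level'] ?? 10); // hypothetical option
    $level   = -1; // accumulator lives outside the loop: -1 means nothing matched yet

    foreach ($entries as $entry) {
        $groupname = $entry['cn'][0] ?? null;
        // Only groups explicitly mapped in auth_ldap_groups contribute a level;
        // unmapped groups are skipped rather than compared against an undefined index.
        if ($groupname === null || !isset($groups[$groupname]['level'])) {
            continue;
        }
        $candidate = (int) $groups[$groupname]['level'];
        if ($candidate > $level) {
            $level = $candidate;
        }
    }

    // No mapped group matched: return the configured default instead of a blank
    // value that authenticate.inc.php would otherwise store in $_SESSION['userlevel'].
    return $level >= 0 ? $level : $default;
}

// Constructed sample input: the test user from the thread is in both groups,
// plus one LDAP group that has no level configured.
$config = array(
    'auth_ldap_groups' => array(
        'usergroup'  => array('level' => 5),
        'admingroup' => array('level' => 10),
    ),
);
$entries = array(
    array('cn' => array('othergroup')),
    array('cn' => array('admingroup')),
    array('cn' => array('usergroup')),
);

echo "Both groups: "   . ldap_userlevel($entries, $config) . "\n";
echo "Only usergroup: " . ldap_userlevel(array(array('cn' => array('usergroup'))), $config) . "\n";
echo "No mapped group: " . ldap_userlevel(array(array('cn' => array('othergroup'))), $config) . "\n";
```

Setting `auth_ldap_default_level` lower than 10 is how a deployment would opt out of the admin fallback without changing the behaviour existing installs rely on.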

VimCommando added a commit to VimCommando/librenms that referenced this issue Jan 4, 2017

laf (Member) commented Jan 28, 2017

PR merged in to fix this.

laf closed this Jan 28, 2017

lock bot commented May 18, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed.

lock bot locked as resolved and limited conversation to collaborators May 18, 2018