LDAP user levels not working? #5090

Closed
jallakim opened this Issue Nov 29, 2016 · 9 comments


@jallakim
Contributor
jallakim commented Nov 29, 2016 edited

Hi,

Trying to get user levels via LDAP to work.

Current configuration:

    $config['auth_mechanism'] = "ldap";
    unset($config['auth_ldap_group']);
    unset($config['auth_ldap_groups']);
    $config['auth_ldap_version'] = 3;
    $config['auth_ldap_starttls'] = 'require';
    $config['auth_ldap_server'] = "ldap.foo.bar";
    $config['auth_ldap_port']   = 389;
    $config['auth_ldap_prefix'] = "uid=";
    $config['auth_ldap_suffix'] = ",ou=people,dc=foo,dc=bar";
    $config['auth_ldap_group']  = "cn=usergroup,ou=groups,dc=foo,dc=bar";
    $config['auth_ldap_groupbase'] = "ou=groups,dc=foo,dc=bar";
    $config['auth_ldap_groups']['usergroup']['level'] = 5;
    $config['auth_ldap_groups']['admingroup']['level'] = 10;
    $config['auth_ldap_groupmemberattr'] = "memberUid";

However, all users get the highest user level, even if I try the following:

    (...)
    $config['auth_ldap_group']  = "cn=usergroup,ou=groups,dc=foo,dc=bar";
    $config['auth_ldap_groupbase'] = "ou=groups,dc=foo,dc=bar";
    $config['auth_ldap_groups']['usergroup']['level'] = 1;
    #$config['auth_ldap_groups']['admingroup']['level'] = 10;
    $config['auth_ldap_groupmemberattr'] = "memberUid";

... I still have full admin access (can delete devices, add, etc.). level = 1 should mean only access to whatever they have been given rights to? Trying level = 5 also gives full access (should only give global read?).

Not sure what causes this? The user I'm testing as is a member of both usergroup and admingroup.

@jallakim
Contributor
Component | Version
--------- | -------
LibreNMS  | 3390be5107955e61d74f93a94eca8787911294ac
DB Schema | 151
PHP       | 7.0.13-1~dotdeb+8.1
MySQL     | 5.7.13-6
RRDTool   | 1.4.8
SNMP      | NET-SNMP 5.7.2.1
@jallakim
Contributor

$entries in get_userlevel() has the entire content of both groups.

@jallakim
Contributor

So, printing $config['auth_ldap_groups'][$groupname]['level'] for each $entry in the foreach loop in get_userlevel() reveals the following:

Userlevel: 
Userlevel: 10 
Userlevel: 5 
Final userlevel: 

Where the last line is the content of $userlevel['level'] after the foreach loop. Something is not set properly.

@jallakim
Contributor

This boils down to two questions:

  1. What is the intended behavior if $userlevel is not set? It seems to default to "full admin", but that doesn't sound like something we'd want?

  2. $userlevel needs to be set properly.

@jallakim
Contributor
jallakim commented Nov 29, 2016 edited

Regarding 2): $userlevel is compared wrongly, and the entire foreach logic is broken (the value of $userlevel is reset on each run).

    // Loop the list and find the highest level
    foreach ($entries as $entry) {
        $groupname = $entry['cn'][0];
        $userlevel = array();
        $userlevel['level'] = -1;
        if ($config['auth_ldap_groups'][$groupname]['level'] > $userlevel['level']) {
            echo("Old: {$userlevel['level']}, new: {$config['auth_ldap_groups'][$groupname]['level']}<br/>");
            $userlevel['level'] = $config['auth_ldap_groups'][$groupname]['level'];
        }
    }

We get:

Old: -1, new: 10
Old: -1, new: 5
Final userlevel: 5 

Fixing it like this:

    // Loop the list and find the highest level
    $userlevel = array();
    $userlevel['level'] = -1;

    foreach ($entries as $entry) {
        $groupname = $entry['cn'][0];
        if ($config['auth_ldap_groups'][$groupname]['level'] > $userlevel['level']) {
            echo("Old: {$userlevel['level']}, new: {$config['auth_ldap_groups'][$groupname]['level']}<br/>");
            $userlevel['level'] = $config['auth_ldap_groups'][$groupname]['level'];
        }
    }

We now get a proper value:

Old: -1, new: 10
Final userlevel: 10 
@jallakim
Contributor

Before making a PR, I kinda need to know two things:

  1. Should the "falls back to giving full admin privileges if $userlevel is blank" be its own issue?
  2. Is the above fix correct regarding what the rest of the system expects regarding the value of $userlevel?
@jallakim
Contributor

Okay, I think I can answer 2) myself. get_userlevel() is only used by authenticate.inc.php, and sets $_SESSION['userlevel']. It therefore expects an integer from get_userlevel().

I'll make a PR fixing that. Issue in 1) should be addressed, though.

jallakim referenced this issue Nov 30, 2016: Populate $userlevel from LDAP properly #5092 (Merged, 2 of 2 tasks complete)
@laf
Member
laf commented Nov 30, 2016

I don't think we can change the behaviour of 1 otherwise people expecting it to work as it does will have a shock.

Best to have a config option which can be set to define the level if userlevel is blank and have it default to the admin level 10.
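The following is an added example written for this page; it is not code from the issue thread or from LibreNMS. It ties together jallakim's fix above (initialise the level accumulator once, before the loop, so the highest mapped group wins) and laf's suggestion of a configurable fallback for the "no mapped group" case. The function name `ldap_user_level` and the config key `auth_ldap_default_level` are assumptions for illustration, not names the project uses; the `$entries` array is constructed inline in the shape `ldap_get_entries()` returns (a `count` key plus numeric entries with `$entry['cn'][0]`).

```php
<?php
// Added example (not LibreNMS code): derive the user level from the LDAP
// group entries, keeping the highest mapped level, and fall back to a
// configurable default only when no returned group is mapped in config.

/**
 * @param array $entries  group entries in ldap_get_entries() shape: a 'count'
 *                        key plus numeric entries carrying $entry['cn'][0]
 * @param array $config   the $config array; reads auth_ldap_groups and the
 *                        hypothetical key auth_ldap_default_level
 * @return int            highest mapped level, or the fallback level
 */
function ldap_user_level(array $entries, array $config)
{
    // Initialise ONCE, outside the loop. The bug in the thread reset this on
    // every iteration, so only the last group's level survived the loop.
    $level = -1;

    foreach ($entries as $key => $entry) {
        // ldap_get_entries() stores the result count under 'count'; skip it,
        // and skip malformed entries that carry no cn attribute.
        if ($key === 'count' || !isset($entry['cn'][0])) {
            continue;
        }
        $groupname = $entry['cn'][0];

        // A group the admin never mapped in auth_ldap_groups grants nothing.
        if (!isset($config['auth_ldap_groups'][$groupname]['level'])) {
            continue;
        }

        $candidate = (int) $config['auth_ldap_groups'][$groupname]['level'];
        if ($candidate > $level) {
            $level = $candidate;
        }
    }

    if ($level === -1) {
        // No mapped group matched. Hypothetical config key following laf's
        // suggestion: operators choose the fallback, default stays at admin
        // level 10 so existing installs keep the behaviour they rely on.
        $level = isset($config['auth_ldap_default_level'])
            ? (int) $config['auth_ldap_default_level']
            : 10;
    }

    return $level;
}

// Constructed sample data: a user who is a member of both groups.
$entries = array(
    'count' => 2,
    0 => array('cn' => array('count' => 1, 0 => 'usergroup')),
    1 => array('cn' => array('count' => 1, 0 => 'admingroup')),
);

// Both groups mapped, as in the issue's first configuration: admingroup wins.
$config = array();
$config['auth_ldap_groups']['usergroup']['level']  = 5;
$config['auth_ldap_groups']['admingroup']['level'] = 10;
echo "Both groups mapped: ", ldap_user_level($entries, $config), "\n";

// Only usergroup mapped (admingroup line commented out, as in the issue's
// second attempt): membership in the unmapped group must not raise the level.
$config_user_only = array();
$config_user_only['auth_ldap_groups']['usergroup']['level'] = 1;
echo "Only usergroup mapped: ", ldap_user_level($entries, $config_user_only), "\n";

// Nothing mapped at all, with the operator choosing a read-only fallback
// instead of the admin default.
$config_unmapped = array('auth_ldap_default_level' => 1);
echo "No mapped group, fallback 1: ", ldap_user_level($entries, $config_unmapped), "\n";
```

The second and third runs are the cases that matter for access control: a user who belongs to a group the operator never mapped gets nothing from that membership, and when no mapped group matches, the level an unknown user ends up with is an explicit operator decision rather than a silent grant of admin.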

VimCommando added a commit to VimCommando/librenms that referenced this issue Jan 4, 2017: 17a1b57 "fix: Fixed setting userlevel for LDAP auth #5090" (jallakim + VimCommando)
@laf
Member
laf commented Jan 28, 2017

PR merged in to fix this.

@laf laf closed this Jan 28, 2017