New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Active Directory: filter disabled users, allow nested group membership for AD auth #8222

Merged
merged 1 commit into from Mar 17, 2018

Conversation

Projects
None yet
4 participants
@network-guy
Contributor

network-guy commented Feb 7, 2018

Active Directory auth. Filter disabled users and allow nested groups.

DO NOT DELETE THIS TEXT

Please note

Please read this information carefully. You can run ./scripts/pre-commit.php to check your code before submitting.

Testers

If you would like to test this pull request then please run: ./scripts/github-apply <pr_id>, i.e ./scripts/github-apply 5926

@scrutinizer-notifier

This comment has been minimized.

scrutinizer-notifier commented Feb 7, 2018

The inspection completed: No new issues

@murrant

This comment has been minimized.

Member

murrant commented Feb 7, 2018

Should we be using: get_auth_ad_user_filter() and get_auth_ad_group_filter() functions there?

@network-guy

This comment has been minimized.

Contributor

network-guy commented Feb 7, 2018

I don't believe so. get_auth_ad_group_filter() is already employed to get the ldap groups used in this filter. It doesn't pull in user membership information. get_auth_ad_user_filter() queries for a specific user, whereas the filter here checks for membership within a group.

There is a config option for an auth_ad_user_filter, which defaults to "(objectclass=user)". We could potentially just update that to filter disabled users, but i'm not sure that gains us anything.

@murrant

This comment has been minimized.

Member

murrant commented Feb 8, 2018

I know we filter disabled users elsewhere, I was just wondering if we could consolidate them.

@network-guy

This comment has been minimized.

Contributor

network-guy commented Feb 8, 2018

Short of setting a global LDAP filter string, I'm not sure where we could reuse the code. If you can identify something I would be happy to make the changes.

@network-guy

This comment has been minimized.

Contributor

network-guy commented Feb 26, 2018

@murrant @laf Any other input on this, or can we look at getting it merged?

@laf

This comment has been minimized.

Member

laf commented Feb 27, 2018

@network-guy I don't use AD so I can't test (or comment really). Hopefully @murrant can spare some time to do a final review.

@laf laf requested a review from murrant Feb 27, 2018

@murrant murrant merged commit 3619f28 into librenms:master Mar 17, 2018

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details
license/cla Contributor License Agreement is signed.
Details

@murrant murrant changed the title from Filter disabled users, allow nested group membership for AD auth to Active Directory: filter disabled users, allow nested group membership for AD auth Mar 17, 2018

inetAnt added a commit to criteo-forks/librenms that referenced this pull request Mar 19, 2018

@lock

This comment has been minimized.

lock bot commented May 16, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed.

@lock lock bot locked as resolved and limited conversation to collaborators May 16, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.