Bug #3829

closed

Missing/incomplete LDAP group support

Added by Matthew Hall over 9 years ago. Updated over 9 years ago.

Status: Released
Priority: 2
Category: Web - Maintenance

Description

Using LDAP authentication (configuration included below), LDAP users are authenticated but immediately logged out - due to Rudder being unable to read the group membership.

This was discussed on #rudder (see attached conversation).

NB: It was also mentioned during the IRC conversation that the documentation references the wrong version of an LDAP library required for functionality. The corrected version was used in revealing this bug.

    <authentication-manager>
        <authentication-provider ref="ldapAuthenticationProvider"/>
    </authentication-manager>

    <beans:bean id="contextSource" 
     class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://XX.YY.ZZ.AA:389/dc=BBBB"/>
        <beans:property name="anonymousReadOnly" value="true"/>
    </beans:bean>

    <beans:bean id="ldapAuthenticationProvider" 
     class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userDnPatterns">
                    <beans:list><beans:value>cn={0},ou=Users</beans:value></beans:list>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean
             class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="ou=Groups"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>

Files

rudder_irc.txt (10.9 KB), IRC convo on the subject, Matthew Hall, 2013-08-12 18:05

Subtasks 1 (0 open, 1 closed)

Bug #3949: Update documentation for LDAP integration (Released, Jonathan CLARKE, 2013-09-20)

Actions #1

Updated by Vincent MEMBRÉ over 9 years ago

  • Category set to 13
  • Assignee set to François ARMAND
  • Target version changed from 2.6.4 to 2.4.8

Actually we haven't handled the LDAP mapping of authorization in Rudder.

Authorizations are determined by parsing the Rudder-users.xml file. Each user has a role attribute, explaining what authorization he has access to.

Users created using LDAP are not created with that role attribute, so the authorisation cannot be determined.

We need to create a specific mapper to Rudder, and change the documentation according to the change.

Without the fix, a workaround might be to export the LDAP users to rudder-users.xml.

We need to correct this as soon as possible.

This bug is happening in 2.4 too.

Actions #2

Updated by Nicolas PERRON over 9 years ago

  • Target version changed from 2.4.8 to 2.4.9
Actions #3

Updated by Jonathan CLARKE over 9 years ago

  • Category changed from 13 to Web - Maintenance
  • Status changed from New to 8

A useful approach would be to be able to specify roles to give users in rudder-users.xml - this way we delegate auth*entication* to LDAP, but keep auth*orizations* in rudder-users.xml. Something like:

    <user name="bob.foo" auth="LDAP" role="user,validator"/>

Actions #4

Updated by François ARMAND over 9 years ago

In fact, it's quite easy to provide an LDAP "rudderXMLUserDetails : UserDetailsContextMapper" that gets rights from the XML file after authentication from LDAP.

That's not a real LDAP full user management, because we are still forced to define users in the Rudder XML file.

It's also hard to have a per-user authentication method (LDAP or XML).

So, I can propose a solution (right now) where we are able to get Rights from XML and authentication from LDAP.

Actions #5

Updated by François ARMAND over 9 years ago

  • Pull Request set to https://github.com/Normation/rudder/pull/318

Pull request available that allows the Authentication to be delegated to LDAP, and (but ?) the authorization MUST still be defined in rudder-users.xml: https://github.com/Normation/rudder/pull/318

Actions #6

Updated by François ARMAND over 9 years ago

  • Status changed from 8 to Pending technical review
  • Assignee changed from François ARMAND to Nicolas CHARLES
Actions #7

Updated by François ARMAND over 9 years ago

  • Status changed from Pending technical review to Pending release
Actions #9

Updated by François ARMAND over 9 years ago

  • Status changed from Pending release to Pending technical review

Reverting, since some documentation was not accurate.

Actions #10

Updated by François ARMAND over 9 years ago

  • Status changed from Pending technical review to In progress
  • Assignee changed from Nicolas CHARLES to François ARMAND
Actions #11

Updated by François ARMAND over 9 years ago

I mean, reverting since the modification broke the build.

Actions #12

Updated by François ARMAND over 9 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Nicolas CHARLES
  • Pull Request changed from https://github.com/Normation/rudder/pull/318 to https://github.com/Normation/rudder/pull/320

Updated version of the pull request with the correct dependency added: https://github.com/Normation/rudder/pull/320

Actions #13

Updated by François ARMAND over 9 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100
Actions #15

Updated by Jonathan CLARKE over 9 years ago

  • Status changed from Pending release to 8
  • Assignee changed from Nicolas CHARLES to François ARMAND

This has been fixed by making sure that Rudder only does authentication in LDAP, then refers to local rudder-users.xml to get authorizations (roles).

You can already test this using the latest nightly builds on the 2.4 branch. This will be merged into 2.6 and 2.7 branches in the next few days, when it will be available in those nightly builds too. As always, please be careful when using nightly builds!

This will be released in the next minor release of all Rudder branches: 2.4.9, 2.6.6 and 2.7.3.
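
The split this thread settles on (LDAP proves identity, rudder-users.xml supplies roles) as an added Python example; it is not Rudder's code and not part of any comment here. The `<authentication>` wrapper element, the `administrator` role name and the function names are assumptions; only the `user` element with `name` and `role` attributes comes from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a local users file (layout assumed, see lead-in).
SAMPLE_USERS_XML = """
<authentication>
  <user name="bob.foo" role="user,validator"/>
  <user name="alice" role=" administrator "/>
  <user name="norole"/>
  <user name="dup" role="user"/>
  <user name="dup" role="administrator"/>
</authentication>
"""


class AuthorizationError(Exception):
    """The authenticated user has no usable role mapping in the XML file."""


def load_role_map(xml_text):
    """Return {username: frozenset(roles)}; names declared twice map to None."""
    roles_by_user = {}
    for user in ET.fromstring(xml_text).iter("user"):
        name = user.get("name")
        if not name:
            continue
        if name in roles_by_user:
            # Ambiguous entry: refuse it rather than merge or pick one.
            roles_by_user[name] = None
            continue
        raw = user.get("role", "")
        roles_by_user[name] = frozenset(
            r.strip() for r in raw.split(",") if r.strip()
        )
    return roles_by_user


def authorize(ldap_username, role_map):
    """Map a user that LDAP has already authenticated to its local roles.

    Fails closed: a successful LDAP bind on its own grants nothing.
    """
    roles = role_map.get(ldap_username)
    if not roles:  # unknown user, duplicate entry (None) or empty role set
        raise AuthorizationError("no roles in users file for %r" % ldap_username)
    return roles
```

The name match is exact and case-sensitive, so the directory and the XML file have to agree on how usernames are spelled.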

Actions #16

Updated by François ARMAND over 9 years ago

  • Status changed from 8 to Pending technical review

Merge done, the feature should be available in tomorrow's nightly.

Actions #17

Updated by François ARMAND over 9 years ago

  • Status changed from Pending technical review to Pending release
Actions #18

Updated by Nicolas PERRON over 9 years ago

This bug has been fixed in Rudder 2.4.9, which was released today.
Check out:

Actions #19

Updated by Nicolas PERRON over 9 years ago

  • Status changed from Pending release to Released