Bug #3829
Missing/incomplete LDAP group support (closed)
Description
Using LDAP authentication (configuration included below), LDAP users are authenticated but immediately logged out - due to Rudder being unable to read the group membership.
This was discussed on #rudder (see attached conversation).
NB: It was also mentioned during the IRC conversation that the documentation references the wrong version of an LDAP library required for functionality. The corrected version was used in revealing this bug.
    <authentication-manager>
        <authentication-provider ref="ldapAuthenticationProvider"/>
    </authentication-manager>

    <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://XX.YY.ZZ.AA:389/dc=BBBB"/>
        <beans:property name="anonymousReadOnly" value="true"/>
    </beans:bean>

    <beans:bean id="ldapAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userDnPatterns">
                    <beans:list><beans:value>cn={0},ou=Users</beans:value></beans:list>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="ou=Groups"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>
Updated by Vincent MEMBRÉ over 11 years ago
- Category set to 13
- Assignee set to François ARMAND
- Target version changed from 2.6.4 to 2.4.8
Actually we haven't handled the LDAP mapping of authorization in Rudder.
Authorizations are determined by parsing the rudder-users.xml file. Each user has a role attribute stating what authorizations he has access to.
Users created using LDAP are not created with that role attribute, so the authorization cannot be determined.
We need to create a specific mapper to Rudder, and change the documentation according to the change.
Without the fix, a workaround might be to export the LDAP users to rudder-users.xml.
We need to correct this as soon as possible.
This bug is happening in 2.4 too.
Updated by Nicolas PERRON over 11 years ago
- Target version changed from 2.4.8 to 2.4.9
Updated by Jonathan CLARKE over 11 years ago
- Category changed from 13 to Web - Maintenance
- Status changed from New to 8
A useful approach would be to be able to specify roles to give users in rudder-users.xml - this way we delegate auth*entication* to LDAP, but keep auth*orizations* in rudder-users.xml. Something like:
<user name="bob.foo" auth="LDAP" role="user,validator"/>
Updated by François ARMAND over 11 years ago
In fact, it's quite easy to provide an LDAP "rudderXMLUserDetails : UserDetailsContextMapper" that gets rights from the XML file after authentication from LDAP.
That's not real full LDAP user management, because we are still forced to define users in the Rudder XML file.
It's also hard to have a per-user authentication method (LDAP or XML).
So, I can propose a solution (right now) where we are able to get Rights from XML and authentication from LDAP.
Updated by François ARMAND over 11 years ago
- Pull Request set to https://github.com/Normation/rudder/pull/318
Pull request available that allows the authentication to be delegated to LDAP, and (but ?) the authorization MUST still be defined in rudder-users.xml: https://github.com/Normation/rudder/pull/318
Updated by François ARMAND over 11 years ago
- Status changed from 8 to Pending technical review
- Assignee changed from François ARMAND to Nicolas CHARLES
Updated by François ARMAND over 11 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset efbf99c8e30fdfc9cf215ccf230ca0a3676cb4bf.
Updated by Nicolas CHARLES over 11 years ago
Applied in changeset 152eefa4c416c9a71b7b41c3b6bcb9e16971a9f5.
Updated by François ARMAND over 11 years ago
- Status changed from Pending release to Pending technical review
Reverting, since some documentation was not accurate.
Updated by François ARMAND over 11 years ago
- Status changed from Pending technical review to In progress
- Assignee changed from Nicolas CHARLES to François ARMAND
Updated by François ARMAND over 11 years ago
I mean, reverting since the modification broke the build.
Updated by François ARMAND over 11 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Nicolas CHARLES
- Pull Request changed from https://github.com/Normation/rudder/pull/318 to https://github.com/Normation/rudder/pull/320
Updated version of the pull request with the correct dependency added: https://github.com/Normation/rudder/pull/320
Updated by François ARMAND over 11 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset 07120d89d5efba8ca647063c1c93aeb3d56c9256.
Updated by Nicolas CHARLES over 11 years ago
Applied in changeset 1632d9d4d42c4d1da5522b96c3bf774f38b6e05c.
Updated by Jonathan CLARKE over 11 years ago
- Status changed from Pending release to 8
- Assignee changed from Nicolas CHARLES to François ARMAND
This has been fixed by making sure that Rudder only does authentication in LDAP, then refers to local rudder-users.xml to get authorizations (roles).
You can already test this using the latest nightly builds on the 2.4 branch. This will be merged into 2.6 and 2.7 branches in the next few days, when it will be available in those nightly builds too. As always, please be careful when using nightly builds!
This will be released in the next minor release of all Rudder branches: 2.4.9, 2.6.6 and 2.7.3.

The split described in this thread (password checked by the LDAP bind, roles taken only from rudder-users.xml, and a user missing from that file rejected rather than silently logged out or given no role) is what a Spring Security UserDetailsContextMapper is for. The following Java class is an added example, not Rudder's code and not the code of the pull requests above: the class name, the ROLE_ prefix and the sample users are my choices, and it assumes rudder-users.xml carries `<user name="..." role="a,b"/>` elements as in the proposal earlier in this thread.

```java
import java.io.File;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Hypothetical mapper (example code, not Rudder's own). The BindAuthenticator has
 * already verified the password against the directory; this class only decides
 * which roles the authenticated user gets, and takes them exclusively from the
 * <user name="..." role="a,b"/> entries of a local rudder-users.xml.
 */
public class XmlRoleUserDetailsContextMapper implements UserDetailsContextMapper {

    private final Document users;

    private XmlRoleUserDetailsContextMapper(Document users) { this.users = users; }

    public static XmlRoleUserDetailsContextMapper fromFile(File f) throws Exception {
        return new XmlRoleUserDetailsContextMapper(hardenedBuilder().parse(f));
    }

    public static XmlRoleUserDetailsContextMapper fromXml(String xml) throws Exception {
        return new XmlRoleUserDetailsContextMapper(
                hardenedBuilder().parse(new InputSource(new StringReader(xml))));
    }

    /** The users file is local, but refuse DOCTYPEs anyway so an edited file cannot pull in external entities. */
    private static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                          Collection<? extends GrantedAuthority> ldapAuthorities) {
        // ldapAuthorities (whatever the authorities populator found under ou=Groups) is ignored on
        // purpose: directory group membership must not translate into Rudder rights.
        List<String> roles = rolesFor(username);
        if (roles == null) {
            // Valid directory credentials but no local entry: reject instead of granting an empty
            // role set. LdapAuthenticationProvider reports this as BadCredentialsException by default.
            throw new UsernameNotFoundException(
                    username + " authenticated by LDAP but is not declared in rudder-users.xml");
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()));
        }
        // No password is kept: the credential was checked by the LDAP bind and is not needed again.
        return new User(username, "", authorities);
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        throw new UnsupportedOperationException("read-only mapper: nothing is written back to LDAP");
    }

    /** Role names of the matching <user> element, or null when the user is not declared at all. */
    List<String> rolesFor(String username) {
        NodeList nodes = users.getElementsByTagName("user");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element u = (Element) nodes.item(i);
            if (!username.equals(u.getAttribute("name"))) continue;
            List<String> roles = new ArrayList<String>();
            for (String r : u.getAttribute("role").split(",")) {
                if (!r.trim().isEmpty()) roles.add(r.trim());
            }
            return roles;
        }
        return null;
    }

    /** Stand-alone check against a constructed users file (sample data, not a real deployment). */
    public static void main(String[] args) throws Exception {
        String sample = "<authentication>"
                + "<user name=\"bob.foo\" role=\"user,validator\"/>"
                + "<user name=\"alice\" role=\"administrator\"/>"
                + "</authentication>";
        XmlRoleUserDetailsContextMapper mapper = fromXml(sample);
        System.out.println("bob.foo -> " + mapper.mapUserFromContext(null, "bob.foo", null).getAuthorities());
        try {
            mapper.mapUserFromContext(null, "mallory", null);
        } catch (UsernameNotFoundException e) {
            System.out.println("mallory -> rejected: " + e.getMessage());
        }
    }
}
```

To wire it into a configuration like the one in the description, declare the mapper as a bean and set it on the provider with `<beans:property name="userDetailsContextMapper" ref="..."/>` (LdapAuthenticationProvider exposes setUserDetailsContextMapper); the DefaultLdapAuthoritiesPopulator constructor argument can then be dropped, since whatever it returns is discarded by the mapper. The behaviour worth testing after deployment is the negative case: an account that binds successfully against the directory but has no `<user>` entry must be refused at login, not let in with no role.
Updated by François ARMAND over 11 years ago
- Status changed from 8 to Pending technical review
Merge done, the feature should be available in tomorrow's nightly.
Updated by François ARMAND over 11 years ago
- Status changed from Pending technical review to Pending release
Updated by Nicolas PERRON about 11 years ago
This bug has been fixed in Rudder 2.4.9, which was released today.
Check out:
- The release announcement: http://www.rudder-project.org/pipermail/rudder-announce/2013-October/000049.html
- The full ChangeLog: http://www.rudder-project.org/foswiki/bin/view/System/Documentation:ChangeLog24
- Download information: http://www.rudder-project.org/foswiki/Download/
Updated by Nicolas PERRON about 11 years ago
- Status changed from Pending release to Released