Bug #3829
closed
Missing/incomplete LDAP group support
Added by Matthew Hall over 11 years ago.
Updated about 11 years ago.
Category: Web - Maintenance
Description
Using LDAP authentication (configuration included below), LDAP users are authenticated but immediately logged out - due to Rudder being unable to read the group membership.
This was discussed on #rudder (see attached conversation).
NB: It was also mentioned during the IRC conversation that the documentation references the wrong version of an LDAP library required for functionality. The corrected version was used in revealing this bug.
<authentication-manager>
    <authentication-provider ref="ldapAuthenticationProvider"/>
</authentication-manager>

<beans:bean id="contextSource"
    class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://XX.YY.ZZ.AA:389/dc=BBBB"/>
    <beans:property name="anonymousReadOnly" value="true"/>
</beans:bean>

<beans:bean id="ldapAuthenticationProvider"
    class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <beans:constructor-arg ref="contextSource"/>
            <beans:property name="userDnPatterns">
                <beans:list><beans:value>cn={0},ou=Users</beans:value></beans:list>
            </beans:property>
        </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
        <beans:bean
            class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <beans:constructor-arg ref="contextSource"/>
            <beans:constructor-arg value="ou=Groups"/>
            <beans:property name="groupRoleAttribute" value="cn"/>
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>
- Category set to 13
- Assignee set to François ARMAND
- Target version changed from 2.6.4 to 2.4.8
Actually we haven't handled the LDAP mapping of authorization in Rudder.
Authorizations are determined by parsing the rudder-users.xml file. Each user has a role attribute, explaining what authorizations he has access to.
Users created using LDAP are not created with that role attribute, so the authorisation cannot be determined.
We need to create a specific mapper for Rudder, and change the documentation according to the change.
Without the fix, a workaround might be to export the LDAP users to rudder-users.xml.
We need to correct this as soon as possible.
This bug is happening in 2.4 too.
- Target version changed from 2.4.8 to 2.4.9
- Category changed from 13 to Web - Maintenance
- Status changed from New to 8
A useful approach would be to be able to specify roles to give users in rudder-users.xml - this way we delegate auth*entication* to LDAP, but keep auth*orizations* in rudder-users.xml. Something like:
<user name="bob.foo" auth="LDAP" role="user,validator"/>
In fact, it's quite easy to provide an LDAP "rudderXMLUserDetails : UserDetailsContextMapper" that gets rights from the XML file after authentication from LDAP.
That's not real full LDAP user management, because we are still forced to define users in the Rudder XML file.
It's also hard to have a per-user authentication method (LDAP or XML).
So, I can propose a solution (right now) where we are able to get rights from XML and authentication from LDAP.
- Pull Request set to https://github.com/Normation/rudder/pull/318
- Status changed from 8 to Pending technical review
- Assignee changed from François ARMAND to Nicolas CHARLES
- Status changed from Pending technical review to Pending release
- Status changed from Pending release to Pending technical review
Reverting, since some documentation was not accurate.
- Status changed from Pending technical review to In progress
- Assignee changed from Nicolas CHARLES to François ARMAND
I mean, reverting since the modification broke the build.
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Nicolas CHARLES
- Pull Request changed from https://github.com/Normation/rudder/pull/318 to https://github.com/Normation/rudder/pull/320
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
- Status changed from Pending release to 8
- Assignee changed from Nicolas CHARLES to François ARMAND
This has been fixed by making sure that Rudder only does authentication in LDAP, then refers to local rudder-users.xml to get authorizations (roles).
You can already test this using the latest nightly builds on the 2.4 branch. This will be merged into 2.6 and 2.7 branches in the next few days, when it will be available in those nightly builds too. As always, please be careful when using nightly builds!
This will be released in the next minor release of all Rudder branches: 2.4.9, 2.6.6 and 2.7.3.
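The approach described in the two comments above (authentication delegated to LDAP, roles read from a local rudder-users.xml entry such as `<user name="bob.foo" auth="LDAP" role="user,validator"/>`) can be illustrated with a Spring Security `UserDetailsContextMapper`. The class below is an added example written for this page, not Rudder's own mapper from pull request 320: the class name, the attribute names `name`/`auth`/`role`, the comma-separated role format and the fail-closed behaviour for users missing from the file are assumptions taken from the comment's sketch, and the role strings are passed through unchanged rather than mapped to Rudder's internal role names.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Hypothetical mapper (example code, not Rudder's): LDAP has already proven WHO
 * the user is (BindAuthenticator succeeded); this class only decides WHAT the
 * user may do, by looking the username up in a local rudder-users.xml holding
 * entries like <user name="bob.foo" auth="LDAP" role="user,validator"/>.
 * A user that exists in LDAP but not in the file is rejected (fail closed)
 * instead of being let in with an empty role set.
 */
public class XmlRoleLdapUserDetailsMapper implements UserDetailsContextMapper {

    private final File usersFile;

    public XmlRoleLdapUserDetailsMapper(File usersFile) {
        this.usersFile = usersFile;
    }

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> ldapAuthorities) {
        // Authorities derived from LDAP groups are deliberately ignored:
        // roles come from rudder-users.xml only, as the fix describes.
        List<GrantedAuthority> roles = rolesFor(username);
        if (roles == null) {
            throw new UsernameNotFoundException("User '" + username
                    + "' authenticated in LDAP but is not declared in rudder-users.xml");
        }
        // No password is kept locally: LDAP already verified it, so an empty string is stored.
        return new User(username, "", roles);
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        throw new UnsupportedOperationException("read-only mapper: users are never written back to LDAP");
    }

    /** Roles declared for the user, or null when no <user auth="LDAP"> entry matches the name. */
    List<GrantedAuthority> rolesFor(String username) {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            // The file is local and trusted, but refuse DOCTYPE/external entities anyway (assumed hardening).
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = factory.newDocumentBuilder().parse(usersFile);
            NodeList users = doc.getElementsByTagName("user");
            for (int i = 0; i < users.getLength(); i++) {
                Element u = (Element) users.item(i);
                // Exact, case-sensitive match on the name; only entries marked auth="LDAP" qualify.
                if (!username.equals(u.getAttribute("name"))
                        || !"LDAP".equalsIgnoreCase(u.getAttribute("auth"))) {
                    continue;
                }
                List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
                for (String role : u.getAttribute("role").split(",")) {
                    String r = role.trim();
                    if (!r.isEmpty()) {
                        roles.add(new SimpleGrantedAuthority(r));
                    }
                }
                return Collections.unmodifiableList(roles);
            }
            return null;
        } catch (Exception e) {
            throw new IllegalStateException("cannot read " + usersFile, e);
        }
    }
}
```

To wire such a mapper into the configuration quoted in the description, the `ldapAuthenticationProvider` bean would get a `userDetailsContextMapper` property pointing at a bean of this class (Spring Security's `LdapAuthenticationProvider` exposes that setter); the `DefaultLdapAuthoritiesPopulator` argument then becomes irrelevant, since the populated LDAP authorities are discarded. The security-relevant property is the fail-closed branch: an account that can bind to LDAP but has no line in rudder-users.xml never reaches the web interface, which is exactly the "we are still forced to define users in the Rudder XML file" constraint from the proposal.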
- Status changed from 8 to Pending technical review
Merge done, the feature should be available in tomorrow's nightly.
- Status changed from Pending technical review to Pending release
This bug has been fixed in Rudder 2.4.9, which was released today.
Check out:
- Status changed from Pending release to Released