
Feature Request: Allow partial group name matches #104

Open
guo3561101 opened this issue May 13, 2022 · 1 comment

Comments


guo3561101 commented May 13, 2022

The log tells me that I can log in to LDAP only when required_groups equals actual_groups

required_groups= {'cn=st2users,cn=people,ou=people,dc=example,dc=cn'} 
actual_groups=  {'cn=st2users,cn=people,ou=people,dc=example,dc=cn'}

The following configuration does not allow login

backend_kwargs = {
    "bind_dn": "cn=admin,dc=example,dc=cn",
    "bind_password": "123",
    "base_ou": "ou=People,dc=example,dc=cn",
    "id_attr": "cn",
    "group_dns": ["ou=People,dc=example,dc=cn"],
    "group_pattern": "(&(objectClass=person)(&(cn={username})))",
    "group_dns_check": "or",
    "host": "ldap.example.cn",
    "port": 389,
}

2022-05-13 07:34:54,293 ERROR [-] Unable to verify membership for user "st2users (
required_groups={'ou=people,dc=example,dc=cn'},
actual_groups={'cn=st2users,ou=people,dc=example,dc=cn'},
check_behavior=or)".

I have to change group_dns to "cn=st2users,ou=people,dc=example,dc=cn", so that I can log in successfully.

Currently I can only add my LDAP authentication by adding group_dns

example:

[
    "cn=user1,ou=ops,ou=people,dc=example,dc=cn",
    "cn=user2,ou=ops,ou=people,dc=example,dc=cn"
]

I can't find my user information without changing group-pattern

my ldap user dn = cn=user1,ou=ops,ou=People,dc=example,dc=cn

I can log in successfully only when group_dns equals my user DN

@cognifloyd cognifloyd changed the title You can log in through LDAP only when required_groups equals actual_groups Feature Request: Allow partial group name matches Aug 28, 2024
@cognifloyd (Member)

Right now, we do a full match of group names, including CN, OU and DC:

# Assume group entries are not case sensitive.
user_groups = set([entry.lower() for entry in user_groups])
required_groups = set([entry.lower() for entry in self._group_dns])
result = self._verify_user_group_membership(username=username,
                                            required_groups=required_groups,
                                            user_groups=user_groups,
                                            check_behavior=self._group_dns_check)

# ... and the comparison inside _verify_user_group_membership:
if check_behavior == 'and':
    if required_groups.issubset(user_groups):
        return True
elif check_behavior == 'or':
    if required_groups.intersection(user_groups):
        return True

This logic needs to be modified to allow for:

  • groups within an OU (as described in this issue with example: ou=people,dc=example,dc=cn),
  • or CN only matches (eg for AD where CN is globally unique).
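The following is an added example of what such a relaxed check could look like; it is not code from st2-auth-backend-ldap and the function and parameter names (`parse_dn`, `group_matches`, `verify_user_group_membership`, `match_mode`) are assumptions made for illustration. It keeps the existing exact-DN behaviour as the default (`match_mode="full"`) and adds the two requested modes: `"ou"` accepts any group DN that sits under the configured container, and `"cn"` compares only the leaf CN. Both partial modes compare parsed RDN components rather than raw substrings, so an attribute name or an escaped comma inside a value cannot make an unrelated DN look like a match; the CN-only mode deliberately ignores every other component, which is why it is only safe in directories where CN is unique, as the comment above says for AD.

```python
import re

# Split on commas that are not escaped with a backslash (RFC 4514 escaping).
# Multi-valued RDNs joined with '+' are not handled; this is a simplification
# of this example, not a limitation of the project.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Parse a DN string into a list of lowercase (attribute, value) RDN pairs."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        attr, sep, value = part.strip().partition('=')
        if not sep:
            raise ValueError(f'malformed RDN {part!r} in DN {dn!r}')
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def group_matches(required, group, match_mode='full'):
    """Return True if the user's group DN satisfies the required entry.

    match_mode:
      'full' - whole DN must be identical (the current behaviour).
      'ou'   - required DN must be an RDN-wise suffix of the group DN,
               i.e. the group lives in (or is) that container.
      'cn'   - only the leaf CN is compared; required may be a bare CN value
               or a DN whose first RDN is a cn=... component.
    """
    grp = parse_dn(group)
    req = parse_dn(required) if '=' in required else [('cn', required.strip().lower())]

    if match_mode == 'full':
        return grp == req
    if match_mode == 'ou':
        # Component-wise suffix comparison: 'ou=ops,dc=example,dc=cn' does
        # not match a group under 'ou=people,dc=example,dc=cn' even though
        # the two strings share a textual suffix.
        return len(grp) >= len(req) and grp[-len(req):] == req
    if match_mode == 'cn':
        return req[0][0] == 'cn' and grp[0] == req[0]
    raise ValueError(f'unknown match_mode {match_mode!r}')


def verify_user_group_membership(required_groups, user_groups,
                                 check_behavior='and', match_mode='full'):
    """Apply the 'and' / 'or' semantics of group_dns_check on top of group_matches."""
    satisfied = {
        req for req in required_groups
        if any(group_matches(req, grp, match_mode) for grp in user_groups)
    }
    if check_behavior == 'and':
        return satisfied == set(required_groups)
    if check_behavior == 'or':
        return bool(satisfied)
    raise ValueError(f'unknown check_behavior {check_behavior!r}')


# Constructed sample data modelled on the DNs quoted in this issue.
SAMPLE_USER_GROUPS = {
    'cn=st2users,ou=people,dc=example,dc=cn',
    'cn=ops,ou=ops,ou=people,dc=example,dc=cn',
}


if __name__ == '__main__':
    container = {'ou=people,dc=example,dc=cn'}
    print('full :', verify_user_group_membership(container, SAMPLE_USER_GROUPS, 'or', 'full'))
    print('ou   :', verify_user_group_membership(container, SAMPLE_USER_GROUPS, 'or', 'ou'))
    print('cn   :', verify_user_group_membership({'st2users'}, SAMPLE_USER_GROUPS, 'or', 'cn'))
```

The `'ou'` mode reproduces the configuration the reporter tried (`group_dns` set to the container `ou=people,dc=example,dc=cn`), which the current exact-match check rejects. Note that in `'cn'` mode a required entry of `cn=st2users,ou=other,dc=example,dc=cn` still matches `cn=st2users,ou=people,dc=example,dc=cn`, because everything after the leaf is ignored by design.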
