Bug #32617

open

User (LDAP) jump out of User group on every login

Added by Robert Vojcik about 3 years ago. Updated over 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Hi,

today after upgrading from 2.3.2 -> 2.4.0 I started experiencing strange behavior.

I'm using LDAP auth and external group mapping.

When I log in, my user has no assigned Group and gets Permission denied, so I manually refresh external Groups and my user appears as a member of the group.
The user refreshes the page and everything works OK until he logs in again.

After next login user jumps out of group and gets Permission denied again.

OS: Debian Buster
Installed: from Foreman deb packages
Version: 2.4.0-1

Actions #1

Updated by Robert Vojcik about 3 years ago

  • Subject changed from User (LDAP) jump out of User group when login to User (LDAP) jump out of User group on every login
Actions #2

Updated by Robert Vojcik almost 3 years ago

  • Found in Releases 2.4.1, 2.5.0, 2.5.1 added
Actions #3

Updated by Robert Vojcik almost 3 years ago

Today I upgraded to 2.5.1-1 and the problem is the same. Sad that this functionality is not interesting enough to fix, especially when it is presented as one of the core functionalities on the project main page.

Actions #4

Updated by Rossen G over 2 years ago

  • Found in Releases 2.5.4 added

I've encountered this same issue after upgrading to Katello 4.1 (foreman 2.5.4). From the debug log, I think the issue is the ldap filter. It differs from the one when manually refreshing the groups. As a workaround I've disabled sync on login, and that seems to work.

# manual refresh

2022-01-11T14:18:28 [I|app|10ca67b6] Started PUT "/external_usergroups/my-ldap-group/refresh" for 10.8.160.119 at 2022-01-11 14:18:28 +0000
...
2022-01-11T14:18:28 [D|lda|10ca67b6]   op bind (41.5ms)  [ result=success ]
2022-01-11T14:18:28 [D|lda|10ca67b6]   op search (13.2ms)  [ filter=, base= ]
2022-01-11T14:18:28 [D|lda|10ca67b6]   op search (14.2ms)  [ filter=(cn=my-ldap-group), base=ou=Group,dc=example,dc=com ]
2022-01-11T14:18:28 [D|lda|10ca67b6]   op search (50.4ms)  [ filter=(cn=my-ldap-group), base=ou=Group,dc=example,dc=com ]
2022-01-11T14:18:28 [D|lda|10ca67b6]   op search (50.5ms)  [ filter=(|(|(|(objectClass=posixGroup)(objectClass=organizationalunit))(objectClass=groupOfUniqueNames))(objectClass=groupOfNames)), base=cn=my-ldap-group,ou=foreman,ou=Group,dc=example,dc=com ]
2022-01-11T14:18:28 [D|lda|10ca67b6]   user_list (172.1ms)  [ group=my-ldap-group ]
2022-01-11T14:18:28 [D|lda|10ca67b6]   op bind (11.8ms)  [ result=success ]
2022-01-11T14:18:28 [D|lda|10ca67b6]   op search (14.1ms)  [ filter=, base= ]
2022-01-11T14:18:28 [D|lda|10ca67b6]   op search (48.8ms)  [ filter=(cn=my-ldap-group), base=ou=Group,dc=example,dc=com ]
2022-01-11T14:18:28 [D|lda|10ca67b6]   valid_group? (75.7ms)  [ group=my-ldap-group ]
2022-01-11T14:18:28 [I|aud|10ca67b6] Usergroup (2) update event on user_ids 15, 15, 13

# user login

2022-01-11T14:15:22 [D|app|7bae0c9b] Updating user groups for user johnsmith
2022-01-11T14:15:22 [D|lda|7bae0c9b]   op bind (39.4ms)  [ result=success ]
2022-01-11T14:15:22 [D|lda|7bae0c9b]   op search (11.6ms)  [ filter=, base= ]
2022-01-11T14:15:22 [D|lda|7bae0c9b]   op search (13.1ms)  [ filter=(memberuid=johnsmith), base=ou=Group,dc=example,dc=com ]
2022-01-11T14:15:22 [D|lda|7bae0c9b]   group_list (64.5ms)  [ user=johnsmith ]
2022-01-11T14:15:22 [I|aud|7bae0c9b] User (13) update event on usergroup_ids 3, 2,
2022-01-11T14:15:22 [D|app|7bae0c9b] Post-login processing for johnsmith

Looks like at login the filter `(memberuid=johnsmith)` is used, which will only find `posixGroup`, and not `groupOfUniqueNames`, which is what I use.
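To make the difference between the two lookups concrete, here is an added example (not Foreman's code and not posted by anyone in this issue): a toy evaluator for a subset of LDAP filters, run over two constructed group entries, one `posixGroup` with `memberUid` and one `groupOfUniqueNames` with `uniqueMember`. The user DN, the group entries, the sample log lines and the combined filter form are assumptions for illustration. It goes a little beyond the comment above in that the evaluator handles nested `&`/`|` filters generally, and it shows why a `memberUid`-only lookup can only ever return `posixGroup` entries, while a filter that also covers `member` and `uniqueMember` selects the `groupOfUniqueNames` group as well.

```python
"""Added example: why a memberUid-only lookup misses groupOfUniqueNames groups.

Not Foreman's code. A toy evaluator for a subset of RFC 4515 LDAP filters,
run over constructed directory entries, showing which group object classes
each membership filter can select.
"""
import re

# Constructed group entries (assumed for illustration, not from the report).
# The user DN used in member/uniqueMember values is also an assumption.
USER_DN = "uid=johnsmith,ou=People,dc=example,dc=com"
DIRECTORY = [
    {"dn": "cn=my-ldap-group,ou=Group,dc=example,dc=com",
     "objectClass": ["groupOfUniqueNames"],
     "cn": ["my-ldap-group"],
     "uniqueMember": [USER_DN]},
    {"dn": "cn=posix-admins,ou=Group,dc=example,dc=com",
     "objectClass": ["posixGroup"],
     "cn": ["posix-admins"],
     "memberUid": ["johnsmith", "alice"]},
]

# Constructed log lines in the same shape as the excerpts in the comment above.
SAMPLE_LOG = [
    "2022-01-11T14:15:22 [D|lda|7bae0c9b]   op search (11.6ms)  [ filter=, base= ]",
    "2022-01-11T14:15:22 [D|lda|7bae0c9b]   op search (13.1ms)  "
    "[ filter=(memberuid=johnsmith), base=ou=Group,dc=example,dc=com ]",
]
FILTER_RE = re.compile(r"filter=(.*?), base=")


def filters_in_log(lines):
    """Return the non-empty LDAP filters recorded in 'op search' log lines."""
    found = []
    for line in lines:
        m = FILTER_RE.search(line)
        if m and m.group(1):
            found.append(m.group(1))
    return found


def parse_filter(text):
    """Parse (attr=value), (|...) and (&...) into a nested tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "|&":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return tree


def matches(entry, tree):
    """Evaluate a parsed filter against one entry (attribute names and values
    compared case-insensitively, as an LDAP server would for these types)."""
    if tree[0] == "=":
        _, attr, value = tree
        for key, values in entry.items():
            if key != "dn" and key.lower() == attr.lower():
                return any(v.lower() == value.lower() for v in values)
        return False  # attribute absent on this entry: cannot match
    op, children = tree
    combine = any if op == "|" else all
    return combine(matches(entry, child) for child in children)


def groups_selected(ldap_filter):
    """DNs of the DIRECTORY entries that the filter selects, in directory order."""
    tree = parse_filter(ldap_filter)
    return [e["dn"] for e in DIRECTORY if matches(e, tree)]


# The filter the login path used in the log above: memberUid is a posixGroup
# attribute, so a groupOfUniqueNames entry can never match it.
LOGIN_FILTER = "(memberuid=johnsmith)"

# A filter covering all three membership attributes (assumed form, not Foreman's).
COMPLETE_FILTER = "(|(memberUid=johnsmith)(member=%s)(uniqueMember=%s))" % (USER_DN, USER_DN)


if __name__ == "__main__":
    print("filters in log:", filters_in_log(SAMPLE_LOG))
    print("login filter selects:", groups_selected(LOGIN_FILTER))
    print("complete filter selects:", groups_selected(COMPLETE_FILTER))
```

Running it shows the login-time filter selecting only `cn=posix-admins`, while the combined filter selects both groups. When checking your own debug log, the `filter=` value on the `op search` line emitted right after "Updating user groups for user ..." is the one to compare against the object classes your groups actually use.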
