Bug #32617
openUser (LDAP) jump out of User group on every login
Description
Hi,
Today, after upgrading from 2.3.2 -> 2.4.0, I started experiencing strange behaviour.
I'm using LDAP auth and external group mapping.
When I log in, my user has no assigned group and gets Permission denied, so I manually refresh the external groups and my user appears as a member of the group.
The user refreshes the page and everything works OK until they log in again.
After the next login, the user jumps out of the group and gets Permission denied again.
OS: Debian Buster
Installed: from Foreman deb packages
Version: 2.4.0-1
Updated by Robert Vojcik about 3 years ago
- Subject changed from User (LDAP) jump out of User group when login to User (LDAP) jump out of User group on every login
Updated by Robert Vojcik almost 3 years ago
- Found in Releases 2.4.1, 2.5.0, 2.5.1 added
Updated by Robert Vojcik almost 3 years ago
Robert Vojcik wrote:
Hi,
Today, after upgrading from 2.3.2 -> 2.4.0, I started experiencing strange behaviour.
I'm using LDAP auth and external group mapping.
When I log in, my user has no assigned group and gets Permission denied, so I manually refresh the external groups and my user appears as a member of the group.
The user refreshes the page and everything works OK until they log in again. After the next login, the user jumps out of the group and gets Permission denied again.
OS: Debian Buster
Installed: from Foreman deb packages
Version: 2.4.0-1
Today I upgraded to 2.5.1-1 and the problem is the same. Sad that this functionality is not interesting enough to fix, especially when it is presented as one of the core functionalities on the project's main page.
Updated by Rossen G over 2 years ago
- Found in Releases 2.5.4 added
I've encountered this same issue after upgrading to Katello 4.1 (Foreman 2.5.4). From the debug log, I think the issue is the LDAP filter. It differs from the one used when manually refreshing the groups. As a workaround I've disabled sync on login, and that seems to work.
# manual refresh
2022-01-11T14:18:28 [I|app|10ca67b6] Started PUT "/external_usergroups/my-ldap-group/refresh" for 10.8.160.119 at 2022-01-11 14:18:28 +0000
...
2022-01-11T14:18:28 [D|lda|10ca67b6] op bind (41.5ms) [ result=success ]
2022-01-11T14:18:28 [D|lda|10ca67b6] op search (13.2ms) [ filter=, base= ]
2022-01-11T14:18:28 [D|lda|10ca67b6] op search (14.2ms) [ filter=(cn=my-ldap-group), base=ou=Group,dc=example,dc=com ]
2022-01-11T14:18:28 [D|lda|10ca67b6] op search (50.4ms) [ filter=(cn=my-ldap-group), base=ou=Group,dc=example,dc=com ]
2022-01-11T14:18:28 [D|lda|10ca67b6] op search (50.5ms) [ filter=(|(|(|(objectClass=posixGroup)(objectClass=organizationalunit))(objectClass=groupOfUniqueNames))(objectClass=groupOfNames)), base=cn=my-ldap-group,ou=foreman,ou=Group,dc=example,dc=com ]
2022-01-11T14:18:28 [D|lda|10ca67b6] user_list (172.1ms) [ group=my-ldap-group ]
2022-01-11T14:18:28 [D|lda|10ca67b6] op bind (11.8ms) [ result=success ]
2022-01-11T14:18:28 [D|lda|10ca67b6] op search (14.1ms) [ filter=, base= ]
2022-01-11T14:18:28 [D|lda|10ca67b6] op search (48.8ms) [ filter=(cn=my-ldap-group), base=ou=Group,dc=example,dc=com ]
2022-01-11T14:18:28 [D|lda|10ca67b6] valid_group? (75.7ms) [ group=my-ldap-group ]
2022-01-11T14:18:28 [I|aud|10ca67b6] Usergroup (2) update event on user_ids 15, 15, 13
# user login
2022-01-11T14:15:22 [D|app|7bae0c9b] Updating user groups for user johnsmith
2022-01-11T14:15:22 [D|lda|7bae0c9b] op bind (39.4ms) [ result=success ]
2022-01-11T14:15:22 [D|lda|7bae0c9b] op search (11.6ms) [ filter=, base= ]
2022-01-11T14:15:22 [D|lda|7bae0c9b] op search (13.1ms) [ filter=(memberuid=johnsmith), base=ou=Group,dc=example,dc=com ]
2022-01-11T14:15:22 [D|lda|7bae0c9b] group_list (64.5ms) [ user=johnsmith ]
2022-01-11T14:15:22 [I|aud|7bae0c9b] User (13) update event on usergroup_ids 3, 2,
2022-01-11T14:15:22 [D|app|7bae0c9b] Post-login processing for johnsmith
Looks like at login the filter `(memberuid=johnsmith)` is used, which will only find `posixGroup` and not `groupOfUniqueNames`, which is what I use.
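The difference between the two code paths in the posted log can be reproduced with a small Ruby example. This is an added illustration, not Foreman's or ldap_fluff's code: it builds the `(memberUid=...)` filter seen in the login path, builds an alternative filter that also covers `groupOfNames` (`member`) and `groupOfUniqueNames` (`uniqueMember`), and evaluates both against a constructed in-memory directory with a tiny evaluator for equality and OR filters. The directory entries, the user DN, and the function names are all assumptions made for the example; it also escapes filter values per RFC 4515, because the uid at login is user-supplied input.

```ruby
# Added example (not Foreman's code). Constructed sample directory below:
# three groups of three different schemas, with "johnsmith" a member of two.

# RFC 4515 escaping for values interpolated into a filter. The uid comes from
# the login form, so interpolating it raw would allow filter injection
# (e.g. a uid of "*" matching every group).
def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

def unescape_filter_value(value)
  value.gsub(/\\([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# The filter visible in the login path of the posted log: memberUid is a
# posixGroup attribute, so groupOfUniqueNames/groupOfNames never match.
def login_filter(uid)
  "(memberUid=#{escape_filter_value(uid)})"
end

# A membership filter covering the three common group schemas. Assumption:
# the user's DN is already known (resolved when the user was looked up).
def full_membership_filter(uid, user_dn)
  u = escape_filter_value(uid)
  d = escape_filter_value(user_dn)
  "(|(memberUid=#{u})(member=#{d})(uniqueMember=#{d}))"
end

# Minimal parser for the filter subset used here: "(attr=value)" and "(|...)".
# Returns [:eq, attr, value] or [:or, [subfilters]].
def parse_filter(str)
  s = str.strip
  raise ArgumentError, "bad filter: #{str}" unless s.start_with?('(') && s.end_with?(')')
  inner = s[1..-2]
  if inner.start_with?('|')
    parts = []
    depth = 0
    start = nil
    inner[1..-1].each_char.with_index(1) do |ch, i|
      if ch == '('
        start = i if depth.zero?
        depth += 1
      elsif ch == ')'
        depth -= 1
        parts << inner[start..i] if depth.zero?
      end
    end
    [:or, parts.map { |p| parse_filter(p) }]
  else
    attr, val = inner.split('=', 2)
    [:eq, attr.downcase, unescape_filter_value(val)]
  end
end

# Entries are hashes with lower-cased attribute names and array values;
# LDAP attribute names and the DN/uid values here compare case-insensitively.
def matches?(node, entry)
  case node[0]
  when :or then node[1].any? { |n| matches?(n, entry) }
  when :eq then entry.fetch(node[1], []).any? { |v| v.casecmp?(node[2]) }
  end
end

# Returns the cn of every group entry the filter matches, in directory order.
def groups_for(filter, directory)
  node = parse_filter(filter)
  directory.select { |e| matches?(node, e) }.map { |e| e['cn'].first }
end

JOHN_DN = 'uid=johnsmith,ou=People,dc=example,dc=com'.freeze

# Constructed sample data (not from the bug report).
DIRECTORY = [
  { 'cn' => ['unix-admins'], 'objectclass' => ['posixGroup'],
    'memberuid' => %w[johnsmith alice] },
  { 'cn' => ['my-ldap-group'], 'objectclass' => ['groupOfUniqueNames'],
    'uniquemember' => [JOHN_DN] },
  { 'cn' => ['ops'], 'objectclass' => ['groupOfNames'],
    'member' => ['uid=alice,ou=People,dc=example,dc=com'] }
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "login filter:  #{groups_for(login_filter('johnsmith'), DIRECTORY).inspect}"
  puts "full filter:   #{groups_for(full_membership_filter('johnsmith', JOHN_DN), DIRECTORY).inspect}"
  puts "escaped uid:   #{login_filter('*')}"
end
```

Run stand-alone, the login-style filter returns only `unix-admins` (the `posixGroup`), while the schema-aware filter also returns `my-ldap-group`, which matches the symptom in the report: a user whose only group is a `groupOfUniqueNames` ends up with no groups after the login-time sync, and the manual refresh (which in the log looks the group up by `cn` and then checks its `objectClass`) restores it. The escaping helper is the check a practitioner would want in any code that builds this filter from a login name.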