[OBS-1684] Normal users cant see anything they have access to - Observium

Details

Type: Bug
Resolution: Fixed
Priority: Major
Fix Version/s: None
Affects Version/s: Professional Edition
Component/s: Web Interface
Labels:
None
Environment:
Debian with LDAP authentication
All members in observium_user
to grant more acces added to observium_admin or observium_global_read

Description

i added a couple normal users and added them to have access to a whole group. when i did that they logged in and saw no devices. so i tried giving them permissions to individual devices and they still couldn't see anything.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

HowISetNormalUsersLDAPpermissions.png
69 kB
2016/02/03 11:54 PM
LDAPconfig
1 kB
2016/02/03 11:45 PM
NormalUserViewOnSignIn.png
237 kB
2016/02/03 11:54 PM

Issue Links

is mentioned by

OBS-4097 LDAP user don't see assigned devices

In Review

Activity

[OBS-1684] Normal users cant see anything they have access to

Spencer Schrader added a comment - 2016/02/05 03:10 AM

You are correct i miss read #534. There is no way for these normal users to see any devices

Spencer Schrader added a comment - 2016/02/05 03:10 AM You are correct i miss read #534. There is no way for these normal users to see any devices

Spencer Schrader added a comment - 2016/02/05 03:09 AM

Yes, i believe it is an issue with observium not attaching the permissions at login. The part of the screenshot that was not included is that the user is listed as a "Normal User". so the LDAP authentication is working fine. They are able to log in just not getting the permissions that they were given(cant see devices admin allowed), which is why i think it is a bug. The authentication is working properly. I just didnt know if there is a different way permissions were assigned to ldap users compared to mysql users.

Spencer Schrader added a comment - 2016/02/05 03:09 AM Yes, i believe it is an issue with observium not attaching the permissions at login. The part of the screenshot that was not included is that the user is listed as a "Normal User". so the LDAP authentication is working fine. They are able to log in just not getting the permissions that they were given(cant see devices admin allowed), which is why i think it is a bug. The authentication is working properly. I just didnt know if there is a different way permissions were assigned to ldap users compared to mysql users.

Adam Armstrong added a comment - 2016/02/05 03:03 AM

Also, this has absolutely nothing to do with #534.

Adam Armstrong added a comment - 2016/02/05 03:03 AM Also, this has absolutely nothing to do with #534.

Adam Armstrong added a comment - 2016/02/05 03:02 AM

Though, I'm not sure this is actually related to LDAP at all. If the user is able to log in, and Observium allows you to edit settings for the user (which we can't actually verify since you thought it useful to only post 1/3rd of screenshots), it's probably more related to Observium not attaching to permissions to the user at login time, which would be... odd.

Adam Armstrong added a comment - 2016/02/05 03:02 AM Though, I'm not sure this is actually related to LDAP at all. If the user is able to log in, and Observium allows you to edit settings for the user (which we can't actually verify since you thought it useful to only post 1/3rd of screenshots), it's probably more related to Observium not attaching to permissions to the user at login time, which would be... odd.

Adam Armstrong added a comment - 2016/02/05 03:00 AM

This should better be directed to the mailing list where might find someone who has made LDAP work properly.

Neither Mike nor myself use LDAP.

Adam Armstrong added a comment - 2016/02/05 03:00 AM This should better be directed to the mailing list where might find someone who has made LDAP work properly. Neither Mike nor myself use LDAP.

Spencer Schrader added a comment - 2016/02/05 02:58 AM

This is identical to issue #534 that was "already fixed"

Spencer Schrader added a comment - 2016/02/05 02:58 AM This is identical to issue #534 that was "already fixed"

Spencer Schrader added a comment - 2016/02/05 02:16 AM

with active directory it has to have the full path to the group

Spencer Schrader added a comment - 2016/02/05 02:16 AM with active directory it has to have the full path to the group

Spencer Schrader added a comment - 2016/02/05 02:13 AM

I set it up EXACTLY how documentation states. http://www.observium.org/docs/authentication/ these are the examples that are on that page
$config['auth_ldap_groups']['CN=Observium Admins,OU=Groups,DC=example,DC=COM']['level'] = 10;
$config['auth_ldap_groups']['CN=Observium Users,OU=Groups,DC=example,DC=COM']['level'] = 1;
Mine is exactly like this...

Spencer Schrader added a comment - 2016/02/05 02:13 AM I set it up EXACTLY how documentation states. http://www.observium.org/docs/authentication/ these are the examples that are on that page $config ['auth_ldap_groups'] ['CN=Observium Admins,OU=Groups,DC=example,DC=COM'] ['level'] = 10; $config ['auth_ldap_groups'] ['CN=Observium Users,OU=Groups,DC=example,DC=COM'] ['level'] = 1; Mine is exactly like this...

Mike Stupalov added a comment - 2016/02/04 11:58 PM

you use incorrect group names, as I see.

group name should be simple name ie "Observium_Admins":

 $config['auth_ldap_groups']['Observium_Admins']['level'] = 10;

 $config['auth_ldap_groups']['Observium_Global_Read']['level'] = 7;

 $config['auth_ldap_groups']['Observium_Users']['level'] = 1;

Mike Stupalov added a comment - 2016/02/04 11:58 PM you use incorrect group names, as I see. group name should be simple name ie "Observium_Admins": $config['auth_ldap_groups']['Observium_Admins']['level'] = 10; $config['auth_ldap_groups']['Observium_Global_Read']['level'] = 7; $config['auth_ldap_groups']['Observium_Users']['level'] = 1;

Spencer Schrader added a comment - 2016/02/03 11:55 PM

I also included a screenshot of what i set for permissions and then sent a screenshot of what that user sees

Spencer Schrader added a comment - 2016/02/03 11:55 PM I also included a screenshot of what i set for permissions and then sent a screenshot of what that user sees

Spencer Schrader added a comment - 2016/02/03 11:46 PM

for the ldap group access is set to 1. then i go to edit user and have tried allowing them access to a "group of servers" using "group permissions" and to individual "device permissions" and they cant see anything that i gave their ldap account permissions to view.
Here is my config file for ldap settings LDAPconfig

Spencer Schrader added a comment - 2016/02/03 11:46 PM for the ldap group access is set to 1. then i go to edit user and have tried allowing them access to a "group of servers" using "group permissions" and to individual "device permissions" and they cant see anything that i gave their ldap account permissions to view. Here is my config file for ldap settings LDAPconfig

People

Assignee:: Mike Stupalov

Reporter:: Spencer Schrader

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2016/02/03 02:36 AM

Updated:: 2022/04/28 02:23 PM

Resolved:: 2016/05/26 01:40 AM