[OBS-1684] Normal users cant see anything they have access to - Observium

Details

Type: Bug
Resolution: Fixed
Priority: Major
Fix Version/s: None
Affects Version/s: Professional Edition
Component/s: Web Interface
Labels:
None
Environment:
Debian with LDAP authentication
All members in observium_user
to grant more acces added to observium_admin or observium_global_read

Description

i added a couple normal users and added them to have access to a whole group. when i did that they logged in and saw no devices. so i tried giving them permissions to individual devices and they still couldn't see anything.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

HowISetNormalUsersLDAPpermissions.png
69 kB
2016/02/03 11:54 PM
LDAPconfig
1 kB
2016/02/03 11:45 PM
NormalUserViewOnSignIn.png
237 kB
2016/02/03 11:54 PM

Issue Links

is mentioned by

OBS-4097 LDAP user don't see assigned devices

In Review

Activity

[OBS-1684] Normal users cant see anything they have access to

Mike Stupalov added a comment - 2016/02/05 04:04 AM

I tested my own LDAP config and normal user groups and permissions.
All worked fine, I not found any issues. But I not use AD and not tested with it.

Also as I see, you use lowercase 'cn=', 'ou=', 'dc='.. I not sure but AD can be case-sensitive and you should use uppercase 'OU='.

Anyway, this is just troubles with your config, ask in maillist for people who used AD integration.

Mike Stupalov added a comment - 2016/02/05 04:04 AM I tested my own LDAP config and normal user groups and permissions. All worked fine, I not found any issues. But I not use AD and not tested with it. Also as I see, you use lowercase 'cn=', 'ou=', 'dc='.. I not sure but AD can be case-sensitive and you should use uppercase 'OU='. Anyway, this is just troubles with your config, ask in maillist for people who used AD integration.

Spencer Schrader added a comment - 2016/02/05 03:19 AM

I didnt think it was relevant to give the full screenshot since i cant get a screenshot that shows the dashboard AND who is signed in since this information is not displayed. I will post in this mailing list and hope they are more trusting that i am correctly authenticating since i am in fact logged in.

Spencer Schrader added a comment - 2016/02/05 03:19 AM I didnt think it was relevant to give the full screenshot since i cant get a screenshot that shows the dashboard AND who is signed in since this information is not displayed. I will post in this mailing list and hope they are more trusting that i am correctly authenticating since i am in fact logged in.

Adam Armstrong added a comment - 2016/02/05 03:11 AM

The person you need to ask can't see any of these replies. You need to go to the mailing list :>

When providing screenshots you need to provide the entire screen. We can't verify that the usernames match, so for all we know, you're just being incredibly careless

Adam Armstrong added a comment - 2016/02/05 03:11 AM The person you need to ask can't see any of these replies. You need to go to the mailing list :> When providing screenshots you need to provide the entire screen. We can't verify that the usernames match, so for all we know, you're just being incredibly careless

Spencer Schrader added a comment - 2016/02/05 03:10 AM

You are correct i miss read #534. There is no way for these normal users to see any devices

Spencer Schrader added a comment - 2016/02/05 03:10 AM You are correct i miss read #534. There is no way for these normal users to see any devices

Spencer Schrader added a comment - 2016/02/05 03:09 AM

Yes, i believe it is an issue with observium not attaching the permissions at login. The part of the screenshot that was not included is that the user is listed as a "Normal User". so the LDAP authentication is working fine. They are able to log in just not getting the permissions that they were given(cant see devices admin allowed), which is why i think it is a bug. The authentication is working properly. I just didnt know if there is a different way permissions were assigned to ldap users compared to mysql users.

Spencer Schrader added a comment - 2016/02/05 03:09 AM Yes, i believe it is an issue with observium not attaching the permissions at login. The part of the screenshot that was not included is that the user is listed as a "Normal User". so the LDAP authentication is working fine. They are able to log in just not getting the permissions that they were given(cant see devices admin allowed), which is why i think it is a bug. The authentication is working properly. I just didnt know if there is a different way permissions were assigned to ldap users compared to mysql users.

Adam Armstrong added a comment - 2016/02/05 03:03 AM

Also, this has absolutely nothing to do with #534.

Adam Armstrong added a comment - 2016/02/05 03:03 AM Also, this has absolutely nothing to do with #534.

Adam Armstrong added a comment - 2016/02/05 03:02 AM

Though, I'm not sure this is actually related to LDAP at all. If the user is able to log in, and Observium allows you to edit settings for the user (which we can't actually verify since you thought it useful to only post 1/3rd of screenshots), it's probably more related to Observium not attaching to permissions to the user at login time, which would be... odd.

Adam Armstrong added a comment - 2016/02/05 03:02 AM Though, I'm not sure this is actually related to LDAP at all. If the user is able to log in, and Observium allows you to edit settings for the user (which we can't actually verify since you thought it useful to only post 1/3rd of screenshots), it's probably more related to Observium not attaching to permissions to the user at login time, which would be... odd.

Adam Armstrong added a comment - 2016/02/05 03:00 AM

This should better be directed to the mailing list where might find someone who has made LDAP work properly.

Neither Mike nor myself use LDAP.

Adam Armstrong added a comment - 2016/02/05 03:00 AM This should better be directed to the mailing list where might find someone who has made LDAP work properly. Neither Mike nor myself use LDAP.

Spencer Schrader added a comment - 2016/02/05 02:58 AM

This is identical to issue #534 that was "already fixed"

Spencer Schrader added a comment - 2016/02/05 02:58 AM This is identical to issue #534 that was "already fixed"

Spencer Schrader added a comment - 2016/02/05 02:16 AM

with active directory it has to have the full path to the group

Spencer Schrader added a comment - 2016/02/05 02:16 AM with active directory it has to have the full path to the group

Spencer Schrader added a comment - 2016/02/05 02:13 AM

I set it up EXACTLY how documentation states. http://www.observium.org/docs/authentication/ these are the examples that are on that page
$config['auth_ldap_groups']['CN=Observium Admins,OU=Groups,DC=example,DC=COM']['level'] = 10;
$config['auth_ldap_groups']['CN=Observium Users,OU=Groups,DC=example,DC=COM']['level'] = 1;
Mine is exactly like this...

Spencer Schrader added a comment - 2016/02/05 02:13 AM I set it up EXACTLY how documentation states. http://www.observium.org/docs/authentication/ these are the examples that are on that page $config ['auth_ldap_groups'] ['CN=Observium Admins,OU=Groups,DC=example,DC=COM'] ['level'] = 10; $config ['auth_ldap_groups'] ['CN=Observium Users,OU=Groups,DC=example,DC=COM'] ['level'] = 1; Mine is exactly like this...

People

Assignee:: Mike Stupalov

Reporter:: Spencer Schrader

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2016/02/03 02:36 AM

Updated:: 2022/04/28 02:23 PM

Resolved:: 2016/05/26 01:40 AM