OBS-2829

LDAP: Support reverse group membership lookup

Details

    • Improvement
    • Resolution: Fixed
    • Trivial
    • None
    • Professional Edition
    • Authentication
    • Observium r9631

    Description

      When signing in to Observium, the current LDAP authentication module first binds to the LDAP server with the configured bind credentials (or with the credentials passed by the user, if none are configured), executes a lookup to determine the user DN, and then re-binds as the user itself to verify the credentials.

      After the user credentials have been successfully verified, Observium tries to resolve the group memberships of that specific user by using a forward group membership lookup, or in LDAP slang:

      COMPARE entry=<GroupDN> attrName=<config[auth_ldap_groupmemberattr]> attrValue=<UserDN>

      While this works great for most LDAP server implementations, Novell eDirectory offers a mode where special permissions apply for accessing group membership information:

      1. A normal user is unable to query the members of a group, for security purposes (forward lookup, as done by Observium)
      2. A normal user is unable to query the group memberships of any user other than himself (reverse lookup, not currently done by Observium)
      3. A normal user is able to query his own groups on his own object, e.g. with the "memberOf" attribute

      This patch adds a configuration boolean auth_ldap_groupreverse, which, when enabled, makes Observium use reverse lookups instead of forward lookups for resolving group membership information. The new configuration option is set to FALSE by default, so existing installations are completely unaffected. If the option is set to TRUE, the LDAP query now looks like:

      COMPARE entry=<UserDN> attrName=<config[auth_ldap_attr][memberOf]> attrValue=<GroupDN>

      Some discussion has already happened on the Observium IRC with @sid3windr, and this is a first proposal for how this feature could be implemented. Please note that this patch does not work in stable, as it relies on OBS-2825, which is only present in trunk.
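The two COMPARE shapes above, run against a small simulated directory, as an added example that is not part of the issue or of Observium's code. It models the three eDirectory permission rules listed in the description as an access-control function, so the forward COMPARE on the group entry is refused for a user-bound connection while the reverse COMPARE on the user's own entry succeeds. The configuration keys follow the names used in the issue; the directory contents, the attribute names "member" and "memberOf", and the helper names are assumptions made for this example.

```python
"""Forward vs. reverse LDAP group-membership lookup, simulated offline.

Added example, not Observium code: a toy directory plus an eDirectory-like
ACL model, showing why a forward COMPARE on the group entry fails for a
connection bound as the user while a reverse COMPARE on the user entry works.
"""


class InsufficientAccess(Exception):
    """Stands in for LDAP result code 50 (insufficientAccessRights)."""


# Constructed sample directory: DN -> {attribute: set(values)}.  User entries
# carry the back-link attribute ("memberOf"), group entries the forward
# attribute ("member").  Both names are assumptions for this example.
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {
        "memberOf": {"cn=observium-admins,ou=groups,dc=example,dc=com"},
    },
    "cn=bob,ou=people,dc=example,dc=com": {
        "memberOf": {"cn=observium-users,ou=groups,dc=example,dc=com"},
    },
    "cn=observium-admins,ou=groups,dc=example,dc=com": {
        "member": {"cn=alice,ou=people,dc=example,dc=com"},
    },
    "cn=observium-users,ou=groups,dc=example,dc=com": {
        "member": {"cn=bob,ou=people,dc=example,dc=com"},
    },
}

# Settings named after the keys in the issue; the attribute values are assumed.
CONFIG = {
    "auth_ldap_groupreverse": False,
    "auth_ldap_groupmemberattr": "member",
    "auth_ldap_attr": {"memberOf": "memberOf"},
}


def edirectory_may_read(bound_dn, entry_dn, attr):
    """ACL model of the three rules in the issue: a normal user may read
    membership information only on its own entry."""
    if attr == "member":        # rule 1: group member lists are hidden
        return False
    if attr == "memberOf":      # rules 2 and 3: own entry only
        return bound_dn == entry_dn
    return True


def permissive_may_read(bound_dn, entry_dn, attr):
    """ACL model of a server that lets any bound user read membership."""
    return True


def ldap_compare(bound_dn, entry_dn, attr, value, may_read):
    """Simulated LDAP COMPARE: True/False, or InsufficientAccess when the
    ACL model denies the bound identity a read of that attribute."""
    if not may_read(bound_dn, entry_dn, attr):
        raise InsufficientAccess(f"{bound_dn} may not read {attr} on {entry_dn}")
    return value in DIRECTORY.get(entry_dn, {}).get(attr, set())


def resolve_groups(config, user_dn, candidate_groups, may_read):
    """Return the candidate groups the user belongs to, using the direction
    selected by auth_ldap_groupreverse.  The connection is assumed to be
    bound as the user, as Observium does after verifying the password."""
    member_attr = config["auth_ldap_groupmemberattr"]
    reverse_attr = config["auth_ldap_attr"]["memberOf"]
    groups = []
    for group_dn in candidate_groups:
        if config["auth_ldap_groupreverse"]:
            # reverse: COMPARE entry=<UserDN> attr=memberOf value=<GroupDN>
            hit = ldap_compare(user_dn, user_dn, reverse_attr, group_dn, may_read)
        else:
            # forward: COMPARE entry=<GroupDN> attr=member value=<UserDN>
            hit = ldap_compare(user_dn, group_dn, member_attr, user_dn, may_read)
        if hit:
            groups.append(group_dn)
    return groups


def demo():
    """Run both directions against both ACL models for alice."""
    alice = "cn=alice,ou=people,dc=example,dc=com"
    candidates = [dn for dn in DIRECTORY if ",ou=groups," in dn]
    forward = dict(CONFIG, auth_ldap_groupreverse=False)
    reverse = dict(CONFIG, auth_ldap_groupreverse=True)
    results = {
        "forward_permissive": resolve_groups(forward, alice, candidates, permissive_may_read),
        "reverse_permissive": resolve_groups(reverse, alice, candidates, permissive_may_read),
    }
    try:
        resolve_groups(forward, alice, candidates, edirectory_may_read)
        results["forward_edirectory"] = "unexpectedly allowed"
    except InsufficientAccess as exc:
        results["forward_edirectory"] = f"denied: {exc}"
    results["reverse_edirectory"] = resolve_groups(reverse, alice, candidates, edirectory_may_read)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On the permissive model both directions return the same group list; on the eDirectory-like model the forward lookup is refused on the first COMPARE and only the reverse lookup resolves the groups. One check worth making before turning the reverse option on for real: the reverse COMPARE trusts the membership attribute on the user's own entry, so it is only as trustworthy as that attribute. Where the server maintains it as a back-link (the eDirectory case described above) that is fine; if users can write the attribute on their own entry, a user could assert membership in a group they do not belong to, and the forward lookup should be kept.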

          Activity


            sid3windr Tom Laermans added a comment:
            Committed in r9700. Thanks - once the module gets rewritten, config options will likely be restructured, but I'll try not to forget to keep this possibility in.

            snapserv Pascal Mathis added a comment:
            Is there any update on this? We would like to continue on the official Observium branch instead of having a monkey-patched release running.

            snapserv Pascal Mathis added a comment:
            @landy Sure, I agree with your opinion and we are using bind credentials as well. This however is not related to this issue, as Observium will still bind as the user to verify his credentials after binding with the bind/technical user, which leads to Observium being unable to read the group memberships due to the specific permissions implemented in LDAP servers like Novell eDirectory.

            I have already discussed this with @sid3windr in IRC - it would have been nice to avoid re-binding completely, but this would require a complete refactor of the whole LDAP authentication module, as it was only designed for one connection due to the use of globals. This patch merely adds support for reading the groups directly from the user object, which might benefit other users as well, as there are unfortunately a thousand ways to represent things in LDAP...

            landy Mike Stupalov added a comment:
            I think we always need to use the bind user. Using the user itself as the bind user is a poor way and is there just for compatibility with the first implementations of this auth module.

            People

              sid3windr Tom Laermans
              snapserv Pascal Mathis