Details
- Improvement
- Resolution: Fixed
- Trivial
- None
- Professional Edition
- Observium r9631
Description
When signing in to Observium, the current LDAP authentication module first binds to the LDAP server with the configured bind credentials (or, if none are configured, with the credentials supplied by the user), runs a lookup to determine the user's DN, and then re-binds as that user to verify the credentials.
After the user's credentials have been verified, Observium tries to resolve the group memberships of that user with a forward group-membership lookup, or in LDAP terms:
    COMPARE entry=<GroupDN> attrName=<config[auth_ldap_groupmemberattr]> attrValue=<UserDN>
While this works fine for most LDAP server implementations, Novell eDirectory offers a mode in which special permissions apply to group membership information:
- A normal user is unable to query the members of a group, for security reasons (forward lookup, as currently done by Observium)
- A normal user is unable to query the group memberships of any user other than themselves (reverse lookup, not currently done by Observium)
- A normal user is able to query their own group memberships on their own object, e.g. via the "memberOf" attribute
This patch adds a configuration boolean, auth_ldap_groupreverse, which when enabled makes Observium use reverse lookups instead of forward lookups to resolve group membership information. The new option defaults to FALSE, so existing installations are completely unaffected. If the option is set to TRUE, the LDAP query becomes:
    COMPARE entry=<UserDN> attrName=<config[auth_ldap_attr][memberOf]> attrValue=<GroupDN>
Some discussion already happened on the Observium IRC with @sid3windr, and this is a first proposal for how this feature could be implemented. Please note that this patch does not work in stable, as it relies on OBS-2825, which is only present in trunk.
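The sign-in flow and both lookup directions, as an added worked example that is not Observium's code and not the patch attached to this issue. A small in-memory directory stands in for the LDAP server and enforces the eDirectory-style rules listed above, so the forward and reverse COMPAREs can be run offline and their outcomes compared. Only auth_ldap_groupmemberattr, auth_ldap_attr['memberOf'] and auth_ldap_groupreverse come from this issue; the other config keys, the DNs, passwords and directory entries are constructed for illustration, and "groupMembership" is assumed here as the eDirectory attribute that plays the memberOf role.

```python
# Forward vs. reverse LDAP group-membership resolution, modelled on the
# Observium sign-in flow described in this issue.  Added example, not
# Observium code: the in-memory directory, its eDirectory-style ACL, all DNs,
# passwords and every config key except auth_ldap_groupmemberattr,
# auth_ldap_attr['memberOf'] and auth_ldap_groupreverse are assumptions.

ERROR = None  # compare outcome for an LDAP error (cf. PHP ldap_compare() returning -1)


class Directory:
    """Tiny in-memory LDAP stand-in: bind, equality search and compare, with an
    optional eDirectory-style restriction on reading group data."""

    def __init__(self, entries, service_dn, edirectory_mode,
                 protected_attrs=("member", "groupMembership")):
        self.entries = entries              # dn -> {attribute: [values]}
        self.service_dn = service_dn        # configured bind account: unrestricted
        self.edirectory_mode = edirectory_mode
        self.protected_attrs = protected_attrs
        self.bound_as = None                # DN of the current bind, None = anonymous

    def bind(self, dn, password):
        """Simple bind.  An empty password is rejected explicitly: on a real server it
        would succeed as an *unauthenticated* bind and look like a valid login."""
        entry = self.entries.get(dn)
        if not password or entry is None or password not in entry.get("userPassword", []):
            self.bound_as = None
            return False
        self.bound_as = dn
        return True

    def _may_read(self, dn, attr):
        """eDirectory mode as described in the issue: a normal user may read the
        protected attributes only on its own object; the service account is exempt."""
        if not self.edirectory_mode or self.bound_as == self.service_dn:
            return True
        if attr in self.protected_attrs:
            return self.bound_as == dn
        return True

    def search_equality(self, base, attr, value):
        """DNs under `base` whose `attr` holds exactly `value`.  Stands in for an
        (attr=value) filter; a real client must escape `value` (RFC 4515) first."""
        return [dn for dn, e in self.entries.items()
                if dn.endswith("," + base) and value in e.get(attr, [])]

    def compare(self, dn, attr, value):
        """LDAP compare: True/False, or ERROR when the entry does not exist or the
        bound identity is not allowed to read the attribute."""
        entry = self.entries.get(dn)
        if entry is None or not self._may_read(dn, attr):
            return ERROR
        return value in entry.get(attr, [])


def resolve_groups(ldap, config, user_dn):
    """Check each configured group in the direction chosen by auth_ldap_groupreverse.
    Returns (groups the user is in, groups whose check errored).  An error is
    reported separately and never silently treated as 'not a member'."""
    member_of, failed = [], []
    for group_dn in config["auth_ldap_groups"]:
        if config["auth_ldap_groupreverse"]:
            # COMPARE entry=<UserDN> attrName=<config[auth_ldap_attr][memberOf]> attrValue=<GroupDN>
            result = ldap.compare(user_dn, config["auth_ldap_attr"]["memberOf"], group_dn)
        else:
            # COMPARE entry=<GroupDN> attrName=<config[auth_ldap_groupmemberattr]> attrValue=<UserDN>
            result = ldap.compare(group_dn, config["auth_ldap_groupmemberattr"], user_dn)
        if result is ERROR:
            failed.append(group_dn)
        elif result:
            member_of.append(group_dn)
    return member_of, failed


def ldap_login(ldap, config, username, password):
    """The flow from the issue: bind with the configured credentials, look up the
    user's DN, re-bind as the user (the real credential check), resolve groups.
    Returns (user_dn, member_of, failed), or None when authentication fails."""
    if not ldap.bind(config["auth_ldap_binddn"], config["auth_ldap_bindpw"]):
        return None
    matches = ldap.search_equality(config["auth_ldap_suffix"],
                                   config["auth_ldap_attr"]["uid"], username)
    if len(matches) != 1:            # unknown or ambiguous user: refuse
        return None
    user_dn = matches[0]
    if not ldap.bind(user_dn, password):
        return None
    member_of, failed = resolve_groups(ldap, config, user_dn)
    return user_dn, member_of, failed


# Constructed sample config and directory (assumed values, not from the issue).
CONFIG = {
    "auth_ldap_binddn": "cn=observium,ou=svc,o=example",
    "auth_ldap_bindpw": "svc-secret",
    "auth_ldap_suffix": "ou=people,o=example",
    "auth_ldap_attr": {"uid": "uid", "memberOf": "groupMembership"},  # eDirectory's memberOf role
    "auth_ldap_groupmemberattr": "member",
    "auth_ldap_groups": ["cn=netadmins,ou=groups,o=example", "cn=readonly,ou=groups,o=example"],
    "auth_ldap_groupreverse": False,   # the new option; FALSE keeps the forward lookup
}
ENTRIES = {
    "cn=observium,ou=svc,o=example": {"userPassword": ["svc-secret"]},
    "cn=alice,ou=people,o=example": {"uid": ["alice"], "userPassword": ["alice-pw"],
                                     "groupMembership": ["cn=netadmins,ou=groups,o=example"]},
    "cn=bob,ou=people,o=example": {"uid": ["bob"], "userPassword": ["bob-pw"],
                                   "groupMembership": ["cn=readonly,ou=groups,o=example"]},
    "cn=netadmins,ou=groups,o=example": {"member": ["cn=alice,ou=people,o=example"]},
    "cn=readonly,ou=groups,o=example": {"member": ["cn=bob,ou=people,o=example"]},
}


def demo(edirectory_mode, groupreverse, username="alice", password="alice-pw"):
    """Run one login against a fresh directory in the given server mode/lookup mode."""
    ldap = Directory(ENTRIES, CONFIG["auth_ldap_binddn"], edirectory_mode)
    return ldap_login(ldap, dict(CONFIG, auth_ldap_groupreverse=groupreverse), username, password)


if __name__ == "__main__":
    for edir, rev in [(False, False), (True, False), (True, True)]:
        print(f"eDirectory mode={edir} groupreverse={rev}: {demo(edir, rev)}")
```

The case to watch is eDirectory mode with the default forward lookup: every COMPARE against the group objects comes back as an access error, not as "false", so the code above reports both groups in the `failed` list instead of logging the user in with an empty group set. A port of this logic into a real client should keep that distinction (in PHP, `ldap_compare()` returns -1 rather than false on error) and should escape the username before building the search filter.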
Issue Links
- mentions OBS-2825 LDAP: Support custom memberOf attribute (Closed)