Details
-
Improvement
-
Resolution: Fixed
-
Minor
-
None
-
Professional Edition
-
None
Description
Problem description
When integrating Observium with LDAP that has strong requirement of group nesting and usage of "groupOfNames", ran into following issues:
- When groups are recursively fetched from LDAP (i.e. uid=admin is member of cn=system_admins, and cn=system_admins is member of cn=observium_admins which is used to get privileges in Observium interface), upon 2nd iteration I received not "cn=system_admins", but just "c" this is due to a fact that ldap_search_user function referenced "$element[$config['auth_ldap_attr']['dn']][0]" instead of just "$element[$config['auth_ldap_attr']['dn']]";
- When group search is performed ldap_filter_create function uses fixed value of "group" for objectClass, but the LDAP I integrated with uses "groupOfNames".
Proposed solution
Use not "$element[$config['auth_ldap_attr']['dn']]" and not "$element[$config['auth_ldap_attr']['dn']][0]" to fix recursive group search.
Introduce "$config['auth_ldap_attr']['group']" variable in config to fix different names of group attribute in LDAP. Use default value of "group" for this variable to avoid breaking existing installations.
Attached patch fixes both of them.
Attachments
Issue Links
- relates to
-
OBS-3310 LDAP Recursion broken
-
- Closed
-
Activity
| Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
| Resolution | New: Fixed [ 1 ] | |
| Status | Original: Reopened [ 4 ] | New: Resolved [ 5 ] |
| Resolution | Original: Fixed [ 1 ] | |
| Status | Original: Closed [ 6 ] | New: Reopened [ 4 ] |
| Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
| Resolution | New: Fixed [ 1 ] | |
| Status | Original: In Progress [ 3 ] | New: Resolved [ 5 ] |
Thanks, fixed in r10291.
Seems as $element[$config['auth_ldap_attr']['dn']][0] leaved by mistake after refactoring 
| Status | Original: In Review [ 10101 ] | New: In Progress [ 3 ] |
Hi Mike,
Everything is fine for authentication against OpenLDAP in r10400.