Details

    • New Feature
    • Resolution: Unresolved
    • Major
    • None
    • Professional Edition
    • Web Interface
    • centos8, php 7.2, Observium 22.4.11952

    Description

As described before in ticket OBS-1684: I assign read-only devices to users authenticated via LDAP. But when they log in, their page is empty (no device listed).

I tried to assign users to a role which contains a set of devices, tried to assign some devices directly, logged out and logged in again - nothing helps.

We're using a standard LDAP; all users are listed, so I have no idea anymore and it looks like a bug.

      Attachments

        1. image-2022-04-29-15-27-35-965.png
          324 kB
          Adam Armstrong
        2. image-2022-04-29-15-28-01-258.png
          396 kB
          Adam Armstrong
        3. image-2022-04-29-15-28-32-069.png
          284 kB
          Adam Armstrong
        4. image-2022-04-29-15-29-14-952.png
          343 kB
          Adam Armstrong
        5. Screenshot 2022-04-28 at 15.13.00.png
          282 kB
          Rajko Albrecht
        6. Screenshot 2022-04-29 at 13.17.15.png
          14 kB
          Rajko Albrecht
        7. Screenshot 2022-04-29 at 13.22.08.png
          171 kB
          Rajko Albrecht
        8. Screenshot 2022-04-29 at 14.00.19.png
          467 kB
          Rajko Albrecht
        9. Screenshot 2022-04-29 at 18.20.56.png
          323 kB
          Rajko Albrecht
        10. Screenshot 2022-04-29 at 18.52.15.png
          116 kB
          Rajko Albrecht
        11. Screenshot 2022-04-29 at 19.00.31.png
          121 kB
          Rajko Albrecht

        Issue Links

          Activity

            [OBS-4097] LDAP user don't see assigned devices

yes, in config.php

sorry for late answers, I was away.

albrecht Rajko Albrecht added a comment

Just to be sure, where did you set these configs? In the config.php file?

landy Mike Stupalov added a comment
albrecht Rajko Albrecht added a comment - edited

            $config['auth_ldap_binddn'] = "uid=ldapservice,ou=Users,o=<identifiercode>,dc=jumpcloud,dc=com";
            $config['auth_ldap_bindpw'] = "<topsecret>";
            $config['auth_ldap_bindanonymous'] = FALSE;
            $config['auth_ldap_server'] = "ldap.jumpcloud.com";
            $config['auth_ldap_port'] = 389;
            $config['auth_ldap_starttls'] = TRUE;
$config['auth_ldap_version'] = 3; # v2 or v3
$config['auth_ldap_suffix'] = ",ou=Users,o=<identifiercode>,dc=jumpcloud,dc=com";
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_attr']['uidNumber'] = "uidNumber";
$config['auth_ldap_attr']['mail'] = "email";
#$config['auth_ldap_objectclass'] = "posixAccount";
$config['auth_ldap_attr']['group'] = "posixgroup";
#$config['auth_ldap_group']  = array("cn=itadmin,ou=Users,o=<identifiercode>,dc=jumpcloud,dc=com");
            #$config['auth_ldap_group']  = array("cn=itadmin,ou=Users,o=<identifiercode>,dc=jumpcloud,dc=com","cn=github,ou=Users,o=<identifiercode>,dc=jumpcloud,dc=com");
            $config['auth_ldap_groupbase'] = "ou=Users,o=<identifiercode>,dc=jumpcloud,dc=com";
            $config['auth_ldap_groups']['itadmin']['level'] = 10;
            $config['auth_ldap_groups']['github']['level'] = 1;

Here we go.

Some interesting fact: when using group filters (like in the commented lines) then I get absolutely no uidNumber assigned, but I think this is something different, for a future debug. But this isn't that easy for me because I'm not a PHP expert and don't know how to debug PHP in real time like I would with Python.

Hi, can you show the LDAP-related config entries (hide passwords)?

I will try tests on a dev server with the same params.

Strange that the same function does not always return the correct user_id.

landy Mike Stupalov added a comment

Failure user_id should be NULL maybe?

I'm not sure of the purpose of even allowing auth with an unavailable user_id.

adama Adam Armstrong added a comment

found the reason (or a workaround?)

            Index: authenticate.inc.php
            ===================================================================
            --- authenticate.inc.php    (revision 11987)
            +++ authenticate.inc.php    (working copy)
            @@ -284,7 +284,7 @@
               if ($_SESSION['authenticated'])
               {
                 @session_start();
            -    if (!is_numeric($_SESSION['userlevel']) || !is_numeric($_SESSION['user_id']))
            +    if (!is_numeric($_SESSION['userlevel']) || !is_numeric($_SESSION['user_id'] || $_SESSION['user_id']<1))
                 {
                   $_SESSION['userlevel'] = auth_user_level($_SESSION['username']);
                   $_SESSION['user_id']   = auth_user_id($_SESSION['username']); 
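Review bot: the || in the added line is misplaced. In !is_numeric($_SESSION['user_id'] || $_SESSION['user_id']<1) the whole "user_id || user_id<1" expression is evaluated first and its boolean result is what is_numeric() receives; is_numeric() returns false for a bool, so the condition is true on every request and userlevel/user_id are re-resolved via auth_user_level()/auth_user_id() each time, not only when the stored id is invalid. That is why it "works", but it is a per-request re-authentication rather than a fix. The intended condition is !is_numeric($_SESSION['user_id']) || $_SESSION['user_id'] < 1, with the closing parenthesis after the first $_SESSION['user_id']. Rejecting the -1 sentinel in this check is still only treating the symptom; as Adam notes earlier in the thread, the failing lookup should return NULL so the original is_numeric() test already fails.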

-1 is numeric, too. So whatever might have been going wrong before, now the numeric session user id is set. So your LDAP functions are right, I think.

albrecht Rajko Albrecht added a comment

It's set in includes/authenticate.inc.php, which calls the ldap_* functions, but I couldn't work out which bit of all that horrific mess was doing something different to the other bit.

285: $_SESSION['user_id'] = auth_user_id($_SESSION['username']);

authenticate-functions.inc.php :

179: return call_user_func($config['auth_mechanism'] . '_auth_user_id', $username);

Which is 371 in includes/authentication/ldap.inc.php

I suspect that the return of ldap_auth_user_list() used in ldap_auth_user_info() to get $userdata2 doesn't populate user_id properly. Perhaps it's just as simple as calling ldap_auth_user_id in the ldap_auth_user_info() function?

This stuff is such a nightmare to test because we aren't LDAP users.

adama Adam Armstrong added a comment

Yeah - LDAP in PHP is a mess, I understand this (and how frustrating it is). I'll search for the assignment of "$_SESSION['user_id']" and try to track down why the value isn't set correctly.

albrecht Rajko Albrecht added a comment

Got it - with _

l

albrecht Rajko Albrecht added a comment

The code is pretty complicated, but there's a function which is supposed to find the user_id from LDAP; it sets -1 to start, and then tries to replace it with a valid ID. I think this function is failing and never replacing the -1, though I don't know why.

LDAP is a horrible mess to interact with, and we have no real way to test it.

The user_id inserted into _SESSION should come from the same place, so I'm not sure why it isn't working.

adama Adam Armstrong added a comment
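The following is an added illustration of the failure mode the thread is circling (the -1 sentinel that Adam describes here, his earlier suggestion that a failed lookup should yield NULL, and the session check from Rajko's hunk). It is not Observium code: the directory map, the lookup_user_id_* and needs_refresh_* function names and the session array are constructed for this example, and the legacy lookup only mimics the described "start at -1, replace on success" pattern rather than Observium's ldap_auth_user_id().

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the directory: username => LDAP attributes.
// Hypothetical data, not from the reporter's JumpCloud tree.
const FAKE_DIRECTORY = [
    'alice' => ['uidNumber' => '1001'],
    'bob'   => [],                 // account exists but carries no uidNumber
];

// Mimics the pattern described in the thread: start with -1 and replace it
// on success. On failure the sentinel -1 leaks out, and is_numeric(-1) is true.
function lookup_user_id_legacy(string $username): int
{
    $user_id = -1;
    $entry = FAKE_DIRECTORY[$username] ?? [];
    if (isset($entry['uidNumber'])) {
        $user_id = (int) $entry['uidNumber'];
    }
    return $user_id;
}

// Stricter variant: failure is null, never a number, and only a positive
// integer string is accepted as an id.
function lookup_user_id_strict(string $username): ?int
{
    $entry = FAKE_DIRECTORY[$username] ?? [];
    $raw = $entry['uidNumber'] ?? null;
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Positive-integer test for a session value (int or digit string).
function is_valid_user_id($value): bool
{
    if (is_int($value)) {
        return $value > 0;
    }
    return is_string($value) && preg_match('/^[1-9][0-9]*$/', $value) === 1;
}

// 1. Original-style check: numeric is enough, so -1 is accepted as a user id.
function needs_refresh_original(array $s): bool
{
    return !is_numeric($s['userlevel'] ?? null) || !is_numeric($s['user_id'] ?? null);
}

// 2. Shape of the posted hunk: the "|| ... < 1" sits inside is_numeric(), so
//    is_numeric() receives a bool, returns false, and the branch fires on
//    every request regardless of the stored id.
function needs_refresh_as_patched(array $s): bool
{
    $uid = $s['user_id'] ?? null;
    return !is_numeric($s['userlevel'] ?? null) || !is_numeric($uid || $uid < 1);
}

// 3. Intended check: numeric AND positive.
function needs_refresh_strict(array $s): bool
{
    return !is_numeric($s['userlevel'] ?? null) || !is_valid_user_id($s['user_id'] ?? null);
}

// carol is not in the directory at all; bob exists without a uidNumber.
foreach (['alice', 'bob', 'carol'] as $u) {
    $session = ['userlevel' => 1, 'user_id' => lookup_user_id_legacy($u)];
    printf("%-6s legacy=%5d strict=%-4s refresh: original=%-5s patched=%-5s strict=%s\n",
        $u,
        $session['user_id'],
        var_export(lookup_user_id_strict($u), true),
        var_export(needs_refresh_original($session), true),
        var_export(needs_refresh_as_patched($session), true),
        var_export(needs_refresh_strict($session), true)
    );
}
```

Run with php on the command line. For bob and carol the legacy lookup hands back -1, the original-style check is satisfied by it (no refresh, and an authenticated session carries an id that matches no user), the as-patched check asks for a refresh for alice as well because is_numeric() is being handed a boolean, and only the strict check distinguishes a real id from the sentinel. Returning null from the lookup, as the strict variant does, makes the plain is_numeric() test fail where it should without touching the session code.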

            People

              adama Adam Armstrong
              albrecht Rajko Albrecht
Votes: 0
Watchers: 5