Details

    • New Feature
    • Resolution: Unresolved
    • Major
    • None
    • Professional Edition
    • Web Interface
    • centos8, php 7.2, Observium 22.4.11952

    Description

      As in ticket OBS-1684 described before: I assign users authenticated via LDAP read-only devices. But when they log in, their page is empty. (No device listed)

      I tried to assign users to a role which contains a set of devices, tried to assign some devices directly, logged out and logged in again - nothing helps.

      We're using a standard LDAP, all users are listed, so I have no idea anymore and it looks like a bug.

          Activity

            [OBS-4097] LDAP user don't see assigned devices

            yes, in config.php

             

            sorry for late answers, I was away.

            albrecht Rajko Albrecht added a comment

            Just to be sure, where did you set these configs?
            In the config.php file?

            landy Mike Stupalov added a comment
            albrecht Rajko Albrecht added a comment - - edited

            $config['auth_ldap_binddn'] = "uid=ldapservice,ou=Users,o=<identifiercode>,dc=jumpcloud,dc=com";
            $config['auth_ldap_bindpw'] = "<topsecret>";
            $config['auth_ldap_bindanonymous'] = FALSE;
            $config['auth_ldap_server'] = "ldap.jumpcloud.com";
            $config['auth_ldap_port'] = 389;
            $config['auth_ldap_starttls'] = TRUE;
            $config['auth_ldap_version'] = 3; # v2 or v3
            $config['auth_ldap_suffix'] = ",ou=Users,o=<identifiercode>,dc=jumpcloud,dc=com";
            $config['auth_ldap_prefix'] = "uid=";
            $config['auth_ldap_attr']['uidNumber'] = "uidNumber";
            $config['auth_ldap_attr']['mail'] = "email";
            #$config['auth_ldap_objectclass'] = "posixAccount";
            $config['auth_ldap_attr']['group']="posixgroup";
            #$config['auth_ldap_group']  = array("cn=itadmin,ou=Users,o=<identifiercode>,dc=jumpcloud,dc=com");
            #$config['auth_ldap_group']  = array("cn=itadmin,ou=Users,o=<identifiercode>,dc=jumpcloud,dc=com","cn=github,ou=Users,o=<identifiercode>,dc=jumpcloud,dc=com");
            $config['auth_ldap_groupbase'] = "ou=Users,o=<identifiercode>,dc=jumpcloud,dc=com";
            $config['auth_ldap_groups']['itadmin']['level'] = 10;
            $config['auth_ldap_groups']['github']['level'] = 1;

            Here we go.

             

            An interesting fact: when using group filters (like in the commented lines), then I get absolutely no uidNumber assigned, but I think this is something different for a future debug. But this isn't that easy for me because I'm not a PHP expert and don't know how to debug PHP in real time like I would do with Python.


            Hi, can you show the LDAP-related config entries (hide passwords)?

            I will try tests on the dev server with the same params.

            Strange why the same function does not always return the correct user_id.

            landy Mike Stupalov added a comment

            failure user_id should be NULL maybe?

            I'm not sure of the purpose of even allowing auth with an unavailable user_id

            adama Adam Armstrong added a comment

            found the reason (or a workaround?)

             

             

            Index: authenticate.inc.php
            ===================================================================
            --- authenticate.inc.php    (revision 11987)
            +++ authenticate.inc.php    (working copy)
            @@ -284,7 +284,7 @@
               if ($_SESSION['authenticated'])
               {
                 @session_start();
            -    if (!is_numeric($_SESSION['userlevel']) || !is_numeric($_SESSION['user_id']))
            +    if (!is_numeric($_SESSION['userlevel']) || !is_numeric($_SESSION['user_id'] || $_SESSION['user_id']<1))
                 {
                   $_SESSION['userlevel'] = auth_user_level($_SESSION['username']);
                   $_SESSION['user_id']   = auth_user_id($_SESSION['username']); 
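
            Review bot: the closing parenthesis on the `+` line is misplaced, so the new `|| $_SESSION['user_id']<1` test ends up inside the is_numeric() call instead of next to it. is_numeric() then receives the boolean result of that `||` expression, and is_numeric() returns false for a boolean, so `!is_numeric(...)` is always true and the block re-resolves userlevel and user_id on every request regardless of what the session holds. If the intent is to refresh only when the stored id is non-numeric or below 1, move the parenthesis: `!is_numeric($_SESSION['user_id']) || $_SESSION['user_id'] < 1`. The context lines also store whatever auth_user_id() returns straight into the session, so a failed lookup would still leave an unusable id there; consider checking that result before treating the session as valid.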

            -1 is numeric, too. So whatever might have been going wrong before: now the session's numeric user id is set. So your LDAP functions are right, I think.

            albrecht Rajko Albrecht added a comment

            People

              adama Adam Armstrong
              albrecht Rajko Albrecht