Bug 784162

| Field | Value |
|---|---|
| Summary | LDAP - PosixGroup lookup performed doesn't allow for uid versus DN check |
| Product | [Other] RHQ Project |
| Component | Core Server |
| Reporter | Elias Ross <genman> |
| Assignee | RHQ Project Maintainer <rhq-maint> |
| QA Contact | Mike Foley <mfoley> |
| CC | hrupp, loleary, spinder |
| Status | CLOSED CURRENTRELEASE |
| Severity | unspecified |
| Priority | high |
| Version | unspecified |
| Target Release | RHQ 4.5.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| (unlabelled field) | 872019 |
| Last Closed | 2013-09-01 10:04:12 UTC |
| Bug Blocks | 782579, 872019 |
Description
Elias Ross, 2012-01-24 03:26:40 UTC

This allows support for 'posixGroup' type groups for authentication. This object class is described here: http://ldap.akbkhome.com/index.php/objectclass/posixGroup.html

If you have a tough time prioritizing this for the 4.3 release, let me know. I think the changes are quite straightforward, I believe.

12/30/2012 BZ triage meeting: mfoley, ccrouch, loleary, asantos

Hi Elias Ross,

Can you give me some more details about your configuration? I'm not sure that we need to make this change to be able to support the PosixGroup groups as you've described them. We shouldn't require the DN component when looking up groups. A typical group membership query would look something like:

    (&(objectclass=groupOfUniqueNames)(uniqueMember=uid=anotherUser,cn=groups,dc=xxx,dc=com))

I was not able to use the following to browse the relevant attributes (fails for me): http://ldap.akbkhome.com/index.php/objectclass/posixGroup.html but instead used http://www.andrew.cmu.edu/user/dd26/ldap.akbkhome.com/objectclass/posixGroup.html and it looks like the posixGroup extends the objectClass entry. If this is the case, then I think your settings should look something like:

    Url: ldap://(server):(port)
    Search Filter: (leave empty)
    Search Base: dc=xxx,dc=com
    Login Property: cn
    User Name: cn=iAdRHQAdmin,cn=groups,dc=xxx,dc=com
    Password: (yadda yadda)
    Group Search Filter: objectclass=posixGroup
    Group Member Filter: memberUid

Can you reply with what your current configuration looks like? Also, are you aware of this graphical debug tool for testing arbitrary configurations against LDAP servers? It's an executable jar at the very bottom of the following page: http://www.rhq-project.org/display/RHQ/Testing+the+RHQ+LDAP+Integration If you turn up debug and logging you'll see the LDAP queries being generated and the responses from the target server. You can also paste in the debug log generated if necessary. Group Member Filter is what queries the membership of groups.

This is not going to fix the problem.

I know this from both running the program and looking at the code: RHQ cannot query memberUid by _just the username_, NOT the full DN of the user. What I need to change is the group member attribute.

What I have:

    dn: cn=iAdRHQAdmin,cn=groups,dc=xxx,dc=com
    ...
    memberUid: elias_ross

But RHQ only supports groups that appear like this:

    dn: cn=iAdRHQAdmin,cn=groups,dc=xxx,dc=com
    ...
    member: cn=Elias Ross,ou=people,dc=xxx,dc=com

The changes included in the issue should fix this. Please see what is in the patch. I do need the UI components for this to change the configuration and need direction on this.

See also this message on the same problem: https://forums.oracle.com/forums/thread.jspa?threadID=895872

Yes. This should not be hard to do. Should take a couple of hours to do and test through a couple of the scenarios. We'll need to add support for the new flag in the backend and update the UI as you mention. And a few more tasks to update the documentation to describe the new functionality in such a way that it does not add confusion to the majority of LDAP users to whom this new flag is not relevant. It's really just an alternative form of LDAP group authorization that is supported by a small subset of LDAP servers. Thanks so much for looking into this.

I don't know about "small subset". RFC 2307 describes using posixGroup for NIS authentication. Most services supporting LDAP authentication do support posixGroup from what I have seen.

Setting this to urgent for a ruling of whether to commit changes when they're done to master for 4.4.

Re-targeting this to RHQ 4.5. We simply don't have the bandwidth to complete and verify this change (including upgrade procedures) at this time. For the moment the development will go into a branch. We should be able to make this one of the first things that hits master post RHQ 4.4.

These will be pushed to master as soon as 4.4 is released.

This is available for testing in master with commit: 9431e3b720

Moving this to ON_QA.

Bulk closing of items that are on_qa and in old RHQ releases, which are out for a long time and where the issue has not been re-opened since.
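As an added example (not RHQ's code), the two lookup modes the thread contrasts: the membership filter built from the bug's "Group Search Filter" and "Group Member Filter" settings, once comparing the user's DN against `member` and once comparing the bare login against `memberUid`, plus the RFC 4515 escaping the bare-login path needs because that value originates from whoever is logging in. Function names and the sample group entries are constructed for this illustration.

```python
# Added example, not RHQ's code. Models the two group styles from the bug:
# DN-valued member attributes (member / uniqueMember) versus RFC 2307
# posixGroup's memberUid, which holds only the login name.

def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in an LDAP search filter (RFC 4515).
    Needed because the login name is user-supplied; an unescaped '(' or ')'
    in it would change the structure of the filter sent to the server."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def group_membership_filter(group_filter: str, member_attr: str,
                            user_dn: str, uid: str, member_is_uid: bool) -> str:
    """Filter that finds the groups containing one user.

    group_filter  -- the bug's 'Group Search Filter', e.g. objectclass=posixGroup
    member_attr   -- the bug's 'Group Member Filter', e.g. member or memberUid
    member_is_uid -- the flag the bug asks for: match the bare login, not the DN
    """
    value = uid if member_is_uid else user_dn
    # Accept a bare "attr=value" item or an already parenthesised filter.
    gf = group_filter if group_filter.startswith('(') else f'({group_filter})'
    return f'(&{gf}({member_attr}={escape_filter_value(value)}))'


def member_matches(entry: dict, member_attr: str, user_dn: str, uid: str,
                   member_is_uid: bool) -> bool:
    """Client-side check of a fetched group entry: does it list this user?
    DNs compare case-insensitively (a simplification of RFC 4517 DN matching);
    memberUid values are matched exactly."""
    values = entry.get(member_attr, [])
    if member_is_uid:
        return uid in values
    return user_dn.lower() in (v.lower() for v in values)


# Constructed sample entries mirroring the two group shapes quoted in the bug.
USER_DN = 'cn=Elias Ross,ou=people,dc=xxx,dc=com'
POSIX_GROUP = {'dn': 'cn=iAdRHQAdmin,cn=groups,dc=xxx,dc=com',
               'objectClass': ['posixGroup'], 'memberUid': ['elias_ross']}
DN_GROUP = {'dn': 'cn=iAdRHQAdmin,cn=groups,dc=xxx,dc=com',
            'objectClass': ['groupOfNames'], 'member': [USER_DN]}

if __name__ == '__main__':
    for flag, attr, grp_filter in ((True, 'memberUid', 'objectclass=posixGroup'),
                                   (False, 'member', 'objectclass=groupOfNames')):
        print(group_membership_filter(grp_filter, attr, USER_DN, 'elias_ross', flag))
```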