Problem:
We are using LDAP auth and external group sync. Everything works normally in 2.3.4, but after upgrading to 2.4.1 the user jumps out of his user group on every login.
I tested this on 2.5.1 and the behavior is the same. After downgrading to 2.3.4 it works normally.
When the user logs in, he gets permission denied. I manually trigger the external group sync and the user appears in the group; I refresh Foreman and it works until the user logs in again.
Immediately after login the user jumps out of the usergroup and gets permission denied again. Expected outcome:
Interesting, there was no change in the code since 1.22 that I could find. Do you see any additional information in the production.log? Can you enable debug log level, ldap and sql loggers and upload the log then?
The log starts almost exactly at the moment when user robert.vojcik tries to log in. Auth is successful, but then the user is removed from the UserGroup and gets the permission denied page.
Sorry it took me a while, I went through the logs and don't see anything wrong. The only thing that's weird is the following SQL queries
2021-07-27T08:44:02 [D|sql|0c135b27] (44.6ms) SELECT "external_usergroups"."usergroup_id" FROM "external_usergroups" WHERE "external_usergroups"."auth_source_id" = $1 AND 1=0 [["auth_source_id", 4]]
2021-07-27T08:44:02 [D|sql|0c135b27] Usergroup Load (15.7ms) SELECT "usergroups".* FROM "usergroups" WHERE 1=0 ORDER BY usergroups.name
These are the queries we use to load existing user groups to find out if some should be added or removed. The SQL contains a 1=0 condition, which is typically added if some permission check or taxonomy (org/loc) check does not grant access.
Can you check you have correctly defined external usergroup mappings for the user’s usergroup? Can you double check user’s org/loc assignment and whether the AuthSource is also linked to the correct org/loc?
2021-07-27T08:44:01 [D|sql|0c135b27] Usergroup Load (23.2ms) SELECT "usergroups".* FROM "usergroups" WHERE "usergroups"."name" = $1 ORDER BY usergroups.name [["name", "robert.vojcik"]]
According to the table and SQL query it is trying to look for the group name, but instead of the group name Engineers it puts my login there.
2021-07-27T08:44:02 [D|sql|0c135b27] (74.3ms) SELECT "usergroups"."id" FROM "usergroups" INNER JOIN "usergroup_members" ON "usergroups"."id" = "usergroup_members"."usergroup_id" WHERE "usergroup_members"."member_id" = $1 AND "usergroup_members"."member_type" = $2 AND "usergroups"."id" IN (SELECT "external_usergroups"."usergroup_id" FROM "external_usergroups" WHERE "external_usergroups"."auth_source_id" = $3) ORDER BY usergroups.name [["member_id", 34], ["member_type", "User"], ["auth_source_id", 4]]
# Here I get correct usergroup id 3
# On the next log line there is 1=0
2021-07-27T08:44:02 [D|sql|0c135b27] (44.6ms) SELECT "external_usergroups"."usergroup_id" FROM "external_usergroups" WHERE "external_usergroups"."auth_source_id" = $1 AND 1=0 [["auth_source_id", 4]]
It would be interesting to see what you’d get from LDAP when you perform the same ldap search you see in the logs. Sadly, we don’t have logging of the response in there to tell, what Foreman got as a list of user groups.
I looked at this a little bit deeper and found a partial workaround: disabling Usergroup Sync in the LDAP Auth source.
Probably something changed between versions in Usergroup Sync on login.
This partial workaround allows me to upgrade production to the latest version.
We are trying to locate the problematic code in the source.
OK, we debugged the queries and filter and the problem was at the beginning. We had the wrong objectClass in LDAP.
We used groupOfNames instead of PosixGroup, which led to only partial functioning of the LDAP auth. Syncing groups works (from cron or the refresh button), but the dynamic refresh on login didn't (because there is a different LDAP query using memberUid, which is a posix attribute).
We changed the LDAP group to posixGroup (which is in fact also in the Foreman documentation) and it looks like everything works now.
For others with a similar problem, check the LDAP group: it has to be posixGroup with memberUid attributes containing only the login (uid) part of the user.
@Marek_Hulan thanks a lot for your time and consult
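To make the resolution above concrete, here is a small added diagnostic script (not Foreman code, and not something posted in this thread). It parses a few constructed LDIF group entries and models the two lookups the thread contrasts: a member-DN based sync that follows a groupOfNames `member` list, and an on-login refresh that asks for posixGroup entries with `memberUid=<login>`. The exact filters Foreman uses are not shown in the thread, so the two functions are an assumption that reproduces the symptom described: a groupOfNames entry is found by the first lookup and missed by the second, and a memberUid that holds a full DN instead of the bare uid is also missed. The sample LDIF, DNs and group names are constructed for the example.

```python
"""Diagnose LDAP group entries for on-login usergroup refresh.

Added example, not Foreman's code. It models two lookups:
  - groups_by_member_dn: follows a groupOfNames 'member' list (periodic sync)
  - groups_on_login:     posixGroup entries where memberUid == login (on-login refresh)
Both filters are assumptions made for illustration. The LDIF below is
constructed sample data, not from a real directory.
"""

# Constructed sample directory: one groupOfNames, one correct posixGroup,
# and one posixGroup whose memberUid wrongly holds a full DN.
SAMPLE_LDIF = """\
dn: cn=engineers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: engineers
member: uid=robert.vojcik,ou=people,dc=example,dc=com

dn: cn=ops,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: ops
gidNumber: 5001
memberUid: robert.vojcik
memberUid: alice

dn: cn=broken,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: broken
gidNumber: 5002
memberUid: uid=robert.vojcik,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF parser: a list of dicts mapping attribute -> list of values.

    Handles only the simple 'attr: value' form, which is enough for group entries.
    """
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def groups_on_login(entries, login):
    """Groups the on-login refresh would find: posixGroup with memberUid == login."""
    found = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "posixgroup" in classes and login in e.get("memberUid", []):
            found.append(e["cn"][0])
    return sorted(found)


def groups_by_member_dn(entries, user_dn):
    """Groups a member-DN based sync would find via the groupOfNames 'member' attribute."""
    found = []
    for e in entries:
        members = [m.lower() for m in e.get("member", [])]
        if user_dn.lower() in members:
            found.append(e["cn"][0])
    return sorted(found)


def diagnose(entries):
    """Return (cn, problem) pairs for groups the on-login lookup would miss."""
    problems = []
    for e in entries:
        cn = e["cn"][0]
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "posixgroup" not in classes:
            problems.append((cn, "objectClass is %s, not posixGroup"
                             % ",".join(e.get("objectClass", []))))
            continue
        for uid in e.get("memberUid", []):
            # A bare uid never contains '=' or ','; a DN always does.
            if "=" in uid or "," in uid:
                problems.append((cn, "memberUid %r looks like a DN; expected bare uid" % uid))
    return problems


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    user_dn = "uid=robert.vojcik,ou=people,dc=example,dc=com"
    print("member-DN sync finds:", groups_by_member_dn(entries, user_dn))
    print("on-login refresh finds:", groups_on_login(entries, "robert.vojcik"))
    for cn, problem in diagnose(entries):
        print("group %s: %s" % (cn, problem))
```

Running it against the constructed data shows the asymmetry from the thread: the DN-based lookup returns `engineers`, while the login-time lookup only returns `ops`, and `diagnose` names `engineers` (wrong objectClass) and `broken` (DN stored in memberUid) as the entries that would drop the user out of their usergroup on login.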
Well, I guess that depends on the server type you have configured. We have a freeipa server and the freeipa server uses groupofnames just fine… It should probably be clarified in the documentation…