LDAP Bridge inside User Group?

I think that I have talked about this before here, but I am needing to figure it out again.


I have a few LDAP Bridge assets with LDAP users underneath. I need to give read access to all the LDAP users under those bridges, so I linked all the bridges under a normal User Group, then gave that group the read permissions. Well, this didn't seem to work when trying to view that page as an LDAP user.



Any ideas for how to make this work?

The LDAP Bridge asset is not a user group and so permissions ignore it. So you can't do what you are after. You need those LDAP users to be directly inside an LDAP Group or a User Group asset.

[quote]
The LDAP Bridge asset is not a user group and so permissions ignore it. So you can't do what you are after. You need those LDAP users to be directly inside an LDAP Group or a User Group asset.

[/quote]



Ok, that is fine. I do have LDAP groups that I just added permissions for, but I seem to remember that those need to be set up in a certain way as well (currently the groups are under a LDAP Bridge). Currently it seems like I am still not getting permissions to the page even when using LDAP groups.

If you've assigned permissions to an LDAP group and the users in it are not getting permissions, then it might be an LDAP Bridge configuration problem. Possibly something to do with the Group Membership attribute not containing the full DN of the groups a user is in.

[quote]
If you've assigned permissions to an LDAP group and the users in it are not getting permissions, then it might be an LDAP Bridge configuration problem. Possibly something to do with the Group Membership attribute not containing the full DN of the groups a user is in.

[/quote]



Do you mean on the Attribute Setup screen? I just have the group membership attribute set as "ou", but it used to be set as "memberof", but neither seem to work.



Any other ideas?

[quote]
Any other ideas?

[/quote]



Not from me, sorry. Would need to debug and find out what groups the user thinks they are in.

[quote]
Would need to debug and find out what groups the user thinks they are in.

[/quote]



I am fine debugging it, but where would I start?



Thanks Greg.

This is what happens:

  1. Matrix checks permission on the user asset
  2. User asset will grab its parents (user groups) to be checked too. (core/assets/users/user/user.inc getGroups())
  3. Shadow asset like ldap user will forward the getParent() call to bridge asset. (asset_manager.inc getParents() line 3895)
  4. Ldap bridge getParents() is called to return the parents of the ldap user.

So the ldap bridge asset getParents() is where you should start your debugging.

    packages/ldap/ldap_bridge/ldap_bridge.inc line 640

It is supposed to search ldap entry and return you the correct ldap group id.

Note that user.inc getGroups() will only get the group once, and then it caches the parents info to the SESSION, so probably you need to comment out some code to make sure it grabs parents every time when checking permission.

P.S. A backtrace for calling ldap bridge getParents():

    0 => "function getParents(line=3895 class=asset_manager object=LDAP_Bridge)",
    1 => "function getParents(line=797 class=user object=Asset_Manager)",
    2 => "function getGroups(line=2539 class=mysource object=User)",
    3 => "function getUserPrefs(line=1243 class=mysource object=MySource)",
    4 => "function setupUser(line=402 class=mysource object=MySource)",
    5 => "function init(line=263 class=init object=MySource)",
    6 => "function require_once(line=28 file=index.php)"

[quote]
This is what happens:

  1. Matrix checks permission on the user asset
  2. User asset will grab its parents (user groups) to be checked too. (core/assets/users/user/user.inc getGroups())
  3. Shadow asset like ldap user will forward the getParent() call to bridge asset. (asset_manager.inc getParents() line 3895)
  4. Ldap bridge getParents() is called to return the parents of the ldap user.

So the ldap bridge asset getParents() is where you should start your debugging.

    packages/ldap/ldap_bridge/ldap_bridge.inc line 640

It is supposed to search ldap entry and return you the correct ldap group id.

Note that user.inc getGroups() will only get the group once, and then it caches the parents info to the SESSION, so probably you need to comment out some code to make sure it grabs parents every time when checking permission.

P.S. A backtrace for calling ldap bridge getParents():

    0 => "function getParents(line=3895 class=asset_manager object=LDAP_Bridge)",
    1 => "function getParents(line=797 class=user object=Asset_Manager)",
    2 => "function getGroups(line=2539 class=mysource object=User)",
    3 => "function getUserPrefs(line=1243 class=mysource object=MySource)",
    4 => "function setupUser(line=402 class=mysource object=MySource)",
    5 => "function init(line=263 class=init object=MySource)",
    6 => "function require_once(line=28 file=index.php)"

[/quote]

Ok, so I am looking through the code. What kind of information am I needing to get from my debugging? If it has a parent?

Does someone have an example of their LDAP Bridge configuration which is working with LDAP groups and giving them permissions? I really need to figure this out.

[quote]
Ok, so I am looking through the code. What kind of information am I needing to get from my debugging? If it has a parent?

[/quote]



Yes, you should be able to log dump all the groups returned from getGroups() (which should return all) or the getParents() under LDAP bridge (for the parents the bridge should return) and the group that has permission should be in those results.

[quote]
Yes, you should be able to log dump all the groups returned from getGroups() (which should return all) or the getParents() under LDAP bridge (for the parents the bridge should return) and the group that has permission should be in those results.

[/quote]



Ok, so I logged the getParents() groups as I tried to login with my LDAP user, from which the LDAP user group has been given permissions to the page I am trying to login to see. Here is the log:


    (
    )
    [06-Apr-2011 16:42:09] Array
    (
    )
    [06-Apr-2011 16:42:09] Array
    (
        [19909:CN=Staff,OU=Groups,DC=puc,DC=edu] => ldap_user_group
        [19909:OU=Staff,DC=puc,DC=edu] => ldap_user_group
        [214] => user_group
        [27404] => user_group
        [33460] => user_group
        [53308] => user_group
        [59301] => user_group
        [75118] => user_group
        [75586] => user_group
        [75933] => user_group
        [76953] => user_group
        [80703] => user_group
    )
    [06-Apr-2011 16:42:10] Array
    (
    )
    [06-Apr-2011 16:42:11] Array
    (
    )
    [06-Apr-2011 16:42:12] Array
    (
    )
    [06-Apr-2011 16:42:14] Array
    (
    )
    [06-Apr-2011 16:42:15] Array
    (
        [72070] => user_group
        [11] => system_user_group
    )
    [06-Apr-2011 16:42:15] Array
    (
    )
    [06-Apr-2011 16:42:17] Array
    (
        [72070] => user_group
        [11] => system_user_group
    )
    [06-Apr-2011 16:42:19] Array
    (
        [72070] => user_group
        [11] => system_user_group
    )


Any idea what this is telling me?

I don't see my LDAP Usergroup ID in this list.
    
    [06-Apr-2011 16:42:09] Array
    (
    )

No groups found


    
    [06-Apr-2011 16:42:09] Array
    (
        [19909:CN=Staff,OU=Groups,DC=puc,DC=edu] => ldap_user_group
        [19909:OU=Staff,DC=puc,DC=edu] => ldap_user_group
        [214] => user_group
        [27404] => user_group
        [33460] => user_group
        [53308] => user_group
        [59301] => user_group
        [75118] => user_group
        [75586] => user_group
        [75933] => user_group
        [76953] => user_group
        [80703] => user_group
    )

The user here belongs to: 2 ldap groups (from the same bridge #19909) and the normal user groups: 214,27404, 33460, 53308, 59301 etc.


    
    [06-Apr-2011 16:42:15] Array
    (
        [72070] => user_group
        [11] => system_user_group
    )

This user is a System Administrator or Root user.



From the snippet, I cannot tell which LDAP bridge is returning what.



From the code, it looks like it can return empty arrays when it cannot make a connection to the ldap bridge or it finds no matches. You could possibly try, in the LDAP bridge, to log dump the results of:

    $result = $ldap->search($assetid,'(objectClass=*)', NULL, TRUE, TRUE, array_merge(array_values($attrs), Array('objectclass')));
    $data = $ldap->getEntries($result);

And it might give you some pointers on whether it is returning valid groups, or whether it is even getting to this point (if not, you might have connection problems). Also you could try taking the information from above and querying the ldap server directly using ldapsearch (ldapsearch guide) on the command line of your matrix server.

Hope that helps!
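The two checks described above (the getParents() chain that ends at the LDAP bridge, and dumping the groups that getGroups() or getEntries() return to see whether the permitted group is among them) worked through as an added Python example. This is not Squiz Matrix code and not code from anyone in this thread. It assumes the bridge returns shadow group ids of the form `<bridge assetid>:<group DN>` as the log in this thread shows, takes bridge id 19909 and the DNs from that log, and models the PHP-style getEntries() array shape with a constructed sample; the function names are the example's own.

```python
"""Added example, not Squiz Matrix code: model the bridge's getParents() result
for one LDAP entry and check whether the permitted group is among the parents."""

BRIDGE_ID = "19909"  # bridge asset id as it appears in the log above (assumed)

# Constructed sample in the shape of the getEntries() dump above: each level has
# a 'count' key, numeric keys naming the attributes, and per-attribute value lists.
SAMPLE_ENTRIES = {
    "count": 1,
    0: {
        "count": 3,
        0: "objectclass",
        "objectclass": {"count": 4, 0: "top", 1: "person",
                        2: "organizationalPerson", 3: "user"},
        1: "distinguishedname",
        "distinguishedname": {"count": 1,
                              0: "CN=Nic Hubbard [nnhubbard],OU=Staff,DC=puc,DC=edu"},
        2: "memberof",
        "memberof": {"count": 1, 0: "CN=Staff,OU=Groups,DC=puc,DC=edu"},
    },
}


def flatten_entry(entry):
    """PHP-style entry -> {attribute: [values]}, dropping count/index keys."""
    attrs = {}
    for i in range(entry["count"]):
        name = entry[i]
        attrs[name] = [entry[name][j] for j in range(entry[name]["count"])]
    return attrs


def split_dn(dn):
    """Split a DN into RDNs, honoring backslash-escaped commas (RFC 4514)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def normalize_dn(dn):
    """Case-fold and trim RDNs so DNs compare the way the directory compares
    them (simplified: no hex-escape decoding, no multi-valued RDN reordering)."""
    return ",".join(rdn.lower() for rdn in split_dn(dn))


def resolve_parent_group_ids(attrs, membership_attr, bridge_id):
    """Shadow group ids '<bridge>:<DN>': one per Group Membership value plus the
    OU the user's own DN sits under (both kinds appear in the log above)."""
    group_dns = list(attrs.get(membership_attr, []))
    for dn in attrs.get("distinguishedname", []):
        group_dns.append(",".join(split_dn(dn)[1:]))  # parent container of the entry
    return {f"{bridge_id}:{dn}": "ldap_user_group" for dn in group_dns}


def diagnose_membership(attrs, membership_attr):
    """Flag what Greg describes: membership values that are not full DNs."""
    values = attrs.get(membership_attr)
    if not values:
        return [f"attribute '{membership_attr}' absent from the user entry"]
    return [f"'{membership_attr}' value {v!r} is not a full DN" for v in values if "=" not in v]


def group_grants_access(parents, permitted_group_id):
    """Is the group holding the permission among the parents returned for the user?"""
    def key(group_id):
        bridge, _, dn = group_id.partition(":")
        return (bridge, normalize_dn(dn))
    wanted = key(permitted_group_id)
    return any(key(p) == wanted for p in parents)


def check_user(entries, membership_attr, permitted_group_id, bridge_id=BRIDGE_ID):
    """Run the chain on the first entry of a getEntries()-shaped result."""
    if entries["count"] == 0:  # empty array in the log: no connection or no match
        return {"parents": {}, "problems": ["search returned no entries"], "granted": False}
    attrs = flatten_entry(entries[0])
    parents = resolve_parent_group_ids(attrs, membership_attr, bridge_id)
    return {"parents": parents,
            "problems": diagnose_membership(attrs, membership_attr),
            "granted": group_grants_access(parents, permitted_group_id)}


if __name__ == "__main__":
    for attr in ("memberof", "ou"):
        print(attr, check_user(SAMPLE_ENTRIES, attr, "19909:CN=Staff,OU=Groups,DC=puc,DC=edu"))
```

With `memberof` as the Group Membership attribute the permitted group `19909:CN=Staff,OU=Groups,DC=puc,DC=edu` is found among the parents; with `ou` (the OpenLDAP-style setting mentioned later in the thread) the Active Directory user entry carries no such attribute, the diagnostic reports it, and access is not granted. That is the kind of mismatch Greg's remark about the membership attribute not holding a full DN points at, and it is worth ruling out before reading further into ldap_bridge.inc.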

Ok, here is what I got from running those:

[quote]

$result = $ldap->search($assetid,'(objectClass=*)', NULL, TRUE, TRUE, array_merge(array_values($attrs), Array('objectclass')));

[/quote]


    [07-Apr-2011 12:02:52] Resource id #80


[quote]
$ldap->getEntries($result);
[/quote]

    [07-Apr-2011 12:05:30] Array
    (
        [count] => 1
        [0] => Array
            (
                [objectclass] => Array
                    (
                        [count] => 4
                        [0] => top
                        [1] => person
                        [2] => organizationalPerson
                        [3] => user
                    )
                [0] => objectclass
                [cn] => Array
                    (
                        [count] => 1
                        [0] => Nic Hubbard [nnhubbard]
                    )
                [1] => cn
                [sn] => Array
                    (
                        [count] => 1
                        [0] => Hubbard
                    )
                [2] => sn
                [description] => Array
                    (
                        [count] => 1
                        [0] => Public Relations
                    )
                [3] => description
                [givenname] => Array
                    (
                        [count] => 1
                        [0] => Nicholas
                    )
                [4] => givenname
                [distinguishedname] => Array
                    (
                        [count] => 1
                        [0] => CN=Nic Hubbard [nnhubbard],OU=Staff,DC=puc,DC=edu
                    )
                [5] => distinguishedname
                [instancetype] => Array
                    (
                        [count] => 1
                        [0] => 4
                    )
                [6] => instancetype
                [whencreated] => Array
                    (
                        [count] => 1
                        [0] => 20031105235749.0Z
                    )
                [7] => whencreated
                [whenchanged] => Array
                    (
                        [count] => 1
                        [0] => 20110407190251.0Z
                    )
                [8] => whenchanged
                [displayname] => Array
                    (
                        [count] => 1
                        [0] => Nic Hubbard
                    )
                [9] => displayname
                [usncreated] => Array
                    (
                        [count] => 1
                        [0] => 38208
                    )
                [10] => usncreated
                [memberof] => Array
                    (
                        [count] => 1
                        [0] => CN=Staff,OU=Groups,DC=puc,DC=edu
                    )
                [11] => memberof
                [usnchanged] => Array
                    (
                        [count] => 1
                        [0] => 37077314
                    )
                [12] => usnchanged
                [extensionattribute1] => Array
                    (
                        [count] => 1
                        [0] => 19800725
                    )
                [13] => extensionattribute1
                [extensionattribute4] => Array
                    (
                        [count] => 1
                        [0] => SH
                    )
                [14] => extensionattribute4
                [employeenumber] => Array
                    (
                        [count] => 1
                        [0] => my-number
                    )
                [15] => employeenumber
                [name] => Array
                    (
                        [count] => 1
                        [0] => Nic Hubbard [nnhubbard]
                    )
                [16] => name
                [objectguid] => Array
                    (
                        [count] => 1
                        [0] => (binary objectGUID, not printable)
                    )
                [17] => objectguid
                [useraccountcontrol] => Array
                    (
                        [count] => 1
                        [0] => 66048
                    )
                [18] => useraccountcontrol
                [badpwdcount] => Array
                    (
                        [count] => 1
                        [0] => 0
                    )
                [19] => badpwdcount
                [codepage] => Array
                    (
                        [count] => 1
                        [0] => 0
                    )
                [20] => codepage
                [countrycode] => Array
                    (
                        [count] => 1
                        [0] => 0
                    )
                [21] => countrycode
                [employeeid] => Array
                    (
                        [count] => 1
                        [0] => 01555555
                    )
                [22] => employeeid
                [badpasswordtime] => Array
                    (
                        [count] => 1
                        [0] => 129388928066060467
                    )
                [23] => badpasswordtime
                [lastlogon] => Array
                    (
                        [count] => 1
                        [0] => 129388928093398967
                    )
                [24] => lastlogon
                [pwdlastset] => Array
                    (
                        [count] => 1
                        [0] => 128031530793747544
                    )
                [25] => pwdlastset
                [primarygroupid] => Array
                    (
                        [count] => 1
                        [0] => 513
                    )
                [26] => primarygroupid
                [objectsid] => Array
                    (
                        [count] => 1
                        [0] => 

Hi Nic,
Is it anything like what is described on bug #5050, LDAP users not getting correct permissions if the user is under a sub group?



Ash

[quote]
Hi Nic,

Is it anything like what is described on bug #5050, LDAP users not getting correct permissions if the user is under a sub group?



Ash

[/quote]



Well, similar I think. My setup is like:

    LDAP Bridge
    |-- LDAP User Group #1
    |-- LDAP User Group #2
    |-- LDAP User Group #3
    |----LDAP User <— This is the user that I need to get permissions to.

So, I have given LDAP User Group #3 read permissions to a page, and I still am not able to view that page after trying to login, it says I don't have permissions. Do you think this is the same bug?

[quote]
Well, similar I think. My setup is like:

    LDAP Bridge
    |-- LDAP User Group #1
    |-- LDAP User Group #2
    |-- LDAP User Group #3
    |----LDAP User <— This is the user that I need to get permissions to.

So, I have given LDAP User Group #3 read permissions to a page, and I still am not able to view that page after trying to login, it says I don't have permissions. Do you think this is the same bug?

[/quote]



Yes, this is something I have come across too. Not too sure if it is the same piece of code that is affecting it, but I will be looking into it too…



Will keep this Post updated. Thanks for all your input.





Regards,



Ash

[quote]
Well, similar I think. My setup is like:

    LDAP Bridge
    |-- LDAP User Group #1
    |-- LDAP User Group #2
    |-- LDAP User Group #3
    |----LDAP User <— This is the user that I need to get permissions to.

So, I have given LDAP User Group #3 read permissions to a page, and I still am not able to view that page after trying to login, it says I don't have permissions. Do you think this is the same bug?

[/quote]



Testing on Matrix version 4.0.5 and greater, the above scenario works correctly.

My attribute setup is:

    Group Membership	ou
    Group Members	o
    Group Name	ou

In fact I fixed bug 5050 where the LDAP User under a sub LDAP group can get access when giving read access to the top level LDAP group!!

[quote]
Testing on Matrix version 4.0.5 and greater, the above scenario works correctly.

My attribute setup is:

    Group Membership	ou
    Group Members	o
    Group Name	ou

In fact I fixed bug 5050 where the LDAP User under a sub LDAP group can get access when giving read access to the top level LDAP group!!

[/quote]



Here is my attribute setup, is it wrong?


    User Attributes
    User Id	 samaccountname
    Common Name	 cn
    First Name	 givenname
    Last Name	 sn
    Email Address	 mail
    Group Attributes
    Group Membership	 memberof
    Group Members	 member
    Group Name	 ou

[quote]
Here is my attribute setup, is it wrong?


    User Attributes
    User Id	 samaccountname
    Common Name	 cn
    First Name	 givenname
    Last Name	 sn
    Email Address	 mail
    Group Attributes
    Group Membership	 memberof
    Group Members	 member
    Group Name	 ou

[/quote]



Looks like you are using Active Directory. Currently Labs have been testing and debugging on an Open LDAP. Hang in there while we get access and debug a system using Active Directory.



Thanks