Fix #522: Ldap bind-dn and bind-pwd are required even for non group authentication. #523

@bhataprameya bhataprameya commented Jul 16, 2021

      - AUTH_TYPE=ldap
      - LDAP_METHOD=simple
      - LDAP_URL=ldap://ldap:389
      - LDAP_BASE_DN=DC=example,DC=org
      - LDAP_USER_TEMPLATE=uid=%s,%s

Just giving the above configs won't work, because the base-dn and user-attr-template in the LDAP group search config are always picked up from the parent level if not specified. (https://github.com/lmenezes/cerebro/blob/v0.9.4/app/controllers/auth/ldap/LDAPAuthConfig.scala#L24)
(https://github.com/lmenezes/cerebro/blob/v0.9.4/app/controllers/auth/ldap/LDAPAuthConfig.scala#L26)

This causes the LDAP group search config to be nonempty, causing line 63 to always execute instead of line 64.

FIX: Removed LDAP config inheriting from the parent level

@bhataprameya bhataprameya changed the title Fixed #522 Ldap bind-dn and bind-pwd are required even for non group authentication. Fixed #522 Jul 16, 2021
@bhataprameya bhataprameya changed the title Ldap bind-dn and bind-pwd are required even for non group authentication. Fixed #522 Ldap bind-dn and bind-pwd are required even for non group authentication. #522 Jul 16, 2021
@bhataprameya bhataprameya changed the title Ldap bind-dn and bind-pwd are required even for non group authentication. #522 Fix #522: Ldap bind-dn and bind-pwd are required even for non group authentication. Jul 16, 2021
@moliware
Collaborator

moliware commented Sep 5, 2021

The desired workflow would be:

  • If LDAP_GROUP is unset then check user auth (line 64)
  • If LDAP_GROUP is set then check user auth and group membership.

I don't see a problem with inheriting base-dn and user-attr-template from the parent. What I see as problematic is that group membership is tested and LDAP_GROUP is not set.

Could you confirm that LDAP_GROUP was unset when you did the test?

Thank you!!

@bhataprameya
Author

bhataprameya commented Feb 25, 2022

> The desired workflow would be:
>
>   • If LDAP_GROUP is unset then check user auth (line 64)
>   • If LDAP_GROUP is set then check user auth and group membership.
>
> I don't see a problem with inheriting base-dn and user-attr-template from the parent. What I see as problematic is that group membership is tested and LDAP_GROUP is not set.
>
> Could you confirm that LDAP_GROUP was unset when you did the test?
>
> Thank you!!

Yes, LDAP_GROUP is unset.

Please try this docker-compose file with version 0.9.4: https://github.com/lmenezes/cerebro/blob/main/examples/open_ldap/docker-compose.yml
You will see that it fails with Missing required setting [bind-dn]
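
A simplified model of the behaviour discussed in this thread, added here as an illustration; it is not Cerebro's code and not from either participant. The key names `group-search` and `group`, the sample values and all function names are assumptions; `base-dn`, `user-attr-template`, `bind-dn` and `bind-pwd` are the settings named in the conversation.

```python
# Added illustration: a simplified model, not Cerebro's code.
# "group-search", "group" and every function name here are assumptions.

class MissingSetting(Exception):
    pass

def group_section(cfg):
    """Resolve the group-search section with the parent-level fallback
    described in the PR for base-dn and user-attr-template."""
    group = dict(cfg.get("group-search", {}))
    for key in ("base-dn", "user-attr-template"):
        if key not in group and key in cfg:
            group[key] = cfg[key]
    return group

def require_bind(group):
    for key in ("bind-dn", "bind-pwd"):
        if not group.get(key):
            raise MissingSetting(f"Missing required setting [{key}]")

def plan_on_nonempty(cfg):
    """Reported behaviour: take the group path whenever the section is non-empty."""
    group = group_section(cfg)
    if group:  # always true once base-dn exists at the parent level
        require_bind(group)
        return "user-auth+group-check"
    return "user-auth"

def plan_on_group_set(cfg):
    """Workflow from the review comment: branch on whether a group is set."""
    group = group_section(cfg)
    if not group.get("group"):  # unset or empty string, e.g. LDAP_GROUP=""
        return "user-auth"
    require_bind(group)  # group requested: fail closed instead of skipping the check
    return "user-auth+group-check"

# Constructed parent-level config, loosely modelled on the settings quoted in the PR.
SIMPLE = {"base-dn": "DC=example,DC=org", "user-attr-template": "uid=%s,%s"}
# Constructed variants with a group set, without and with bind credentials.
GROUP_NO_BIND = dict(SIMPLE, **{"group-search": {"group": "cn=admins"}})
GROUP_BOUND = dict(SIMPLE, **{"group-search": {
    "group": "cn=admins", "bind-dn": "cn=svc", "bind-pwd": "constructed"}})
```

With `SIMPLE`, `plan_on_nonempty` raises the `bind-dn` error from the report while `plan_on_group_set` falls through to plain user authentication; a configured group without bind credentials still raises rather than silently dropping the membership check.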
