[Stork-dev] Stork and LDAP Auth
Slawek Figiel
slawek at isc.org
Mon Oct 16 08:32:23 UTC 2023
Hello Brendan!
Thank you for your report. The LDAP hook is in the experimental phase,
so any feedback is appreciated.
Based on your description, your Stork can log in users from LDAP, but they
are assigned to no Stork group, and any manual assignment is reset on
user login.
This means the problem is related to group mapping.
First, check if the `STORK_SERVER_HOOK_LDAP_MAP_GROUPS` environment
variable is set to `true` or `1`. This variable enables the mapping of
groups from LDAP to Stork roles. I suppose you already have it enabled.
It seems the `STORK_SERVER_HOOK_LDAP_GROUP_ADMIN` and
`STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN` have improper values. They
should be only the group's common name (the `cn` attribute value). In
your case, they should be `dhcpAdmins` and `dhcpEngineers`, respectively.
Please check whether the above solution solves your problem.
Regards,
Slawek Figiel
On 15/10/2023 04:48, Brendan Kearney wrote:
> List members,
>
> I am a new Kea and Stork user, but have been using dhcpd for quite some
> time. I am setting up Stork, and want to point at LDAP for auth. I set
> things up, but have run into an issue.
>
> I have set:
>
> STORK_SERVER_HOOK_LDAP_GROUP_ADMIN="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
> STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
>
> and no user in those groups winds up getting access. All users get an
> access error:
>
> HTTP Error 403 Forbidden. Access to this page is forbidden for the
> currently logged in user. If you think you should have access to this
> page please contact your system administrator to verify your permissions.
>
> The users are in the groups, and authentication works, it seems, because
> the login happens, but authorization is not working. Even when I set
> the group manually for the users, those settings do not persist in
> PostgreSQL. I watched the number of rows in system_user_to_group shrink
> from 3 to 2 to 1 during iterative logins, where the mappings were being
> deleted from the table.
>
> Are there tips and tricks to get LDAP auth working? Any insights would
> be appreciated.
>
> Thank you,
>
> Brendan Kearney
>
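An added example, written for this page and not code from the reply above, the original post, or the Stork project: a small POSIX shell checker for the three LDAP-hook variables the thread discusses. It encodes only what the reply states (STORK_SERVER_HOOK_LDAP_MAP_GROUPS must be `true` or `1`; the two GROUP_* variables must hold the bare group `cn`, not a full DN) and, when a variable holds a DN such as the ones in the original post, prints the corrected `export` line. The function names, the `--demo` flag and the DN-to-cn extraction are this example's own assumptions, not Stork behaviour.

```shell
#!/bin/sh
# Added example (not Stork's own code). Checks the LDAP-hook group variables
# as described in the reply above: MAP_GROUPS must be "true" or "1", and the
# GROUP_* variables must hold the bare group cn (e.g. dhcpAdmins), not a DN.
# All function names and the --demo flag are this example's assumptions.

# Print the bare cn for VALUE. A DN (anything containing '=') is split on ','
# and the value of its first cn= RDN is taken; a bare value is echoed as-is.
cn_from_value() {
  case "$1" in
    *=*) printf '%s\n' "$1" | tr ',' '\n' \
           | sed -n 's/^[[:space:]]*[cC][nN]=//p' | head -n 1 ;;
    *)   printf '%s\n' "$1" ;;
  esac
}

# Return 0 if VALUE looks like a bare cn, 1 if it looks like a DN.
is_bare_cn() {
  case "$1" in
    *=*|*,*) return 1 ;;
    *)       return 0 ;;
  esac
}

# Return 0 if VALUE enables group mapping ("true" or "1"), 1 otherwise.
map_groups_enabled() {
  case "$1" in
    true|1) return 0 ;;
    *)      return 1 ;;
  esac
}

# Check one GROUP_* variable by name: prints OK, or the corrected export line.
check_group_var() {
  eval "_val=\${$1:-}"
  if [ -z "$_val" ]; then
    echo "$1 is unset"; return 1
  fi
  if is_bare_cn "$_val"; then
    echo "$1=$_val OK"; return 0
  fi
  echo "$1 holds a DN; the hook expects the bare cn. Use:"
  echo "  export $1=\"$(cn_from_value "$_val")\""
  return 1
}

# Check all three variables; return 0 only if every one is acceptable.
check_stork_ldap_env() {
  _rc=0
  if map_groups_enabled "${STORK_SERVER_HOOK_LDAP_MAP_GROUPS:-}"; then
    echo "STORK_SERVER_HOOK_LDAP_MAP_GROUPS OK"
  else
    echo "STORK_SERVER_HOOK_LDAP_MAP_GROUPS must be true or 1" \
         "(is '${STORK_SERVER_HOOK_LDAP_MAP_GROUPS:-}')"
    _rc=1
  fi
  check_group_var STORK_SERVER_HOOK_LDAP_GROUP_ADMIN       || _rc=1
  check_group_var STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN || _rc=1
  return $_rc
}

# With --demo, run the check against the values from the original post
# (constructed here from that message) and show the suggested corrections.
if [ "${1:-}" = "--demo" ]; then
  export STORK_SERVER_HOOK_LDAP_MAP_GROUPS=true
  export STORK_SERVER_HOOK_LDAP_GROUP_ADMIN="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
  export STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
  check_stork_ldap_env
fi
```

Run it as `sh check_stork_ldap_env.sh --demo` to see the corrections for the DNs from the original post, or source it in the shell that starts the Stork server and call `check_stork_ldap_env` after exporting the real variables; a non-zero exit means at least one value would leave LDAP users unmapped.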