[Stork-dev] Stork and LDAP Auth
Brendan Kearney
bpk678 at gmail.com
Mon Oct 16 12:24:06 UTC 2023
On 10/16/23 4:32 AM, Slawek Figiel wrote:
> Hello Brendan!
>
> Thank you for your report. The LDAP hook is in the experimental phase,
> so any feedback is appreciated.
>
> Based on your description, your Stork can log in users from LDAP, but
> they are assigned to no Stork group, and any manual assignment is
> reset on user login.
>
> It means the problem is related to group mapping.
>
> First, check if the `STORK_SERVER_HOOK_LDAP_MAP_GROUPS` environment
> variable is set to `true` or `1`. This variable enables mapping of
> groups from LDAP to Stork roles. I suppose you have it already enabled.
>
> It seems the `STORK_SERVER_HOOK_LDAP_GROUP_ADMIN` and
> `STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN` have improper values. They
> should be only the group's common name (the `cn` attribute value). In
> your case, they should be `dhcpAdmins` and `dhcpEngineers` respectively.
>
> Please check if the above solution will solve your problem.
>
> Regards,
> Slawek Figiel
>
> On 15/10/2023 04:48, Brendan Kearney wrote:
>> list members,
>>
>> I am a new Kea and Stork user, but have been using dhcpd for quite
>> some time. I am setting up Stork, and want to point at LDAP for
>> auth. I set things up, but have run into an issue.
>>
>> I have set:
>>
>> STORK_SERVER_HOOK_LDAP_GROUP_ADMIN="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
>>
>> STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
>>
>> and no user in those groups winds up getting access. All users get
>> an access error:
>>
>> HTTP Error 403 Forbidden. Access to this page is forbidden for the
>> currently logged in user. If you think you should have access to this
>> page please contact your system administrator to verify your
>> permissions.
>>
>> The users are in the groups, and authentication seems to work,
>> because the login happens, but authorization is not working. Even
>> when I set the group manually for the users, those settings do not
>> persist in PostgreSQL. I watched the number of rows in
>> system_user_to_group shrink from 3 to 2 to 1 during iterative logins,
>> where the mappings were being deleted from the table.
>>
>> Are there tips and tricks to get LDAP auth working? Any insights
>> would be appreciated.
>>
>> Thank you,
>>
>> Brendan Kearney
>>
Slawek,

I did have the MAP_GROUPS variable set to 1, as you guessed. Setting the
GROUP_ADMIN and GROUP_SUPER_ADMIN variables to the 'cn' values in LDAP
did the trick. I am guessing the BIND_USERNAME is also in the short
form, only using the 'cn' value as well.

Authentication looks to be working properly now. Thanks for the
insight. Stork looks like it has a lot of great capabilities.

Thank you,

Brendan Kearney
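The misconfiguration discussed in this thread (a full group DN placed in `STORK_SERVER_HOOK_LDAP_GROUP_ADMIN` / `STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN` where only the group's `cn` value belongs) is easy to catch before deploying. The script below is an added example, not code from the thread or from the Stork project; it assumes, as Slawek's reply states, that the hook compares these variables against the bare `cn` of the user's LDAP groups, so a DN never matches and the user is left in no Stork group. The sample environment values are the ones Brendan posted; the helper names (`check_env`, `suggest_fix`, `cn_from_dn`) are this example's own.

```python
"""Pre-flight check for the Stork LDAP hook group-mapping variables.

Added example (not Stork's own code). Assumption from the thread: the hook
matches STORK_SERVER_HOOK_LDAP_GROUP_ADMIN and
STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN against the `cn` attribute value
of the user's groups, so a full DN in either variable silently matches
nothing and manual role assignments are reset at the next login.
"""
import os
import re
from typing import Dict, List, Optional

MAP_VAR = "STORK_SERVER_HOOK_LDAP_MAP_GROUPS"
GROUP_VARS = (
    "STORK_SERVER_HOOK_LDAP_GROUP_ADMIN",
    "STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN",
)

# Leading RDN of a DN: "attr=value" where the value may contain escaped
# commas (e.g. cn=Smith\, John). A bare cn such as "dhcpAdmins" has no "="
# and therefore does not match.
_RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*((?:\\.|[^,])+)")

# Constructed sample: the values from Brendan's first message (DN form).
THREAD_VALUES: Dict[str, str] = {
    MAP_VAR: "1",
    GROUP_VARS[0]: "cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com",
    GROUP_VARS[1]: "cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com",
}

# Constructed sample: the corrected values Slawek suggested (bare cn).
FIXED_VALUES: Dict[str, str] = {
    MAP_VAR: "1",
    GROUP_VARS[0]: "dhcpAdmins",
    GROUP_VARS[1]: "dhcpEngineers",
}


def looks_like_dn(value: str) -> bool:
    """True when the value starts with an attr=value RDN, i.e. is a DN."""
    return _RDN_RE.match(value) is not None


def cn_from_dn(value: str) -> Optional[str]:
    """Return the cn of the leading RDN, or None if the RDN is not cn=..."""
    m = _RDN_RE.match(value)
    if m and m.group(1).lower() == "cn":
        return m.group(2).strip()
    return None


def check_env(env: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means OK."""
    findings: List[str] = []
    if env.get(MAP_VAR, "").strip().lower() not in ("1", "true"):
        findings.append(f"{MAP_VAR} is not '1' or 'true': LDAP group mapping is disabled")
    for var in GROUP_VARS:
        value = env.get(var, "").strip()
        if not value:
            findings.append(f"{var} is unset: members of that group get no Stork role")
        elif looks_like_dn(value):
            cn = cn_from_dn(value)
            hint = f"set it to '{cn}'" if cn else "set it to the group's cn attribute value"
            findings.append(f"{var} holds a full DN ({value!r}); {hint}")
    return findings


def suggest_fix(env: Dict[str, str]) -> Dict[str, str]:
    """Copy of env with DN-form group variables reduced to their cn value."""
    fixed = dict(env)
    for var in GROUP_VARS:
        cn = cn_from_dn(fixed.get(var, ""))
        if cn is not None:
            fixed[var] = cn
    return fixed


if __name__ == "__main__":
    # Check the real environment of the shell that will start stork-server.
    problems = check_env(dict(os.environ))
    for line in problems or ["LDAP group-mapping variables look consistent"]:
        print(line)
```

Run it in the same environment the Stork server is started from (e.g. after sourcing the server's environment file). Each DN-form variable is reported together with the `cn` it should be reduced to, which is exactly the change that resolved the thread.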