[Stork-dev] Stork and LDAP Auth

Slawek Figiel slawek at isc.org
Mon Oct 16 16:55:27 UTC 2023 

Glad to hear that your problem is solved, Brendan!

I would appreciate it if you shared your experiences using LDAP hook in 
a while. Your feedback will allow us to improve the quality of our solution.

Best regards
Slawek Figiel


On 16/10/2023 14:24, Brendan Kearney wrote:
> On 10/16/23 4:32 AM, Slawek Figiel wrote:
>> Hello Brendan!
>>
>> Thank you for your report. The LDAP hook is in the experimental phase, 
>> so any feedback is appreciated.
>>
>> Based on your description, your Stork can log users from LDAP, but 
>> they are assigned to no Stork group, and any manual assignment is 
>> reset on user login.
>>
>> It means the problem is related to group mapping.
>>
>> First, check if the `STORK_SERVER_HOOK_LDAP_MAP_GROUPS` environment 
>> variable is set to `true` or `1`. This variable enables the mapping 
>> groups from LDAP to Stork roles. I suppose you have it already enabled.
>>
>> It seems the `STORK_SERVER_HOOK_LDAP_GROUP_ADMIN` and 
>> `STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN` have improper values. They 
>> should be only the group's common name (the `cn` attribute value). In 
>> your case, they should be `dhcpAdmins` and `dhcpEngineers` accordingly.
>>
>> Please check if the above solution will solve your problem.
>>
>> Regards,
>> Slawek Figiel
>>
>> On 15/10/2023 04:48, Brendan Kearney wrote:
>>> list members,
>>>
>>> i am a new kea and stork user, but have been using dhcpd for quite 
>>> some time.  i am setting up stork, and want to point at ldap for 
>>> auth.  i set things up, but have run into an issue.
>>>
>>> i have set:
>>>
>>> STORK_SERVER_HOOK_LDAP_GROUP_ADMIN="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
>>> STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
>>>
>>> and no user in those groups winds up getting access.  all users get 
>>> an access error:
>>>
>>> HTTP Error 403 Forbidden. Access to this page is forbidden for the 
>>> currently logged in user. If you think you should have access to this 
>>> page please contact your system administrator to verify your 
>>> permissions.
>>>
>>> the users are in the groups, and authentication works it seems 
>>> because the login happens, but authorization is not working. even 
>>> when i set the group manually for the users, those settings do not 
>>> persist in postgresql.  i watched the number of rows in 
>>> system_user_to_group shrink from 3 to 2 to 1 during iterative logins, 
>>> where the mappings were being deleted from the table.
>>>
>>> are there tips and tricks to get ldap auth working?  any insights 
>>> would be appreciated.
>>>
>>> thank you,
>>>
>>> brendan kearney
>>>
> Slawek,
> 
> i did have the MAP_GROUPS variable set to 1, as you guessed. setting the 
> GROUP_ADMIN and GROUP_SUPER_ADMIN variables to the 'cn' values in LDAP 
> did the trick.  i am guessing the BIND_USERNAME is also in the short 
> form, only using the 'cn' value as well.
> 
> authentication looks to be working properly now.  thanks for the 
> insight.  stork looks like a lot of great capabilities.
> 
> thank you,
> 
> brendan kearney
>

More information about the stork-dev mailing list