[Stork-dev] Stork and LDAP Auth

Fri Oct 20 19:07:56 UTC 2023

On 10/16/23 12:55 PM, Slawek Figiel wrote:
> Glad to hear that your problem is solved, Brendan!
>
> I would appreciate it if you shared your experiences using LDAP hook 
> in a while. Your feedback will allow us to improve the quality of our 
> solution.
>
> Best regards
> Slawek Figiel
>
>
> On 16/10/2023 14:24, Brendan Kearney wrote:
>> On 10/16/23 4:32 AM, Slawek Figiel wrote:
>>> Hello Brendan!
>>>
>>> Thank you for your report. The LDAP hook is in the experimental 
>>> phase, so any feedback is appreciated.
>>>
>>> Based on your description, your Stork can log users from LDAP, but 
>>> they are assigned to no Stork group, and any manual assignment is 
>>> reset on user login.
>>>
>>> It means the problem is related to group mapping.
>>>
>>> First, check if the `STORK_SERVER_HOOK_LDAP_MAP_GROUPS` environment 
>>> variable is set to `true` or `1`. This variable enables the mapping 
>>> groups from LDAP to Stork roles. I suppose you have it already enabled.
>>>
>>> It seems the `STORK_SERVER_HOOK_LDAP_GROUP_ADMIN` and 
>>> `STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN` have improper values. 
>>> They should be only the group's common name (the `cn` attribute 
>>> value). In your case, they should be `dhcpAdmins` and 
>>> `dhcpEngineers` accordingly.
>>>
>>> Please check if the above solution will solve your problem.
>>>
>>> Regards,
>>> Slawek Figiel
>>>
>>> On 15/10/2023 04:48, Brendan Kearney wrote:
>>>> list members,
>>>>
>>>> i am a new kea and stork user, but have been using dhcpd for quite 
>>>> some time.  i am setting up stork, and want to point at ldap for 
>>>> auth.  i set things up, but have run into an issue.
>>>>
>>>> i have set:
>>>>
>>>> STORK_SERVER_HOOK_LDAP_GROUP_ADMIN="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" 
>>>>
>>>> STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" 
>>>>
>>>>
>>>> and no user in those groups winds up getting access.  all users get 
>>>> an access error:
>>>>
>>>> HTTP Error 403 Forbidden. Access to this page is forbidden for the 
>>>> currently logged in user. If you think you should have access to 
>>>> this page please contact your system administrator to verify your 
>>>> permissions.
>>>>
>>>> the users are in the groups, and authentication works it seems 
>>>> because the login happens, but authorization is not working. even 
>>>> when i set the group manually for the users, those settings do not 
>>>> persist in postgresql.  i watched the number of rows in 
>>>> system_user_to_group shrink from 3 to 2 to 1 during iterative 
>>>> logins, where the mappings were being deleted from the table.
>>>>
>>>> are there tips and tricks to get ldap auth working?  any insights 
>>>> would be appreciated.
>>>>
>>>> thank you,
>>>>
>>>> brendan kearney
>>>>
>> Slawek,
>>
>> i did have the MAP_GROUPS variable set to 1, as you guessed. setting 
>> the GROUP_ADMIN and GROUP_SUPER_ADMIN variables to the 'cn' values in 
>> LDAP did the trick.  i am guessing the BIND_USERNAME is also in the 
>> short form, only using the 'cn' value as well.
>>
>> authentication looks to be working properly now.  thanks for the 
>> insight.  stork looks like a lot of great capabilities.
>>
>> thank you,
>>
>> brendan kearney
>>
this is not working now.  the creds presented in the bind request are 
"cn=dhcp,dc=bpk2,dc=com", and that is not the proper dn.

Oct 20 15:05:04 x1titanium stork-server[99377]: time="2023-10-20 
15:05:04" level="error" msg="Cannot authenticate a user" 
file="            users.go:185  " error="cannot authenticate a user: 
error occurred in the Authenticate callout: cannot bind the 
'cn=dhcp,dc=bpk2,dc=com' user: LDAP Result Code 49 \"Invalid 
Credentials\": " identifier="brendan" method="ldap"

the process user i have created for this is the dhcp user, 
uid=dhcp,ou=processUsers,ou=Users,dc=bpk2,dc=com.  how do i use this id, 
since things seem to have changed in how this all works.