[Stork-dev] Stork and LDAP Auth
Slawek Figiel
slawek at isc.org
Mon Oct 23 08:28:13 UTC 2023
Hello Brendan!
Did you change the user credentials provided in:
- the `--ldap.bind-username` flag or
`STORK_SERVER_HOOK_LDAP_BIND_USERNAME` environment variable
- the `--ldap.bind-password` flag or
`STORK_SERVER_HOOK_LDAP_BIND_PASSWORD` environment variable?
Stork cannot bind to the LDAP server using these credentials, but it was
previously able to do so, since you reported that you could log users in.
Stork always binds the process/maintenance user using the `cn` attribute
concatenated with the LDAP root (`--ldap-root` or
`STORK_SERVER_HOOK_LDAP_ROOT` environment variable).
It never changes.
Please check the above credentials and analyze your LDAP server's recent
changes.
Regards,
Slawek Figiel
On 20/10/2023 21:07, Brendan Kearney wrote:
> On 10/16/23 12:55 PM, Slawek Figiel wrote:
>> Glad to hear that your problem is solved, Brendan!
>>
>> I would appreciate it if you shared your experiences using LDAP hook
>> in a while. Your feedback will allow us to improve the quality of our
>> solution.
>>
>> Best regards
>> Slawek Figiel
>>
>>
>> On 16/10/2023 14:24, Brendan Kearney wrote:
>>> On 10/16/23 4:32 AM, Slawek Figiel wrote:
>>>> Hello Brendan!
>>>>
>>>> Thank you for your report. The LDAP hook is in the experimental
>>>> phase, so any feedback is appreciated.
>>>>
>>>> Based on your description, your Stork can log in users from LDAP, but
>>>> they are assigned to no Stork group, and any manual assignment is
>>>> reset on user login.
>>>>
>>>> It means the problem is related to group mapping.
>>>>
>>>> First, check if the `STORK_SERVER_HOOK_LDAP_MAP_GROUPS` environment
>>>> variable is set to `true` or `1`. This variable enables mapping
>>>> groups from LDAP to Stork roles. I suppose you have it already enabled.
>>>>
>>>> It seems the `STORK_SERVER_HOOK_LDAP_GROUP_ADMIN` and
>>>> `STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN` have improper values.
>>>> They should be only the group's common name (the `cn` attribute
>>>> value). In your case, they should be `dhcpAdmins` and
>>>> `dhcpEngineers` respectively.
>>>>
>>>> Please check whether the above solves your problem.
>>>>
>>>> Regards,
>>>> Slawek Figiel
>>>>
>>>> On 15/10/2023 04:48, Brendan Kearney wrote:
>>>>> list members,
>>>>>
>>>>> I am a new Kea and Stork user, but have been using dhcpd for quite
>>>>> some time. I am setting up Stork, and want to point at LDAP for
>>>>> auth. I set things up, but have run into an issue.
>>>>>
>>>>> I have set:
>>>>>
>>>>> STORK_SERVER_HOOK_LDAP_GROUP_ADMIN="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
>>>>> STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
>>>>>
>>>>> and no user in those groups winds up getting access. All users get
>>>>> an access error:
>>>>>
>>>>> HTTP Error 403 Forbidden. Access to this page is forbidden for the
>>>>> currently logged in user. If you think you should have access to
>>>>> this page please contact your system administrator to verify your
>>>>> permissions.
>>>>>
>>>>> The users are in the groups, and authentication works, it seems,
>>>>> because the login happens, but authorization is not working. Even
>>>>> when I set the group manually for the users, those settings do not
>>>>> persist in PostgreSQL. I watched the number of rows in
>>>>> system_user_to_group shrink from 3 to 2 to 1 during iterative
>>>>> logins, where the mappings were being deleted from the table.
>>>>>
>>>>> Are there tips and tricks to get LDAP auth working? Any insights
>>>>> would be appreciated.
>>>>>
>>>>> Thank you,
>>>>>
>>>>> Brendan Kearney
>>>>>
>>> Slawek,
>>>
>>> I did have the MAP_GROUPS variable set to 1, as you guessed. Setting
>>> the GROUP_ADMIN and GROUP_SUPER_ADMIN variables to the 'cn' values in
>>> LDAP did the trick. I am guessing the BIND_USERNAME is also in the
>>> short form, only using the 'cn' value as well.
>>>
>>> Authentication looks to be working properly now. Thanks for the
>>> insight. Stork looks like it has a lot of great capabilities.
>>>
>>> Thank you,
>>>
>>> Brendan Kearney
>>>
> This is not working now. The creds presented in the bind request are
> "cn=dhcp,dc=bpk2,dc=com", and that is not the proper DN.
>
> Oct 20 15:05:04 x1titanium stork-server[99377]: time="2023-10-20
> 15:05:04" level="error" msg="Cannot authenticate a user"
> file=" users.go:185 " error="cannot authenticate a user:
> error occurred in the Authenticate callout: cannot bind the
> 'cn=dhcp,dc=bpk2,dc=com' user: LDAP Result Code 49 \"Invalid
> Credentials\": " identifier="brendan" method="ldap"
>
> The process user I have created for this is the dhcp user,
> uid=dhcp,ou=processUsers,ou=Users,dc=bpk2,dc=com. How do I use this ID,
> since things seem to have changed in how this all works?
>
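A preflight check for the settings discussed in this thread, added here as an example; it is not part of the original posts or of Stork itself. It models the two behaviours described in the replies above (the hook binds as `cn=<bind-username>,<ldap-root>`, and `GROUP_ADMIN` / `GROUP_SUPER_ADMIN` are compared against the group's bare `cn`) and runs them against the values Brendan quoted, so it reproduces both failures: the full-DN group setting that maps nobody, and the `uid=dhcp,ou=processUsers,...` service account that the constructed `cn=dhcp,dc=bpk2,dc=com` can never reach. The function names, the DN parser and the wording of the reported problems are assumptions of the example, not Stork's.

```python
"""Preflight check for the Stork LDAP hook settings discussed in this thread.

Constructed example, not Stork code. It models two behaviours described in
the replies above: the hook binds as cn=<bind-username>,<ldap-root>, and the
GROUP_ADMIN / GROUP_SUPER_ADMIN settings take a bare cn value, not a DN.
"""
import re
from typing import Dict, List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    # Split a DN into (attribute, value) pairs, leftmost RDN first.
    # A comma escaped with a backslash stays inside the value; multi-valued
    # RDNs (cn=a+sn=b) are not handled, which is enough for the DNs here.
    rdns: List[RDN] = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def format_dn(rdns: List[RDN]) -> str:
    return ",".join(f"{a}={v}" for a, v in rdns)


def stork_bind_dn(bind_username: str, ldap_root: str) -> str:
    """The DN the hook presents in the bind request, as described in the thread."""
    return f"cn={bind_username},{ldap_root}"


def check_bind_account(bind_username: str, ldap_root: str, actual_dn: str) -> List[str]:
    """Explain why the constructed bind DN cannot match the real service account."""
    actual = parse_dn(actual_dn)
    root = parse_dn(ldap_root)
    problems: List[str] = []
    attr, value = actual[0]
    if attr != "cn":
        problems.append(f"service account RDN is '{attr}=', but the hook only builds 'cn='")
    if value != bind_username:
        problems.append(f"bind username {bind_username!r} differs from the account RDN value {value!r}")
    if actual[1:] != root:
        problems.append(
            f"account lives under {format_dn(actual[1:])!r}, not directly under the root {ldap_root!r}"
        )
    return problems


def check_group_setting(name: str, value: str) -> List[str]:
    """GROUP_* values are matched against the group's cn, so a full DN maps nobody."""
    if "=" in value:
        cn = parse_dn(value)[0][1]
        return [f"{name} is a full DN; use only the group's cn, i.e. {cn!r}"]
    return []


def check_config(env: Dict[str, str], actual_bind_dn: str) -> List[str]:
    """Run every check against a dict of STORK_SERVER_HOOK_LDAP_* variables."""
    problems: List[str] = []
    if env.get("STORK_SERVER_HOOK_LDAP_MAP_GROUPS", "").lower() not in ("true", "1"):
        problems.append("STORK_SERVER_HOOK_LDAP_MAP_GROUPS is not 'true'/'1'; LDAP groups will not map to Stork roles")
    for key in ("STORK_SERVER_HOOK_LDAP_GROUP_ADMIN", "STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN"):
        problems += check_group_setting(key, env.get(key, ""))
    problems += check_bind_account(
        env["STORK_SERVER_HOOK_LDAP_BIND_USERNAME"],
        env["STORK_SERVER_HOOK_LDAP_ROOT"],
        actual_bind_dn,
    )
    return problems


# Constructed from the values quoted in the thread: the original full-DN
# GROUP_ADMIN setting and the uid=dhcp service account the hook cannot reach.
SAMPLE_ENV = {
    "STORK_SERVER_HOOK_LDAP_MAP_GROUPS": "1",
    "STORK_SERVER_HOOK_LDAP_ROOT": "dc=bpk2,dc=com",
    "STORK_SERVER_HOOK_LDAP_BIND_USERNAME": "dhcp",
    "STORK_SERVER_HOOK_LDAP_GROUP_ADMIN": "cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com",
    "STORK_SERVER_HOOK_LDAP_GROUP_SUPER_ADMIN": "dhcpEngineers",
}
ACTUAL_BIND_DN = "uid=dhcp,ou=processUsers,ou=Users,dc=bpk2,dc=com"

if __name__ == "__main__":
    print("hook will bind as:", stork_bind_dn(SAMPLE_ENV["STORK_SERVER_HOOK_LDAP_BIND_USERNAME"],
                                             SAMPLE_ENV["STORK_SERVER_HOOK_LDAP_ROOT"]))
    for problem in check_config(SAMPLE_ENV, ACTUAL_BIND_DN):
        print("-", problem)
```

Run it against your own variables before restarting stork-server. The check only reasons about how the DN is built; to confirm which DN the directory actually accepts for the service account, bind with it directly from a shell, for example `ldapwhoami -x -H ldap://<server> -D 'uid=dhcp,ou=processUsers,ou=Users,dc=bpk2,dc=com' -W`, and compare the result with what the hook logs as the bind DN.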