LDAP groups authorization

michele.tota · July 6, 2021, 1:31pm

Dear Indico team,

we have configured Indico with LDAP authentication and we use ldap groups for authorization.

We have encountered several authorization issues when events are protected with ldap groups.

Is the membership of a user in a group updated every time the user logging in or only when the account linking have been estabilished?

In administration-> groups searching for an external group, we see all the users that belong to it. The ldap query on the directory server returns some users who are not in the external group in indico. How is it possible?

Thank you

ThiefMaster · July 6, 2021, 1:36pm

It’s queried whenever needed, but cached for 30 minutes after the check.

Do they have corresponding Indico users? We only show group members with an Indico account (matched via email or by the unique identifier (e.g. ldap username) set during login) in Indico.

What exactly is your problem though? Is it group members not having access to protected events on Indico even though Indico shows them as group members?

michele.tota · July 6, 2021, 2:17pm

We have a lot of users linked to LDAP and it works for every but one.

This user seems to not be present in any groups in indico, while in LDAP he is member of some.

Is there any way to debug the ldap mapping process at login?

ThiefMaster · July 6, 2021, 2:27pm

This user seems to not be present in any groups in indico

Does any of his email addresses match his email on LDAP?
Does his login username (check the “Accounts” tab in his profile and then the link to the LDAP auth provider) match the unique identifier on LDAP?

Here are some useful things to do in indico shell (replace ID with the user’s ID):

list(User.get(ID).iter_identifiers(check_providers=True)) - this should include a tuple with the ldap provider and his unique identifier on ldap
from indico.modules.groups import GroupProxy and then {x.identifier for x in GroupProxy('GROUPNAME', 'PROVIDERNAME').group} - this should include the LDAP username of the user if he’s seen as a member of the LDAP group; so it should have an overlap with an identifier from the previous point
GroupProxy('GROUPNAME', 'PROVIDERNAME').get_members() should include the indico user for that user

Depending on where this fails (or rather doesn’t return data) we can hopefully figure out what the problem is…

michele.tota · July 6, 2021, 3:03pm

User have changed his primary mail address, but our indico ldap config link user by an uuid attribute (infnUUID).

With indico shell, as you suggest, the user is correctly retrieved and belongs to the right group.

In [1]: list(User.get(4608).iter_identifiers(check_providers=True))
Out[1]: [(u'shib-sso', u'3ad21255-8751-4e4b-a4dc-45c86f1dba9a')]

In [3]: {x.identifier for x in GroupProxy('Istituzioni->INFN->Sezione di Firenze', 'ldap').group}
Out[3]:
{u'0017eeef-bfeb-4bf8-b458-c828b5247169',
 ...
 u'3ad21255-8751-4e4b-a4dc-45c86f1dba9a',
...
 u'fe229fb6-62bd-453a-bca2-4f67d3a68fce'}

Is the primary mail the problem? Our users use to change email addresses when the affiliation changes. So it is frequent and this is why we use uuid attribute for mapping.

How can we manage this? Thank you a lot!!

ThiefMaster · July 6, 2021, 3:06pm

We require a match via the identifiers OR the email). So it should work. Is the user not shown in the GroupProxy('GROUPNAME', 'PROVIDERNAME').get_members() output? :o

michele.tota · July 6, 2021, 3:12pm

The user is not in the output list.

ThiefMaster · July 6, 2021, 3:14pm

What does User.get(4608).identifies show?

michele.tota · July 6, 2021, 3:15pm

AttributeError: ‘User’ object has no attribute ‘identifies’

ThiefMaster · July 6, 2021, 3:16pm

Sorry, I meant identifiers

michele.tota · July 6, 2021, 3:16pm

same
AttributeError: ‘User’ object has no attribute ‘identifiers’

ThiefMaster · July 6, 2021, 3:17pm

err, it should be identities

michele.tota · July 6, 2021, 3:17pm

In [12]: User.get(4608).identities
Out[12]: {<Identity(22952, 4608, shib-sso, 3ad21255-8751-4e4b-a4dc-45c86f1dba9a)>}

ThiefMaster · July 6, 2021, 3:24pm

set(User.query.outerjoin(Identity).filter(
    ~User.is_deleted,
    db.and_(
        Identity.provider == 'shib-sso',
        Identity.identifier == '3ad21255-8751-4e4b-a4dc-45c86f1dba9a'
    )
))

Does this find the user?

michele.tota · July 6, 2021, 3:27pm

yes, user found correctly.

ThiefMaster · July 6, 2021, 3:28pm

Then I don’t understand how he can not show up on the group member list page in the indico admin area nor in the .get_members() output…

michele.tota · July 6, 2021, 4:17pm

we have changed the mail attribute on ldap with the primary email of user in indico. The user is now found in the groups and authorized correctly.

It seems that the account linking is done with the uuid attribute but the search on groups with the primary mail address, is it possible?

Is it a bug? Do we need to open an issue on github project?

ThiefMaster · July 6, 2021, 4:24pm

Listing group members uses both - either the email OR the unique identifier need to match.

For the group membership check the iter_identifiers method is used, which takes the user.identities from the DB and also searches ldap for all unique identifiers associated with any of the user’s emails.

So to be honest, I don’t see why it didn’t work since even with a failing email lookup the unique identifier already stored in the DB should have worked…

michele.tota · July 8, 2021, 8:27am

So the ldap search is always based on the email address? If so, this should be the problem.

ThiefMaster · July 8, 2021, 8:30am

It uses both:

if the user logged in with LDAP, then the unique ID from LDAP added to indico (that’s what shows up on the “Accounts” page in the profile settings); this is then used for membership checks
we ADDITIONALLY check LDAP for users with a matching email address and check the membership for them as well (again with their unique ids)