LDAP groups authorization

Dear Indico team,

we have configured Indico with LDAP authentication and we use ldap groups for authorization.

We have encountered several authorization issues when events are protected with ldap groups.

Is the membership of a user in a group updated every time the user logging in or only when the account linking have been estabilished?

In administration-> groups searching for an external group, we see all the users that belong to it. The ldap query on the directory server returns some users who are not in the external group in indico. How is it possible?

Thank you

It’s queried whenever needed, but cached for 30 minutes after the check.

Do they have corresponding Indico users? We only show group members with an Indico account (matched via email or by the unique identifier (e.g. ldap username) set during login) in Indico.

What exactly is your problem though? Is it group members not having access to protected events on Indico even though Indico shows them as group members?

We have a lot of users linked to LDAP and it works for every but one.

This user seems to not be present in any groups in indico, while in LDAP he is member of some.

Is there any way to debug the ldap mapping process at login?

This user seems to not be present in any groups in indico

  • Does any of his email addresses match his email on LDAP?
  • Does his login username (check the “Accounts” tab in his profile and then the link to the LDAP auth provider) match the unique identifier on LDAP?

Here are some useful things to do in indico shell (replace ID with the user’s ID):

  • list(User.get(ID).iter_identifiers(check_providers=True)) - this should include a tuple with the ldap provider and his unique identifier on ldap
  • from indico.modules.groups import GroupProxy and then {x.identifier for x in GroupProxy('GROUPNAME', 'PROVIDERNAME').group} - this should include the LDAP username of the user if he’s seen as a member of the LDAP group; so it should have an overlap with an identifier from the previous point
  • GroupProxy('GROUPNAME', 'PROVIDERNAME').get_members() should include the indico user for that user

Depending on where this fails (or rather doesn’t return data) we can hopefully figure out what the problem is…

User have changed his primary mail address, but our indico ldap config link user by an uuid attribute (infnUUID).

With indico shell, as you suggest, the user is correctly retrieved and belongs to the right group.

In [1]: list(User.get(4608).iter_identifiers(check_providers=True))
Out[1]: [(u'shib-sso', u'3ad21255-8751-4e4b-a4dc-45c86f1dba9a')]

In [3]: {x.identifier for x in GroupProxy('Istituzioni->INFN->Sezione di Firenze', 'ldap').group}

Is the primary mail the problem? Our users use to change email addresses when the affiliation changes. So it is frequent and this is why we use uuid attribute for mapping.

How can we manage this? Thank you a lot!!

We require a match via the identifiers OR the email). So it should work. Is the user not shown in the GroupProxy('GROUPNAME', 'PROVIDERNAME').get_members() output? :o

The user is not in the output list.

What does User.get(4608).identifies show?

AttributeError: ‘User’ object has no attribute ‘identifies’

Sorry, I meant identifiers

AttributeError: ‘User’ object has no attribute ‘identifiers’

err, it should be identities :see_no_evil:

In [12]: User.get(4608).identities
Out[12]: {<Identity(22952, 4608, shib-sso, 3ad21255-8751-4e4b-a4dc-45c86f1dba9a)>}

        Identity.provider == 'shib-sso',
        Identity.identifier == '3ad21255-8751-4e4b-a4dc-45c86f1dba9a'

Does this find the user?

yes, user found correctly.

Then I don’t understand how he can not show up on the group member list page in the indico admin area nor in the .get_members() output…

we have changed the mail attribute on ldap with the primary email of user in indico. The user is now found in the groups and authorized correctly.

It seems that the account linking is done with the uuid attribute but the search on groups with the primary mail address, is it possible?

Is it a bug? Do we need to open an issue on github project?

Listing group members uses both - either the email OR the unique identifier need to match.

For the group membership check the iter_identifiers method is used, which takes the user.identities from the DB and also searches ldap for all unique identifiers associated with any of the user’s emails.

So to be honest, I don’t see why it didn’t work since even with a failing email lookup the unique identifier already stored in the DB should have worked…

So the ldap search is always based on the email address? If so, this should be the problem.

It uses both:

  • if the user logged in with LDAP, then the unique ID from LDAP added to indico (that’s what shows up on the “Accounts” page in the profile settings); this is then used for membership checks
  • we ADDITIONALLY check LDAP for users with a matching email address and check the membership for them as well (again with their unique ids)