we have configured Indico with LDAP authentication and we use ldap groups for authorization.
We have encountered several authorization issues when events are protected with ldap groups.
Is the membership of a user in a group updated every time the user logging in or only when the account linking have been estabilished?
In administration-> groups searching for an external group, we see all the users that belong to it. The ldap query on the directory server returns some users who are not in the external group in indico. How is it possible?
It’s queried whenever needed, but cached for 30 minutes after the check.
Do they have corresponding Indico users? We only show group members with an Indico account (matched via email or by the unique identifier (e.g. ldap username) set during login) in Indico.
What exactly is your problem though? Is it group members not having access to protected events on Indico even though Indico shows them as group members?
This user seems to not be present in any groups in indico
Does any of his email addresses match his email on LDAP?
Does his login username (check the “Accounts” tab in his profile and then the link to the LDAP auth provider) match the unique identifier on LDAP?
Here are some useful things to do in indico shell (replace ID with the user’s ID):
list(User.get(ID).iter_identifiers(check_providers=True)) - this should include a tuple with the ldap provider and his unique identifier on ldap
from indico.modules.groups import GroupProxy and then {x.identifier for x in GroupProxy('GROUPNAME', 'PROVIDERNAME').group} - this should include the LDAP username of the user if he’s seen as a member of the LDAP group; so it should have an overlap with an identifier from the previous point
GroupProxy('GROUPNAME', 'PROVIDERNAME').get_members() should include the indico user for that user
Depending on where this fails (or rather doesn’t return data) we can hopefully figure out what the problem is…
User have changed his primary mail address, but our indico ldap config link user by an uuid attribute (infnUUID).
With indico shell, as you suggest, the user is correctly retrieved and belongs to the right group.
In [1]: list(User.get(4608).iter_identifiers(check_providers=True))
Out[1]: [(u'shib-sso', u'3ad21255-8751-4e4b-a4dc-45c86f1dba9a')]
In [3]: {x.identifier for x in GroupProxy('Istituzioni->INFN->Sezione di Firenze', 'ldap').group}
Out[3]:
{u'0017eeef-bfeb-4bf8-b458-c828b5247169',
...
u'3ad21255-8751-4e4b-a4dc-45c86f1dba9a',
...
u'fe229fb6-62bd-453a-bca2-4f67d3a68fce'}
Is the primary mail the problem? Our users use to change email addresses when the affiliation changes. So it is frequent and this is why we use uuid attribute for mapping.
We require a match via the identifiers OR the email). So it should work. Is the user not shown in the GroupProxy('GROUPNAME', 'PROVIDERNAME').get_members() output? :o
Listing group members uses both - either the email OR the unique identifier need to match.
For the group membership check the iter_identifiers method is used, which takes the user.identities from the DB and also searches ldap for all unique identifiers associated with any of the user’s emails.
So to be honest, I don’t see why it didn’t work since even with a failing email lookup the unique identifier already stored in the DB should have worked…
if the user logged in with LDAP, then the unique ID from LDAP added to indico (that’s what shows up on the “Accounts” page in the profile settings); this is then used for membership checks
we ADDITIONALLY check LDAP for users with a matching email address and check the membership for them as well (again with their unique ids)