DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Problems with LDAP group replication #8516

Closed reichertan closed 1 year ago

reichertan commented 1 year ago

Hello, I have a problem with group replication from ActiveDirectory. An ActiveDirectory user can log in, but the AD groups are not replicated correctly.

If I set AUTH_LDAP_MIRROR_GROUPS = True and log in with an AD user, I see in the database that the Django tables auth_group, auth_group_permissions and auth_user_groups are written correctly. However, the AD groups are missing from the DefectDojo tables dojo_dojo_group and dojo_dojo_group_member. I can't see these AD groups in the DefectDojo web user interface either.

If I set AUTH_LDAP_MIRROR_GROUPS = False and create the groups manually via the DefectDojo web user interface, the AD user is not assigned to these groups when logging in.

Here is my LDAP configuration:

import ldap
from django_auth_ldap.config import LDAPSearch, LDAPGroupQuery, NestedActiveDirectoryGroupType

AUTHENTICATION_BACKENDS = (
    "django_auth_ldap.backend.LDAPBackend",
    "django.contrib.auth.backends.ModelBackend",
)

AUTH_LDAP_SERVER_URI = "ldaps://ldap.example.com"
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0,
    # OPT_X_TLS_NEVER disables verification of the server certificate on the ldaps connection
    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
}
AUTH_LDAP_GLOBAL_OPTIONS = AUTH_LDAP_CONNECTION_OPTIONS

AUTH_LDAP_BIND_DN = "django-agent@ldap.example.com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "ou=users,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"
)

AUTH_LDAP_USER_ATTR_MAP = {
    "username": "sAMAccountName",
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "ou=django,ou=groups,dc=example,dc=com",
    ldap.SCOPE_SUBTREE,
    "(objectClass=group)",
)
AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType(name_attr="cn")

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=active,ou=django,ou=groups,dc=example,dc=com",
    "is_staff": "cn=staff,ou=django,ou=groups,dc=example,dc=com",
    "is_superuser": "cn=superuser,ou=django,ou=groups,dc=example,dc=com",
}

AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_MIRROR_GROUPS = True
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_CACHE_TIMEOUT = 3600

Expected behavior

AD users should also have their AD group membership in DefectDojo.

Deployment method (select with an X)

Environment information

martigr commented 8 months ago

Did you solve this problem? I face a similar problem. Groups are not populated to the database and are not visible in the UI.

reichertan commented 8 months ago

Hello @martigr , it's been a while now. As far as I remember, I created a custom LDAP authentication backend in which the DefectDojo group assignments were set.

martigr commented 8 months ago

I had a closer look into the database. The LDAP groups are populated to the table auth_group. But they are not populated to the table dojo_dojo_group. This is the table used to show the group in the UI and used for permissions…

xzavrel commented 5 months ago

> Hello @martigr , it's been a while now. As far as I remember, I created a custom LDAP authentication backend in which the DefectDojo group assignments were set.

Hi, @reichertan can you share the LDAP backend you have implemented? We are dealing with the same situation.

reichertan commented 5 months ago

Hi @xzavrel, I used https://github.com/django-auth-ldap/django-auth-ldap/blob/master/django_auth_ldap/backend.py as a template. The _LDAPUser class there has a _get_or_create_user method; there you could add code to assign users to or remove users from Dojo groups.

If you have created your own backend, you can add it in settings.dist.py to the AUTHENTICATION_BACKENDS list.

Sorry, I'm not allowed to paste my exact code.
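The hook reichertan describes, written out as an added example (this is not code from the issue, from DefectDojo or from django-auth-ldap). Rather than copying backend.py, it uses the populate_user signal, which django-auth-ldap's _get_or_create_user fires after the Django user is saved, so no backend subclass is needed. The DefectDojo model names Dojo_Group, Dojo_Group_Member and Role, the role name "Reader", and the set of flag groups that are deliberately not mirrored are assumptions, not facts taken from the thread.

```python
"""Mirror a user's LDAP groups into DefectDojo's own group tables.

Added example, not code from the issue, DefectDojo or django-auth-ldap.
django-auth-ldap sends the ``populate_user`` signal from ``_LDAPUser._get_or_create_user``
once the Django user has been saved, so a receiver on that signal can maintain the
``dojo_dojo_group`` / ``dojo_dojo_group_member`` rows that AUTH_LDAP_MIRROR_GROUPS alone
does not touch.

Assumptions (not from the issue): DefectDojo exposes ``dojo.models.Dojo_Group``,
``dojo.models.Dojo_Group_Member`` (fields ``group``, ``user``, ``role``) and
``dojo.models.Role``, and a role named DEFAULT_ROLE_NAME exists.
"""

# The poster's AUTH_LDAP_USER_FLAGS_BY_GROUP groups are access flags, not teams, so they
# are not mirrored as DefectDojo groups (assumed exclusion list, taken from that config).
EXCLUDED_GROUPS = frozenset({"active", "staff", "superuser"})
DEFAULT_ROLE_NAME = "Reader"  # assumption: least-privilege role for mirrored memberships
CREATE_MISSING = True         # True mirrors AUTH_LDAP_MIRROR_GROUPS=True; False only assigns pre-existing Dojo groups
REMOVE_STALE = True           # drop memberships no longer backed by AD; False if admins also grant groups by hand


def select_mirrored_groups(ldap_group_names, excluded=EXCLUDED_GROUPS):
    """Return the LDAP group names (the cn values) that should exist as DefectDojo groups."""
    return {name for name in ldap_group_names if name not in excluded}


def reconcile(ldap_names, current_dojo_names):
    """Diff desired (LDAP) against actual (DefectDojo) membership.

    Returns (to_add, to_remove), both sorted so log output is deterministic.
    """
    ldap_names = set(ldap_names)
    current = set(current_dojo_names)
    return sorted(ldap_names - current), sorted(current - ldap_names)


def sync_dojo_groups(sender, user, ldap_user, **kwargs):
    """populate_user receiver: make Dojo_Group_Member rows match ldap_user.group_names.

    Django imports live inside the function so this module imports (and the pure
    helpers above can be unit-tested) without a configured Django settings module.
    """
    from dojo.models import Dojo_Group, Dojo_Group_Member, Role  # assumed model names

    desired = select_mirrored_groups(ldap_user.group_names)
    current = set(
        Dojo_Group_Member.objects.filter(user=user).values_list("group__name", flat=True)
    )
    to_add, to_remove = reconcile(desired, current)

    role = Role.objects.get(name=DEFAULT_ROLE_NAME)
    for name in to_add:
        if CREATE_MISSING:
            group, _ = Dojo_Group.objects.get_or_create(name=name)
        else:
            group = Dojo_Group.objects.filter(name=name).first()
            if group is None:
                continue  # AUTH_LDAP_MIRROR_GROUPS=False semantics: never create groups here
        Dojo_Group_Member.objects.get_or_create(group=group, user=user, defaults={"role": role})

    if REMOVE_STALE and to_remove:
        Dojo_Group_Member.objects.filter(user=user, group__name__in=to_remove).delete()

    return to_add, to_remove


def connect():
    """Register the receiver once, e.g. from an AppConfig.ready() or at the bottom of the
    module you list in AUTHENTICATION_BACKENDS."""
    from django_auth_ldap.backend import populate_user

    populate_user.connect(sync_dojo_groups, dispatch_uid="dojo_ldap_group_sync")
```

Call connect() once at startup; the receiver then runs on every LDAP login, which is also when AUTH_LDAP_ALWAYS_UPDATE_USER refreshes the Django-side groups, so the two views of membership stay in step. REMOVE_STALE makes AD the single source of truth for group membership; leave it False if DefectDojo administrators also add users to groups through the UI, otherwise those manual grants are undone at the next login.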