goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

"Search full LDAP directory" doesn't actually work #11548

Open Banh-Canh opened 3 weeks ago

Banh-Canh commented 3 weeks ago

Describe the bug: "Search full LDAP directory" doesn't actually work.

To Reproduce
Steps to reproduce the behavior:

Add "Search full LDAP directory" permission to a freshly created user/serviceaccount. Then run the query:

ldapsearch -x -H ldap://<outpost-ldap>:389 -D 'cn=ldapbind,ou=users,DC=ldap,DC=goauthentik,DC=io' -w 'xxx' -b 'OU=users,DC=ldap,DC=goauthentik,DC=io' '(objectClass=user)'

It only returns the bind user. If I run the same command after I give superuser permission to the bind user, it just works and I get the whole directory of users.

Expected behavior: I should get the whole directory of users with this permission, without superuser rights.

Version and Deployment (please complete the following information):

shawnbonifas commented 3 weeks ago

I'm having the same issue here. I only just today set up the LDAP application, outpost, provider, flows, etc., so I don't know if it was working previously. If I use the akadmin account I can search for users and see all of them. Using the service account I created, it can only find itself and the groups it's a member of. I have tried giving it superuser permission, all LDAP permissions, and all permissions to users; the user search still only returns the bind user. I'm also using 2024.8.3, deployed using the helm template.

DrMax1 commented 5 days ago

Same issue here. Giving the "Search full LDAP directory" permission to the bind user makes the query return only the bind user itself. After adding the bind user to the superuser group, it returns all users in the current authentik instance.

Running 2024.8.3 with docker-compose

BeryJu commented 5 days ago

@DrMax1 @shawnbonifas @Banh-Canh are you assigning the search full LDAP directory to the service user within a single provider or globally?

Also try restarting the LDAP outpost after the permissions are assigned, this might be a caching part (it shouldn't but just to rule it out)

DrMax1 commented 5 days ago

> @DrMax1 @shawnbonifas @Banh-Canh are you assigning the search full LDAP directory to the service user within a single provider or globally?
>
> Also try restarting the LDAP outpost after the permissions are assigned, this might be a caching part (it shouldn't but just to rule it out)

@BeryJu I am assigning the permission to the service user globally:

[screenshot]

I restarted the LDAP outpost and also set the provider to direct binding and querying to avoid caching issues.

I also tried downgrading to Version 2024.8.2 but the issue persists.
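Since the thread hinges on whether a search as the bind account returns anything beyond the bind user, here is a small check for that, added as an example (not code from the authentik project or from anyone in this issue). It assumes the OpenLDAP `ldapsearch` client is installed; the URI, bind DN, password and base DN are placeholders modelled on the reporter's command, and the two LDIF samples are constructed.

```shell
#!/bin/sh
# Added example, not code from authentik or from the issue authors.
# Checks whether a bind account can really see the whole directory: a subtree
# search as that account should return DNs other than the bind DN itself.

# Print how many result DNs differ from the bind DN. LDIF is read from stdin.
# DNs are compared case-insensitively (the issue mixes "DC=" and "dc=").
count_other_dns() {
    bind_dn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    grep '^dn: ' | sed 's/^dn: //' | tr '[:upper:]' '[:lower:]' \
        | grep -v -x -F -- "$bind_dn" | wc -l | tr -d ' '
}

# Run the search from the report and say whether it is limited to the bind user.
# Usage: verify_full_search <ldap-uri> <bind-dn> <password> <base-dn>
# (placeholders; assumes ldapsearch from the OpenLDAP client tools)
verify_full_search() {
    uri=$1; bind_dn=$2; pw=$3; base=$4
    others=$(ldapsearch -x -LLL -H "$uri" -D "$bind_dn" -w "$pw" -b "$base" \
                 '(objectClass=user)' dn | count_other_dns "$bind_dn")
    if [ "$others" -gt 0 ]; then
        echo "OK: search as $bind_dn returned $others entries besides the bind user"
        return 0
    fi
    echo "LIMITED: search as $bind_dn returned only the bind user (permission not effective?)"
    return 1
}

# Constructed sample matching what the report describes: only the bind user
# comes back. Used to check the parser offline.
SAMPLE_LIMITED='dn: cn=ldapbind,ou=users,dc=ldap,dc=goauthentik,dc=io
cn: ldapbind
'
# Constructed sample for a working permission: two more users are visible.
SAMPLE_FULL='dn: cn=ldapbind,ou=users,dc=ldap,dc=goauthentik,dc=io
dn: cn=alice,ou=users,dc=ldap,dc=goauthentik,dc=io
dn: cn=bob,ou=users,dc=ldap,dc=goauthentik,dc=io
'
```

Re-running `verify_full_search` after assigning the permission and restarting the outpost (as suggested above) gives a quick yes/no on whether the change took effect.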