simplesamlphp / simplesamlphp-module-ldap

Module that provides authentication against LDAP stores
GNU Lesser General Public License v2.1

dn missing in attributes? #60

Open huckabeec opened 2 days ago

huckabeec commented 2 days ago

I've got a simple authproc that calls ldap:AttributeAddUsersGroups to get the user's group information. Our LDAP is OpenLDAP, with groups that have both the groupOfNames and posixGroup objectClasses, so we have both uniqueMember and memberUid attributes on our groups.

If I call that authproc like this - it works, the uid is used and matches the memberUid attribute:

```php
50 => [
    'class' => 'ldap:AttributeAddUsersGroups',
    'authsource' => 'ldap',
    'ldap.product' => 'OpenLDAP',
    'search.base' => [
        'ou=Groups,dc=mycompany,dc=com',
    ],
    'attribute.dn' => 'dn',
    'attribute.return' => 'cn',
    'attribute.groups' => 'groups',
    'attribute.username' => 'uid',
    'attribute.memberOf' => 'memberuid',
    'timeout' => 30,
],
```

However if I call it like this:

```php
50 => [
    'class' => 'ldap:AttributeAddUsersGroups',
    'authsource' => 'ldap',
    'ldap.product' => 'OpenLDAP',
    'search.base' => [
        'ou=Groups,dc=mycompany,dc=com',
    ],
    'attribute.dn' => 'dn',
    'attribute.return' => 'cn',
    'attribute.groups' => 'groups',
    'attribute.username' => 'dn',
    'attribute.memberOf' => 'uniquemember',
    'timeout' => 30,
],
```

I get an error telling me 'dn' is not found in the attributes array. So, I added another authproc call to ldap:AttributeAddFromLDAP to go specifically grab 'dn' for the user. To my knowledge 'dn' is always returned by LDAP searches, but I figured let's try this:

```php
40 => [
    'class' => 'ldap:AttributeAddFromLDAP',
    'authsource' => 'ldap',
    'attributes' => ['dn'],
    'attribute.policy' => 'add',
    'search.filter' => '(cn=%cn%)',
],
```

Which itself works without error, but I still get the following on the very next call to 'ldap:AttributeAddUsersGroups' :

```
SimpleSAML\Error\Exception: Warning - Undefined array key "dn" at /usr/local/install/simplesamlphp/modules/ldap/src/Auth/Process/AttributeAddUsersGroups.php:229
```

I can't find where or if 'dn' is somehow being filtered out but the attribute is definitely being returned by a search.

We'd like to switch to using the DN where we can but this has been a roadblock I can't figure out.
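Added example, not code from the issue author or from simplesamlphp-module-ldap: a small standalone PHP function that does the lookup the filter performs on `$state['Attributes']` defensively, so a missing key produces an error naming the key and listing the attributes that are present instead of an "Undefined array key" warning. One piece of background it relies on: in an LDAP SearchResultEntry the DN is the entry's name, carried separately from the entry's attribute list, so a component that builds its attributes array only from the returned attributes has no `dn` key unless something explicitly adds one. The function name and the sample attribute set below are constructed for the example.

```php
<?php
// Added example, not part of simplesamlphp-module-ldap. Function name and the
// sample attributes are constructed; the array shape (name => list of string
// values) is the one SimpleSAMLphp uses for $state['Attributes'].
declare(strict_types=1);

/**
 * Return the first value of $attributeName from an attributes array, or throw
 * an exception that names the missing key and lists the keys that are present.
 */
function requireAttributeValue(array $attributes, string $attributeName): string
{
    if (!array_key_exists($attributeName, $attributes)) {
        throw new RuntimeException(sprintf(
            "Attribute '%s' is not in the attributes array; available: %s",
            $attributeName,
            implode(', ', array_keys($attributes)) ?: '(none)'
        ));
    }
    if (!is_array($attributes[$attributeName]) || $attributes[$attributeName] === []) {
        throw new RuntimeException(sprintf("Attribute '%s' is present but empty", $attributeName));
    }
    return (string) $attributes[$attributeName][0];
}

// Constructed sample attribute set: uid and cn are delivered by the authsource,
// but the entry DN is not among the attributes.
$sampleAttributes = [
    'uid'  => ['jdoe'],
    'cn'   => ['Jane Doe'],
    'mail' => ['jdoe@mycompany.com'],
];

// Corresponds to the working configuration above ('attribute.username' => 'uid').
echo requireAttributeValue($sampleAttributes, 'uid'), PHP_EOL;

// Corresponds to the failing configuration ('attribute.username' => 'dn'):
// instead of a PHP warning we get a message that says which keys do exist.
try {
    requireAttributeValue($sampleAttributes, 'dn');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Inside a real processing filter the same check would run in `process(array &$state)` against `$state['Attributes']` with the configured `attribute.username` value, which is how the presence of the username attribute can be confirmed before the group search is attempted.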

tvdijen commented 1 day ago

How are you authenticating before this authproc runs? The AttributeAddUsersGroups authproc filter assumes that the attribute specified in attribute.username is already present in the attributes array before the filter runs.

PS: I'm responding slowly due to a vacation and limited access to a computer.

huckabeec commented 1 day ago

I'm using the authX509 module (which calls the ldap module internally), which seems to be working correctly. When I've verified that module using a different SP (one that doesn't require an authproc) I get the expected attributes, although no DN shows up there either.

Also enjoy your vacation - this can wait until you return for sure.

EDIT: This may be a problem in both the ldap and x509 modules. Doing a test from the SimpleSAMLphp console, I get all of the expected attributes except the 'dn' from the ldap module. When I test the authX509 module I get a very small number of attributes back (also missing the dn). I will be doing some more digging.