waldur / glauth

MIT License

Group names are not recognized by sss #4

Open cipharius opened 3 months ago

cipharius commented 3 months ago

I am not sure if this is an issue with my specific setup, but sssd version 2.9.1 with the following sssd configuration does not recognize the group names:

[domain/WALDUR]
cache_credentials = False
enumerate = True
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://#####:3893
ldap_search_base = dc=glauth,dc=com
ldap_default_bind_dn = cn=admin,dc=glauth,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = #####
ldap_use_tokengroups = False
sudo_provider = none
ldap_group_member = member
ldap_schema = rfc2307bis
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=*,dc=glauth,dc=com)
ldap_user_name = preferredUsername

I noticed that if I change groupformat to "cn" in the preconfig.cfg.template, then sss manages to recognize group names without providing a custom ldap_group_search_base in the sssd.conf. https://github.com/waldur/glauth/blob/8f19f297527cf026fdf88da36058a5bd69fb6b39/systemd-conf/refresher/preconfig.cfg.template#L38

I was wondering how groups are configured on other setups and whether groupformat = "cn" should become the default configuration, given that sssd recognizes that by default.

livenson commented 2 months ago

Hi, yes, this is a thing we noticed and indeed it depends on the sssd version.

Generally speaking, we tried to adjust minimally with respect to upstream - https://github.com/glauth/glauth - but I think that changing to cn as a default can indeed make sense, as almost 100% of deployments with Waldur are using SSSD.

livenson commented 2 months ago

Relates to glauth/glauth/issues/181.

livenson commented 2 months ago

Another issue we saw was the format of ldap_user_name in SSSD configuration.

ldap_user_name = preferredUsername vs ldap_user_name = preferred_username

Can you please check which one is working for you?

Also, what if you use the following SSSD configuration:

[domain/WALDUR]
cache_credentials = True
enumerate = False
id_provider = ldap
auth_provider = ldap
access_provider = ldap
# ldap-server needs to resolve to the host where glauth is running
ldap_uri = ldap://ldap-server:3893
# configured glauth base
ldap_search_base = dc=glauth,dc=com
# configured glauth service user
ldap_default_bind_dn = cn=admin,dc=glauth,dc=com
ldap_default_authtok_type = password
# configured glauth service user password
ldap_default_authtok = mysecret
ldap_use_tokengroups = False
sudo_provider = none
ldap_group_member = member
ldap_schema = rfc2307bis
ldap_access_order = filter
ldap_access_filter = (memberOf=dc=glauth,dc=com)
ldap_user_name = preferredUsername
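A small checker for the pitfalls this thread touches (cleartext bind transport, the memberOf access filter, and group naming when no ldap_group_search_base is set), as an added example that is not part of glauth or sssd. The sample config string is constructed from the first configuration in the thread; `ldap_id_use_start_tls`, `ldap_group_name` and `ldap_group_search_base` are sssd's own options.

```python
"""Lint an sssd [domain/...] section for the pitfalls raised in this thread.
Added example, not glauth or sssd code; the sample below is constructed."""
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the first sssd.conf posted in the thread.
SAMPLE_SSSD_CONF = """
[domain/WALDUR]
cache_credentials = False
enumerate = True
id_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap-server:3893
ldap_search_base = dc=glauth,dc=com
ldap_default_bind_dn = cn=admin,dc=glauth,dc=com
ldap_default_authtok = mysecret
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=*,dc=glauth,dc=com)
ldap_schema = rfc2307bis
ldap_user_name = preferredUsername
"""

def lint_domain(text: str, domain: str = "WALDUR") -> list[str]:
    """Return one 'area: message' finding per pitfall found in [domain/<domain>]."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # sssd option names are case-sensitive; keep them as written
    cfg.read_string(text)
    sec = cfg[f"domain/{domain}"]
    findings = []
    # 1. Transport: with plain ldap:// and no STARTTLS the service bind password
    #    in ldap_default_authtok crosses the network unencrypted on every lookup.
    scheme = urlsplit(sec.get("ldap_uri", "")).scheme
    starttls = sec.get("ldap_id_use_start_tls", "false").lower() == "true"
    if scheme == "ldap" and not starttls:
        findings.append("transport: ldap:// without ldap_id_use_start_tls, bind password is sent in clear")
    # 2. Access filter: with access_provider=ldap and order=filter, a user whose entry
    #    does not match is denied, so the filter must be one the server evaluates as
    #    intended. memberOf holds DNs, and standard DN syntax has no substring rule,
    #    so a '*' inside it is server-dependent.
    if sec.get("access_provider") == "ldap" and "filter" in sec.get("ldap_access_order", "filter"):
        flt = sec.get("ldap_access_filter", "")
        m = re.fullmatch(r"\(memberOf=(.+)\)", flt)
        if not flt:
            findings.append("access: ldap_access_filter is missing, no user can match")
        elif m and "*" in m.group(1):
            findings.append(f"access: wildcard inside DN-valued memberOf filter {flt!r}")
    # 3. Groups: without ldap_group_search_base sssd looks for groups under
    #    ldap_search_base and names them by ldap_group_name (cn by default), which
    #    is why the thread needed glauth's groupformat = "cn".
    if "ldap_group_search_base" not in sec and "ldap_group_name" not in sec:
        findings.append('groups: no ldap_group_search_base, sssd expects group names in cn (glauth groupformat = "cn")')
    return findings
```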