gogs: LDAP group verification fails

  • Gogs version (or commit ref): 2:0.11.29.0727+4+52f383381
  • Git version: 2.14.1
  • Operating system: Arch
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • OpenLDAP version: 2.4.45
  • Can you reproduce the bug at https://try.gogs.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

Before updating to the latest commit today using my distribution’s package manager, I noticed group verification fails. For example, the following are perfectly valid.

  • Group Search Base DN: ou=Groups,dc=example,dc=com
  • Group Filter: (&(cn=gogs-users)(objectClass=groupOfNames))
  • Group Attribute Containing List of Users: member
  • User Attribute Listed in Group: uid

If I query the group membership manually I can see my user does get returned correctly.

$ lgroup '(&(cn=gogs-users)(objectClass=groupOfNames))' uid=tony
dn: cn=gogs-users,ou=Groups,dc=example,dc=com

Despite the group settings defined in Gogs, a trace in the logs shows the user does bind successfully, but the group membership test fails:

2017/09/21 23:31:17 [TRACE] Session ID: 3ae8e6b0c98b938b
2017/09/21 23:31:17 [TRACE] CSRF Token: GNEhLKpiPyFUnTW5hghXUYyl9006MTUwNjA2MTYxOTE0MjIwMDQ4Mg==
2017/09/21 23:31:17 [TRACE] LDAP: Dialing with security protocol '2' without verifying: false
2017/09/21 23:31:17 [TRACE] LDAP will use BindDN
2017/09/21 23:31:17 [TRACE] Search for LDAP user: tony
2017/09/21 23:31:17 [TRACE] LDAP: Bound as BindDN: uid=git,ou=System,dc=example,dc=com
2017/09/21 23:31:17 [TRACE] LDAP: Searching for DN using filter '(&(objectClass=posixAccount)(uid=tony))' and base 'ou=People,dc=example,dc=com'
2017/09/21 23:31:17 [TRACE] Binding with userDN: uid=tony,ou=People,dc=example,dc=com
2017/09/21 23:31:17 [TRACE] Bound successfully with userDN: uid=tony,ou=People,dc=example,dc=com
2017/09/21 23:31:17 [TRACE] Fetching attributes 'uid', 'givenName', 'sn', 'mail', 'uid' with filter '(&(objectClass=posixAccount)(uid=tony))' and base 'uid=tony,ou=People,dc=example,dc=com'
2017/09/21 23:31:17 [TRACE] LDAP: Fetching groups 'member' with filter '(&(cn=gogs-users)(objectClass=groupOfNames))' and base 'ou=Groups,dc=example,dc=com'
2017/09/21 23:31:17 [TRACE] LDAP: Group membership test failed [username: tony, group_member_uid: member, user_uid: tony
2017/09/21 23:31:17 [TRACE] Template: user/auth/login
2017/09/21 23:35:11 [TRACE] Doing: MirrorUpdate

I’ve tried making the group filter as simple as ‘cn=gogs-users’ to no avail.

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 15 (4 by maintainers)

Most upvoted comments

@Unknwon, thanks for checking. I deployed a new 0.11.53 system and tested a couple of different “Verify group membership” configurations – all of them were unsuccessful. To be precise, authentication succeeds and then group membership verification fails (which prevents authorization).

gogs’ TRACE logging (log/gogs.log) was helpful in seeing if/how values were getting filled.

LDAP group

Abbreviated look at the LDAP directory side. This is our group:

{
  "dn": "cn=gogs-pro,ou=User Groups,ou=Groups,dc=myorg",
  "gidNumber": "888888",
  "objectClass": [
    "groupOfNames",
    "top",
    "posixGroup"
  ],
  "member": [
    "uid=myuid,ou=People,dc=myorg",
    "uid=someguy,ou=People,dc=myorg"
  ],
  "cn": "gogs-pro"
}

Test 1

Gogs configuration:

  • Group Search Base DN: ou=User Groups,ou=Groups,dc=myorg
  • Group Filter: (&(objectClass=posixGroup)(cn=gogs-pro))
  • Group Attribute Containing List of Users: member
  • User Attribute Listed in Group: uid

Logging:

2018/08/29 17:53:37 [TRACE] LDAP: Fetching groups 'member' with filter '(&(objectClass=posixGroup)(cn=gogs-pro))' and base 'ou=User Groups,ou=Groups,dc=myorg'
2018/08/29 17:53:37 [TRACE] LDAP: Group membership test failed [username: myuid, group_member_uid: member, user_uid: myuid

Test 2

Gogs configuration:

  • Group Search Base DN: ou=User Groups,ou=Groups,dc=myorg
  • Group Filter: (&(objectClass=posixGroup)(cn=gogs-pro)(uid=%s,ou=People,dc=myorg))
  • Group Attribute Containing List of Users: member
  • User Attribute Listed in Group: uid

Logging:

2018/08/29 18:02:09 [TRACE] LDAP: Fetching groups 'member' with filter '(&(objectClass=posixGroup)(cn=gogs-pro)(uid=%s,ou=People,dc=myorg))' and base 'ou=User Groups,ou=Groups,dc=myorg'
2018/08/29 18:02:09 [TRACE] LDAP: Group membership test failed [username: myuid, group_member_uid: member, user_uid: myuid

Test 3

Gogs configuration:

  • Group Search Base DN: ou=User Groups,ou=Groups,dc=myorg
  • Group Filter: (&(objectClass=posixGroup)(cn=gogs-pro))
  • Group Attribute Containing List of Users: member
  • User Attribute Listed in Group: uid=%s,ou=People,dc=myorg

Logging:

2018/08/29 18:05:42 [TRACE] LDAP: Fetching groups 'member' with filter '(&(objectClass=posixGroup)(cn=gogs-pro))' and base 'ou=User Groups,ou=Groups,dc=myorg'
2018/08/29 18:05:42 [TRACE] LDAP: Group membership test failed [username: myuid, group_member_uid: member, user_uid:

(I ran out of ideas for more config combinations to test.)

I was able to get group membership verification to work with Active Directory using something like this:

  • Group Search Base DN: OU=Groups,DC=myDomain,DC=com
  • Group Filter: (|(cn=myGroup1)(cn=myGroup2))
  • Group Attribute Containing List of Users: member
  • User Attribute Listed in Group: distinguishedName

@Unknwon, I have tested and can confirm that the issue appears to be fixed. (I checked out commit 43bca4df40b933 from the develop branch and built it.)

LDAP group

Quick reminder about how our LDAP group is structured:

{
  "dn": "cn=gogs-pro,ou=User Groups,ou=Groups,dc=myorg",
  "gidNumber": "888888",
  "objectClass": [
    "groupOfNames",
    "top",
    "posixGroup"
  ],
  "member": [
    "uid=myuid,ou=People,dc=myorg",
    "uid=someguy,ou=People,dc=myorg"
  ],
  "cn": "gogs-pro"
}

Successful test

Gogs version 0.11.68.0928

Gogs configuration:

  • Group Search Base DN: ou=User Groups,ou=Groups,dc=myorg
  • Group Filter: (&(objectClass=posixGroup)(cn=gogs-pro))
  • Group Attribute Containing List of Users: member
  • User Attribute Listed in Group: dn

I believe because of #4688, I am able to specify dn (rather than uid) and actually have it populated with a value. Group verification is working correctly now, at least for my test case.

Sanity check (re-test broken previous version)

Gogs version 0.11.53.0603

Just to compare (since my earlier post did not include this exact test), I fired this version up again and tried specifying:

  • Group Search Base DN: ou=User Groups,ou=Groups,dc=myorg
  • Group Filter: (&(objectClass=posixGroup)(cn=gogs-pro))
  • Group Attribute Containing List of Users: member
  • User Attribute Listed in Group: dn

As expected, group verification is broken. Here is the log snippet:

2018/10/30 23:28:07 [TRACE] LDAP: Fetching groups 'member' with filter '(&(objectClass=posixGroup)(cn=gogs-pro))' and base 'ou=User Groups,ou=Groups,dc=myorg'
2018/10/30 23:28:07 [TRACE] LDAP: Group membership test failed [username: myuid, group_member_uid: member, user_uid:
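As an added example (not Gogs code), the following Go program models the membership test the TRACE lines report, using the group entry posted in the thread: it shows why "uid" checked against a groupOfNames "member" list fails in Tests 1 to 3 and in the sanity check, while "dn" succeeds, and, going beyond the thread, that "uid" does match a posixGroup-style "memberUid" list. The memberUid values and the case-insensitive comparison are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is a minimal LDAP entry: DN plus multi-valued attributes (constructed
// here; Gogs reads them from the directory).
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// IsMember models the membership test: the user's value for userAttr must
// appear verbatim in the group's memberAttr values (compared case-insensitively,
// a simplification of DN matching). "dn" is special-cased (the behaviour the
// thread attributes to #4688); an absent attribute yields "" (Test 3's empty
// user_uid). No DN parsing is done, so a bare uid never matches a member DN.
func IsMember(group, user Entry, memberAttr, userAttr string) bool {
	uv := ""
	if strings.EqualFold(userAttr, "dn") {
		uv = user.DN
	} else if v := user.Attrs[userAttr]; len(v) > 0 {
		uv = v[0]
	}
	if uv == "" {
		return false
	}
	for _, m := range group.Attrs[memberAttr] {
		if strings.EqualFold(strings.TrimSpace(m), uv) {
			return true
		}
	}
	return false
}

// Sample data built from the group shown in the thread; the memberUid list is
// an added assumption to show the posixGroup-style case as well.
var group = Entry{DN: "cn=gogs-pro,ou=User Groups,ou=Groups,dc=myorg", Attrs: map[string][]string{
	"member":    {"uid=myuid,ou=People,dc=myorg", "uid=someguy,ou=People,dc=myorg"},
	"memberUid": {"myuid", "someguy"},
}}
var user = Entry{DN: "uid=myuid,ou=People,dc=myorg", Attrs: map[string][]string{"uid": {"myuid"}}}

func main() {
	fmt.Println("member/uid:   ", IsMember(group, user, "member", "uid"))    // false (Test 1)
	fmt.Println("member/dn:    ", IsMember(group, user, "member", "dn"))     // true  (Successful test)
	fmt.Println("memberUid/uid:", IsMember(group, user, "memberUid", "uid")) // true
}
```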