gogs: LDAP group verification fails
- Gogs version (or commit ref): 2:0.11.29.0727+4+52f383381
- Git version: 2.14.1
- Operating system: Arch
- Database (use [x]):
  - PostgreSQL
  - MySQL
  - MSSQL
  - SQLite
- OpenLDAP version: 2.4.45
- Can you reproduce the bug at https://try.gogs.io:
  - Yes (provide example URL)
  - No
  - Not relevant
Description
Before updating to the latest commit today using my distribution’s package manager, I noticed group verification fails. For example, the following are perfectly valid.
Group Search Base DN: ou=Groups,dc=example,dc=com
Group Filter: (&(cn=gogs-users)(objectClass=groupOfNames))
Group Attribute Containing List of Users: member
User Attribute Listed in Group: uid
If I query the group membership manually I can see my user does get returned correctly.
$ lgroup '(&(cn=gogs-users)(objectClass=groupOfNames))' uid=tony
dn: cn=gogs-users,ou=Groups,dc=example,dc=com
Despite the group settings defined in Gogs, a trace in the logs shows the user does bind successfully, but the group membership test fails:
2017/09/21 23:31:17 [TRACE] Session ID: 3ae8e6b0c98b938b
2017/09/21 23:31:17 [TRACE] CSRF Token: GNEhLKpiPyFUnTW5hghXUYyl9006MTUwNjA2MTYxOTE0MjIwMDQ4Mg==
2017/09/21 23:31:17 [TRACE] LDAP: Dialing with security protocol '2' without verifying: false
2017/09/21 23:31:17 [TRACE] LDAP will use BindDN
2017/09/21 23:31:17 [TRACE] Search for LDAP user: tony
2017/09/21 23:31:17 [TRACE] LDAP: Bound as BindDN: uid=git,ou=System,dc=example,dc=com
2017/09/21 23:31:17 [TRACE] LDAP: Searching for DN using filter '(&(objectClass=posixAccount)(uid=tony))' and base 'ou=People,dc=example,dc=com'
2017/09/21 23:31:17 [TRACE] Binding with userDN: uid=tony,ou=People,dc=example,dc=com
2017/09/21 23:31:17 [TRACE] Bound successfully with userDN: uid=tony,ou=People,dc=example,dc=com
2017/09/21 23:31:17 [TRACE] Fetching attributes 'uid', 'givenName', 'sn', 'mail', 'uid' with filter '(&(objectClass=posixAccount)(uid=tony))' and base 'uid=tony,ou=People,dc=example,dc=com'
2017/09/21 23:31:17 [TRACE] LDAP: Fetching groups 'member' with filter '(&(cn=gogs-users)(objectClass=groupOfNames))' and base 'ou=Groups,dc=example,dc=com'
2017/09/21 23:31:17 [TRACE] LDAP: Group membership test failed [username: tony, group_member_uid: member, user_uid: tony
2017/09/21 23:31:17 [TRACE] Template: user/auth/login
2017/09/21 23:35:11 [TRACE] Doing: MirrorUpdate
I’ve tried making the group filter as simple as ‘cn=gogs-users’ to no avail.
About this issue
- State: closed
- Created 7 years ago
- Comments: 15 (4 by maintainers)
@Unknwon, thanks for checking. I deployed a new 0.11.53 system and tested a couple of different “Verify group membership” configurations – all of them were unsuccessful. To be precise, authentication succeeds and then group membership verification fails (which prevents authorization).
Gogs’ TRACE logging (log/gogs.log) was helpful in seeing if/how values were getting filled.
LDAP group
Abbreviated look at the LDAP directory side. This is our group:
Test 1
Gogs configuration:
- Group Search Base DN: ou=User Groups,ou=Groups,dc=myorg
- Group Filter: (&(objectClass=posixGroup)(cn=gogs-pro))
- Group Attribute Containing List of Users: member
- User Attribute Listed in Group: uid
Logging:
Test 2
Gogs configuration:
- Group Search Base DN: ou=User Groups,ou=Groups,dc=myorg
- Group Filter: (&(objectClass=posixGroup)(cn=gogs-pro)(uid=%s,ou=People,dc=myorg))
- Group Attribute Containing List of Users: member
- User Attribute Listed in Group: uid
Logging:
Test 3
Gogs configuration:
- Group Search Base DN: ou=User Groups,ou=Groups,dc=myorg
- Group Filter: (&(objectClass=posixGroup)(cn=gogs-pro))
- Group Attribute Containing List of Users: member
- User Attribute Listed in Group: uid=%s,ou=People,dc=myorg
Logging:
(I ran out of ideas for more config combinations to test.)
I was able to get group membership verification to work with Active Directory using something like this:
- Group Search Base DN: OU=Groups,DC=myDomain,DC=com
- Group Filter: (|(cn=myGroup1)(cn=myGroup2))
- Group Attribute Containing List of Users: member
- User Attribute Listed in Group: distinguishedName
@Unknwon, I have tested and can confirm that the issue appears to be fixed. (I checked out commit 43bca4df40b933 for the develop branch and built it.)
LDAP group
Quick reminder about how our LDAP group is structured:
Successful test
Gogs version 0.11.68.0928
Gogs configuration:
- Group Search Base DN: ou=User Groups,ou=Groups,dc=myorg
- Group Filter: (&(objectClass=posixGroup)(cn=gogs-pro))
- Group Attribute Containing List of Users: member
- User Attribute Listed in Group: dn
I believe because of #4688, I am able to specify dn (rather than uid) and actually have it populated with a value. Group verification is working correctly now, at least for my test case.
Sanity check (re-test broken previous version)
Gogs version 0.11.53.0603
Just to compare (since my earlier post did not include this exact test), I fired this version up again and tried specifying:
- Group Search Base DN: ou=User Groups,ou=Groups,dc=myorg
- Group Filter: (&(objectClass=posixGroup)(cn=gogs-pro))
- Group Attribute Containing List of Users: member
- User Attribute Listed in Group: dn
As expected, group verification is broken. Here is the log snippet:
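The membership test that the trace lines and the later comments describe, modelled as an added Go example (this is not Gogs' own code; the Entry type, attribute lookup and the case-insensitive comparison are assumptions made here): a groupOfNames stores DNs in `member`, so comparing them against the user's `uid` value can never match, while comparing against the user's DN (`dn`, or `distinguishedName` on Active Directory) does; the posixGroup/memberUid case is included to show the general rule that both sides must hold the same kind of identifier.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is a constructed stand-in for one LDAP search result (DN plus
// attributes); it models the data the trace lines describe, not Gogs' types.
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// attrValues returns attr's values on e. "dn" is treated as a virtual
// attribute holding the entry's DN, which is what a groupOfNames needs on the
// user side because its member attribute holds DNs, not uids.
func attrValues(e Entry, attr string) []string {
	if strings.EqualFold(attr, "dn") {
		return []string{e.DN}
	}
	for name, vals := range e.Attrs {
		if strings.EqualFold(name, attr) {
			return vals
		}
	}
	return nil
}

// IsMember is the membership test behind the "Group membership test failed"
// trace line: each value of groupAttr on the group entry is compared with each
// value of userAttr on the user entry. Comparison is trimmed and
// case-insensitive (an assumption; real DN matching is more involved).
func IsMember(group Entry, groupAttr string, user Entry, userAttr string) bool {
	for _, m := range attrValues(group, groupAttr) {
		for _, u := range attrValues(user, userAttr) {
			if strings.EqualFold(strings.TrimSpace(m), strings.TrimSpace(u)) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed entries using the DNs from the issue.
	user := Entry{DN: "uid=tony,ou=People,dc=example,dc=com", Attrs: map[string][]string{"uid": {"tony"}}}
	gon := Entry{DN: "cn=gogs-users,ou=Groups,dc=example,dc=com", Attrs: map[string][]string{"member": {"uid=tony,ou=People,dc=example,dc=com"}}}
	posix := Entry{DN: "cn=gogs-pro,ou=User Groups,ou=Groups,dc=myorg", Attrs: map[string][]string{"memberUid": {"tony"}}}
	fmt.Println(IsMember(gon, "member", user, "uid"), IsMember(gon, "member", user, "dn"), IsMember(posix, "memberUid", user, "uid")) // false true true
}
```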