netbox: Integration with AUTH_LDAP_FIND_GROUP_PERMS does not work

Environment

Python version:
NetBox version: 2.9.10

Steps to Reproduce

Configure LDAP authentication
Enable AUTH_LDAP_FIND_GROUP_PERMS
Create in the admin panel group that would be returned by LDAP and grant it some permissions (e.g. users.add_token)
DO NOT add user into the group, this should be done explicitly by the django-auth-ldap module

Expected Behavior

User is able to use those permissions.

Observed Behavior

User is getting permission denied on creating api token.

Analyze

I’ve spent many hours trying to find out why users can’t have permissions in our netbox installation but it does seem to me like a bug in Netbox.

What django-auth-ldap is doing:

    def _load_group_permissions(self):
        """
        Populates self._group_permissions based on LDAP group membership and
        Django group permissions.
        """
        group_names = self._get_groups().get_group_names()
 
        perms = Permission.objects.filter(group__name__in=group_names)
        ...

Here it gets empty QuerySet.

Enabling DEBUG and inspecting SQL:

SELECT "auth_permission"."id",
       "auth_permission"."name",
       "auth_permission"."content_type_id",
       "auth_permission"."codename"
  FROM "auth_permission"
 INNER JOIN "auth_group_permissions"
    ON ("auth_permission"."id" = "auth_group_permissions"."permission_id")
 INNER JOIN "auth_group"
    ON ("auth_group_permissions"."group_id" = "auth_group"."id")
 INNER JOIN "django_content_type"
    ON ("auth_permission"."content_type_id" = "django_content_type"."id")
 WHERE "auth_group"."name" IN ('github-private-cloud-elders', 'gapps', 'team-privatecloud', 'github-na-elders', 'mgmt-prod', 'confluence-users', 'github-keyring-elders', 'pagerduty-users', 'ipausers', 'github-tools-s3provision-hackers', 'github-gooddata-hackers', 'jira-gooddata-users', 'role-swdeveloper')
 ORDER BY "django_content_type"."app_label" ASC, "django_content_type"."model" ASC, "auth_permission"."codename" ASC
 LIMIT 21

It is trying to get info from the auth_group_permissions, but inspecting the database it shows completely empty table. Even there is some permissions assigned to the group.

netbox=# select * from auth_group;
 id |               name
----+----------------------------------
  3 | ipausers
 16 | github-gooddata-hackers
 17 | github-keyring-elders
 18 | pagerduty-users
 19 | gapps
 20 | role-swdeveloper
 21 | jira-gooddata-users
 22 | github-tools-s3provision-hackers
 23 | github-na-elders
 24 | mgmt-prod
 25 | github-private-cloud-elders
 26 | team-privatecloud
 27 | confluence-users
(13 rows)
 
netbox=# select * from auth_group_permissions;
 id | group_id | permission_id
----+----------+---------------
(0 rows)
 
netbox=#

Dumping the DB, removing group permission, dumping DB again and comparing shows something interesting:

@@ -5522,6 +5522,7 @@
 37     2020-12-11 13:35:00.497982+01   10      lubomir.tomecek 2       [{"changed": {"fields": ["Groups"]}}]   80      3                                                                                           
 38     2020-12-11 13:37:53.0537+01     10      lubomir.tomecek 2       [{"changed": {"fields": ["Groups"]}}]   80      3                                                                                           
 39     2020-12-11 13:42:45.743739+01   3       Allow managing API tokens       2       [{"changed": {"fields": ["Users"]}}]    81      3                                                                           
+40     2020-12-11 13:43:36.651894+01   3       Allow managing API tokens       2       [{"changed": {"fields": ["Groups"]}}]   81      3                                                                           
 \.
 
 
@@ -6273,7 +6274,6 @@
 --
 
 COPY public.users_objectpermission_groups (id, objectpermission_id, group_id) FROM stdin;
-3      3       3
 \.
 
 
@@ -6667,7 +6667,7 @@
 -- Name: django_admin_log_id_seq; Type: SEQUENCE SET; Schema: public; Owner: netbox
 --
 
-SELECT pg_catalog.setval('public.django_admin_log_id_seq', 39, true);
+SELECT pg_catalog.setval('public.django_admin_log_id_seq', 40, true);

So it does change users_objectpermission_groups and not the auth_permission_groups. And that’s why django-auth-ldap can’t find any permissions (without explicitly creating group).

Seems that ObjectPermissionBackend written in netbox is behaving differently than the standard django one.

About this issue

Original URL
State: closed
Created 4 years ago
Comments: 19 (12 by maintainers)

Commits related to this issue

Fixes #5442: Use LDAP groups to find permissions When AUTH_LDAP_FIND_GROUP_PERMS is set to true the filter to find the users permissions is extended to search for all permissions assigned to groups i... — committed to scanplus/netbox by tobiasge 3 years ago
Fixes #5442: Use LDAP groups to find permissions When AUTH_LDAP_FIND_GROUP_PERMS is set to true the filter to find the users permissions is extended to search for all permissions assigned to groups i... — committed to scanplus/netbox by tobiasge 3 years ago
Fixes #5442: Use LDAP groups to find permissions When AUTH_LDAP_FIND_GROUP_PERMS is set to true the filter to find the users permissions is extended to search for all permissions assigned to groups i... — committed to scanplus/netbox by tobiasge 3 years ago
Merge pull request #6580 from scanplus/fix-5442 Fixes #5442: Use LDAP groups to find permissions — committed to netbox-community/netbox by jeremystretch 3 years ago
Changelog for #5442 — committed to netbox-community/netbox by jeremystretch 3 years ago
Fixes #5442: Use LDAP groups to find permissions When AUTH_LDAP_FIND_GROUP_PERMS is set to true the filter to find the users permissions is extended to search for all permissions assigned to groups i... — committed to candlerb/netbox by tobiasge 3 years ago
Changelog for #5442 — committed to candlerb/netbox by jeremystretch 3 years ago

Most upvoted comments

If you can wait a couple days I’d be happy to test out the change.

tyler-8 on Jun 10, 2021

Mirror groups does seem to workaround this issue (and other LDAP issues I’ve had) - however I’d recommend also setting AUTH_LDAP_MIRROR_GROUPS (docs) to a list of the groups you want NetBox to mirror, otherwise you’ll get unrelated LDAP groups being created in NetBox. That setting should probably be added to the NetBox docs as well.

I’d initially not used the group mirroring since the django-auth-ldap docs had described it as less ideal. In the past I’d solely relied on AUTH_LDAP_FIND_GROUP_PERMS since I was manually creating the NetBox-specific groups in NetBox to line up with the LDAP groups.

However - in NetBox’s case ~it~ mirroring does have advantages; API tokens will work for LDAP authenticated users, and as established in this thread, it works with the new permissions model without having to create a custom LDAP handler (though I imagine there will be some users that really don’t want to mirror groups for good reasons and then will need a custom handler).

tyler-8 on Feb 1, 2021