[LMA] ldap integration (AD)

Bug #1648464 reported by Michał Górniak
This bug affects 1 person

Affects         Status      Importance   Assigned to                   Milestone
Fuel Plugins    Invalid     Undecided    Unassigned                    -
StackLight      Confirmed   Medium       LMA-Toolchain Fuel Plugins    -

Bug Description

Hey,
in the plugins (I checked version 1.0.0) we have LDAP integration, but it's not working correctly with AD LDAP. The groups in AD LDAP are a schema with memberOf, and we always assume that we don't have this attribute in LDAP.

To make it work (with AD) we need to uncomment the LDAP scheme for Apache:

in https://github.com/openstack/fuel-plugin-influxdb-grafana/blob/master/deployment_scripts/puppet/modules/lma_monitoring_analytics/templates/ldap.toml.erb

comment:
group_search_base_dns = [<%= @ldap_group_search_base_dns.split(' ').collect{|x| "\"#{x}\"" }.join(',') %>]
group_search_filter = "<%= @ldap_group_search_filter %>"

and change
member_of = "cn"

to
member_of = "memberOf"

I think the best will be to put all these variables in the UI and give the user the possibility to decide how to configure those options.

Changed in fuel-plugins:
status: New → Invalid
Changed in lma-toolchain:
status: New → Confirmed
assignee: nobody → LMA-Toolchain Fuel Plugins (mos-lma-toolchain)
Changed in lma-toolchain:
importance: Undecided → Medium
Swann Croiset (swann-w) wrote :

Thanks for reporting the issue.
The bug described here is related to Grafana. It is not Apache that deals with LDAP authz here, but Grafana directly.

Apache handles LDAP authz for the 2 other plugins, elasticsearch-kibana and lma_infra_alerting; are they impacted the same way?

Michał Górniak (p4cket) wrote :

Hey,
yes both plugins are impacted in the same way :)

Swann Croiset (swann-w) wrote :

OK, in this case what would be the proper Apache configuration?

Michał Górniak (p4cket) wrote :

Hey,
to make it work with AD LDAP we need to change these files:

--- fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/modules/nagios/templates/apache_vhost_ubuntu.conf.erb 2016-11-22 13:03:40.000000000 +0300
+++ /Users/packet/Desktop/screens/plugins/lma_infrastructure_alerting-1.0/deployment_scripts/puppet/modules/nagios/templates/apache_vhost_ubuntu.conf.erb 2016-11-17 12:26:53.000000000 +0300
@@ -54,7 +54,8 @@ LDAPVerifyServerCert off
     AuthBasicAuthoritative on
     <RequireAny>
     require user <%= @user %>
- Require ldap-group <%= @ldap_admin_group_dn %>
+ Require ldap-attribute memberOf="<%= @ldap_admin_group_dn %>"
+ Require ldap-group "<%= @ldap_admin_group_dn %>"
     </RequireAny>
 <% else -%>
     require valid-user
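Review bot: the added `Require ldap-attribute memberOf="<%= @ldap_admin_group_dn %>"` only matches a membership that the directory itself publishes on the user entry, so it covers AD users but is a no-op for OpenLDAP users, who have no memberOf; their access still depends on the `Require ldap-group` line kept in the same `<RequireAny>`, so the two lines are complementary and both must stay. For ldap-group against AD the vhost relies on `AuthLDAPGroupAttribute` (Apache's default already includes `member`) and `AuthLDAPGroupAttributeIsDN on`; neither is visible in this hunk, so please point to where they are set, or state why ldap-group alone failed (the quoting added here suggests a DN with spaces may have been the real culprit). Separately, the context line `LDAPVerifyServerCert off` means user credentials are relayed to an LDAP server whose certificate is never validated; that predates this patch but deserves its own fix.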

diff -ruNp modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb /Users/packet/Desktop/screens/plugins/elasticsearch_kibana-1.0/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb
--- modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb 2016-11-22 13:06:40.000000000 +0300
+++ /Users/packet/Desktop/screens/plugins/elasticsearch_kibana-1.0/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb 2016-11-17 12:28:50.000000000 +0300
@@ -30,7 +30,8 @@ LDAPVerifyServerCert off
     AuthBasicAuthoritative on
     <RequireAny>
     require user <%= @username %>
- Require ldap-group <%= @ldap_admin_group_dn %>
+ Require ldap-group "<%= @ldap_admin_group_dn %>"
+ Require ldap-attribute memberOf="<%= @ldap_admin_group_dn %>"
     </RequireAny>
 <% else -%>
     require valid-user
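Review bot: the two added lines are in the opposite order from the lma_infra_alerting hunk above (ldap-group first here, ldap-attribute first there). Order inside `<RequireAny>` does not change the result, but the three templates should be kept identical so that a future fix lands in all of them; consider generating the block from one shared Puppet template rather than copy-pasting it. Quoting `"<%= @ldap_admin_group_dn %>"` is right for a DN containing spaces, but a double quote inside the value would break the directive, so the Puppet side should validate or escape it.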
diff -ruNp modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb /Users/packet/Desktop/screens/plugins/elasticsearch_kibana-1.0/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb
--- modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb 2016-11-22 13:06:40.000000000 +0300
+++ /Users/packet/Desktop/screens/plugins/elasticsearch_kibana-1.0/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb 2016-11-17 12:28:27.000000000 +0300
@@ -26,8 +26,10 @@
     AuthBasicAuthoritative on
     <RequireAny>
     require user <%= @username %>
- Require ldap-group <%= @ldap_viewer_group_dn %>
- Require ldap-group <%= @ldap_admin_group_dn %>
+ Require ldap-attribute memberOf="<%= @ldap_viewer_group_dn %>"
+ Require ldap-attribute memberOf="<%= @ldap_admin_group_dn %>"
+ Require ldap-group "<%= @ldap_viewer_group_dn %>"
+ Require ldap-group "<%= @ldap_admin_group_dn %>"
     </RequireAny>
 <% else -%>
     require valid-user
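Review bot: the viewer vhost now accepts the admin group as well as the viewer group, which looks intended (admins can view), but note that AD's memberOf lists direct memberships only: an admin who is in the viewer group through a nested group matches neither ldap-attribute line, and the `Require ldap-group` lines only descend into nested groups when `AuthLDAPMaxSubGroupDepth` is set and `AuthLDAPSubGroupClass` names AD's `group` object class (the default sub-group classes are groupOfNames/groupOfUniqueNames). Document whether nested AD groups are supported, and add a negative test (a user in neither group gets 401) next to the positive ones.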

But I think we should give the user the possibility to modify this whole file in the web UI, because the user should be able to modify all parameters; every AD can have different settings and can require different parameters.
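The thread turns on one distinction: AD publishes a memberOf attribute on the user entry, while OpenLDAP-style groupOfNames entries only list their members, so a check written for one schema silently denies (or, if misconfigured, over-grants) on the other. The following added example, which is not part of the bug report or of the LMA plugins, models both schemas in a constructed in-memory directory and implements the two Apache directives from the diff (`ldap-attribute memberOf=...` and `ldap-group`, combined as in the patched `<RequireAny>`) together with Grafana's two group-resolution modes (`member_of` attribute versus a group search). All DNs, group names and users are invented for the example; the nested-group handling is a simplified model of Apache's `AuthLDAPMaxSubGroupDepth`, and the group search is a simplified model of Grafana's `group_search_filter`.

```python
"""Added example: AD (memberOf) vs OpenLDAP (member) group checks.

Constructed, in-memory directory; no real LDAP server is contacted.
"""
from typing import Dict, List, Optional, Set


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: DNs are case-insensitive and the
    spaces after RDN separators are insignificant."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed sample directory: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    # AD style: the user entry carries memberOf, direct memberships only.
    "cn=alice,ou=users,dc=example,dc=com": {
        "objectClass": ["user"],
        "memberOf": ["cn=lma-admins,ou=groups,dc=example,dc=com"],
    },
    "cn=bob,ou=users,dc=example,dc=com": {
        "objectClass": ["user"],
        "memberOf": ["cn=ops,ou=groups,dc=example,dc=com"],
    },
    "cn=lma-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": [
            "cn=alice,ou=users,dc=example,dc=com",
            "cn=ops,ou=groups,dc=example,dc=com",  # nested group
        ],
    },
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=bob,ou=users,dc=example,dc=com"],
    },
    # OpenLDAP style: the user has no memberOf; only the group entry knows.
    "uid=carol,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
    },
    "cn=lma-viewers,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=carol,ou=people,dc=example,dc=com"],
    },
}


def entry(dn: str) -> Dict[str, List[str]]:
    """Look an entry up by DN, tolerating case and spacing differences."""
    want = norm_dn(dn)
    for key, attrs in DIRECTORY.items():
        if norm_dn(key) == want:
            return attrs
    return {}


def has_member_of(user_dn: str, group_dn: str) -> bool:
    """Apache `Require ldap-attribute memberOf="<group DN>"` / Grafana
    member_of = "memberOf": only memberships the user entry itself lists."""
    values = entry(user_dn).get("memberOf", [])
    return norm_dn(group_dn) in {norm_dn(v) for v in values}


def in_ldap_group(user_dn: str, group_dn: str, max_depth: int = 0,
                  _seen: Optional[Set[str]] = None) -> bool:
    """Apache `Require ldap-group <group DN>` with the default
    AuthLDAPGroupAttribute (member): read the group entry, descending into
    nested groups up to max_depth (model of AuthLDAPMaxSubGroupDepth)."""
    seen = _seen if _seen is not None else set()
    group = norm_dn(group_dn)
    if group in seen:          # cycle protection for self-referencing groups
        return False
    seen.add(group)
    members = {norm_dn(m) for m in entry(group_dn).get("member", [])}
    if norm_dn(user_dn) in members:
        return True
    if max_depth <= 0:
        return False
    return any(in_ldap_group(user_dn, m, max_depth - 1, seen)
               for m in members if entry(m).get("member"))


def require_any(user_dn: str, group_dn: str, max_depth: int = 0) -> bool:
    """The patched <RequireAny> block: either directive may grant access."""
    return has_member_of(user_dn, group_dn) or in_ldap_group(user_dn, group_dn, max_depth)


def grafana_groups(user_dn: str, use_group_search: bool) -> List[str]:
    """Grafana's two modes: read member_of from the user entry, or, when
    group_search_filter is set, search for groups of the form
    (member=<user DN>) (simplified model of Grafana's behaviour)."""
    if not use_group_search:
        return sorted(norm_dn(v) for v in entry(user_dn).get("memberOf", []))
    user = norm_dn(user_dn)
    return sorted(norm_dn(dn) for dn, attrs in DIRECTORY.items()
                  if user in {norm_dn(m) for m in attrs.get("member", [])})


if __name__ == "__main__":
    admins = "cn=lma-admins,ou=groups,dc=example,dc=com"
    viewers = "cn=lma-viewers,ou=groups,dc=example,dc=com"
    for user in ("cn=alice,ou=users,dc=example,dc=com",
                 "cn=bob,ou=users,dc=example,dc=com",
                 "uid=carol,ou=people,dc=example,dc=com"):
        print(user, "admin via memberOf:", has_member_of(user, admins),
              "admin via ldap-group (depth 1):", in_ldap_group(user, admins, 1),
              "viewer via RequireAny:", require_any(user, viewers))
```

The run shows the three cases the thread hits: alice (direct AD membership) passes both checks; bob (AD, nested membership) fails the memberOf check and only passes ldap-group when sub-group lookup is enabled; carol (OpenLDAP) has no memberOf and is only admitted by the group-entry lookup, which is why the patched vhost keeps both `Require` lines and why Grafana needs `group_search_filter` rather than `member_of` for that schema.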

Patrick Petit (patrick-michel-petit) wrote :

This is more a feature request than a bug, since we do not claim support of AD but support of standard LDAP like OpenLDAP.

This report contains Public information. Everyone can see this information.