<div dir="ltr"><div>
<p class="MsoNormal" style="margin-bottom:12pt"><span style="font-size:10pt;font-family:Times">Hi Jean-Francois (and everyone else),</span></p><p class="MsoNormal" style="margin-bottom:12pt"><span style="font-size:10pt;font-family:Times">I'm attempting to use the patch for using groups that you provided here <a href="https://bitbucket.org/jfbeaumont/kallithea/commits/6cc72bef379ce1df856ed5f8b6f4b9661f661c57">https://bitbucket.org/jfbeaumont/kallithea/commits/6cc72bef379ce1df856ed5f8b6f4b9661f661c57</a></span></p><p class="MsoNormal" style="margin-bottom:12pt"><span style="font-size:10pt;font-family:Times">but at present I am unable to get the system to do anything with
the LDAP groups functionality and I would appreciate your advice upon how you
expected it to work (or is working in your installation).</span></p><p class="MsoNormal" style="margin-bottom:12pt">My suspicion is that:</p><ul><li>I have an incorrect group filter specified</li><li>the code assumes a two way navigation between users-> groups and vice versa (groups-> users) whereas my LDAP only has groups-> users (my LDAP has no actual attributes to do this but it does have "operational attributes" that support this - as would seem logical)<br></li></ul><p class="MsoNormal" style="margin-bottom:12pt"><span style="font-size:10pt;font-family:Times"></span></p><p class="MsoNormal" style="margin-bottom:12pt"><span style="font-size:10pt;font-family:Times">I'm a Java Dev by training so my grasp of python isn't that great and the extensive use of dictionaries makes it hard for me to follow just what is being returned where (eg attrs)<br></span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span style="font-size:10pt;font-family:Times">I can authenticate using LDAP as normal users (so the LDAP
connection and filters are AOK for users). I'm uncertain for the groups though
if it is working as expected - ie the group configuration is correct or if it
is not working as I expected.</span></p><span style="font-size:10pt;font-family:Times">I
am using an OpenDJ (OpenDS fork) and my LDAP group configuration is:</span>
<ul type="disc"><li class="MsoNormal" style><span style="font-size:10pt;font-family:Times">Groups Attribute: memberOf</span></li></ul>
<ul type="disc"><li class="MsoNormal" style><span style="font-size:10pt;font-family:Times">LDAP Search Filter for groups:
(objectClass=groupOfUniqueNames)</span></li></ul>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Times">The
above group search filter works AOK within Apache Directory Studio for
filtering the LDAP and returning all of the groups contained therein.</span></p><p class="MsoNormal" style><br></p><p class="MsoNormal" style>What exactly does the "Groups Attribute" represent? Is it the attribute upon the user that allows navigating from the user to the group? or is it an attribute of the Group that allows navigating back to the user?<br></p><p class="MsoNormal" style><span style="font-size:10pt;font-family:Times"></span></p><p class="MsoNormal" style><span style="font-size:10pt;font-family:Times"></span><span style="font-size:10pt;font-family:Times"> </span>
</p><p class="MsoNormal" style><span style="font-size:10pt;font-family:Times">You
mentioned that this was "minimally working". What do you mean by minimally
working? You can start with an empty Kallithea, point it to the your LDAP,
configured appropriately, and as your users login to the system both their
account and the associated groups get populated into Kallithea? Or perhaps
something else?</span></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Times"><br></span></p><p class="MsoNormal" style><span style="font-size:10pt;font-family:Times">I
just tried amending line 379/380 as follows:</span></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Times"><br></span></p><p class="MsoNormal" style><span style="font-size:10pt;font-family:Times">
<a href="http://log.info"><span style="color:blue">log.info</span></a>('user %s
authenticated correctly' %user_attrs['username'])<br>
log.debug('all group details %s' %user_attrs)</span></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Times"> </span></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Times">And
it produces output like this</span></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Times"> </span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span style="font-size:10pt;font-family:Times">2015-05-10
23:16:02.091 INFO [kallithea.lib.auth_modules.auth_ldap] user todd.morgan
authenticated correctly<br>
2015-05-10 23:16:02.091 DEBUG [kallithea.lib.auth_modules.auth_ldap] all group
details {'username': u'todd.morgan', 'active': True, 'extern_type': '',
'firstname': u'Todd', 'admin': False, 'lastname': u'Morgan', 'groups': [],
'email': '<a href="mailto:todd.morgan@bigcorp.com.au"><span style="color:blue">todd.morgan@bigcorp.com.au</span></a>',
'active_from_extern': None, 'extern_name': 'cn=todd.morgan,dc=bts,dc=bigcorp,dc=com,dc=au'}</span></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Times">The
groups': [] would suggest that nothing is coming back from the LDAP.</span></p><p class="MsoNormal" style><br><span style="font-size:10pt;font-family:Times"></span></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Times">Does
your code assume anything about the LDAP user and group relationship?</span><span style="font-size:10pt;font-family:Times"> ie
that you can navigate from the user to the group and vice versa?</span></p><p class="MsoNormal" style><span style="font-size:10pt;font-family:Times"><br></span>
</p><p class="MsoNormal" style><span style="font-size:10pt;font-family:Times">From
what I can see in my LDAP the user has nothing linking them to groups directly in their
attributes</span></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Times">and
the group has an attribute "uniqueMember" which is a list of the CNs
for all of the contained users. So it is a one-way relationship, with operational attributes to support bi-directional navigation.<br></span></p><p class="MsoNormal" style><span style="font-size:10pt;font-family:Times"><br></span></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Times">I
already tried using "uniqueMember" as the groups attribute field
(with the same result). The current values (ie above) are taken from our CROWD
installation which sits on top of the same LDAP and it uses the same
"memberOf" attribute that you are using.</span></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Times">Hope
you can help :- )</span></p>
<p class="MsoNormal" style><span style="font-size:10pt;font-family:Times">Thanks
for your time</span></p>
<br></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">Hi Mads,<br><br>Thanks for your reply. With my limited knowledge of the source code, I<br>suspect this was already implemented<br>in kallithea/lib/auth_modules/__init__.py.KallitheaExternalAuthPlugin. This<br>class calls UserGroupModel().enforce_groups in its _authenticate function.<br><br>The foreign LDAP groups are then managed automatically and added to the<br>database with the description "Automatically created from plugin:ldap".<br>Moreover, if I add a user to a LDAP group he is not a member of, Kallithea<br>will make sure the user is removed from that group if not provided by LDAP<br>when that user logs in. The groups get created if needed but are not<br>deleted if they are empty, which make sense to me as you might have<br>permissions for that group.<br><br>I've created the following patch to expose this in the UI and returning the<br>LDAP groups to the framework. Not claiming this is final work by any mean<br>but minimally, it works:<br><br><a href="https://bitbucket.org/jfbeaumont/kallithea/commits/6cc72bef379ce1df856ed5f8b6f4b9661f661c57">https://bitbucket.org/jfbeaumont/kallithea/commits/6cc72bef379ce1df856ed5f8b6f4b9661f661c57</a><br><br>In the UI, I set the new group attributes to:<br><br>Groups Attribute: memberOf<br>LDAP search Filter for groups:OU=Distribution,OU=Corp<br>Groups,DC=company,DC=com<br><br>Hope that helps,<br><br>JF<br><br>2015-04-10 12:21 GMT-04:00 Mads Kiilerich <mads at <a href="http://kiilerich.com">kiilerich.com</a>>:<br><br>> On 04/10/2015 11:23 AM, Jean-Francois Beaumont wrote:<br>><br>>> Hi,<br>>><br>>> I've been searching for a way so Kallithea preserves the groups from LDAP<br>>> and didn't find how to achieve this from the configuration alone. However,<br>>> I see all the code that is necessary to achieve that is there and all<br>>> lib/auth_modules/auth_ldap.py needs to do is to add a 'groups' to<br>>> user_attrs so this would be done.<br>>><br>>> So I've written some code to expose this in Kallithea but it looks so<br>>> easy that I'm wondering if the feature is not actually implemented and I've<br>>> simply overlooked something in the documentation.<br>>><br>>> Otherwise, if people are interested, I would be glad to contribute a<br>>> patch.<br>>><br>><br>> I think you are right it hasn't been implemented upstream.<br>><br>> One problem with this (and other use of external sources for user<br>> information) is to figure out which source is authoritative and/or how to<br>> synchronize. For group memberships, it is nice to be able to see in the<br>> Kallithea web interface exactly who have access through a group. That<br>> problem could probably be mitigated by making sure to synchronize all user<br>> memberships when the user logs in ... and when looking at a user group ...<br>> and when looking at permissions for a repo where a group has access. But<br>> how to handle the case where users were given access through LDAP but was<br>> removed from the group again? Or when the user has been granted access in<br>> Kallithea instead of in LDAP?<br>><br>> A good solution would require redefining the problem somewhat ... or at<br>> least make it clear which trade-off you make. (From your description it<br>> seems like you define the problem differently than I did here and accept<br>> that the Kallithea UI doesn't give the full answer. That might be ok.)<br>><br>> I look forward too see how you have solved the problem!<br>><br>> /Mads<br>><br></blockquote></div>