
Group role mapping


Hi! I have two groups:

  • sentry_admin
  • sentry_owner

where each group has members which are memberOf each group.

# sentry_admin, groups, site.io
dn: cn=sentry_admin,ou=groups,dc=site,dc=io
objectClass: groupOfNames
cn: sentry_admin_user
member: uid=sentry_admin_user,ou=people,dc=site,dc=io

# sentry_owner, groups, site.io
dn: cn=sentry_owner,ou=groups,dc=site,dc=io
objectClass: groupOfNames
cn: sentry_owner_user
member: uid=sentry_owner_user,ou=people,dc=site,dc=io

My current LDAP configuration is as follows:

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType

# Where the user entry is looked up; %(user)s is the login name.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "ou=people,dc=site,dc=io",
    ldap.SCOPE_SUBTREE,
    "(uid=%(user)s)"
)

# Base and filter for the group lookup.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "ou=groups,dc=site,dc=io", ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)"
)

AUTH_LDAP_SENTRY_USERNAME_FIELD = 'uid'
# GroupOfUniqueNamesType matches the user DN against the uniqueMember attribute.
AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_REQUIRE_GROUP = None
AUTH_LDAP_DENY_GROUP = None

AUTH_LDAP_USER_ATTR_MAP = {
    'name': 'cn',
    'email': 'mail'
}

# Sentry role -> LDAP groups that should grant it
AUTH_LDAP_SENTRY_GROUP_ROLE_MAPPING = {
    'owner': ['cn=sentry_owner,ou=groups,dc=site,dc=io'],
    'admin': ['cn=sentry_admin,ou=groups,dc=site,dc=io']
}

AUTH_LDAP_FIND_GROUP_PERMS = False
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'Sentry'
# AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = True

User login works perfectly, but always as “Member”. Is there any way to approach user management by group? Not really sure if I’m using

AUTH_LDAP_SENTRY_GROUP_ROLE_MAPPING = {
    'owner': ['cn=sentry_owner,ou=groups,dc=site,dc=io'],
    'admin': ['cn=sentry_admin,ou=groups,dc=site,dc=io']
}

correctly.
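Two things in the configuration above work against each other, and the following added example traces them. It is not code from django-auth-ldap or from getsentry-ldap-auth: the in-memory directory is constructed from the LDIF in the question, the filter strings follow what django-auth-ldap's member-DN group types send (GroupOfNamesType matches on `member`, GroupOfUniqueNamesType on `uniqueMember`), and the "highest applicable role wins" rule is my reading of the sentry-ldap-auth backend, assumed here rather than confirmed on this page. The first point is that a groupOfNames directory searched with GroupOfUniqueNamesType returns no groups at all; the second is that `ldap_user.group_names` holds group names (the `cn`), so a mapping keyed by group DN never intersects it, which is why the working configuration posted later in the thread maps `'sentry_owner'` and `'sentry_admin'` rather than DNs.

```python
"""Trace how django-auth-ldap group lookup feeds sentry-ldap-auth role mapping.

Added example for this page, not code from either project. DIRECTORY is
constructed from the question's LDIF; ROLE_PRIORITY and effective_role()
are the role-selection rule as I understand it (assumption).
"""

# Constructed sample directory: the two groupOfNames entries from the question.
DIRECTORY = [
    {
        "dn": "cn=sentry_admin,ou=groups,dc=site,dc=io",
        "objectClass": ["groupOfNames", "top"],
        "cn": ["sentry_admin"],
        "member": ["uid=sentry_admin_user,ou=people,dc=site,dc=io"],
    },
    {
        "dn": "cn=sentry_owner,ou=groups,dc=site,dc=io",
        "objectClass": ["groupOfNames", "top"],
        "cn": ["sentry_owner"],
        "member": ["uid=sentry_owner_user,ou=people,dc=site,dc=io"],
    },
]

# Attribute each django-auth-ldap group type matches the user DN against.
MEMBER_ATTR = {
    "GroupOfNamesType": "member",
    "GroupOfUniqueNamesType": "uniqueMember",
}

# Lowest to highest; the highest applicable role wins (assumed rule).
ROLE_PRIORITY = ["member", "admin", "manager", "owner"]


def membership_filter(object_class, group_type, user_dn):
    """Filter django-auth-ldap sends for a member-DN group type."""
    return "(&(objectClass=%s)(%s=%s))" % (
        object_class, MEMBER_ATTR[group_type], user_dn)


def find_group_names(directory, object_class, group_type, user_dn):
    """cn values of groups whose membership attribute lists user_dn.

    This is what django-auth-ldap exposes as ldap_user.group_names:
    group names (the cn), never group DNs.
    """
    attr = MEMBER_ATTR[group_type]
    names = set()
    for entry in directory:
        if object_class not in entry.get("objectClass", []):
            continue
        # DN comparison is case-insensitive in LDAP.
        if user_dn.lower() in (m.lower() for m in entry.get(attr, [])):
            names.update(entry["cn"])
    return names


def effective_role(group_names, role_mapping):
    """Highest-priority role whose mapped groups intersect group_names, else None."""
    applicable = [role for role, groups in role_mapping.items()
                  if group_names & set(groups)]
    if not applicable:
        return None
    return [r for r in ROLE_PRIORITY if r in applicable][-1]


def resolve_role(user_dn, object_class, group_type, role_mapping,
                 default_role="member"):
    """End to end: group search -> group names -> Sentry role, or the default."""
    names = find_group_names(DIRECTORY, object_class, group_type, user_dn)
    return effective_role(names, role_mapping) or default_role


ADMIN_DN = "uid=sentry_admin_user,ou=people,dc=site,dc=io"
OWNER_DN = "uid=sentry_owner_user,ou=people,dc=site,dc=io"

# 1. As posted: groupOfNames entries searched on uniqueMember, roles keyed by
#    group DN. The group search returns nothing, so everyone is "member".
AS_POSTED = dict(
    object_class="groupOfNames",
    group_type="GroupOfUniqueNamesType",
    role_mapping={
        "owner": ["cn=sentry_owner,ou=groups,dc=site,dc=io"],
        "admin": ["cn=sentry_admin,ou=groups,dc=site,dc=io"],
    },
)

# 2. Group type fixed, mapping still by DN: groups are found but never match.
DN_MAPPING = dict(AS_POSTED, group_type="GroupOfNamesType")

# 3. Both fixed: GroupOfNamesType plus a mapping keyed by cn.
FIXED = dict(DN_MAPPING,
             role_mapping={"owner": ["sentry_owner"], "admin": ["sentry_admin"]})


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("DN mapping", DN_MAPPING),
                       ("fixed", FIXED)):
        print(label, membership_filter(cfg["object_class"],
                                       cfg["group_type"], ADMIN_DN))
        print("   sentry_admin_user ->", resolve_role(ADMIN_DN, **cfg))
        print("   sentry_owner_user ->", resolve_role(OWNER_DN, **cfg))
```

Two caveats when retesting a real deployment. As I read the backend (an assumption, not confirmed here), the mapped role is written into the OrganizationMember row when it is first created, so a user who already logged in as "member" keeps that role until the membership is removed or edited; retest with a fresh user or after deleting the membership. And because directory group membership now translates directly into Sentry owner rights, write access to the `member` attribute of `sentry_owner` (and the ACLs of the bind account) deserve the same review as Sentry's own admin list.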

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions: 1
  • Comments: 12

Top GitHub Comments

1 reaction
anitabee commented, Sep 25, 2019

Huh, I’m out of ideas 😦, but I would validate that the group queries towards LDAP are proper. Did you try to run Sentry in debug mode? If so, what are the results of the group query towards LDAP? For me I get something like this (when a user logs in for the first time):

08:28:21 [DEBUG] django_auth_ldap: search_s('ou=Users,dc=example,dc=org', 2, '(cn=%(user)s)') returned 1 objects: cn=john,ou=users,dc=example,dc=org
08:28:21 [DEBUG] django_auth_ldap: search_s('ou=Users,dc=example,dc=org', 2, '(cn=%(user)s)') returned 1 objects: cn=john,ou=users,dc=example,dc=org
08:28:21 [DEBUG] django_auth_ldap: search_s('ou=Groups,dc=example,dc=org', 2, '(&(objectClass=groupOfUniqueNames)(uniqueMember=cn=john,ou=users,dc=example,dc=org))') returned 1 objects: cn=sentry_admin,ou=groups,dc=example,dc=org
08:28:21 [DEBUG] django_auth_ldap: search_s('ou=Groups,dc=example,dc=org', 2, '(&(objectClass=groupOfUniqueNames)(uniqueMember=cn=john,ou=users,dc=example,dc=org))') returned 1 objects: cn=sentry_admin,ou=groups,dc=example,dc=org
08:28:21 [DEBUG] django_auth_ldap: Created Django user john
08:28:21 [DEBUG] django_auth_ldap: Created Django user john
08:28:21 [DEBUG] django_auth_ldap: Populating Django user john
08:28:21 [DEBUG] django_auth_ldap: Populating Django user john

Not sure if it helps you, but I can share a development setup that works for me. This is my dev Groups LDIF:

$ ldapsearch -H ldap://localhost:389 -x -D "cn=my_super_powerfull_user,dc=example,dc=org" -b "ou=Groups,dc=example,dc=org" -W
# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Groups, example.org
dn: ou=Groups,dc=example,dc=org
ou: Groups
objectClass: organizationalUnit
objectClass: top

# sentry_admin, Groups, example.org
dn: cn=sentry_admin,ou=Groups,dc=example,dc=org
uniqueMember: cn=john,ou=Users,dc=example,dc=org
cn: sentry_admin
objectClass: groupOfUniqueNames
objectClass: top

# sentry_owner, Groups, example.org
dn: cn=sentry_owner,ou=Groups,dc=example,dc=org
uniqueMember: cn=anita,ou=Users,dc=example,dc=org
cn: sentry_owner
objectClass: groupOfUniqueNames
objectClass: top

Conf for package:

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType

AUTH_LDAP_SERVER_URI = 'ldap://my-ldap:389'
AUTH_LDAP_BIND_DN = 'cn=my_super_powerfull_user,dc=example,dc=org'
AUTH_LDAP_BIND_PASSWORD = '*********'

AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'ou=Users,dc=example,dc=org',
    ldap.SCOPE_SUBTREE,
    '(cn=%(user)s)'
)

AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    'ou=Groups,dc=example,dc=org',
    ldap.SCOPE_SUBTREE,
    '(objectClass=groupOfUniqueNames)'
)

AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_USER_ATTR_MAP = {'username': 'mail', 'name': 'cn', 'email': 'mail'}

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = 'Sentry'
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = False
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'

AUTH_LDAP_SENTRY_GROUP_ROLE_MAPPING = {
    'owner': ['sentry_owner'],
    'admin': ['sentry_admin'],
}

AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_ldap_auth.backend.SentryLdapBackend',
)

requirements.txt

https://github.com/Banno/getsentry-ldap-auth/archive/master.zip
django-auth-ldap <=1.2.17
0 reactions
agendartobias commented, Jun 1, 2020

Did anyone get this working? I have roles mapped, but every user that logs in for the first time gets the default “member” role assigned. So role mapping doesn’t work for me 😦
