Skip to content
This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

Centreon 18.10 regression - LDAP Groups ACLs are not working #7189

Closed
littlejawa opened this issue Feb 14, 2019 · 8 comments
Closed

Centreon 18.10 regression - LDAP Groups ACLs are not working #7189

littlejawa opened this issue Feb 14, 2019 · 8 comments
Labels
area/ldap kind/bug status/in-backlog A dev will begin to work on your modifications soon

Comments

@littlejawa
Copy link

BUG REPORT INFORMATION

Centreon Web version: 18.10

Centreon Engine version: 18.10

Centreon Broker version: 18.10

OS: Centos 7

Additional environment details (AWS, VirtualBox, physical, etc.):
Virtual environment
The LDAP server is on a separate machine. In our tests, the same LDAP server is used for 2.8 and 18.10
Centreon was installed from the packages

Steps to reproduce the issue:

  1. Configure Centreon 18.10 to connect to LDAP server using POSIX template, protocol v2
  2. Import users and groups to Centreon
  3. Assign ACLs to LDAP groups

Describe the results you received:
ACLs for the LDAP groups are not working

Describe the results you expected:
ACLs should be effective

Additional information you think important (e.g. issue happens only occasionally):
This system was put in place by an update from 2.8, but we could replicate the same issue with a clean install of 18.10.
The 2.8 version works perfectly fine.

We found that the information under the table contactgroup_contact_relations is initially populated, but then emptied whenever the centAcl.php script is run (through its cron schedule).

I have added logs to the centAcl.php class and several functions it calls, and found that the function CentreonLDAP.listUserForGroup() is always returning an empty list of users when it is called in this context, causing the script to skip adding the users to the table.

Comparing the file centreonLDAP.class.php file between 2.8 and 18.10, we found that the function in question has been heavily modified.
If we replace this function in 18.10 by the code from 2.8 (leaving everything else the same in the rest of the file), the problem disappears. So it really looks like this function's modification between 2.8 and 18.10 has introduced the regression.
@littlejawa
Copy link
Author

NOTE: the following ticket looks similar, but mentions the issue happens in 2.8, which is NOT the case in our tests
https://github.com/centreon/centreon/issues/7142

This is why I have created a new issue.
If you think this is a duplicate, I will close this ticket and copy my comments to the other one.

@littlejawa
Copy link
Author

littlejawa commented Feb 14, 2019
edited
Loading

The code I used, from Centreon 2.8.9, is the following:

public function listUserForGroup($groupdn)
{
    if (trim($this->groupSearchInfo['member']) == '') {
        return array();
    }
    $groupdn = str_replace('\\', '\\\\', $groupdn);
    $group = $this->getEntry($groupdn, $this->groupSearchInfo['member']);
    $list = array();
    if (!isset($group[$this->groupSearchInfo['member']])) {
        return $list;
    } elseif (is_array($group[$this->groupSearchInfo['member']])) {
        return $group[$this->groupSearchInfo['member']];
    } else {
        return array($group[$this->groupSearchInfo['member']]);
    }
}

From what I understand, it lists all the users based on the "member" property in the LDAP group.

The code I found in 18.10 is the following:

public function listUserForGroup($groupdn)
{
    $this->setErrorHandler();
    if (trim($this->userSearchInfo['filter']) == '') {
        restore_error_handler();
        return array();
    }
    $groupdn = str_replace('\\', '\\\\', $groupdn);
    $list = array();
    if (!empty($this->userSearchInfo['group'])) {
        /**
         * we have specific parameter for user to denote groups he belongs to
         */
        $filter = '(&' . preg_replace('/%s/', '*', $this->userSearchInfo['filter']) .
            '(' . $this->userSearchInfo['group'] . '=' . $this->replaceFilter($groupdn) . '))';
        $result = @ldap_search($this->ds, $this->userSearchInfo['base_search'], $filter);

         if (false === $result) {
            restore_error_handler();
            return array();
        }
        $entries = ldap_get_entries($this->ds, $result);
        $nbEntries = $entries["count"];
        for ($i = 0; $i < $nbEntries; $i++) {
            $list[] = $entries[$i]['dn'];
        }
        restore_error_handler();
    } else {
        /**
         * we get list of members by group
         */
        $filter = preg_replace('/%s/', $this->getCnFromDn($groupdn), $this->groupSearchInfo['filter']);
        $result = @ldap_search($this->ds, $this->userSearchInfo['base_search'], $filter);

        if (false === $result) {
            restore_error_handler();
            return array();
        }
        $entries = ldap_get_entries($this->ds, $result);
        $nbEntries = !empty($entries[0]['member']['count']) ? $entries[0]['member']['count'] : 0;
        for ($i = 0; $i < $nbEntries; $i++) {
            $list[] = $entries[0]['member'][$i];
        }
        restore_error_handler();
    }

    return $list;
}

For a POSIX LDAP server, "userSearchInfo['group']" is empty, so we are running through the "else" block of code.
In this part, we are making a ldap_search with a filter based on the configured "group filter". By default it is: (&(cn=%s)(objectClass=groupOfNames)). We didn't change that, neither in our 2.8 nor 18.10 environments.
This call to ldap_search() always returns an empty array.

I don't know enough of LDAP to understand the difference and compared benefits of the two methods. I can just see that in our environment, the first works, but not the second.

Is there something we should configure differently (like: the group filter?) to make it work with the new code ?

@lpinsivy
Copy link
Contributor

Hi @littlejawa are you sure that all your LDAP filters are valid?

@lpinsivy lpinsivy added the status/more-info-needed Waiting for more information label Feb 18, 2019
@littlejawa
Copy link
Author

Hi,
I can only assume they are - they are the same in our Centreon 2.8 platform, which is working.
I verified that the LDAP groups have the objectClass "groupOfNames", since this seems to be the only filter involved in the new code that was not involved in the old one. Are there other filters involved in the new code that I should double-check ?

@lpinsivy
Copy link
Contributor

The filters used are:

  • Search user base DN
  • Search group base DN
  • User filter
  • Login attribute
  • Group filter
  • Group attribute

@littlejawa
Copy link
Author

I made a change to this function in 18.10, and found this is solving the issue in our environment.
In this part of the code, we're looking for a group, but the code uses the "userSearchInfo['base_search']" string, which provides the "user" branch as the base search.
It should be groupSearchInfo['base_search'], so that it uses the "group" branch as the base search.

Can you look at my commit and confirm this diagnostic?

@lpinsivy
Copy link
Contributor

https://github.com/littlejawa/centreon/commit/ca2a022ea9830472e3e81f4ad0769f92155da5a1

@lpinsivy lpinsivy added kind/bug status/in-backlog A dev will begin to work on your modifications soon area/ldap and removed status/more-info-needed Waiting for more information labels Feb 19, 2019
@StefThomas StefThomas mentioned this issue Feb 19, 2019
Open
@adr-mo
Copy link
Contributor

adr-mo commented May 28, 2019

Fixed in 18.10.5

@adr-mo adr-mo closed this as completed May 28, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area/ldap kind/bug status/in-backlog A dev will begin to work on your modifications soon
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@littlejawa @lpinsivy @adr-mo