      request #10941 Cannot bind a ugroup to a LDAP directory group that is not at the first level of the tree
    Infos
    #10941
    Ruben (lmcrubs)
    2018-01-11 13:21
    2017-12-20 21:16
    11276
    Details
    Cannot bind a ugroup to a LDAP directory group that is not at the first level of the tree
    While doing tests on Tuleap 9.15
    I am finding a problem with ‘Set directory group binding’

    Whatever LDAP group I fill in (see included picture) in the text box, it results in ‘No results found’,
    while this functionality works fine in 9.14.

    Is there anything else that should be done in order to be able to bind the directory?

    It seems that an extra check is being done as compared with the 9.14 version,
    and this check seems to be failing:
    https://<domainname>/plugins/ldap/autocomplete.php?ldap_group_name=<dir_group>&page=1

    And hence it is not possible to synchronize. The Synchronize button is never clickable.

    Authentication & LDAP
    9.15
    CentOS 6
    Patricia Carrasco (pcar), Emilio Palmiero (empa), Stephan Bill (stephanbill)
    Stage
    Empty
    Closed
    2018-01-11

    Follow-ups

    Thomas Gerbet (tgerbet) 2018-01-09 17:12
    A patch is under review: gerrit #10295.

    • Summary
      -Set directory group binding , not working in 9.15 
      +Cannot bind a ugroup to a LDAP directory group that is not at the first level of the tree 
    • Status changed from Acknowledged to Under review
    Ruben (lmcrubs) 2018-01-03 15:48
    Hello Thomas,

    The ldap search for an ldap group from command line is like:
    ldapsearch -H ldaps://<ldap server> -x -s sub -D "CN=ALMEGADSVC,OU=CA,OU=SvcAccount,OU=P001,OU=ID,OU=Data,DC=ericsson,DC=se" -w psw -b "OU=P001,OU=GRP,OU=Data,DC=ericsson,DC=se" "cn=idm-openalmadmin"

    where the last parameter is the group.
    Thomas Gerbet (tgerbet) 2018-01-03 09:57
    Hello,

    Can you please share the ldapsearch command you have used to test the behavior on a command line interface?
    Ruben (lmcrubs) 2018-01-02 20:37
    Please let me know if there is more information you may need to know to continue on this.
    Ruben (lmcrubs) 2018-01-02 16:48
    Hello Thomas,

    Below is the result when accessing the 'url' as required:

    {"results": [], "pagination": {"more": false}}
    Thomas Gerbet (tgerbet) 2017-12-28 14:54
    Hello,

    After more testing on our side, we are still not able to reproduce the issue.

    Can you please give us the result you got when you try to directly access the URL: https://<your_tuleap_instance>/plugins/ldap/autocomplete.php?ldap_group_name=idm-openalmadmin&page=1
    Ruben (lmcrubs) 2017-12-21 17:19
    The entry in the log doesn't really mean that the search was really successful; it gives the same lines even for invalid groups.

    e.g. if I type 'hello' I get:
    2017-12-21T11:15:41-05:00 [4101] [debug] LDAP search success OU=GRP,OU=Data,DC=ericsson,DC=se (cn=*hello *) *** SCOPE: 2 *** ATTRIBUTES: cn
    Ruben (lmcrubs) 2017-12-21 17:14
    I am referring to the 'Ajax script' that is then invoking ~/plugins/ldap/autocomplete.php on every letter you type.
    See the new attachment (No results found) and the Synchronize button disabled.

    The string in that snapshot is a valid LDAP group.

    Strangely enough, I have enabled the log to debug as recommended and got the entry as follows:

    2017-12-21T11:11:45-05:00 [4096] [debug] LDAP search success OU=GRP,OU=Data,DC=ericsson,DC=se (cn=*idm-openalmadmin*) *** SCOPE: 2 *** ATTRIBUTES: cn

    But still the same window with the (No results found) and the Synchronize button disabled.

    Thomas Gerbet (tgerbet) 2017-12-21 15:35
    Hello,

    I'm not sure which validation you are referring to.

    Did you check the logfile with sys_logger_level set to debug (this option is available in the local.inc)? If not, can you please enable it on your staging instance and check the logs again?
    Ruben (lmcrubs) 2017-12-21 15:17
    Hello Thomas,

    It seems that there is more than one scenario:

    1) When the project has never been synchronized before. Then whatever you put in the box, valid ldap or not, it results in ‘No results found’ and the Synchronization button is never clickable.

    2) When the project was previously synchronized. Then the box is auto-populated with the previous entry, and the Synchronization button is clickable. Trying to change the box to another string results in 'No results found' as in the above scenario.

    No entries are found in the logfile (/var/log/tuleap/codendi_syslog).

    The same behavior is consistent in the Prod and Staging servers.
    Additionally, a manual ldap search from the command line works as expected; the ldap conf hasn't changed from 9.14 to 9.15.

    I still suspect some strange validation in the code at:
    ~/plugins/ldap/autocomplete.php

    which was not there before. As a workaround I am thinking that it might be possible to disable that validation and enable the Synchronization button.
    Thomas Gerbet (tgerbet) 2017-12-21 08:48
    Hello,

    So I have tried to reproduce the issue, but it seems to work as expected on my end. I also took a look at the impacted code path, but besides some minor changes in the format of the data returned to your browser, the way the LDAP directory is queried has not been modified and no extra check seems to have been added.

    Can you check in your logfile (/var/log/tuleap/codendi_syslog) what happens when you look for a group? On a working instance you get a trace looking like this:
    2017-12-21T08:35:02+01:00 [192] [debug] Bound to LDAP server: ldap://ldap
    2017-12-21T08:35:02+01:00 [192] [debug] LDAP search success ou=groups,dc=tuleap,dc=local (cn=*gro*) *** SCOPE: 2 *** ATTRIBUTES: cn
    2017-12-21T08:35:03+01:00 [131] [debug] Bound to LDAP server: ldap://ldap
    2017-12-21T08:35:03+01:00 [131] [debug] LDAP search success dc=tuleap,dc=local cn=group user1 *** SCOPE: 1 *** ATTRIBUTES:
    2017-12-21T08:35:03+01:00 [131] [debug] LDAP search success cn=group user1,ou=groups,dc=tuleap,dc=local objectClass=* *** SCOPE: 1 *** ATTRIBUTES: memberUid

    • Status changed from New to Acknowledged
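    The trace above shows the autocomplete query running with SCOPE: 2 (subtree) while the later group lookup runs with SCOPE: 1 (one level below the base). As an added illustration that is not Tuleap's code, the following Python model of LDAP search-scope semantics over constructed DNs (modelled on the ones quoted in this thread) shows why a one-level search misses a group stored one OU deeper while a subtree search finds it.

```python
# Added example (not Tuleap's code): a small model of LDAP search scopes
# showing why a group nested below the search base is missed by a
# one-level search but found by a subtree search.  The DNs are constructed
# to mirror the ones quoted in this thread.
from enum import IntEnum


class Scope(IntEnum):
    # Numeric values match the "SCOPE: n" field in the Tuleap debug log.
    BASE = 0
    ONELEVEL = 1
    SUBTREE = 2


def parse_dn(dn):
    """Split a DN into lower-cased RDNs, most specific first.
    Simplified: assumes no escaped commas inside attribute values."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is reachable from base_dn under the given scope."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not under the base at all
    depth = len(entry) - len(base)  # 0 = the base itself, 1 = direct child
    if scope == Scope.BASE:
        return depth == 0
    if scope == Scope.ONELEVEL:
        return depth == 1
    return True  # SUBTREE: any depth, including the base


# Constructed directory: one group directly under OU=GRP, one group nested
# one level deeper under OU=P001 (like the group in this thread).
DIRECTORY = {
    "CN=legacy-admins,OU=GRP,OU=Data,DC=ericsson,DC=se": {"cn": "legacy-admins"},
    "CN=idm-openalmadmin,OU=P001,OU=GRP,OU=Data,DC=ericsson,DC=se": {"cn": "idm-openalmadmin"},
}


def search(base_dn, scope, cn):
    """Return DNs of in-scope entries whose cn equals the requested value
    (case-insensitive), i.e. the equivalent of a (cn=<value>) filter."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, base_dn, scope)
                  and attrs.get("cn", "").lower() == cn.lower())


if __name__ == "__main__":
    base = "OU=GRP,OU=Data,DC=ericsson,DC=se"
    for scope in (Scope.ONELEVEL, Scope.SUBTREE):
        print(scope.name, search(base, scope, "idm-openalmadmin"))
```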
    • CC list set to Stephan Bill (stephanbill), Emilio Palmiero (empa), Patricia Carrasco (pcar)