Uploaded image for project: 'Grouper'
  1. Grouper
  2. GRP-2306

PSPNG membership add to group lowercases memberOf attribute in openldap

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Minor
    • None
    • 2.3.0, 2.4.0
    • provisioning
    • None
    • Grouper 2.3.0, Grouper 2.4.0, OpenLdap

    Description

      We are using OpenLdap in our environment, and are using the memberOf overlay to handle adding "memberOf" to the user record.

      When OpenLdap updates the 'member' attribute on the group, using the memberOf overlay, it replicates the 'DN' provided in the mod LDIF, rather than how the DN is actually defined in OpenLDAP.

      Example if the DN  of the group is defined as:

      cn=TestCase,ou=Groups,dc=somewhere,dc=edu

       

      and the modify LDIF contains the dn to be in all lowercase like

      cn=testcase,ou=groups,dc=somewhere,dc=edu, then

      the memberOf attribute on the user will look like

      memberOf=cn=testcase,ou=groups,dc=somewhere,dc=edu instead of cn=TestCase,ou=Groups,dc=somewhere,dc=edu

       

      Or in another absurd example for OpenLDAP , if the mod LDIF contains the dn to be modified like

      cn=tEsTcAsE,oU=gRoUpS,dC=sOmEwHeRe,dC=eDu,

      The memberOf attribute on the user will get replicated like

      memberOf=cn=tEsTcAsE,oU=gRoUpS,dC=sOmEwHeRe,dC=eDu instead of cn=TestCase,ou=Groups,dc=somewhere,dc=edu

       

      Technically, this isn't a problem, as ldap generally is case-insenstive.  However, we are making use of Grouper maintain ldap groups to control access to AWS roles via SAML auth via Shibboleth.  Unfortunately, AWS's implementation of 'Roles' is case sensitive, and if we had a role mapped to TestCase, and it came back as 'testcase' or 'tEsTcAsE',the authorization fails., and they don't get to log in.

       

      The edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner.scheduleGroupModification() method is currently lowercasing the DN in the creation of the ModifyRequest.

      Its calling "ldapGroup.getLdapObject().getDn()" to set the DN in the ModifyRequest object.

      The LdapObject.getDn() method currently lowercases the dn for ease of use, but is causing the openldap server to replicate the 'memberOf' group's dn value in lowercase instead of the case defined in Grouper.

      The ModifyRequest object should probably use the original case of the DN when modifying the DN rather than change the case to prevent the issue I described.  Simply changing the call to "ldapGroup.getLdapObject().getStringAttribute("dn")" should remediate the issue.  I've extended the LdapGroupProvisioner class with a custom class in our environment with this change and it takes care of the problem.  It would be nice to push it out everyone else.

       

       

       

      Attachments

        Activity

          People

            chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)
            david.malia@at.internet2.edu David Malia
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: