8000 Support rfc2307 memberUid in sync operations. by Firstyear · Pull Request #3466 · kanidm/kanidm · GitHub

Support rfc2307 memberUid in sync operations. #3466


Merged · 3 commits · Mar 14, 2025

Conversation

Firstyear (Member)

A lot of legacy directory servers will use rfc2307 schema where members of groups are stored as the uid instead of a dn. Within kani, we absolutely need this to be a dn, else we risk accidentally adding kanidm entries into ldap synced groups which isn't what we want.

If we have an rfc2307 schema, then we pre-resolve the uid to the member dn so that kanidm gets the correct information.

Fixes #3464

Checklist

  • This PR contains no AI generated code
  • book chapter included (if relevant)
  • design document included (if relevant)
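The resolution step described above, as an added illustration that is not kanidm's own code: a bare rfc2307 `memberUid` is only ever looked up among the user entries found in this sync's search base, and a DN (from either schema) that does not belong to a synced entry is skipped rather than attached to the group. The `GroupAttrSchema` enum, `sample_synced_users` data and `resolve_members` function are assumed names, not kanidm's real types.

```rust
use std::collections::{HashMap, HashSet};

/// Which membership schema the upstream LDAP server uses.
/// (Assumed names; mirrors the `group_attr_schema = rfc2307` setting.)
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum GroupAttrSchema {
    /// `member` holds full DNs.
    Rfc2307bis,
    /// `memberUid` holds bare uids that must be resolved to DNs.
    Rfc2307,
}

/// Constructed sample: user entries found under the synced search base,
/// keyed by uid. Only these may ever be matched; kanidm's own native
/// accounts are deliberately not part of this map.
pub fn sample_synced_users() -> HashMap<String, String> {
    HashMap::from([
        ("user1".to_string(), "uid=user1,ou=Users,dc=ldap,dc=example,dc=com".to_string()),
        ("user3".to_string(), "uid=user3,ou=Users,dc=ldap,dc=example,dc=com".to_string()),
    ])
}

/// Turn raw member values into DNs of synced users.
/// Returns (resolved DNs, raw values that were skipped). A skipped value is
/// the case the thread logs as "Could not convert external_id to reference".
pub fn resolve_members(
    schema: GroupAttrSchema,
    raw_members: &[&str],
    synced: &HashMap<String, String>,
) -> (Vec<String>, Vec<String>) {
    // DNs that legitimately belong to this sync.
    let known_dns: HashSet<&str> = synced.values().map(String::as_str).collect();
    let mut resolved = Vec::new();
    let mut skipped = Vec::new();
    for raw in raw_members {
        // Step 1: normalise the raw value to a DN (rfc2307 needs a lookup).
        let dn = match schema {
            GroupAttrSchema::Rfc2307bis => Some(raw.to_string()),
            GroupAttrSchema::Rfc2307 => synced.get(*raw).cloned(),
        };
        // Step 2: the DN must be an entry from this sync, else drop it.
        match dn {
            Some(dn) if known_dns.contains(dn.as_str()) => resolved.push(dn),
            _ => skipped.push(raw.to_string()),
        }
    }
    (resolved, skipped)
}
```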

@Firstyear (Member, Author)

@pmarr Are you able to test this branch with your ldap server to see if it helps you? I have done some testing, but would really want to hear back from you about it.

@pmarr commented Feb 26, 2025

Yes I can test later today or tomorrow. Is there an image tag I can pull somewhere or do I need to build the container locally off the 20250226-rfc2307-ldap branch?

@pmarr commented Feb 26, 2025

After futzing around on the wrong branch for a bit, I've now successfully run make buildx/kanidmd and kanidm_tools from branch https://github.com/Firstyear/kanidm/tree/20250226-rfc2307-ldap

For example here is the kanidm_tools built against the correct git branch b26e786:

[linux/amd64] [3/3] STEP 14/14: LABEL "com.kanidm.git-commit"="b26e786099948b92fb4af61f967c4aa5efcf40ed" "com.kanidm.version"=""
[linux/amd64] [3/3] COMMIT kanidm/tools:devel
--> a8de9385acb8
Successfully tagged localhost/kanidm/tools:devel

And the server:

[linux/amd64] [3/3] STEP 12/13: CMD [ "/sbin/kanidmd", "server", "-c", "/data/server.toml"]
--> 61cc6f2b678c
[linux/amd64] [3/3] STEP 13/13: LABEL "com.kanidm.git-commit"="b26e786099948b92fb4af61f967c4aa5efcf40ed" "com.kanidm.version"=""
[linux/amd64] [3/3] COMMIT kanidm/server:devel

DISREGARD BELOW, SEE FOLLOWUP RESPONSE - forgot to set group_attr_schema = rfc2307
Using the built server and tools images, I still get externalID as the uid and not the full dn.

Example from the proto-dump:

    {
      "schemas": [
        "urn:ietf:params:scim:schemas:kanidm:sync:1:group",
        "urn:ietf:params:scim:schemas:kanidm:sync:1:posixgroup"
      ],
      "id": "fd779974-dabf-103c-81d5-c7b825f17e5b",
      "externalId": "cn=sa_group1,ou=Groups,dc=ldap,dc=example,dc=com",
      "gidnumber": 10001,
      "member": [
        {
          "external_id": "user1"
        }
      ],
      "name": "sa_group1"
    },

I still tried the sync and can see in the server debug the same error about converting external_id to reference:

670fdd87-9530-4397-a9d7-c70d90c4484f DEBUG    │  │  │  ┝━ 🐛 [debug]: Schemas valid - Proceeding with entry fd779974-dabf-103c-81d5-c7b825f17e5b
670fdd87-9530-4397-a9d7-c70d90c4484f DEBUG    │  │  │  ┝━ 🐛 [debug]:  | requested_classes: {"group": SchemaClass { name: "group", uuid: 00000000-0000-0000-0000-ffff00000045, description: "Object representation of a group", sync_allowed: true, systemmay: [Description, GrantUiHint, Mail, Member], may: [], systemmust: [Name, Spn], must: [], systemsupplements: [], supplements: [], systemexcludes: [], excludes: [] }, "posixgroup": SchemaClass { name: "posixgroup", uuid: 00000000-0000-0000-0000-ffff00000058, description: "Object representation of a posix group, requires group", sync_allowed: true, systemmay: [], may: [], systemmust: [GidNumber], must: [], systemsupplements: ["group"], supplements: [], systemexcludes: [], excludes: [] }}
670fdd87-9530-4397-a9d7-c70d90c4484f DEBUG    │  │  │  ┝━ 🐛 [debug]:  | sync_owned_attrs: {Description, GidNumber, Mail, Member, Name, PasswordImport, TotpImport, UnixPasswordImport}
670fdd87-9530-4397-a9d7-c70d90c4484f DEBUG    │  │  │  ┝━ 🐛 [debug]: Could not convert external_id to reference - user1

I tried this sync against a fresh database. Please let me know if there are any other things you'd like me to try. I can look at the code changes some, but I'm not versed in Rust.

@pmarr commented Feb 26, 2025

I'm a dummy. Forgot to add the group_attr_schema = rfc2307 to the ldap-sync-config.
It works.

kanidm group get sa_group1
✔ Multiple authentication tokens exist. Please select one · admin@ldap.example.com
---
class: group
class: object
class: posixgroup
class: sync_object
gidnumber: 10001
member: user1@ldap.example.com
name: sa_group1
spn: sa_group1@ldap.example.com
uuid: fd779974-dabf-133c-81d5-c7b852f17e5b

I tested on uidMember that no longer exist or are in a different ou than we're syncing from. They correctly do not get added:

80280cc9-a8ab-4217-ad2c-2cd12cde8fa7 DEBUG    │  │  │  ┝━ 🐛 [debug]: Could not convert external_id to reference - uid=user2,ou=Users,ou=DisabledAccounts,dc=ldap,dc=example,dc=com

I do think this should be a WARN instead of a DEBUG. It was easy to miss the first time round when debugging why the groups had no members.

Thanks again. This provides a cleaner migration path forward for us.

@Firstyear (Member, Author)

Thank you for testing this! Really appreciate your feedback on the process, it's making Kanidm better.

@Firstyear Firstyear marked this pull request as ready for review February 27, 2025 03:08
@Firstyear Firstyear requested a review from yaleman March 13, 2025 06:50
@github-project-automation github-project-automation bot moved this from 🆕 New to 🔖 Ready in Organising Everything Mar 14, 2025
@Firstyear Firstyear enabled auto-merge (squash) March 14, 2025 00:34
@Firstyear Firstyear merged commit e3243ce into kanidm:master Mar 14, 2025
21 checks passed
@github-project-automation github-project-automation bot moved this from 🔖 Ready to ✅ Done in Organising Everything Mar 14, 2025
@Firstyear Firstyear deleted the 20250226-rfc2307-ldap branch March 14, 2025 00:52
Linked issue: Allow ldap sync group_member_attr to support memberUid or warn if not using full DN