Hi,
I am trying to get LDAP working in my LAVA instance, and have managed to get logging into it working. The issue comes when I try to use Django's MIRROR_GROUPS setting.
I am already aware that it is not built into LAVA to be configurable, and I have already taken steps to add the relevant lines in lava_server/settings/common.py to make it work (initialize to None, values.get() in the update method, then run eval on the value in the LDAP if section), but it still won't work. All other required settings are clearly working just fine, and I can even set USER_FLAGS_BY_GROUP just fine, but I would prefer to mirror certain groups that users are members of and assign permissions to the groups.
Do I need to pre-create the groups before logging in to LAVA or am I missing something else/doing something wrong?
Original common.py source: https://gitlab.com/lava/lava/-/blob/master/lava_server/settings/common.py
Michael,
Could you send your changes as a WIP PR on gitlab? This would help in the discussion.
Best Regards, Milosz
On Mon, Mar 3, 2025 at 2:32 AM Michael Peddie michael.peddie@gallagher.com wrote:
> Hi,
> I am trying to get LDAP working in my LAVA instance, and have managed to get logging into it working. The issue comes when I try to use Django's MIRROR_GROUPS setting.
> I am already aware that it is not built into LAVA to be configurable, and I have already taken steps to add the relevant lines in lava_server/settings/common.py to make it work (initialize to None, values.get() in the update method, then run eval on the value in the LDAP if section), but it still won't work. All other required settings are clearly working just fine, and I can even set USER_FLAGS_BY_GROUP just fine, but I would prefer to mirror certain groups that users are members of and assign permissions to the groups.
> Do I need to pre-create the groups before logging in to LAVA or am I missing something else/doing something wrong?
> Original common.py source: https://gitlab.com/lava/lava/-/blob/master/lava_server/settings/common.py
Hi Milosz,
I don't think what I did is exactly what you asked for, but it shows exactly how I've done it and provides access to you. I created a fork and just added the lines in there, the links to each addition are:
- init var to None
https://gitlab.com/MichaelPed/lava/-/blob/master/lava_server/settings/common...
- get config value with values.get()
https://gitlab.com/MichaelPed/lava/-/blob/master/lava_server/settings/common...
- run if and eval config value and set
https://gitlab.com/MichaelPed/lava/-/blob/master/lava_server/settings/common...
Feel free to work with it as you like, I made no other changes elsewhere other than maybe a print in the addldapuser command code to see the value of settings.AUTH_LDAP_MIRROR_GROUPS (which showed it was correctly set every time, as far as I could tell). If you need anything more from me, let me know and I will do my best.
Best regards, Michael
On Mon, Mar 3, 2025 at 7:07 PM Michael Peddie michael.peddie@gallagher.com wrote:
> Hi Milosz,
> I don't think what I did is exactly what you asked for, but it shows exactly how I've done it and provides access to you. I created a fork and just added the lines in there, the links to each addition are:
> - init var to None
> https://gitlab.com/MichaelPed/lava/-/blob/master/lava_server/settings/common...
> - get config value with values.get()
> https://gitlab.com/MichaelPed/lava/-/blob/master/lava_server/settings/common...
> - run if and eval config value and set
> https://gitlab.com/MichaelPed/lava/-/blob/master/lava_server/settings/common...
> Feel free to work with it as you like, I made no other changes elsewhere other than maybe a print in the addldapuser command code to see the value of settings.AUTH_LDAP_MIRROR_GROUPS (which showed it was correctly set every time, as far as I could tell). If you need anything more from me, let me know and I will do my best.
This is good enough.
If I read the docs correctly this setting should be either set to "True" or to a list of groups you want to mirror: https://django-auth-ldap.readthedocs.io/en/latest/reference.html#std-setting...
I think the last part of this patch isn't really needed (lines 533-536). If you have AUTH_LDAP_MIRROR_GROUPS in your settings as described here https://docs.lavasoftware.org/lava/authentication.html it should be sufficient. Note that the groups are only updated when the user is authenticated through LDAP.
I don't have access to LDAP at this moment, so I can't test it, but IMHO your patch looks OK and should work. Try removing the lines 533-536, restarting and re-logging.
I hope it helps.
Best Regards, Milosz
> If I read the docs correctly this setting should be either set to "True" or to a list of groups you want to mirror: https://django-auth-ldap.readthedocs.io/en/latest/reference.html#std-setting...
I did just that. I have tried just setting it to true, using the simple names of the groups in a list, and using DNs for them in a list as well, and none of them worked.
> I don't have access to LDAP at this moment, so I can't test it, but IMHO your patch looks OK and should work. Try removing the lines 533-536, restarting and re-logging.
It still didn't work, but there were no new errors after removing so thank you for that suggestion.
I get a NO_SUCH_OBJECT error whenever I log in, and the only thing matched is the dc part of a DN (e.g. DC=example,DC=com). Group search and group type have been set since I otherwise wouldn't be able to use LDAP, which leaves me no other clue on how to get it to work.
I appreciate the help so far, if there is any clue to get it working in the future I would be happy to know.
Best regards, Michael
On Mon, Mar 3, 2025 at 9:00 PM Michael Peddie michael.peddie@gallagher.com wrote:
>> If I read the docs correctly this setting should be either set to "True" or to a list of groups you want to mirror: https://django-auth-ldap.readthedocs.io/en/latest/reference.html#std-setting...
> I did just that. I have tried just setting it to true, using the simple names of the groups in a list, and using DNs for them in a list as well, and none of them worked.
>> I don't have access to LDAP at this moment, so I can't test it, but IMHO your patch looks OK and should work. Try removing the lines 533-536, restarting and re-logging.
> It still didn't work, but there were no new errors after removing so thank you for that suggestion.
> I get a NO_SUCH_OBJECT error whenever I log in, and the only thing matched is the dc part of a DN (e.g. DC=example,DC=com). group search and group type have been set since I otherwise wouldn't be able to use LDAP, which leaves me no other clue on how to get it to work.
> I appreciate the help so far, if there is any clue to get it working in the future I would be happy to know.
I found this: https://www.forumsys.com/2022/05/10/online-ldap-test-server/ I'll try to set up a local lava server with LDAP auth tomorrow. I'm curious why it wouldn't work.
Best Regards, Milosz
> Best regards, Michael
Hi Milosz,
I managed to figure out the issue. I apparently misconfigured my group search, I have fixed it and the errors have disappeared, but the groups are still not being mirrored, and I am investigating why. So far it seems as though it may be an issue in the way the LDAP I am using is configured, but I can't say for sure yet. Thank you for all the help so far.
Best regards, Michael
Hi all,
I have solved this issue. Aside from originally (incorrectly) configuring the AUTH_LDAP_GROUP_SEARCH to include the CN of my group, I needed to change the objectClass filter that is documented from the groupOfNames, that everything seems to say to use, to just group.
In the end my AUTH_LDAP_GROUP_SEARCH is now something like: LDAPSearch("OU=Groups,OU=co,DC=example,DC=com", ldap.SCOPE_SUBTREE, "(objectClass=group)")
I hope this helps anyone else who may have the issue now or in the future, this was a rough journey, thank you for the help Milosz.
Best regards, Michael
On Wed, Mar 5, 2025 at 9:42 PM Michael Peddie michael.peddie@gallagher.com wrote:
> Hi all,
> I have solved this issue. Aside from originally (incorrectly) configuring the AUTH_LDAP_GROUP_SEARCH to include the CN of my group, I needed to change the objectClass filter that is documented from the groupOfNames, that everything seems to say to use, to just group.
> In the end my AUTH_LDAP_GROUP_SEARCH is now something like: LDAPSearch("OU=Groups,OU=co,DC=example,DC=com", ldap.SCOPE_SUBTREE, "(objectClass=group)")
> I hope this helps anyone else who may have the issue now or in the future, this was a rough journey, thank you for the help Milosz.
Great news! I'm struggling with a deadline here and I didn't manage to get round to LDAP yet. Well done!
Best Regards, Milosz
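An added example, not part of the thread and not LAVA's own code: the patch described earlier in the thread runs eval on the configured AUTH_LDAP_MIRROR_GROUPS value. Since the thread notes the setting is either True or a list of group names, the value can be parsed with ast.literal_eval and type-checked instead, so a settings file cannot execute code at start-up. The function name parse_mirror_groups and the sample values are constructed for illustration.

```python
import ast


def parse_mirror_groups(raw):
    """Parse a configured AUTH_LDAP_MIRROR_GROUPS value without eval().

    Returns None (unset), a bool, or a list of group names; raises
    ValueError for anything else.
    """
    value = raw
    if isinstance(raw, str):
        if not raw.strip():
            return None
        try:
            # literal_eval builds only literals (bool, str, list, ...);
            # names, calls and attribute access raise instead of running.
            value = ast.literal_eval(raw.strip())
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"not a Python literal: {raw!r}") from exc
    if value is None:
        return None
    if isinstance(value, bool):
        return value
    if isinstance(value, (list, tuple)):
        names = list(value)
        if all(isinstance(n, str) and n.strip() for n in names):
            return names
        raise ValueError(f"group names must be non-empty strings: {raw!r}")
    raise ValueError(f"expected True/False or a list of names: {raw!r}")


# Constructed sample values, as they might appear in a settings file.
SAMPLES = ["True", '["lava-admins", "lava-devs"]', "print('side effect')", "1"]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print(f"{sample!r:40} -> {parse_mirror_groups(sample)!r}")
        except ValueError as err:
            print(f"{sample!r:40} -> rejected ({err})")
```
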