AUTH_LDAP_FIND_GROUP_PERMS set to true)
Object is created successfully
HTTP 403 error received.
This appears to be due to using AUTH_LDAP_FIND_GROUP_PERMS and mapping granular permissions to an LDAP user's group membership. Through the Netbox GUI everything works fine, but the API token doesn't get mapped dynamically to their assigned user group since the LDAP validation never takes place.
I think this class is where the potential changes could happen: https://github.com/digitalocean/netbox/blob/develop/netbox/netbox/api.py#L53. Just need to determine where in django_auth_ldap we'd need to hook into. https://django-auth-ldap.readthedocs.io/en/latest/custombehavior.html
Chiming in with a +1 here. We encountered this issue as well: we use LDAP integration and Active Directory groups to define three primary sets of users: global admins, read-only users, and read-write users. API tokens for global admins work fine, but tokens for these other user types don't work and exhibit the behavior shown above (can create/update/delete objects through the web GUI but not through any token they have created).
Hello!
We have the same issue. After we moved from NetBox local permissions to LDAP group-based permissions, our API access tokens lost all permissions. We have to temporarily duplicate local permissions for remote users.
Need someone familiar with LDAP authentication to own this. Otherwise it will be closed.
I think view permissions broke this as well, for the same reasons as the original author wrote about, but now it doesn't even work to view any objects behind a View permission when you are using the dynamic mapping feature from LDAP.
The only current workaround we have is that for API tokens, we create a manual user and add the correct permissions to those accounts. Call them server or integration accounts; if you are working on a specific feature or integration with some external system, it is always better to have a unique and specific account that holds the API token for that integration. It is not an optimal solution, but it works as a workaround for now.
Double check that the casing of the group name in Netbox matches exactly to the casing in your AD/LDAP server. That was a weird side-effect we noticed after going to v2.6.X from v2.5.X.
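As an added illustration of the casing point above (example code, not part of this issue or of NetBox), the following stdlib-only script takes the group DNs an AUTH_LDAP_GROUP_SEARCH would return and the names of the Django groups that carry permissions, and reports which Django group names match an LDAP group exactly, which differ only in letter case, and which have no LDAP counterpart at all. The sample DNs and group names are constructed for the example. django-auth-ldap matches the Django group name against the LDAP group's cn exactly, so a case-only mismatch means the user gets none of that group's permissions, and with AUTH_LDAP_MIRROR_GROUPS a second, differently cased Django group gets created at login.

```python
"""Audit Django group names against LDAP group DNs to catch case-only mismatches.

Added example, not code from the NetBox issue or project. Assumes the LDAP
groups use a leading cn= RDN, as in the configs shown in this thread.
"""
import re

# Constructed sample input: what an AUTH_LDAP_GROUP_SEARCH might return.
SAMPLE_LDAP_GROUP_DNS = [
    "cn=ggreadwrite,ou=Groups,dc=example,dc=com",
    "cn=NetBox-ReadOnly,ou=Groups,dc=example,dc=com",
    "cn=ggadmins,ou=Groups,dc=example,dc=com",
]

# Constructed sample input: Django groups that permissions were assigned to.
SAMPLE_DJANGO_GROUPS = ["ggreadwrite", "netbox-readonly", "netbox-operators"]


def group_cn(dn: str) -> str:
    """Return the value of the leading cn= RDN of a group DN.

    Splits on the first comma that is not backslash-escaped, so a cn that
    itself contains an escaped comma is handled.
    """
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError(f"expected a cn= RDN, got {first_rdn!r}")
    return value.replace("\\,", ",")


def audit_group_names(ldap_group_dns, django_group_names):
    """Classify each Django group name as 'exact', 'case_mismatch' or 'missing'.

    'case_mismatch' entries are (django_name, [ldap cn values that differ only
    in case]); these are the ones django-auth-ldap will never map.
    """
    ldap_cns = [group_cn(dn) for dn in ldap_group_dns]
    by_lower = {}
    for cn in ldap_cns:
        by_lower.setdefault(cn.lower(), []).append(cn)

    report = {"exact": [], "case_mismatch": [], "missing": []}
    for name in django_group_names:
        if name in ldap_cns:
            report["exact"].append(name)
        elif name.lower() in by_lower:
            report["case_mismatch"].append((name, by_lower[name.lower()]))
        else:
            report["missing"].append(name)
    return report


if __name__ == "__main__":
    result = audit_group_names(SAMPLE_LDAP_GROUP_DNS, SAMPLE_DJANGO_GROUPS)
    for category, entries in result.items():
        print(f"{category}: {entries}")
```

Run it against a real group list by replacing the two constructed lists with the DNs from an ldapsearch over your AUTH_LDAP_GROUP_SEARCH base and the names from Django admin's Groups page; anything under case_mismatch is a group whose permissions will silently not apply.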
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our contributing guide.
This issue has been automatically closed due to lack of activity. In an effort to reduce noise, please do not comment any further. Note that the core maintainers may elect to reopen this issue at a later date if deemed necessary.
Would someone mind sharing their LDAP-specific config please? I'm trying to recreate this issue, but everything works as it should via the API, just like the web UI, with the following config: django-auth-ldap==2.0.0 with 389-ds-base 1.3.9.1-12.el7_7.
import ldap
from django_auth_ldap.config import GroupOfNamesType, LDAPSearch

# Cache each user's LDAP group membership for an hour.
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

# Grant permissions from Django groups whose names match the user's LDAP groups
# without writing the membership to the database.
AUTH_LDAP_FIND_GROUP_PERMS = True

AUTH_LDAP_GROUP_SEARCH = LDAPSearch('ou=Groups,dc=example,dc=com', ldap.SCOPE_SUBTREE, '(objectClass=posixGroup)')
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()

# Replace the user's Django group membership with the LDAP group set on each login.
AUTH_LDAP_MIRROR_GROUPS = True

AUTH_LDAP_USER_DN_TEMPLATE = 'cn=%(user)s,ou=People,dc=example,dc=com'
AUTH_LDAP_SERVER_URI = 'ldap://localhost:389/'

# Set the user flags from membership of these LDAP groups.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    'is_active': 'cn=ggactive,ou=Groups,dc=example,dc=com',
    'is_staff': 'cn=ggreadwrite,ou=Groups,dc=example,dc=com',
    'is_superuser': 'cn=ggadmins,ou=Groups,dc=example,dc=com',
}
@hSaria are you adding an LDAP-authenticated user to a Django group through Django admin or are you letting django-auth-ldap dynamically map the user to that group? I'll work on getting an export of my config here.
If I manually add a user to a group within Django admin, the API key works, but if the user is just getting permissions via LDAP group mapping, they do not.
I'm not adding the LDAP-user to a Django group myself. From a fresh state (no groups, no users), here's what I do:
ggreadonly which has no permissions by default), namely the permission to create an API token and the permission to create an IP
curl -X POST "http://netbox/api/ipam/ip-addresses/" \
    -H "accept: application/json" \
    -H "Content-Type: application/json" \
    -H "Authorization: Token e7c480a7cc381dd09d923f0ef04f0c71efaa7b8a" \
    -d '{ "address": "1.1.1.1/24"}'