Presto: LDAP auth not working if user belongs to multiple groups

Created on 2 Mar 2020 · 10 Comments · Source: prestosql/presto

This was the configuration that worked perfectly before the migration to presto:330.

ldap.url=ldaps://server:636
ldap.user-bind-pattern=uid=${USER},ou=People,o=COMPANY

ldap.user-base-dn=ou=PRESTO,ou=Services,ou=Groups,o=COMPANY
ldap.group-auth-pattern=uniqueMember=uid=${USER},ou=People,o=COMPANY

On the newest version we are facing the error below:
Error running command: Authentication failed: Access Denied: Multiple group membership results for user [XYZ] with different distinguished names

I have tried to change the pattern to something like this:

(|(&(uniqueMember=uid=${USER},ou=People,o=COMPANY)(cn=group1))(&(uniqueMember=uid=${USER},ou=People,o=COMPANY)(cn=group2)))

But that gives the same result. My question is:

What is the idea behind that change? Is there any workaround for it?

Labels: bug, good first issue

All 10 comments

Seems to be introduced in release 329 (https://github.com/prestosql/presto/pull/1917). I can't see a reason to throw this error as it's a valid scenario.

The exception is thrown when the user is found twice, with _different_ distinguished names.
https://github.com/prestosql/presto/blob/d6bd0af758d64f372f104f13b23bcd0f416f7049/presto-password-authenticators/src/main/java/io/prestosql/plugin/password/ldap/LdapAuthenticator.java#L215-L218

@us3r can you check how the names differ when the exception is being raised?
You can find https://github.com/prestosql/presto/pull/2983 helpful.

I will try to use your code ASAP; nevertheless, from the ldapsearch:

dn: cn=group1,ou=PRESTO,ou=Services,ou=Groups,o=COMPANY
uniqueMember: uid=us3r,ou=People,o=COMPANY

dn: cn=group2, ou=PRESTO, ou=Services, ou=Groups, o=COMPANY
uniqueMember: uid=us3r,ou=People,o=COMPANY

So the DN is exactly the same (uniqueMember).

2983 is merged. @us3r can you possibly build from master and enable DEBUG logging for the io.prestosql.plugin.password.ldap context to check?

DEBUG MESSAGE:

2020-03-03T12:46:14.361Z    DEBUG   http-worker-118 io.prestosql.plugin.password.ldap.LdapAuthenticator Multiple group membership results for user [us3r] with different distinguished names: [cn=group1,ou=PRESTO,ou=Services,ou=Groups,o=COMPANY], [cn=group2, ou=PRESTO, ou=Services, ou=Groups, o=COMPANY]

So it is returning the DN of the CN (groups). Just to dispel all doubts, this is my structure:

cn=group1,ou=PRESTO,ou=Services,ou=Groups,o=COMPANY
(...)
uniqueMember: uid=us3r,ou=People,o=COMPANY

cn=group2,ou=PRESTO,ou=Services,ou=Groups,o=COMPANY
(...)
uniqueMember: uid=us3r,ou=People,o=COMPANY

cn=groupX,ou=PRESTO,ou=Services,ou=Groups,o=COMPANY
uniqueMember: uid=userX,ou=People,o=COMPANY
(...)

and config:

password-authenticator.name=ldap

ldap.url=ldaps://COMPANY:636
ldap.user-bind-pattern=uid=${USER},ou=People,o=COMPANY

ldap.user-base-dn=ou=PRESTO,ou=Services,ou=Groups,o=COMPANY
ldap.group-auth-pattern=uniqueMember=uid=${USER},ou=People,o=COMPANY

I have also tried, just for the test:

ldap.group-auth-pattern=(|(&(uniqueMember=uid=${USER},ou=People,o=COMPANY)(cn=group1))(&(uniqueMember=uid=${USER},ou=People,o=COMPANY)(cn=group2)))

If I use this filter:

ldap.group-auth-pattern=(|(&(uniqueMember=uid=${USER},ou=People,o=COMPANY)(cn=group1))(&(uniqueMember=uid=${USER},ou=People,o=COMPANY)(cn=groupX)))

My account is a member of group1 and not groupX, then:

2020-03-03T13:07:23.902Z    DEBUG   http-worker-126 io.prestosql.plugin.password.ldap.LdapAuthenticator Password validation successful for user DN [uid=us3r,ou=People,o=COMPANY]
2020-03-03T13:07:23.950Z    DEBUG   http-worker-126 io.prestosql.plugin.password.ldap.LdapAuthenticator Group membership validated for user [us3r]
2020-03-03T13:07:23.951Z    DEBUG   http-worker-126 io.prestosql.plugin.password.ldap.LdapAuthenticator Authentication successful for user [us3r]


The way it's designed, ldap.group-auth-pattern should search for users who are allowed to connect, not for user memberships.
So the question is whether we can rework the search pattern to adjust for that.

I also acknowledge that in 328 we allowed ldap.group-auth-pattern to return multiple results, because we never used that for binding.
Technically, we can still allow that when ldap.user-bind-pattern is used, but we cannot allow it when ldap.bind-dn is used...
Unless we allow both ldap.bind-dn and ldap.user-bind-pattern (one for searching and one for password validation).

cc @sopel39 @anusudarsan
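The following is an added example, not code from the Presto project or from anyone in this thread. It models the behaviour the maintainer describes above (the group-auth search must return exactly one distinguished name) against the directory layout the reporter posted, using an in-memory directory and a minimal LDAP filter evaluator so it runs offline. It shows the three outcomes from the thread side by side: the reporter's group-centric pattern returns one entry per group and is rejected, the narrowed OR filter returns a single group and passes, and a user-centric pattern under `ou=People` returns the user's own entry. The `memberOf` attribute on the user entries, the `authorize` function and the error strings are assumptions for illustration (the thread notes `memberOf` is not available everywhere); the Presto source is not reproduced here.

```python
"""Added example: why a group-centric ldap.group-auth-pattern trips the
"Multiple group membership results" check in Presto 329+ and a user-centric
pattern does not. Directory, names and the authorize() logic are constructed
for this example; this is not the Presto code."""

# Constructed directory: DN -> {attribute (lowercased): [values]}.
# memberOf on the people entries is assumed for illustration only.
DIRECTORY = {
    "uid=us3r,ou=People,o=COMPANY": {
        "uid": ["us3r"],
        "memberof": ["cn=group1,ou=PRESTO,ou=Services,ou=Groups,o=COMPANY",
                     "cn=group2,ou=PRESTO,ou=Services,ou=Groups,o=COMPANY"],
    },
    "uid=userX,ou=People,o=COMPANY": {
        "uid": ["userX"],
        "memberof": ["cn=groupX,ou=PRESTO,ou=Services,ou=Groups,o=COMPANY"],
    },
    "cn=group1,ou=PRESTO,ou=Services,ou=Groups,o=COMPANY": {
        "cn": ["group1"], "uniquemember": ["uid=us3r,ou=People,o=COMPANY"]},
    "cn=group2,ou=PRESTO,ou=Services,ou=Groups,o=COMPANY": {
        "cn": ["group2"], "uniquemember": ["uid=us3r,ou=People,o=COMPANY"]},
    "cn=groupX,ou=PRESTO,ou=Services,ou=Groups,o=COMPANY": {
        "cn": ["groupX"], "uniquemember": ["uid=userX,ou=People,o=COMPANY"]},
}

GROUPS_BASE = "ou=PRESTO,ou=Services,ou=Groups,o=COMPANY"
PEOPLE_BASE = "ou=People,o=COMPANY"

# 1. The reporter's config: search the groups subtree for entries listing the user.
GROUP_CENTRIC = "uniqueMember=uid=${USER},ou=People,o=COMPANY"
# 2. The reporter's narrowed test filter: one group the user is in, one they are not.
ONE_GROUP = ("(|(&(uniqueMember=uid=${USER},ou=People,o=COMPANY)(cn=group1))"
             "(&(uniqueMember=uid=${USER},ou=People,o=COMPANY)(cn=groupX)))")
# 3. User-centric form (assumes memberOf): search the people subtree for the user.
USER_CENTRIC = ("(&(uid=${USER})(|(memberOf=cn=group1,%s)(memberOf=cn=group2,%s)))"
                % (GROUPS_BASE, GROUPS_BASE))


def parse_filter(text, pos=0):
    """Parse a minimal RFC 4515 filter: (attr=value), (&...) and (|...)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), pos + 1
    # Equality item. The value is often a DN containing '=' and ',', so split once.
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    op, children = node
    return (all if op == "&" else any)(matches(c, entry) for c in children)


def search(base_dn, pattern, user):
    """Subtree search under base_dn with ${USER} substituted into the pattern."""
    filt = pattern.replace("${USER}", user)
    if not filt.startswith("("):        # bare form, as in the reporter's config
        filt = "(" + filt + ")"
    node, _ = parse_filter(filt)
    base = base_dn.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and matches(node, entry)]


def authorize(base_dn, pattern, user):
    """Model of the 329+ check: exactly one distinct DN may come back.
    Returns that DN, or raises PermissionError with a message shaped like the
    ones in the thread (assumed wording, not the project's)."""
    distinct = sorted(set(search(base_dn, pattern, user)))
    if not distinct:
        raise PermissionError("User [%s] not a member of an authorized group" % user)
    if len(distinct) > 1:
        raise PermissionError(
            "Multiple group membership results for user [%s] with different "
            "distinguished names: %s" % (user, ", ".join("[%s]" % d for d in distinct)))
    return distinct[0]


def demo(user="us3r"):
    """Run the three patterns for one user and collect the outcome of each."""
    outcomes = {}
    for name, base, pattern in [("group-centric", GROUPS_BASE, GROUP_CENTRIC),
                                ("one-group", GROUPS_BASE, ONE_GROUP),
                                ("user-centric", PEOPLE_BASE, USER_CENTRIC)]:
        try:
            outcomes[name] = authorize(base, pattern, user)
        except PermissionError as exc:
            outcomes[name] = "DENIED: %s" % exc
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-14s %s" % (name, outcome))
```

Running `demo()` reproduces the thread: the group-centric pattern yields both group DNs and is denied, the narrowed filter yields only `cn=group1,...` and passes, and the user-centric pattern yields `uid=us3r,ou=People,o=COMPANY`, which is the kind of result the maintainer says the pattern was designed to return (a user who is allowed to connect, not a membership record).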

MemberOf - is not always an option that can be implemented (like in my case). I think it would be perfect if that functionality could be added again.

@tooptoop4 @us3r https://github.com/prestosql/presto/pull/3206 should be a simpler fix for this
