
Mapped LDAP Groups not working

Open andersoncruz opened this issue 3 years ago • 3 comments

I've assigned Mapped LDAP groups to DT groups and was expecting all users found in the LDAP group to be automatically assigned, but they were not.

DT can find this group through search and assign it (at least visually), but it does not work in practice.

Current Behavior:

Users can authenticate through LDAP and groups can be configured into DT groups, but it is not recognized that a user belongs to an LDAP group and gains the same permissions in the DT group.

Steps to Reproduce:

Configure LDAP in DT and assign Mapped LDAP Groups to any DT group. Try to use a user inside that group and check whether this user gains the same permissions as his LDAP group.

Expected Behavior:

All users inside an LDAP group assigned to a DT group have permissions automatically when logging in.

Environment:

  • Dependency-Track Version: 4.5.0
  • Distribution: Docker ( bundled )
  • BOM Format & Version:
  • Database Server: PostgreSQL
  • Browser: Chrome/Firefox

Additional Details:

Is it possible to generate a log right after associating an LDAP group with a DT group, showing every user inside this group that will receive the permissions? That would be very useful for tracking where the problem is.

andersoncruz avatar Sep 20 '22 06:09 andersoncruz

I've found that this works, but ONLY when a user first logs in.

If the LDAP user already exists and you change the Groups, then they do not get the new permissions.

BlythMeister avatar Oct 03 '22 08:10 BlythMeister

Hi, I found two parameters in https://dependencytrack.org/docker-compose.yml and https://github.com/DependencyTrack/dependency-track/blob/master/src/main/resources/application.properties#L236-L254 that are not documented on https://docs.dependencytrack.org/getting-started/ldap-configuration/:

# Optional
# Specifies if mapped LDAP accounts are automatically created upon successful
# authentication. When a user logs in with valid credentials but an account has
# not been previously provisioned, an authentication failure will be returned.
# This allows admins to control specifically which ldap users can access the
# system and which users cannot. When this value is set to true, a local ldap
# user will be created and mapped to the ldap account automatically. This
# automatic provisioning only affects authentication, not authorization.
alpine.ldap.user.provisioning=false

# Optional
# This option will ensure that team memberships for LDAP users are dynamic and
# synchronized with membership of LDAP groups. When a team is mapped to an LDAP
# group, all local LDAP users will automatically be assigned to the team if
# they are a member of the group the team is mapped to. If the user is later
# removed from the LDAP group, they will also be removed from the team. This
# option provides the ability to dynamically control user permissions via an
# external directory.
alpine.ldap.team.synchronization=false

For me everything works as expected when I set both to true.

Hope this helps. Cheers

nitschSB avatar Feb 23 '23 07:02 nitschSB
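To make the difference between the two options concrete, here is an added, constructed model of the behaviour the quoted comments describe (first login maps the user once; only with team synchronization is membership re-evaluated on later logins and removed again when the user leaves the group). It is illustrative code, not Dependency-Track's own implementation; the group and user DNs are made up.

```python
# Added illustration of the two options quoted above; this is a constructed
# model, not Dependency-Track's own code. Names and DNs are made up.
from dataclasses import dataclass, field

GROUP = "cn=dt-admins,ou=groups,dc=example,dc=org"      # constructed group DN
ALICE = "uid=alice,ou=people,dc=example,dc=org"         # constructed user DN

@dataclass
class LocalUser:
    dn: str
    teams: set = field(default_factory=set)

@dataclass
class Server:
    directory: dict                      # LDAP group DN -> set of member DNs
    team_to_group: dict                  # DT team name -> mapped LDAP group DN
    user_provisioning: bool = False      # models alpine.ldap.user.provisioning
    team_synchronization: bool = False   # models alpine.ldap.team.synchronization
    users: dict = field(default_factory=dict)

    def _teams_for(self, user_dn):
        """Teams whose mapped group currently lists user_dn as a member."""
        return {t for t, g in self.team_to_group.items() if user_dn in self.directory.get(g, ())}

    def login(self, user_dn):
        """Simulate a successful LDAP bind; return the team set, or None if refused."""
        user = self.users.get(user_dn)
        if user is None:
            if not self.user_provisioning:
                return None              # unknown account -> authentication failure
            user = LocalUser(user_dn, self._teams_for(user_dn))  # first login: mapped once
            self.users[user_dn] = user
        elif self.team_synchronization:
            user.teams = self._teams_for(user_dn)  # re-evaluated on every login
        return set(user.teams)

def group_change_after_first_login(team_synchronization):
    """Case from the thread: first login, then the user is added to the mapped group and logs in again."""
    directory = {GROUP: set()}
    server = Server(directory, {"Administrators": GROUP}, user_provisioning=True,
                    team_synchronization=team_synchronization)
    first = server.login(ALICE)
    directory[GROUP].add(ALICE)          # directory admin adds alice to the group later
    second = server.login(ALICE)
    directory[GROUP].discard(ALICE)      # and removes her again
    third = server.login(ALICE)
    return first, second, third
```

With synchronization off the returned tuple stays `(set(), set(), set())`; with it on, the second login yields `{"Administrators"}` and the third drops it again.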

I have both of those (alpine.ldap.team.synchronization, alpine.ldap.user.provisioning) set to true. A user logged in before he was assigned the correct role in LDAP/AD. After the role had been assigned, Dependency-Track still showed him as not being inside a group.

He was only correctly assigned after I deleted his user in Dependency-Track and he logged in again.

I cannot set AD roles, so I have difficulty testing/reproducing this.

mtsfoni avatar Aug 09 '24 09:08 mtsfoni