Fixes #9494 - Introduce RFC4519 group membership for posix ldap #10527
Conversation
| @@ -30,6 +30,7 @@ | |||
| <%= text_f f, :base_dn, :label => _("Base DN"), :size => "col-md-8", :label_help => base_dn_help_data[@auth_source_ldap.server_type], :data => { :help => base_dn_help_data } %> | |||
| <%= text_f f, :groups_base, :label => _("Groups base DN"), :size => "col-md-8", :label_help => groups_base_dn_help_data[@auth_source_ldap.server_type], :data => { :help => groups_base_dn_help_data } %> | |||
| <%= checkbox_f f, :use_netgroups, :help_inline => _("Use NIS netgroups instead of posix groups."), :label_help => _('By default we map user groups to standard LDAP Group objects. FreeIPA and POSIX LDAP server types supports alternative way of grouping users through Netgroups. Enable this checkbox if using Netgroups is preferred instead of standard groups.') %> | |||
| <%= checkbox_f f, :use_rfc4519_group_membership, :label => _('Use RFC4519 group membership'), :help_inline => _("Use group membership as defined in RFC4519 using groupOfNames and groupOfUniqueNames in addition to posix groups."), :label_help => _('By default we map user groups to standard LDAP Group objects using the memberuid attribute. POSIX LDAP servers may support an alternative way of modelling group membership using groupOfNames - member and groupOfUniqueNames - uniqueMember attributes. Enable this checkbox if your LDAP server uses this instead of plain POSIX groups per RFC2307.') %> | |||
There was a problem hiding this comment.
I have a few nitpicky suggestions to improve readability:
| <%= checkbox_f f, :use_rfc4519_group_membership, :label => _('Use RFC4519 group membership'), :help_inline => _("Use group membership as defined in RFC4519 using groupOfNames and groupOfUniqueNames in addition to posix groups."), :label_help => _('By default we map user groups to standard LDAP Group objects using the memberuid attribute. POSIX LDAP servers may support an alternative way of modelling group membership using groupOfNames - member and groupOfUniqueNames - uniqueMember attributes. Enable this checkbox if your LDAP server uses this instead of plain POSIX groups per RFC2307.') %> | |
| <%= checkbox_f f, :use_rfc4519_group_membership, :label => _('Use RFC4519 group membership'), :help_inline => _("Use group membership based on the groupOfNames and groupOfUniqueNames attributes as defined in RFC4519 in addition to POSIX groups."), :label_help => _('By default we use the memberuid attribute to map user groups to standard LDAP Group objects. Some POSIX LDAP servers support an alternative way of using the groupOfNames - member and groupOfUniqueNames - uniqueMember attributes to model group membership. Enable this checkbox if your LDAP server uses this instead of plain POSIX groups per RFC2307.') %> |
However, mostly it would be great if there was a way to make the label more informative. Use RFC4519 group membership references the RFC code but the details of that might be unknown to users. The best I could come up with is this:
| <%= checkbox_f f, :use_rfc4519_group_membership, :label => _('Use RFC4519 group membership'), :help_inline => _("Use group membership as defined in RFC4519 using groupOfNames and groupOfUniqueNames in addition to posix groups."), :label_help => _('By default we map user groups to standard LDAP Group objects using the memberuid attribute. POSIX LDAP servers may support an alternative way of modelling group membership using groupOfNames - member and groupOfUniqueNames - uniqueMember attributes. Enable this checkbox if your LDAP server uses this instead of plain POSIX groups per RFC2307.') %> | |
| <%= checkbox_f f, :use_rfc4519_group_membership, :label => _('Use alternative group membership based on RFC4519'), :help_inline => _("Use group membership based on the groupOfNames and groupOfUniqueNames attributes as defined in RFC4519 in addition to POSIX groups."), :label_help => _('By default we use the memberuid attribute to map user groups to standard LDAP Group objects. Some POSIX LDAP servers support an alternative way of using the groupOfNames - member and groupOfUniqueNames - uniqueMember attributes to model group membership. Enable this checkbox if your LDAP server uses this instead of plain POSIX groups per RFC2307.') %> |
which at least explains that this is an alternative to the default but if there was a way to succinctly explain the actual behavior (what will actually happen if users select that checkbox), that would be great. It might be tricky so if you can't, that's okay, and I'd still consider this an improvement.
There was a problem hiding this comment.
However, mostly it would be great if there was a way to make the label more informative.
The ui doesn't seem to like long labels too much, but we could go with that. Personally I'd prefer a shorter label with more elaborate inline help, would that work?
There was a problem hiding this comment.
I'd vote for smaller label with additional information included in inline help.
There was a problem hiding this comment.
I left the label as-is, but changed the inline help and tooltip according to the suggestions
There was a problem hiding this comment.
Looking at the options: can NIS netgroups and RFC4519 groups be used at the same time? Feels like it should be a drop down now with 3 options:
- RFC2307 POSIX groups
- RFC4519 groupOfNames and groupOfUniqueNames
- NIS netgroups
There was a problem hiding this comment.
can NIS netgroups and RFC4519 groups be used at the same time?
Not really, or at least not with how ldap_fluff is currently written. That would mean that for certain types, there would be a dropdown with only two options which isn't ideal, but probably still better than checkboxes which override each other. Maybe radio buttons would work? I'll see what I can do
There was a problem hiding this comment.
I think from a usability perspective that's better than cleaning up the user, possibly reverting their (incorrect) choice.
There was a problem hiding this comment.
Thanks, @adamruzicka, personally I like the approach. Just to understand the bigger picture: this new flag is to fix a bug, but is that bug common? I mean, if that bug is just a corner case, then it should be false by default, but if it's a quite common bug (more and more users leverage features of RFC4519) then maybe we should enable it by default?
P.S. I'd approve after ldap_fluff bump and green tests.
adamruzicka
force-pushed
the
ldap-rfc4519
branch
from
42a6274 to
0abfc10
Compare
I'm afraid I can't reliably answer that. It is an issue for people running 389DS (or derivatives). In theory it shouldn't hurt to leave this turned on, but I'd still rather stay on the safe side |
adamruzicka
force-pushed
the
ldap-rfc4519
branch
from
0abfc10 to
8c2e32b
Compare
|
/packit build |
|
Well, it was worth a try. Anyway the packaging pr for bumping the version of ldap_fluff was merged ~an hour ago |
|
@adamruzicka I kicked off https://ci.theforeman.org/job/foreman-nightly-rpm-pipeline/2697/ -- once that passed you should have 0.9.0 available for packit |
|
/packit build |
|
it built 🎉 |
|
No actual changes done, just squashed the commits. |
| @@ -46,6 +46,7 @@ def show | |||
| param :tls, :bool | |||
| param :groups_base, String, :desc => N_("groups base DN") | |||
| param :use_netgroups, :bool, :desc => N_("use NIS netgroups instead of posix groups, applicable only when server_type is posix or free_ipa") | |||
| param :use_rfc4519_group_membership, :bool, :desc => N_("use RFC4519 group membership in addition to posix groups, applicable only when server_type is posix") | |||
There was a problem hiding this comment.
this will require an update to the ansible module too: https://github.com/theforeman/foreman-ansible-modules/blob/ae6b518157a3e099293450f33ead460fd5f195c8/plugins/modules/auth_source_ldap.py#L218
| if (window.location.pathname.match('auth_source_ldaps/i')) { | ||
| if (window.location.pathname.match(/auth_source_ldaps/i)) { |
There was a problem hiding this comment.
Wonder if this ever worked
> window.location.pathname
'/auth_source_ldaps/new'
> window.location.pathname.match('auth_source_ldaps/i')
null
> window.location.pathname.match(/auth_source_ldaps/i)
['auth_source_ldaps', index: 1, input: '/auth_source_ldaps/new', groups: undefined]
Requires theforeman/ldap_fluff#88
Steps to reproduce
If everything works, the user should still be in the external group.
TODO: