Combination of users per LDAP and Local Group Management leads to inconsistent permissions and restrictions. #5335

Closed
markus-kuepper opened this issue Mar 13, 2025 · 3 comments

Comments

@markus-kuepper

Describe the bug

Using LDAP to store users and passwords, but managing our Groups locally in ICINGA, may lead to unexpected behaviour.
LDAP login is case insensitive, while DB managed group access is not.

In this combination this leads to users getting wrong access, as Accesses connected to the User directly are treated case insensitive, while Group Memberships coming via the DB are treated as Case Sensitive.

To Reproduce

Set up a user Test using LDAP.
Assign Admin Role (without the unrestricted Access) directly to the user.
Limit access per Group Membership of user Test to a group including filter criteria for Hosts.

Login as test (Group Membership is not applied, and hence filter criteria are missing).
Login as Test (Group Membership is correctly applied).

Expected behavior

It should not be possible to tweak your permissions by the way you write your login.

Your Environment

Icinga Web 2 Version | 2.12.2
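
The mismatch described in this report, modelled as an added example that is not part of the original issue and not Icinga Web 2 code: every name, data value and the filter string is constructed, and the functions are hypothetical stand-ins for a case-insensitive directory lookup and a case-sensitive membership table. It also shows resolving permissions from the directory's canonical spelling and flagging logins typed with a different case.

```python
# Constructed model of the reported mismatch; not Icinga Web 2 code.
# All names, data and the filter string are hypothetical.
LDAP_USERS = {"Test"}                                # canonical directory spelling
GROUP_MEMBERS = {"restricted-hosts": {"Test"}}       # locally managed, stored as-is
ROLES = [
    {"name": "admin", "users": {"Test"}, "groups": set(), "host_filter": None},
    {"name": "limited", "users": set(), "groups": {"restricted-hosts"},
     "host_filter": "host.name=web*"},
]

def directory_lookup(login):
    """Case-insensitive match, as a directory would do; returns the canonical name."""
    return next((u for u in LDAP_USERS if u.lower() == login.lower()), None)

def resolve(username):
    """Return (role names, host filters) that apply to a session username."""
    # Group membership: exact, case-sensitive comparison.
    groups = {g for g, members in GROUP_MEMBERS.items() if username in members}
    roles, filters = [], []
    for role in ROLES:
        # Direct role assignment: case-insensitive comparison.
        direct = username.lower() in {u.lower() for u in role["users"]}
        if direct or groups & role["groups"]:
            roles.append(role["name"])
            if role["host_filter"]:
                filters.append(role["host_filter"])
    return roles, filters

def login_as_typed(login):
    """Session keeps the spelling the user typed: group-based filters can be lost."""
    return resolve(login) if directory_lookup(login) else None

def login_canonical(login):
    """Session uses the directory's spelling: the result no longer depends on case."""
    canonical = directory_lookup(login)
    return resolve(canonical) if canonical else None

def flag_case_variants(logins):
    """Audit helper: successful logins whose spelling differs from the directory's."""
    return [l for l in logins if directory_lookup(l) not in (None, l)]

if __name__ == "__main__":
    for name in ("Test", "test"):
        print(name, "typed:", login_as_typed(name), "canonical:", login_canonical(name))
    print("flagged:", flag_case_variants(["Test", "test", "TEST", "nobody"]))
```
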

@nilmerg
Member

nilmerg commented Mar 20, 2025

Are you using PostgreSQL?

@markus-kuepper
Author

Yes, we are running on Postgres.

@nilmerg
Member

nilmerg commented Mar 20, 2025

Thanks for reporting back!

@nilmerg nilmerg closed this as completed Mar 20, 2025