Bug #55450 LDAP authentication not working for mapping roles in a user attribute
Submitted: 21 Jul 2010 17:12 Modified: 17 Aug 2010 10:47
Reporter: Leandro Morgado
Status: Closed
Category:MySQL Enterprise Monitor: Server Severity:S3 (Non-critical)
Version:Monitor: 2.2.2.1730 OS:Any
Assigned to: Mark Matthews CPU Architecture:Any

[21 Jul 2010 17:12] Leandro Morgado
Description:
It seems like there is a possible regression bug from 2.2.1.1721 to 2.2.2.1730.

In 2.2.1.1721 I could map a LDAP user's role within a LDAP entry's attribute but could not do so using groups. This latter scenario has been fixed in:

http://bugs.mysql.com/bug.php?id=54806

However, despite being able to use role mapping with groups now, I can no longer use user attributes.

How to repeat:
Configure LDAP authentication in MEM such that the user's role is specified in User Role Attribute Name.

Map LDAP Roles to Application Roles = checked
User Role Attribute Name = valid name
Role Search Pattern = leave blank
Role Attribute Name = leave blank
Role Search Base = leave blank
Search entire subtree = unchecked

Suggested fix:
Allow both methods of role mapping to work
[21 Jul 2010 18:44] Leandro Morgado
Hi Marcos,

I have both versions running and tested role mapping as follows:

2.2.1.1721:

* LDAP user, precreated in MEM dashboard, no role mapping: works, fetched password only from LDAP
* LDAP user, non existent in MEM dashboard, role mapping with user attribute: works, fetched password and role from LDAP, automatically created an LDAP user in MEM dashboard upon first successful login
* LDAP user, non existent in MEM dashboard, role mapping with LDAP groups and uniqueMember={0}: failed with user/password error

2.2.2.1730:

* LDAP user, precreated in MEM dashboard, no role mapping: works, fetched password only from LDAP
* LDAP user, non existent in MEM dashboard, role mapping with user attribute: failed with user/password error
* LDAP user, non existent in MEM dashboard, role mapping with LDAP groups and uniqueMember={0}: works, fetched password and role from LDAP, automatically created an LDAP user in MEM dashboard upon first successful login
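The two role-mapping modes exercised in the test matrix above, as an added example that is not part of the bug report and is not MEM's own code: a small in-memory model of an LDAP directory with one user carrying its role in an attribute and another whose role comes from a `groupOfUniqueNames` entry, resolved with either the user-attribute setting or a `uniqueMember={0}` search. The directory contents, the `memRole` attribute name and the `cfg` keys (which stand in for the dashboard fields listed in "How to repeat") are assumptions made for the illustration.

```python
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample directory (not real data): DN -> attribute values.
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["alice"],
        "memRole": ["manager"],  # assumed attribute: role stored on the user entry
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["bob"],  # no role attribute; role must come from a group
    },
    "cn=dba,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["dba"],
        "uniqueMember": ["uid=bob,ou=people,dc=example,dc=com"],
    },
    # Nested one level deeper: only visible when "Search entire subtree" is set.
    "cn=nested,cn=dba,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["nested"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the user DN is substituted into a filter, so special
    characters must not be able to change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Undo RFC 4515 \\XX escapes when the filter is evaluated."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def in_scope(dn: str, base: str, subtree: bool) -> bool:
    """One-level scope under base unless subtree search is enabled."""
    if not dn.endswith("," + base):
        return False
    relative = dn[: -len(base) - 1]
    return subtree or "," not in relative


def search(base: str, filt: str, subtree: bool) -> List[str]:
    """Evaluate a single equality filter '(attr=value)' against DIRECTORY."""
    attr, _, raw = filt.strip("()").partition("=")
    wanted = unescape_filter_value(raw)
    return [dn for dn, entry in DIRECTORY.items()
            if in_scope(dn, base, subtree) and wanted in entry.get(attr, [])]


def role_from_user_attribute(user_dn: str, attr_name: str) -> Optional[str]:
    """Mode 1 (User Role Attribute Name): read the role off the user's entry."""
    values = DIRECTORY.get(user_dn, {}).get(attr_name, [])
    return values[0] if values else None


def role_from_group_search(user_dn: str, base: str, pattern: str,
                           role_attr: str, subtree: bool) -> Optional[str]:
    """Mode 2 (Role Search Pattern / Role Attribute Name / Role Search Base):
    substitute the escaped user DN for {0} and take the role from the group."""
    filt = pattern.replace("{0}", escape_filter_value(user_dn))
    for dn in search(base, filt, subtree):
        values = DIRECTORY[dn].get(role_attr, [])
        if values:
            return values[0]
    return None


def map_role(user_dn: str, cfg: dict) -> Optional[str]:
    """Resolve a role with whichever mode cfg enables. Per the suggested fix,
    both modes must work; when both are set, try the attribute first and fall
    back to the group search. None means no role could be mapped."""
    if not cfg.get("map_roles"):
        return None
    if cfg.get("user_role_attribute"):
        role = role_from_user_attribute(user_dn, cfg["user_role_attribute"])
        if role:
            return role
    if cfg.get("role_search_pattern"):
        return role_from_group_search(user_dn, cfg["role_search_base"],
                                      cfg["role_search_pattern"],
                                      cfg["role_attribute"],
                                      cfg.get("subtree", False))
    return None


ATTR_CFG = {"map_roles": True, "user_role_attribute": "memRole"}
GROUP_CFG = {"map_roles": True, "role_search_pattern": "uniqueMember={0}",
             "role_attribute": "cn", "role_search_base": "ou=groups,dc=example,dc=com",
             "subtree": False}
```

A user with no resolvable role (bob under `ATTR_CFG`) gets `None`, which a dashboard should treat as a failed login rather than a default role; note also that enabling "Search entire subtree" is what makes the nested group visible for alice under `GROUP_CFG`.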
[17 Aug 2010 10:47] MC Brown
A note has been added to the 2.2.3 changelog: 

        Using LDAP authentication for mapping roles using user
        attributes would not authenticate correctly.