Details
Bug
Resolution: Fixed
Critical
6.5.0
Enterprise Edition 6.5.0 build 1949
Untriaged
Centos 64-bit
No
Description
1. Log in directly to a server that has LDAP configured. The UI shows: User does not have permission to log into the UI
[ns_server:debug,2019-01-03T01:26:12.290-08:00,ns_1@127.0.0.1:<0.4322.0>:ldap_util:eldap_search:108]LDAP search res [{base,"ou=users,dc=couchbase,dc=com"},
{attributes,["objectClass"]},
{scope,singleLevel},
{filter,
{extensibleMatch,
{timeout,5000}]: [{eldap_entry, "cn=ritam,ou=Users,dc=couchbase,dc=com", [{"objectClass",["inetOrgPerson"]}]}]
[ns_server:debug,2019-01-03T01:26:12.290-08:00,ns_1@127.0.0.1:<0.4322.0>:ldap_auth:get_user_DN:45]Built LDAP DN "<ud>cn=ritam,ou=Users,dc=couchbase,dc=com</ud>" for username "<ud>ritam</ud>"
[ns_server:debug,2019-01-03T01:26:12.574-08:00,ns_1@127.0.0.1:<0.4322.0>:ldap_util:with_connection:31]Connected to LDAP server
[ns_server:debug,2019-01-03T01:26:12.847-08:00,ns_1@127.0.0.1:<0.4322.0>:ldap_util:with_authenticated_connection:61]Bind for dn "<ud>cn=ritam,ou=Users,dc=couchbase,dc=com</ud>": ok
[ns_server:debug,2019-01-03T01:26:12.847-08:00,ns_1@127.0.0.1:<0.4401.0>:menelaus_roles:build_compiled_roles:830]Compile roles for user {"<ud>ritam</ud>",external}
[ns_server:debug,2019-01-03T01:26:13.116-08:00,ns_1@127.0.0.1:<0.4403.0>:ldap_util:with_connection:31]Connected to LDAP server
[ns_server:debug,2019-01-03T01:26:13.385-08:00,ns_1@127.0.0.1:<0.4403.0>:ldap_util:with_authenticated_connection:61]Bind for dn "<ud>cn=manager,dc=couchbase,dc=com</ud>": ok
[ns_server:debug,2019-01-03T01:26:13.823-08:00,ns_1@127.0.0.1:<0.4403.0>:ldap_util:eldap_search:108]LDAP search res [{base,"ou=Groups,dc=couchbase,dc=com"},
{attributes,["objectClass"]},
{scope,singleLevel},
{filter,
{equalityMatch,
{'AttributeValueAssertion',"member", "cn=ritam,OU=users,dc=couchbase,dc=com"}}},
{timeout,5000}]: []
[ns_server:debug,2019-01-03T01:26:13.823-08:00,ns_1@127.0.0.1:<0.4403.0>:ldap_auth:user_groups:103]Groups search for "<ud>ritam</ud>": {ok,[]}
[ns_server:debug,2019-01-03T01:26:13.824-08:00,ns_1@127.0.0.1:ns_audit<0.392.0>:ns_audit:handle_call:114]Audit login_failure: [{real_userid,{[{domain,external},
{user,<<"<ud>ritam</ud>">>}]}},
{remote,{[{ip,<<"10.112.180.1">>},{port,61799}]}},
{timestamp,<<"2019-01-03T01:26:13.824-08:00">>}]
2. Create an external user with the name 'ritam'. The UI shows: User does not have permission to log into the UI
[ns_server:debug,2019-01-03T01:29:01.046-08:00,ns_1@127.0.0.1:ns_audit<0.392.0>:ns_audit:handle_call:114]Audit login_failure: [{real_userid,{[{domain,external},
{user,<<"<ud>ritam</ud>">>}]}},
{remote,{[{ip,<<"10.112.180.1">>},{port,61801}]}},
{timestamp,<<"2019-01-03T01:29:01.046-08:00">>}]
3. Try to log in as user 'ritam' after some time, and the user is able to log in. Note the role for the user is empty.
[ns_server:debug,2019-01-03T01:31:58.162-08:00,ns_1@127.0.0.1:<0.13667.0>:ldap_util:with_connection:31]Connected to LDAP server
[ns_server:debug,2019-01-03T01:31:58.469-08:00,ns_1@127.0.0.1:<0.13667.0>:ldap_util:with_authenticated_connection:61]Bind for dn "<ud>cn=manager,dc=couchbase,dc=com</ud>": ok
[ns_server:debug,2019-01-03T01:31:58.777-08:00,ns_1@127.0.0.1:<0.13667.0>:ldap_util:eldap_search:108]LDAP search res [{base,"ou=users,dc=couchbase,dc=com"},
{attributes,["objectClass"]},
{scope,singleLevel},
{filter,
{extensibleMatch,
{'MatchingRuleAssertion',"caseExactMatch","uid", "ritam",asn1_DEFAULT}
}},
{timeout,5000}]: [
]}]
[ns_server:debug,2019-01-03T01:31:58.777-08:00,ns_1@127.0.0.1:<0.13667.0>:ldap_auth:get_user_DN:45]Built LDAP DN "<ud>cn=ritam,ou=Users,dc=couchbase,dc=com</ud>" for username "<ud>ritam</ud>"
[ns_server:debug,2019-01-03T01:31:59.044-08:00,ns_1@127.0.0.1:<0.13667.0>:ldap_util:with_connection:31]Connected to LDAP server
[ns_server:debug,2019-01-03T01:31:59.311-08:00,ns_1@127.0.0.1:<0.13667.0>:ldap_util:with_authenticated_connection:61]Bind for dn "<ud>cn=ritam,ou=Users,dc=couchbase,dc=com</ud>": ok
[ns_server:debug,2019-01-03T01:31:59.699-08:00,ns_1@127.0.0.1:<0.13700.0>:ldap_util:with_connection:31]Connected to LDAP server
[ns_server:debug,2019-01-03T01:31:59.967-08:00,ns_1@127.0.0.1:<0.13700.0>:ldap_util:with_authenticated_connection:61]Bind for dn "<ud>cn=manager,dc=couchbase,dc=com</ud>": ok
[ns_server:debug,2019-01-03T01:32:00.300-08:00,ns_1@127.0.0.1:<0.13700.0>:ldap_util:eldap_search:108]LDAP search res [{base,"ou=Groups,dc=couchbase,dc=com"},
{attributes,["objectClass"]},
{scope,singleLevel},
{filter,
{equalityMatch,
}},
{timeout,5000}]: []
[ns_server:debug,2019-01-03T01:32:00.300-08:00,ns_1@127.0.0.1:<0.13700.0>:ldap_auth:user_groups:103]Groups search for "<ud>ritam</ud>": {ok,[]}
[ns_server:debug,2019-01-03T01:32:00.301-08:00,ns_1@127.0.0.1:ns_audit<0.392.0>:ns_audit:handle_call:114]Audit login_success: [{roles,[<<"admin">>]},
{real_userid,{[
{user,<<"<ud>ritam</ud>">>}]}},
{sessionid,<<"c22144aa0ab4bf1c866cc70d43d1f9af">>},
{remote,{[{ip,<<"10.112.180.1">>},{port,61825}]}},
{timestamp,<<"2019-01-03T01:32:00.301-08:00">>}]
4. Remove the user 'ritam' from the external users; the user is still able to log in.
[ns_server:debug,2019-01-03T01:34:25.507-08:00,ns_1@127.0.0.1:ns_audit<0.392.0>:ns_audit:handle_call:114]Audit login_success: [{roles,[]},
{real_userid,{[{domain,external}
,
{user,<<"<ud>ritam</ud>">>}]}},
{sessionid,<<"3a01adea7df4701f2601ee5b12e80041">>},
{remote,{[
,{port,61896}]}},
{timestamp,<<"2019-01-03T01:34:25.507-08:00">>}]
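A detection check for the condition reported in steps 3 and 4, written as an added example (not Couchbase code and not part of the original report): it parses multi-line ns_audit records from the debug log and flags successful external-domain logins whose roles list is empty. The sample records, user names and function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the ns_audit records in this report (not real data).
SAMPLE_LOG = """\
[ns_server:debug,2019-01-03T01:26:13.824-08:00,ns_1@127.0.0.1:ns_audit<0.392.0>:ns_audit:handle_call:114]Audit login_failure: [{real_userid,{[{domain,external},
{user,<<"<ud>alice</ud>">>}]}},
{remote,{[{ip,<<"192.0.2.10">>},{port,61799}]}},
{timestamp,<<"2019-01-03T01:26:13.824-08:00">>}]
[ns_server:debug,2019-01-03T01:32:00.301-08:00,ns_1@127.0.0.1:ns_audit<0.392.0>:ns_audit:handle_call:114]Audit login_success: [{roles,[<<"admin">>]},
{real_userid,{[{domain,external},
{user,<<"<ud>bob</ud>">>}]}},
{timestamp,<<"2019-01-03T01:32:00.301-08:00">>}]
[ns_server:debug,2019-01-03T01:34:25.507-08:00,ns_1@127.0.0.1:ns_audit<0.392.0>:ns_audit:handle_call:114]Audit login_success: [{roles,[]},
{real_userid,{[{domain,external},
{user,<<"<ud>alice</ud>">>}]}},
{timestamp,<<"2019-01-03T01:34:25.507-08:00">>}]
"""

EVENT = re.compile(r"Audit (login_success|login_failure): ")
ROLES = re.compile(r"\{roles,\[(.*?)\]\}", re.S)
DOMAIN = re.compile(r"\{domain,(\w+)\}")
USER = re.compile(r'\{user,<<"(?:<ud>)?(.*?)(?:</ud>)?">>\}')
STAMP = re.compile(r'\{timestamp,<<"(.*?)">>\}')

def audit_events(text):
    """Yield one dict per login audit record; records may span several lines."""
    for record in re.split(r"(?m)^(?=\[ns_server:)", text):
        event = EVENT.search(record)
        if not event:
            continue
        roles, domain = ROLES.search(record), DOMAIN.search(record)
        user, stamp = USER.search(record), STAMP.search(record)
        yield {
            "event": event.group(1),
            # None means the record carried no roles key (e.g. login_failure).
            "roles": re.findall(r'<<"(.*?)">>', roles.group(1)) if roles else None,
            "domain": domain.group(1) if domain else None,
            "user": user.group(1) if user else None,
            "timestamp": stamp.group(1) if stamp else None,
        }

def roleless_external_logins(text):
    """Successful logins by external-domain users that were granted no roles."""
    return [e for e in audit_events(text)
            if e["event"] == "login_success"
            and e["domain"] == "external" and e["roles"] == []]

if __name__ == "__main__":
    for hit in roleless_external_logins(SAMPLE_LOG):
        print(hit["timestamp"], hit["user"], "logged in with no roles")
```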