Added: auth_ldap_skip_group_check when ldap_compare is not supported (l…

…ibrenms#13926) * Adding an option (auth_ldap_skip_group_check) to bypass ldap_compare if the server does not support the option * add auth_ldap_skip_group_check to config_definitions.json * update resources/lang/en/settings.php * add missing comma * rename auth_ldap_skip_group_check to auth_ldap_require_groupmembership and change logic Co-authored-by: Tony Murray <[email protected]>
nox-x · May 6, 2022 · c3cf527 · c3cf527
1 parent 9f388c9
commit c3cf527
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/LibreNMS/Authentication/LdapAuthorizer.php b/LibreNMS/Authentication/LdapAuthorizer.php
@@ -29,6 +29,12 @@ public function authenticate($credentials)
                 if ((Config::has('auth_ldap_binduser') || Config::has('auth_ldap_binddn')) && Config::has('auth_ldap_bindpassword')) {
                     $this->bind();
                 }
+
+                if (Config::get('auth_ldap_require_groupmembership') === false) {
+                    // skip group check if the server does not support ldap_compare (hint: google gsuite ldap)
+                    return true;
+                }
+
                 $ldap_groups = $this->getGroupList();
                 if (empty($ldap_groups)) {
                     // no groups, don't check membership

diff --git a/misc/config_definitions.json b/misc/config_definitions.json
@@ -578,6 +578,13 @@
             "order": 0,
             "type": "text"
         },
+        "auth_ldap_require_groupmembership": {
+            "default": true,
+            "group": "auth",
+            "section": "ldap",
+            "order": 4,
+            "type": "boolean"
+        },
         "auth_ldap_starttls": {
             "default": "disabled",
             "group": "auth",

diff --git a/resources/lang/en/settings.php b/resources/lang/en/settings.php
@@ -365,6 +365,10 @@
             'description' => 'Group access',
             'help' => 'Define groups that have access and level',
         ],
+        'auth_ldap_require_groupmembership' => [
+            'description' => 'LDAP Group membership verification',
+            'help' => 'Perform (or skip) ldap_compare when the provider allows (or does not) for the Compare action.',
+        ],
         'auth_ldap_port' => [
             'description' => 'LDAP port',
             'help' => 'Port to connect to servers on. For LDAP it should be 389, for LDAPS it should be 636',