Cloudstack doesn't validate the account type and Role during ldapCreateAccount #12369
Replies: 8 comments
-
@kiranchavala I do not understand what is wrong here…? This is what you selected, right? Why is this an issue?
-
The account type should have a better explanation of what those are about.
-
Is there any relation between accounttype and roleid when using the following APIs?

https://cloudstack.apache.org/api/apidocs-4.20/apis/linkDomainToLdap.html
accounttype: Type of the account to auto import. Specify 0 for user and 2 for domain admin

https://cloudstack.apache.org/api/apidocs-4.20/apis/ldapCreateAccount.html
accounttype: Type of the account. Specify 0 for user, 1 for root admin, and 2 for domain admin
roleid: Creates the account under the specified role.

Currently, when using the linkDomainToLdap API, if I specify the accounttype as Domain admin (2) and later use the ldapCreateAccount API, I should be able to select only the Domain admin role, as the accounttype in linkDomainToLdap was Domain admin. Currently I can select any role; there is no validation performed by CloudStack.
https://cloudstack.apache.org/api/apidocs-4.20/apis/listRoles.html
-
@kiranchavala, this is asking for a refinement/new feature. @kiranchavala, there is no concept of dynamic roles in the integration with LDAP through autoimport (using linkDomainToLdap). With autosync (using linkAccountToLdap), which is newer, different parameters are possible. Don’t confuse the two. These are not a single feature. These are two ways of integrating LDAP. Both are prone to improvement.
-
@DaanHoogland, similar issue on Discussion
-
With this info it seems we should realize accountType is a legacy designation needed for backwards compatibility and became a bit redundant when dynamic roles were introduced. I have suggested a possible override mechanism in 10380 that may make roleid relevant when the account mapping occurs. In our particular situation linkAccountToLdap is not useful since we don't want users to see other users' instances. See https://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html I wonder if you are in the same situation. Even in the documentation they state: "Most installations need not surface the notion of Users; they just have one User per Account."
-
@MI-DROZ, I feel you are kind of proposing an account-level autosync, where the migration of LDAP users is not between accounts but between roles. This would make perfect sense to me. I do wonder though if people would want a mix between the two: sharing accounts but still having LDAP configure both account-level and user-level autosync. I am not uttering a preference and we can iterate to the best solution. For now I’d like to think about syncing roles for autoimported (and autodisabled) user-accounts.
-
Sort of. In my particular case I have a one-to-one relationship between accounts and users, so I'm more concerned with dealing with the auto mapping when they first log on to a domain. Since roles are applied at the account level based on an AD group membership, the function I'm using is the link domaintoldap feature. The link accounttoldap API already accepts "roleid=", so why not do the same on the domain level.

> I do wonder though if people would want a mix between the two; sharing accounts but still have LDAP configure both account level and user level autosync.

I guess I could see the benefit of a user-level role, but I think as things stand right now roles are assigned to accounts, and for my 1-to-1 mapping this is fine in my case; I'm just looking for the auto role assignment to happen with the domain-level mapping as well.
-
problem
CloudStack doesn't validate the account type and Role during ldapCreateAccount
versions
ACS 4.20.1
The steps to reproduce the bug
Steps to reproduce the issue
or execute the API
https://cloudstack.apache.org/api/apidocs-4.20/apis/linkDomainToLdap.html
(localcloud) 🐱 > link domaintoldap domainid=394cbde8-efe2-4ef2-bac0-fa5958fa4134 type=GROUP accounttype=2 ldapdomain=cn=dev-team,ou=Telco-Bng,dc=example,dc=in admin=admin
{
"LinkDomainToLdap": {
"accounttype": 2,
"domainid": "394cbde8-efe2-4ef2-bac0-fa5958fa4134",
"ldapdomain": "cn=qa-team,dc=example,dc=in",
"name": "cn=qa-team,dc=example,dc=in",
"type": "GROUP"
}
}
https://cloudstack.apache.org/api/apidocs-4.20/apis/ldapCreateAccount.html
Select the roletype as User
What to do about it?
CloudStack should validate the role and account type
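The check this report asks for, as an added illustration that is not CloudStack's own code: given the accounttype a domain was linked with via linkDomainToLdap and role records shaped like listRoles output, it rejects an ldapCreateAccount request whose accounttype or roleid is inconsistent with that link. The role type names (User, Admin, DomainAdmin), the role ids, the sample data and the mapping from accounttype to role type are assumptions.

```python
# Added illustration of the validation the report asks for (not CloudStack code).
# Assumed: accounttype values as in the API docs quoted above (0 user, 1 root
# admin, 2 domain admin); role records shaped like listRoles output (id, name,
# type) with the assumed role types User, Admin and DomainAdmin.

ACCOUNT_TYPE_TO_ROLE_TYPE = {
    0: "User",         # accounttype 0: user
    1: "Admin",        # accounttype 1: root admin
    2: "DomainAdmin",  # accounttype 2: domain admin
}

# Constructed sample roles (ids are placeholders, not real CloudStack UUIDs).
SAMPLE_ROLES = [
    {"id": "role-root-admin", "name": "Root Admin", "type": "Admin"},
    {"id": "role-domain-admin", "name": "Domain Admin", "type": "DomainAdmin"},
    {"id": "role-user", "name": "User", "type": "User"},
]

# Constructed sample of the linkDomainToLdap mapping from the report:
# the domain was linked with accounttype=2 (domain admin).
SAMPLE_DOMAIN_LINKS = {
    "394cbde8-efe2-4ef2-bac0-fa5958fa4134": {"accounttype": 2, "type": "GROUP"},
}


def validate_ldap_create_account(domainid, accounttype, roleid, domain_links, roles):
    """Return None when the request is consistent, else a rejection reason.

    The three checks are the ones the report says are missing:
      1. accounttype must equal the accounttype the domain was linked with;
      2. roleid must refer to an existing role;
      3. that role's type must be the one implied by accounttype.
    """
    link = domain_links.get(domainid)
    if link is None:
        return f"domain {domainid} is not linked to LDAP"
    if accounttype != link["accounttype"]:
        return (f"accounttype {accounttype} does not match the linked "
                f"accounttype {link['accounttype']}")
    expected_type = ACCOUNT_TYPE_TO_ROLE_TYPE.get(accounttype)
    if expected_type is None:
        return f"unsupported accounttype {accounttype}"
    role = next((r for r in roles if r["id"] == roleid), None)
    if role is None:
        return f"unknown roleid {roleid}"
    if role["type"] != expected_type:
        return (f"role {role['name']!r} has type {role['type']}, "
                f"expected {expected_type} for accounttype {accounttype}")
    return None
```

With the sample link above, only a role of type DomainAdmin passes; picking the User role, as in the reproduction steps, is rejected with the reason returned.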