diff --git a/pkg/api/ldap_debug.go b/pkg/api/ldap_debug.go index de87c128a89..b9064e9bb20 100644 --- a/pkg/api/ldap_debug.go +++ b/pkg/api/ldap_debug.go @@ -278,28 +278,33 @@ func (server *HTTPServer) GetUserFromLDAP(c *models.ReqContext) Response { orgRoles := []LDAPRoleDTO{} - // First, let's find the groupDN that we did match by inspecting the assigned user OrgRoles. - for _, group := range serverConfig.Groups { - orgRole, ok := user.OrgRoles[group.OrgId] - - if ok && orgRole == group.OrgRole { - r := &LDAPRoleDTO{GroupDN: group.GroupDN, OrgId: group.OrgId, OrgRole: group.OrgRole} - orgRoles = append(orgRoles, *r) + // Need to iterate based on the config groups as only the first match for an org is used + // We are showing all matches as that should help in understanding why one match wins out + // over another. + for _, configGroup := range serverConfig.Groups { + for _, userGroup := range user.Groups { + if configGroup.GroupDN == userGroup { + r := &LDAPRoleDTO{GroupDN: configGroup.GroupDN, OrgId: configGroup.OrgId, OrgRole: configGroup.OrgRole} + orgRoles = append(orgRoles, *r) + break + } } + //} } // Then, we find what we did not match by inspecting the list of groups returned from // LDAP against what we have already matched above. for _, userGroup := range user.Groups { - var matches int + var matched bool for _, orgRole := range orgRoles { if orgRole.GroupDN == userGroup { // we already matched it - matches++ + matched = true + break } } - if matches < 1 { + if !matched { r := &LDAPRoleDTO{GroupDN: userGroup} orgRoles = append(orgRoles, *r) } diff --git a/pkg/api/ldap_debug_test.go b/pkg/api/ldap_debug_test.go index b5815503f61..ce930b455e7 100644 --- a/pkg/api/ldap_debug_test.go +++ b/pkg/api/ldap_debug_test.go @@ -122,7 +122,7 @@ func TestGetUserFromLDAPApiEndpoint_OrgNotfound(t *testing.T) { OrgRole: models.ROLE_ADMIN, }, { - GroupDN: "cn=admins,ou=groups,dc=grafana2,dc=org", + GroupDN: "cn=admins,ou=groups,dc=grafana,dc=org", OrgId: 2, OrgRole: models.ROLE_VIEWER, }, @@ -148,7 +148,7 @@ func TestGetUserFromLDAPApiEndpoint_OrgNotfound(t *testing.T) { sc := getUserFromLDAPContext(t, "/api/admin/ldap/johndoe") - require.Equal(t, sc.resp.Code, http.StatusBadRequest) + require.Equal(t, http.StatusBadRequest, sc.resp.Code) expected := ` { @@ -183,6 +183,11 @@ func TestGetUserFromLDAPApiEndpoint(t *testing.T) { OrgId: 1, OrgRole: models.ROLE_ADMIN, }, + { + GroupDN: "cn=admins2,ou=groups,dc=grafana,dc=org", + OrgId: 1, + OrgRole: models.ROLE_ADMIN, + }, }, } @@ -240,6 +245,7 @@ func TestGetUserFromLDAPApiEndpoint_WithTeamHandler(t *testing.T) { Name: "John Doe", Email: "john.doe@example.com", Login: "johndoe", + Groups: []string{"cn=admins,ou=groups,dc=grafana,dc=org"}, OrgRoles: map[int64]models.RoleType{1: models.ROLE_ADMIN}, IsGrafanaAdmin: &isAdmin, } diff --git a/public/app/features/admin/ldap/LdapUserGroups.tsx b/public/app/features/admin/ldap/LdapUserGroups.tsx index a21cd4da876..be74a1cb3f7 100644 --- a/public/app/features/admin/ldap/LdapUserGroups.tsx +++ b/public/app/features/admin/ldap/LdapUserGroups.tsx @@ -17,7 +17,14 @@ export const LdapUserGroups: FC = ({ groups, showAttributeMapping }) => { {showAttributeMapping && LDAP Group} - Organisation + + Organization + + + + + + Role