Cannot open "Backups" using an LDAP Account:


#1

Hello, I configured urbackup (version 2.3.7 on bionic) for LDAP authentication, which is working as expected. I can access every top menu except “Backups”; selecting Backups gives me the following error:

Sorry, something went wrong or you do not have the required rights to access this file or folder.(token_not_in_session)

This seems to be a duplicate of:

I opened a new issue because the old one has been ignored for nearly 2 years.

I use the following ACL for my Group:

LDAP/AD group rights map: CN=Backup Operators,CN=Builtin,DC=objectbay,DC=com==>all=all
LDAP/AD class rights map: user==>lastacts={AUTOCLIENTS},progress={AUTOCLIENTS},status={AUTOCLIENTS},stop_backup={AUTOCLIENTS},start_backup=all,browse_backups=tokens

I also tried:
CN=Backup Operators,CN=Builtin,DC=objectbay,DC=com==>all=all
LDAP/AD class rights map: user==>all=all

The user is a member of the AD group “Backup Operators” in the Builtin OU.

Two more questions:

In the old post there is a hint to the “user_tokens” table in “backup_server.db”. Why are there so many entries for one user, and can you explain the purpose of the table to me? All AD users seem to be included in this table, no matter whether they were logged in or not.

What does “{AUTOCLIENTS}” exactly mean in the above query?


#2

The mapping to administrator (“all=all”) failed and it falls back to normal user authentication. {AUTOCLIENTS} means it automatically shows all clients where the user was logged in (and shows the files which the user can access). If you look at the user_tokens table you should find the clients where a user was logged in.

You can check the query, e.g. via

curl -B "ldap://192.168.0.x/{GROUP_CLASS_QUERY_WITH_USERNAME_REPLACED}" -u "Administrator:password"

e.g.

curl -B "ldap://192.168.0.x/DC=objectbay,DC=com?memberOf,objectClass?sub?(sAMAccountName=Operator)" -u "Administrator:password"

There should be a line with memberOf: CN=Backup Operators,CN=Builtin,DC=objectbay,DC=com


#3

Sorry for my late reply. Group membership in Active Directory is correct, and the CN used in my configuration is also correct. I can log in to urbackup with my domain account; only selecting “Backups” brings an error, all other actions work as expected.

OK, I understand the purpose of “{AUTOCLIENTS}”, but how can I log in to a client if it only shows clients where I was logged in? Does it mean an “ssh” login? This won't ever be the case. A user named “admin” like in urbackup also does not exist on the clients.

I can imagine that the installation token generated for a client is registered to the user who added the client to urbackup; this would explain why all clients are listed for “admin”, because this was the only user used until now. If this is the case, is there a way to add a second token to give other users access to the client?

Not the best English :wink:


#4

OK, I can reproduce and see the issue. It’s mainly designed for Windows for now. If you log in (locally or via remote terminal), it’ll create e.g. C:\Users\Username (and SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\{ACCOUNT_SID}). It’ll only list the clients with those folders in the backups list, not all clients where there is a file which the user can read with the LDAP permissions.

The issue is that this also happens if you have all=all permissions. This will get fixed with the next version.

I also haven’t tested this with Linux clients (so it probably won’t work). Maybe it’ll list all clients and maybe none…
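The two rights maps quoted in the first post and the {AUTOCLIENTS} expansion explained in posts #2 and #4 can be modelled in a few lines. The following is an added illustrative example, not UrBackup's own code or parser: it assumes an entry has the form KEY==>right=value,right=value, that a matching group DN entry takes precedence over the objectClass entry, that the value "all" means every client, that "{AUTOCLIENTS}" means the clients recorded for that user in user_tokens, and that "all=all" grants every right on every client. The user_tokens rows and client names are constructed sample data.

```python
"""Added illustrative model (not UrBackup's code) of how the LDAP/AD rights
maps from this thread could be resolved for one user.

Assumptions (not confirmed by the thread): an entry is KEY==>right=value,...;
a matching group DN entry wins over the objectClass entry; 'all' means every
client; '{AUTOCLIENTS}' means the clients recorded for the user in
user_tokens; 'all=all' grants every right on every client.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Rights maps exactly as quoted in post #1.
GROUP_MAP = "CN=Backup Operators,CN=Builtin,DC=objectbay,DC=com==>all=all"
CLASS_MAP = ("user==>lastacts={AUTOCLIENTS},progress={AUTOCLIENTS},"
             "status={AUTOCLIENTS},stop_backup={AUTOCLIENTS},"
             "start_backup=all,browse_backups=tokens")

# Constructed stand-in for rows of the user_tokens table: (username, clientname).
USER_TOKENS = [("operator", "PC01"), ("operator", "PC02"), ("alice", "PC03")]
ALL_CLIENTS = {"PC01", "PC02", "PC03", "SRV01"}   # constructed client list


def parse_rights_map(entry: str) -> Tuple[str, Dict[str, str]]:
    """Split 'KEY==>a=b,c=d' into ('KEY', {'a': 'b', 'c': 'd'}).
    Splitting on '==>' first keeps the commas of a group DN inside the key."""
    key, sep, rights = entry.partition("==>")
    if not sep:
        raise ValueError(f"missing '==>' in rights map entry: {entry!r}")
    parsed: Dict[str, str] = {}
    for item in rights.split(","):
        name, eq, value = item.partition("=")
        if not eq or not name.strip():
            raise ValueError(f"bad right {item!r} in {entry!r}")
        parsed[name.strip()] = value.strip()
    return key.strip(), parsed


def auto_clients(username: str, user_tokens: Iterable[Tuple[str, str]]) -> Set[str]:
    """Expand {AUTOCLIENTS}: every client with a user_tokens row for this user."""
    return {client for user, client in user_tokens if user.lower() == username.lower()}


def select_rights(member_of: Iterable[str], object_classes: Iterable[str],
                  group_entries: List[str], class_entries: List[str]) -> Dict[str, str]:
    """First group DN entry the user is a member of wins (compared case-insensitively);
    otherwise the first entry matching one of the user's objectClass values."""
    groups = {g.lower() for g in member_of}
    for entry in group_entries:
        dn, rights = parse_rights_map(entry)
        if dn.lower() in groups:
            return rights
    classes = set(object_classes)
    for entry in class_entries:
        cls, rights = parse_rights_map(entry)
        if cls in classes:
            return rights
    return {}


def visible_clients(username: str, member_of: Iterable[str], object_classes: Iterable[str],
                    right: str, group_entries=(GROUP_MAP,), class_entries=(CLASS_MAP,),
                    user_tokens=USER_TOKENS, all_clients=ALL_CLIENTS) -> Set[str]:
    """Clients on which `username` holds `right` (e.g. 'browse_backups')."""
    rights = select_rights(member_of, object_classes, list(group_entries), list(class_entries))
    value = rights.get("all") or rights.get(right)   # 'all=all' covers every right
    if value is None:
        return set()
    if value == "all":
        return set(all_clients)
    if value == "{AUTOCLIENTS}":
        return auto_clients(username, user_tokens)
    # 'tokens' (assumed here) is not a client list: browsing then depends on
    # per-file backup access tokens, so the map alone lists no client.
    return set()


if __name__ == "__main__":
    operator_group = ["CN=Backup Operators,CN=Builtin,DC=objectbay,DC=com"]
    print("group match, browse_backups:", visible_clients("operator", operator_group, ["user"], "browse_backups"))
    print("class fallback, lastacts:   ", visible_clients("operator", [], ["user"], "lastacts"))
    print("class fallback, browse:     ", visible_clients("operator", [], ["user"], "browse_backups"))
```

The second and third printed cases are the fallback described in post #2: when the group mapping does not match, the "user" class entry applies, so the status-type views list only the user's {AUTOCLIENTS} and the Backups view gets no client from the map at all.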


#5

Thank you for the explanation. I think it makes more sense to show all clients, since Backup Operators are only a small group of people or maybe only one person. In most cases the Backup Operator has no access to all systems, but your logic would assume that the admins/users of a system must take care of backups in urbackup and so must have access to the admin interface.