Issue with AUTH_ROLES_MAPPING in Superset LDAP Authentication

[amoi-amoi]

Bug description

Hello everyone,

I'm having trouble configuring AUTH_ROLES_MAPPING in Superset. I can successfully log in using my LDAP server credentials, but the user roles are not being mapped correctly.

If AUTH_USER_REGISTRATION_ROLE is set, all users are assigned that role, regardless of AUTH_ROLES_MAPPING.
If AUTH_USER_REGISTRATION_ROLE is not set, all users are assigned the public role.
It seems that AUTH_ROLES_MAPPING is not working as expected.

Here’s a summary of my setup:

Authentication works: Users can log in with LDAP credentials.
Role mapping does not work: Users are not assigned roles based on their LDAP groups.
This is the configuration I’m using for AUTH_ROLES_MAPPING:

AUTH_ROLES_MAPPING = {
"cn=superset_admin,ou=People,dc=my-domain,dc=com": ["Admin"],
"cn=superset_external,ou=People,dc=my-domain,dc=com": ["Alpha"],
"cn=superset_readonly,ou=People,dc=my-domain,dc=com": ["Admin"],
"cn=superset_sqllab,ou=People,dc=my-domain,dc=com": ["Alpha"]
}

I have also set the following parameter:

AUTH_LDAP_GROUP_FIELD = "memberUid"

I configured it as memberUid because, as shown in the attached screenshot, the user attribute appears to be memberUid instead of memberOf.

To provide more context, I’ve attached screenshots of both the user configuration and the group configuration from the LDAP server.

Has anyone encountered this issue before? Am I missing something in my configuration? Any help would be greatly appreciated!

Thanks in advance!

Screenshots/recordings

Superset version

4.1.1

Python version

Not applicable

Node version

I don't know

Browser

Not applicable

Additional context

I am running Superset on a Linux virtual machine

Checklist

• I have searched Superset docs and Slack and didn't find a solution to my problem.
• I have searched the GitHub issue tracker and didn't find a similar bug report.
• I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

[dosubot[bot]]

Hey there, @amoi-amoi! I'm here to help you with your Superset LDAP authentication issue. Let's work together to get this sorted out.

I found a similar unsolved discussion that might be relevant to your issue: Assign superset roles to Keycloak authenticated users using the AUTH_ROLES_MAPPING ^[1].

Regarding your issue with AUTH_ROLES_MAPPING, it seems like the mapping is not functioning as expected when using the memberUid attribute. Unfortunately, I couldn't find specific information on how Superset handles LDAP group membership when the AUTH_LDAP_GROUP_FIELD is set to memberUid. However, here are a few things you might want to check or try:

1. Verify LDAP Group Field: Ensure that the AUTH_LDAP_GROUP_FIELD is correctly set to the attribute that contains the group membership information. In your case, it is set to memberUid, which should match the attribute used in your LDAP server for group membership.

2. Check LDAP Group Membership: Confirm that the users are indeed members of the LDAP groups specified in your AUTH_ROLES_MAPPING. You can do this by querying your LDAP server to see if the memberUid attribute lists the correct users.

3. Superset Logs: Check the Superset logs for any errors or warnings related to LDAP authentication and role mapping. This might provide more insight into what is going wrong.

4. Configuration Consistency: Double-check your configuration for any typos or inconsistencies, especially in the distinguished names (DNs) used in AUTH_ROLES_MAPPING.

If these steps do not resolve the issue, you might need to explore further into the Superset codebase or consider reaching out to others who might have faced similar issues.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[dosubot[bot]]

I found a similar open issue that might be relevant to your problem. The suggested solution includes the following steps:

1. Verify that the AUTH_LDAP_GROUP_FIELD is correctly set to the attribute that contains the group membership information, which in your case is memberUid.
2. Confirm that the users are indeed members of the LDAP groups specified in your AUTH_ROLES_MAPPING by querying your LDAP server.
3. Check the Superset logs for any errors or warnings related to LDAP authentication and role mapping.
4. Double-check your configuration for any typos or inconsistencies, especially in the distinguished names (DNs) used in AUTH_ROLES_MAPPING.

You can find more details in the related issue ^[1].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[Anton-Kartashev]

Have a same problem. Superset version 3.0.0rc1 works fine before.

[AzharUddinSheikh]

Did anyone find the solution?