Chocobozzz / PeerTube

ActivityPub-federated video streaming platform using P2P directly in your web browser
https://joinpeertube.org/
GNU Affero General Public License v3.0
12.95k stars 1.49k forks

Backend returned code 400, errorMessage is: Invalid grant: user credentials are invalid #6577

Closed getsueineko closed 1 week ago

getsueineko commented 2 weeks ago

Describe the current behavior

I'm trying to set up the LDAP plugin.

There is no documentation with examples, I couldn't find any examples online either. I have MS AD, domain example.local

Question in advance - should the registration permission setting be enabled in this case?

I got the error in the logs:

peertube-1  | [peertube.example.com:443 peertube-plugin-auth-ldap] 2024-09-04 14:46:24.888 warn: Cannot login john.smith@example.local in LDAP plugin. {
peertube-1  |   "err": "no such user: \"john.smith@example.local\""
peertube-1  | }
peertube-1  | [peertube.example.com:443] 2024-09-04 14:46:24.900 warn: Login error {
peertube-1  |   "err": {
peertube-1  |     "stack": "invalid_grant: Invalid grant: user credentials are invalid\n    at handlePasswordGrant (file:///app/dist/core/lib/auth/oauth.js:112:15)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async handleToken (file:///app/dist/core/controllers/api/users/token.js:32:23)",
peertube-1  |     "message": "Invalid grant: user credentials are invalid",
peertube-1  |     "statusCode": 400,
peertube-1  |     "status": 400,
peertube-1  |     "code": 400,
peertube-1  |     "name": "invalid_grant"
peertube-1  |   }
peertube-1  | }
peertube-1  | [peertube.example.com:443] 2024-09-04 14:46:24.901 info: 10.17.82.62 - - [04/Sep/2024:14:46:24 +0000] "POST /api/v1/users/token HTTP/1.0" 400 325 "https://peertube.example.com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
peertube-1  | [peertube.example.com:443] 2024-09-04 14:46:24.921 error: Client log: Backend returned code 400, errorMessage is: Invalid grant: user credentials are invalid {
peertube-1  |   "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
peertube-1  |   "meta": "{\"url\":\"https://peertube.example.com/api/v1/users/token\"}",
peertube-1  |   "url": "https://peertube.example.com/login"
peertube-1  | }
peertube-1  | [peertube.example.com:443] 2024-09-04 14:46:24.922 info: 10.17.82.62 - - [04/Sep/2024:14:46:24 +0000] "POST /api/v1/server/logs/client HTTP/1.0" 204 - "https://peertube.example.com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"

Steps to reproduce

After looking at https://github.com/Chocobozzz/PeerTube/issues/2773 I made the following settings:

Auth weight
100

URL
Starting with ldap:// or ldaps://
ldap://example.local:389

Insecure TLS [Marked]

Path to LDAP Server Certificate Chain of Trust

Bind DN
CN=sv_peertube,OU=ServiceAcc,DC=example,DC=local

Bind Password
P@$$w0rd

Search base
DC=example,DC=local

Search filter
(|(mail={{mail}})(sAMAccountName={{username}}))

Mail property
mail

Mail property index
If you have many results for the email attribute, you may define the index of the result to pick:
0

Username property
sAMAccountName

Group base
Fill the following settings to map PeerTube roles to LDAP Groups. LDAP users without any valid LDAP group will be by default refused login. Leave empty to let LDAP users join with default User role.

Group filter
(member={{dn}})

Administrator group DN
CN=Peertube Administrators,OU=IT,OU=Peertube,DC=example,DC=local

Moderator group DN
CN=Peertube Moderators,OU=IT,OU=Peertube,DC=example,DC=local

User group DN
CN=Peertube Users,OU=IT,OU=Peertube,DC=example,DC=local

No group matched login [Marked]
If no LDAP Group has matched, join with default User role

Describe the expected behavior

I should be able to log in with an AD user.

Additional information
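
A pre-flight check over the settings posted above, as an added example that is not code from PeerTube or from peertube-plugin-auth-ldap. It flags the two transport choices a practitioner would question (plain ldap:// on 389 and "Insecure TLS"), a DN that does not parse, and placeholders the plugin will not substitute. Assumptions, inferred from this thread rather than from plugin source: the search filter substitutes only {{username}}, the group filter only {{dn}}, and "Insecure TLS" disables server certificate verification; the ldaps host and port in the hardened variant are made up.

```javascript
// Added example, not PeerTube or peertube-plugin-auth-ldap code.
// Assumptions (inferred from the issue thread, not from plugin source):
// the search filter substitutes only {{username}}, the group filter only
// {{dn}}, and "Insecure TLS" turns off server certificate verification.
const PLACEHOLDERS = { searchFilter: ['username'], groupFilter: ['dn'] };

// Split "CN=a,OU=b,DC=c" into [attr, value] pairs; null if an RDN lacks "=".
function parseDn(dn) {
  const rdns = [];
  for (const part of dn.split(',')) {
    const i = part.indexOf('=');
    if (i <= 0) return null;
    rdns.push([part.slice(0, i).trim().toUpperCase(), part.slice(i + 1).trim()]);
  }
  return rdns;
}

// Placeholder names present in a template that the plugin will not fill in.
function unknownPlaceholders(template, allowed) {
  return [...template.matchAll(/\{\{\s*(\w+)\s*\}\}/g)]
    .map(m => m[1])
    .filter(name => !allowed.includes(name));
}

// Returns { code, detail } findings; an empty array means nothing was flagged.
function checkSettings(s) {
  const findings = [];
  const url = new URL(s.url);
  if (url.protocol !== 'ldaps:') {
    findings.push({ code: 'cleartext-bind',
      detail: `${s.url}: simple bind sends the bind password and every user's password in cleartext unless StartTLS is negotiated` });
  }
  if (s.insecureTls) {
    findings.push({ code: 'insecure-tls',
      detail: 'server certificate is not verified, so an on-path attacker can impersonate the directory and collect credentials' });
  }
  for (const [name, dn] of [['bindDn', s.bindDn], ...Object.entries(s.groupDns || {})]) {
    if (!parseDn(dn)) findings.push({ code: 'malformed-dn', detail: `${name}: ${dn}` });
  }
  for (const ph of unknownPlaceholders(s.searchFilter, PLACEHOLDERS.searchFilter)) {
    findings.push({ code: 'unknown-placeholder',
      detail: `searchFilter: {{${ph}}} is not substituted, so that clause matches nothing` });
  }
  for (const ph of unknownPlaceholders(s.groupFilter, PLACEHOLDERS.groupFilter)) {
    findings.push({ code: 'unknown-placeholder', detail: `groupFilter: {{${ph}}}` });
  }
  return findings;
}

// Settings transcribed from the issue (password omitted).
const POSTED_SETTINGS = {
  url: 'ldap://example.local:389',
  insecureTls: true,
  bindDn: 'CN=sv_peertube,OU=ServiceAcc,DC=example,DC=local',
  searchFilter: '(|(mail={{mail}})(sAMAccountName={{username}}))',
  groupFilter: '(member={{dn}})',
  groupDns: {
    admin: 'CN=Peertube Administrators,OU=IT,OU=Peertube,DC=example,DC=local',
    moderator: 'CN=Peertube Moderators,OU=IT,OU=Peertube,DC=example,DC=local',
    user: 'CN=Peertube Users,OU=IT,OU=Peertube,DC=example,DC=local',
  },
};

// Same settings with transport and filter corrected (ldaps host/port assumed).
const HARDENED_SETTINGS = {
  ...POSTED_SETTINGS,
  url: 'ldaps://dc.example.local:636',
  insecureTls: false,
  searchFilter: '(|(mail={{username}})(sAMAccountName={{username}}))',
};

console.log('posted  :', checkSettings(POSTED_SETTINGS).map(f => f.code));
console.log('hardened:', checkSettings(HARDENED_SETTINGS).map(f => f.code));
```

With the posted values the check reports cleartext-bind, insecure-tls and one unknown placeholder ({{mail}}); the hardened variant reports nothing. The "Path to LDAP Server Certificate Chain of Trust" field is what lets the ldaps:// variant verify the domain controller's certificate without marking Insecure TLS.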

getsueineko commented 2 weeks ago

@Chocobozzz The problem is in the username format. If I use john_smith, then everything is fine, but if we use john.smith, then there will be an error. I think it is worth fixing in the next version of the plugin.

Chocobozzz commented 2 weeks ago

Can you check if it works with the john.smith format using ldapsearch? (https://tylersguides.com/guides/search-active-directory-ldapsearch/)

getsueineko commented 2 weeks ago

Can you check if it works with the john.smith format using ldapsearch? (https://tylersguides.com/guides/search-active-directory-ldapsearch/)

I checked john_smith and john.smith and got property records from AD in both cases

Like:

ldapsearch -H ldap://dc.example.local -x -W -D "john.smith@example.local" -b "DC=example,DC=local" "(sAMAccountName=john.smith)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <DC=example,DC=local> with scope subtree
# filter: (sAMAccountName=john.smith)
# requesting: ALL
#

# john.smith, IT, example.local
dn: CN=john.smith,OU=IT,DC=example,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: john.smith
sn: john.smith
...

etc

ldidry commented 2 weeks ago

Do john.smith and john_smith belong to the same groups?

ldidry commented 2 weeks ago

Note: your search filter should be (|(mail={{username}})(sAMAccountName={{username}})) instead of (|(mail={{mail}})(sAMAccountName={{username}}))

getsueineko commented 1 week ago

Note: your search filter should be (|(mail={{username}})(sAMAccountName={{username}})) instead of (|(mail={{mail}})(sAMAccountName={{username}}))

Yes, you're right. It works like a charm. I was able to log in as john.smith. Thank you!
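
To show concretely what ldidry's filter correction changes, here is an added example (not code from PeerTube or from peertube-plugin-auth-ldap) that renders both search-filter templates from this thread for a typed login and evaluates them against a constructed in-memory directory. It assumes, as the thread implies, that only {{username}} is substituted and any other {{...}} token stays in the filter as literal text; the two directory entries are made up to mirror the ldapsearch output above. The login value is escaped per RFC 4515 before substitution, so a crafted username cannot change the filter's structure.

```javascript
// Added example, not PeerTube or peertube-plugin-auth-ldap code.
// Assumption (from the thread): only {{username}} is substituted; any other
// {{...}} token is left in the filter verbatim.

// RFC 4515 escaping: \ * ( ) and NUL become \xx, so a typed login can never
// close the current clause or append another one.
function escapeFilterValue(value) {
  return value.replace(/[\\*()\0]/g,
    c => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

function unescapeFilterValue(value) {
  return value.replace(/\\([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

function renderFilter(template, username) {
  const escaped = escapeFilterValue(username);
  // A function replacer avoids "$&"-style expansion of the login string.
  return template.replace(/\{\{username\}\}/g, () => escaped);
}

// Minimal parser for (attr=value), (&...), (|...) and (!...) filters.
// Returns [node, indexAfterFilter].
function parseFilter(s, i = 0) {
  if (s[i] !== '(') throw new Error(`expected "(" at ${i}`);
  i += 1;
  const op = s[i];
  if (op === '&' || op === '|' || op === '!') {
    i += 1;
    const children = [];
    while (s[i] === '(') {
      const [child, next] = parseFilter(s, i);
      children.push(child);
      i = next;
    }
    if (s[i] !== ')') throw new Error(`expected ")" at ${i}`);
    return [{ op, children }, i + 1];
  }
  const eq = s.indexOf('=', i);
  const close = s.indexOf(')', eq);
  if (eq < 0 || close < 0) throw new Error(`malformed item at ${i}`);
  const attr = s.slice(i, eq).toLowerCase();
  return [{ op: '=', attr, value: unescapeFilterValue(s.slice(eq + 1, close)) }, close + 1];
}

// AD compares mail and sAMAccountName case-insensitively.
function matches(node, entry) {
  switch (node.op) {
    case '&': return node.children.every(c => matches(c, entry));
    case '|': return node.children.some(c => matches(c, entry));
    case '!': return !matches(node.children[0], entry);
    default: {
      const values = entry.attrs[node.attr] || [];
      return values.some(v => v.toLowerCase() === node.value.toLowerCase());
    }
  }
}

// Constructed entries standing in for the AD objects seen via ldapsearch.
const DIRECTORY = [
  { dn: 'CN=john.smith,OU=IT,DC=example,DC=local',
    attrs: { samaccountname: ['john.smith'], mail: ['john.smith@example.local'] } },
  { dn: 'CN=john_smith,OU=IT,DC=example,DC=local',
    attrs: { samaccountname: ['john_smith'], mail: ['john_smith@example.local'] } },
];

// DNs of the entries the rendered filter matches, in directory order.
function searchDirectory(template, username, directory = DIRECTORY) {
  const [node] = parseFilter(renderFilter(template, username));
  return directory.filter(e => matches(node, e)).map(e => e.dn);
}

const ORIGINAL_FILTER = '(|(mail={{mail}})(sAMAccountName={{username}}))';
const CORRECTED_FILTER = '(|(mail={{username}})(sAMAccountName={{username}}))';

for (const login of ['john.smith@example.local', 'john.smith', 'john_smith', '*']) {
  console.log(login, '->', {
    original: searchDirectory(ORIGINAL_FILTER, login),
    corrected: searchDirectory(CORRECTED_FILTER, login),
  });
}
```

Under these assumptions the original template can only ever match what the user types against sAMAccountName, because its mail clause compares against the literal string "{{mail}}"; the corrected template matches the typed value against either attribute, which is why a login such as john.smith@example.local succeeds with it. The escaping step is the part worth keeping even once the filter is right: a login of "*" is rendered as "\2a" and matches nothing, instead of becoming a presence filter.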