Crivaledaz / Mattermost-LDAP

This module provides an external LDAP authentication in Mattermost for the Team Edition (free).
MIT License

Not Reaching LDAP Login Page #33

Closed nrayburn-tech closed 5 years ago

nrayburn-tech commented 5 years ago

I am attempting to get active directory configured on Windows. When I click the "Gitlab" button to sign in with the active directory credentials, I am redirected a few times before I end up back to the original login page. I never get to the screen that asks for me to enter my active directory credentials. Based on the information from the Network tab in Chrome Developer Tools, this is the order in which requests are made.

  1. http://hostname:8065/oauth/gitlab/login (Status 302 Found)

  2. http://hostname:8065/oauth/authorize.php?response_type=code&client_id=7fdf48721184242c9bb1a2986a1d853b9342e2f56dc7dda5a700f4bdc7fbd55f&redirect_uri=http%3A%2F%hostname%3A8065%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsb2dpbiIsInRva2VuIjoicmplaHNudHhmcXk5eTRrcnJ6a2Q4b285NzZrYTl0M215bWQxbXE1NnVhZjF3a3d0ZmVzbml0aHF5dzZiNWE5NCJ9

  3. http://hostname:8065/api/v4/config/client?format=old

  4. http://hostname:8065/api/v4/license/client?format=old (Status 304 Not Modified)

  5. http://hostname:8065/api/v4/plugins/webapp (Status 501 Not Implemented)

  6. http://hostname:8065/api/v4/users/logout

  7. ws://hostname:8065/api/v4/websocket (Status 101 Switching Protocols)

  8. http://hostname:8065/?redirect_to=%2Foauth%2Fauthorize.php

  9. http://hostname:8065/api/v4/config/client?format=old

  10. http://hostname:8065/api/v4/license/client?format=old (Status 304 Not Modified)

  11. http://hostname:8065/api/v4/plugins/webapp (Status 501 Not Implemented)

I listed response statuses for anything that was not 200.

ldap.php in the root folder does work properly from the command line for listing active directory users.

Can you provide any information on what might be causing this or how I could test it further?

Mattermost Team 5.11.0 MySQL 5.11 php 7.3.6 Windows Server 2012

Crivaledaz commented 5 years ago

Hi,

At first glance, you seem to never reach the oauth server, because all requests point to http://hostname:8065.

Normally, the connection sequence should be the following:

  1. You click on the Gitlab button from http://<mattermost-server>:8065/login
  2. You are redirected to the Oauth server with client parameters: http://<oauth-server>:80/oauth/authorize.php?response_type=code&client_id=<client-id-token>&redirect_uri=http%3A%2F%2F<mattermost-server>%3A8065%2Fsignup%2Fgitlab%2Fcomplete&state=<state-token>
  3. Since you are not logged in, the Oauth server redirects you to the login form: http://<oauth-server>:80/oauth/index.php
  4. After you fill in the form with your credentials and click connect, you come back to the authorization page: http://<oauth-server>:80/oauth/authorize.php?response_type=code&client_id=<client-id-token>&redirect_uri=http%3A%2F%2F<mattermost-server>%3A8065%2Fsignup%2Fgitlab%2Fcomplete&state=<state-token>
  5. You click authorize, and you are redirected to http://<mattermost-server>:8065/signup/gitlab/complete
  6. Finally, after a few redirects, only on the Mattermost server, you are logged in to Mattermost and you should see your channels.

In your case, at step 2, the Mattermost server redirects you to the Mattermost server instead of the Oauth server. Thus, can you check your Gitlab config and adapt the parameters with the Oauth server address, which should start with http://hostname:80 or just http://hostname if Mattermost-LDAP is installed on the same server.

I hope this is the solution to your problem, let me know.

Regards
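The two failure modes in this thread (step 2 pointing back at the Mattermost host/port, and the later `redirect_uri_mismatch` token error) can both be spotted from the first 302 and from mattermost.log. The following is an added diagnostic, not part of Mattermost-LDAP or Mattermost; hostnames, tokens and the sample log line are constructed, and it assumes the OAuth server compares `redirect_uri` as an exact string.

```python
# Added diagnostic for the redirect chain described above; not Mattermost-LDAP code.
import json
from urllib.parse import urlsplit, parse_qs

CALLBACK_PATH = "/signup/gitlab/complete"  # Mattermost's GitLab-style callback path

def host_port(url):
    """Normalise host (hostnames are case-insensitive) and fill in the scheme's default port."""
    p = urlsplit(url)
    return p.hostname.lower(), p.port or (443 if p.scheme == "https" else 80)

def check_authorize_redirect(site_url, auth_endpoint, location):
    """Findings for the Location header of the 302 returned by /oauth/gitlab/login (step 2)."""
    findings = []
    mm, oauth, got = host_port(site_url), host_port(auth_endpoint), host_port(location)
    if got != oauth:
        where = "the Mattermost server itself" if got == mm else f"{got[0]}:{got[1]}"
        findings.append(f"step 2 redirects to {where}, expected OAuth server {oauth[0]}:{oauth[1]}")
    redirect_uri = parse_qs(urlsplit(location).query).get("redirect_uri", [""])[0]
    expected = site_url.rstrip("/") + CALLBACK_PATH
    # Assumption: exact string comparison, so a port or capitalisation difference is a mismatch.
    if redirect_uri != expected:
        findings.append(f"redirect_uri {redirect_uri!r} does not match {expected!r}")
    return findings

def token_error_from_log(line):
    """Extract the OAuth error object from a 'Bad response from token request' log line."""
    msg = json.loads(line)["msg"]
    marker = "response_body="
    if marker not in msg:
        return None
    return json.loads(msg.split(marker, 1)[1].strip())

# Constructed sample values (placeholders, not taken from a real deployment).
SITE_URL = "http://mm.example.test:8065"
AUTH_ENDPOINT = "http://mm.example.test/oauth/authorize.php"
BAD_LOCATION = ("http://mm.example.test:8065/oauth/authorize.php?response_type=code"
                "&client_id=CLIENTID&redirect_uri=http%3A%2F%2FMM.example.test%3A8065"
                "%2Fsignup%2Fgitlab%2Fcomplete&state=STATE")
GOOD_LOCATION = (BAD_LOCATION.replace("mm.example.test:8065/oauth", "mm.example.test/oauth")
                             .replace("MM.example", "mm.example"))
LOG_LINE = json.dumps({"level": "error", "caller": "api4/oauth.go:493",
                       "msg": "AuthorizeOAuthUser: Bad response from token request, response_body= "
                              '{"error":"redirect_uri_mismatch","error_description":"The redirect URI is missing or do not match"}'})

if __name__ == "__main__":
    for finding in check_authorize_redirect(SITE_URL, AUTH_ENDPOINT, BAD_LOCATION):
        print("FINDING:", finding)
    print("token error:", token_error_from_log(LOG_LINE)["error"])
```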

nrayburn-tech commented 5 years ago

You are correct, the port number was the issue. Correcting the ports and the capitalization of the host names fixed this issue.

I am now receiving another error. If I should open another issue instead of continuing here, let me know. After clicking authorize, which should redirect me to http://hostname:8065/signup/gitlab/complete, I am sent to this: http://hostname:8065/signup/gitlab/complete?code=ca9498964a68a68f0423593a73c11a9cdad2d5a2&state=eyJhY3Rpb24iOiJsb2dpbiIsInRva2VuIjoia3A5NGZxc2N5b2NhYXRxaWtjcWFnbWVtcWhoYmlwejhvYzNmYTEzcndraG5vbjM1dGthaTlzamR4YXdyMzl4bSJ9 with a status error 500. This is followed by http://hostname:8065/error?message=Bad+response+from+token+request&s=MEUCIGkaBkPbpGobBeRNSD7jKCgXoHmQGFOikGe-bu7hjAllAiEAnv8sbJ-SF-yk0-x-Syq2N-5f1jMfjgNL4B2s4rzGVIY=.

Do you have any ideas on what might be the issue? I have added any additional information that may be relevant below.

Mattermost and Mattermost-LDAP are installed on the same server.

"AuthEndpoint": "http://hostname/oauth/authorize.php", "TokenEndpoint": "http://hostname/oauth/token.php", "UserApiEndpoint": "http://hostname/oauth/resource.php"

My oauth.oauth_authorization_codes table is being filled. The active directory user that was used is in the oauth.users table. This user was never used to login to Mattermost and does not have a record in the mattermost.users table.

I do have this warning on the http://hostname/oauth/authorize.php page. Warning: count(): Parameter must be an array or an object that implements Countable in C:\Apache24\htdocs\oauth\OAuth2\Server.php on line 474

Edit: The mattermost.log file contains this line after attempting to authenticate. {"level":"error","ts":1561388643.2626805,"caller":"api4/oauth.go:493","msg":"AuthorizeOAuthUser: Bad response from token request, response_body= {\"error\":\"redirect_uri_mismatch\",\"error_description\":\"The redirect URI is missing or do not match\",\"error_uri\":\"http:\\/\\/tools.ietf.org\\/html\\/rfc6749#section-4.1.3\"}"}

As far as I can tell, all my URIs should be correct. Are there any others besides the ones below? "SiteURL": "http://hostname:8065" "AuthEndpoint": "http://hostname/oauth/authorize.php" "TokenEndpoint": "http://hostname/oauth/token.php" "UserApiEndpoint": "http://hostname/oauth/resource.php" From the oauth database, oauth_authorization_codes.redirect_uri: http://hostname:8065/signup/gitlab/complete

What should the GitLab Site URL be? Mine has http://hostname:80/oauth/resource.php in the Mattermost UI.

Crivaledaz commented 5 years ago

Hi,

Have you tried proceeding with curl to see what the oauth server answers? Can you follow the steps in issue #5, and check if you obtain user data at the end of the process?

Regards,

nrayburn-tech commented 5 years ago

I was able to get my LDAP configured after looking at the issue you recommended, as well as #27.

Curl showed me the problem, which led me to getting it fixed. Thank you for the plugin and your assistance here.