FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

LDAP reconcile w/ group memberships - no error during login or event log and stacktrace in console logs #1000

Open ruckc opened 3 years ago

ruckc commented 3 years ago

LDAP Reconcile Groups - no error during login or event log and stacktrace in console logs

Description

In trying to update groups during the login process, with the below reconcile lambda, we get the below stacktrace.

function reconcile(user, attrs) {
   user.id = attrs.entryUUID;
   user.username = attrs.uid;
   user.email = attrs.mail;
   user.firstName = attrs.givenName;
   user.lastName = attrs.sn;
   user.fullName = attrs.cn;
   user.active = true;
   user.memberships = [
      {groupId: 'e4d592eb-006b-4aab-8d3c-c8eea7e0014d' }
   ];
}

2020-11-19 1:26:07.918 AM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.NullPointerException: null
        at java.base/java.util.Objects.requireNonNull(Objects.java:222)
        at java.base/java.util.Optional.of(Optional.java:111)
        at java.base/java.util.stream.FindOps$FindSink$OfRef.get(FindOps.java:194)
        at java.base/java.util.stream.FindOps$FindSink$OfRef.get(FindOps.java:191)
        at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:543)
        at io.fusionauth.api.service.search.ElasticsearchSearchEngine.index(ElasticsearchSearchEngine.java:139)
        at io.fusionauth.api.service.group.DefaultGroupService.removeMember(DefaultGroupService.java:147)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at io.fusionauth.api.service.connector.BaseConnector.synchronizeExternalUser(BaseConnector.java:109)
        at io.fusionauth.api.service.connector.LDAPConnector.authenticate(LDAPConnector.java:75)
        at io.fusionauth.api.service.authentication.DefaultAuthenticationService._authenticate(DefaultAuthenticationService.java:125)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at io.fusionauth.api.service.authentication.DefaultAuthenticationService.authenticate(DefaultAuthenticationService.java:165)
        at io.fusionauth.app.action.api.LoginAction.lambda$post$1(LoginAction.java:126)
        at io.fusionauth.app.action.api.BaseLoginAction.callLogin(BaseLoginAction.java:165)
        at io.fusionauth.app.action.api.LoginAction.post(LoginAction.java:126)

Affects versions

1.21.0

Steps to reproduce

Steps to reproduce the behavior:

  1. Use the above lambda
  2. Log in with the LDAP connector

Expected behavior

Groups should be added to the user. Is there a method to search for groups? Or does the lambda need to know about the groupIds?

Related

mooreds commented 3 years ago

Thanks for the bug report.

There is no method to search for groups from inside a lambda. Outside you can get all groups or retrieve one group by id: https://fusionauth.io/docs/v1/tech/apis/groups/#retrieve-a-group

ruckc commented 3 years ago

FA allows the user to log in. A group with that ID does exist. There is nothing in the event log (probably due to the stack trace). Nothing gets logged to the container stdout/stderr.

I was hoping there was a way to look up groups inside FA so I don't need to hardcode them all in the lambda. I was mainly trying to sync LDAP groups to FA groups for application roles.

robotdan commented 3 years ago

Currently you'll need to hard-code group IDs, or send them over via LDAP.

We have an open issue for getting access to more things in the lambda. We'll likely add helper functions to allow access to these types of things. https://github.com/FusionAuth/fusionauth-issues/issues/229

ruckc commented 3 years ago

I can have them in LDAP, but I can't do additional queries to get extra attributes off the groups. Only the memberOf DN comes through.

-- Curtis Ruck

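One way to do what the two comments above describe (carry group membership over LDAP and map it inside the lambda), as an added example that is not code from this issue or from FusionAuth: the lambda reads the LDAP memberOf attribute, matches each DN against a hard-coded allow-list of DN-to-groupId pairs, and assigns only the matches, so an unknown DN never produces a membership with a guessed ID. The DNs and group IDs are constructed placeholders, and `attrs.memberOf` is assumed to arrive either as a single string or as an array of strings.

```javascript
// Constructed mapping: LDAP group DN -> FusionAuth group id (placeholder values).
// Keys are lowercase because DNs are compared case-insensitively below.
const GROUP_MAP = {
  'cn=app-admins,ou=groups,dc=example,dc=com': '11111111-1111-1111-1111-111111111111',
  'cn=app-users,ou=groups,dc=example,dc=com': '22222222-2222-2222-2222-222222222222',
};

// Normalise a DN for comparison: trim, lowercase, and drop whitespace around
// the comma separators between RDNs ("CN=x, OU=y" and "cn=x,ou=y" compare equal).
function normalizeDn(dn) {
  return String(dn).trim().toLowerCase().replace(/\s*,\s*/g, ',');
}

// Build the memberships array from memberOf. memberOf may be absent, a single
// string, or an array of strings. DNs not in the map are ignored and duplicate
// group ids are collapsed, so the result only ever names groups that exist.
function buildMemberships(memberOf, groupMap) {
  const dns = memberOf == null ? [] : [].concat(memberOf);
  const seen = new Set();
  const memberships = [];
  for (const dn of dns) {
    const groupId = groupMap[normalizeDn(dn)];
    if (groupId && !seen.has(groupId)) {
      seen.add(groupId);
      memberships.push({ groupId });
    }
  }
  return memberships;
}

// LDAP reconcile lambda shaped like the one in the report, but with memberships
// derived from memberOf instead of a fixed list.
function reconcile(user, attrs) {
  user.id = attrs.entryUUID;
  user.username = attrs.uid;
  user.email = attrs.mail;
  user.firstName = attrs.givenName;
  user.lastName = attrs.sn;
  user.fullName = attrs.cn;
  user.active = true;
  user.memberships = buildMemberships(attrs.memberOf, GROUP_MAP);
}
```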

robotdan commented 2 years ago

In version 1.35.0 you can make an HTTP request in lambda, so you could make a FusionAuth API call to get group details. Would this work for this use case?