LibreBooking / docker

Librebooking as a docker container
GNU General Public License v3.0

LDAP Authentication working but not groups synchronization. #80

Closed Harimzial closed 10 months ago

Harimzial commented 10 months ago

Hey again!

I could configure most of LibreBooking to work the way I want, with the security I want, etc. The only issue I am left with before putting it into production would be to make the sync.groups of the LDAP Auth work.

I have the same group names on my LDAP (FreeIPA) and LibreBooking, and people are connecting through their LDAP accounts, but it won't sync any of the groups.

I tried to add memberof=Groups in attribute.mapping, but it didn't change anything. Is there something I could have forgotten?

I'm not sure if anyone here can be of help, or if I should rather go to the Librebooking/app board, but thanks in advance anyway!

colisee commented 10 months ago

Hi @Harimzial ,

Could you please confirm that LDAP is working for you, except for the synchronization of the groups? I mean, a user defined on your LDAP but not defined in librebooking is able to log in.

If yes, then could you please tell me what you expect from the setting $conf['settings']['sync.groups'] = 'true'; ?

Harimzial commented 10 months ago

Hi @colisee ,

Yes, it works perfectly, and it creates the LDAP user in Librebooking with all the data I ask for (position, mail, etc.).

What I expect from this parameter is that when someone connects, he is automatically assigned to the groups that he is part of on my IPA and that already exist in Librebooking. At least that is what I understood this parameter can do.

Best!

colisee commented 10 months ago

I just set up an LDAP environment. I am able to log in and I can see that the LDAP user is created in librebooking.

However, when I activate sync.groups I can no longer log in. According to the logs (debug activated in config.php), it seems that the issue comes from the absence of the memberOf attribute in my user records.

Do you have the same issue?

Regardless, could you share the relevant info extracted from docker logs <container> ?

Harimzial commented 10 months ago

Thanks a lot for trying !

I don't have the same behaviour: with sync.groups I can still log in without any issue. It is just that the groups won't synchronize despite existing with the same name in both environments.

I tried connecting with a new account to see the whole process in the logs, but I didn't see anything out of the ordinary, nor any error. The part that relates most to this issue is this:

** ld 0x55f6acc67520 Outstanding Requests:
 * msgid 5,  origid 5, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55f6acc67520 request count 1 (abandoned 0)
** ld 0x55f6acc67520 Response Queue:
   Empty
  ld 0x55f6acc67520 response count 0
ldap_chkResponseList ld 0x55f6acc67520 msgid 5 all 1
ldap_chkResponseList returns ld 0x55f6acc67520 NULL
ldap_int_select
read1msg: ld 0x55f6acc67520 msgid 5 all 1
ldap_find_request_by_msgid: msgid 5, lr 0x55f6acc1cc20 lr->lr_refcnt = 1
read1msg: ld 0x55f6acc67520 msgid 5 message type bind
read1msg: ld 0x55f6acc67520 0 new referrals
read1msg:  mark request completed, ld 0x55f6acc67520 msgid 5
request done: ld 0x55f6acc67520 msgid 5
res_errno: 0, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x55f6acc1cc20, lr 0x55f6acc1cc20
ldap_return_request: lrx->lr_msgid 5, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 5, msgid 5)
ldap_free_request_int: lr 0x55f6acc1cc20 msgid 5 removed
ldap_do_free_request: asked to free lr 0x55f6acc1cc20 msgid 5 refcnt 0
ldap_parse_result
ldap_msgfree
ldap_search_ext
put_filter: "(uid=test-roombooking)"
put_filter: simple
put_simple_filter: "uid=test-roombooking"
ldap_build_search_req ATTRS: sn givenname mail telephonenumber physicaldeliveryofficename title Groups memberof
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x55f6acc67520 msgid 6
wait4msg ld 0x55f6acc67520 msgid 6 (infinite timeout)
wait4msg continue ld 0x55f6acc67520 msgid 6 all 1
** ld 0x55f6acc67520 Connections:
* host: ipa.networks.imdea.org  port: 389  (default)
* from: IP=172.19.0.3:51234
  refcnt: 2  status: Connected

I'm trying to make an error appear somehow and I'll post it. If you find anything that would save me a headache, aha.

Thanks a lot, all the best!

colisee commented 10 months ago

OK, I finally got an LDAP setup that delivers the memberof overlay and I get the same result as you. The group does not get populated when a user signs in.

Could you please set the following values inside the file config.php:

$conf['settings']['logging']['folder'] = '/var/log/librebooking';
$conf['settings']['logging']['level'] = 'debug';
$conf['settings']['logging']['sql'] = 'false';

Then log in with your user. Once on the homepage, please check the application logs with the command docker exec librebooking tail /var/log/librebooking/app.log and share your results. I'd like to compare them with what I get.

colisee commented 10 months ago

@Harimzial, @effgarces

I believe I found the reason why the LDAP group syncing is not working. The issue comes from the upstream project.

Here is the group my user belongs to in LDAP: cn=librebooking.users,ou=groups,dc=example,dc=org

And here is the group my user belongs to in librebooking: librebooking.users

By the way, when you check the logs in librebooking, the program inverts the group and the user when it tells you that it is skipping the sync.

I will submit a PR to the upstream project in the coming days

colisee commented 10 months ago

@Harimzial

In the meantime, I can confirm a workaround.

You can rename your group, in librebooking, to match your lowercase LDAP dn.

In my case, I renamed my librebooking group librebooking.users to cn=librebooking.users,ou=groups,dc=example,dc=org and it worked, as you can see below:

(screenshot: Capture d'écran 2023-11-19 102818)

To @effgarces: maybe this is the way it is supposed to work: a LDAP group must be named with the lowercase LDAP DN syntax. In this case, my PR would be much smaller and simpler. The wiki would need to be adapted, obviously.

Harimzial commented 10 months ago

Hi @colisee

Hope you had a nice weekend. Well done on finding the source; I was starting to look in that direction last Friday. But I had to learn a bit more about FreeIPA to find my groups' lowercase LDAP DN, so for the record it is in this form: cn=test,cn=groups,cn=accounts,dc=example,dc=org

The workaround will be very useful for now, thanks a lot! It makes it rather non-user-friendly, though; it would be interesting to have a "Displayed name" option, for example.

I'll let you close this issue when you have feedback from upstream, then. I'll follow it too.

Thanks again for the help. Best.

colisee commented 10 months ago

Hi @Harimzial @effgarces

I made some code changes and this version lets me synchronize a group in librebooking that is named after the LDAP common name (in addition to the distinguished name). I am using the openldap server container from osixia for testing.

Before I make a pull-request to the upstream project, I'd appreciate if you could run the test on your side, with your ldap server.

For this, you will need to:

  1. Use the latest librebooking/librebooking:develop image
  2. Download the following Registration.txt file to your host and change the file extension name to php
  3. Map the modified Registration.php file to your container /var/www/html/lib/Application/Authentication/Registration.php file
  4. Remove the group with the ldap distinguished name, if defined in librebooking
  5. Create the group with the ldap common name
  6. Login and check that the new group contains your logged user profile

registration.txt
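The matching rule discussed in this thread, as an added example that is not LibreBooking's own code nor the Registration.php attached above: a user's memberOf values are compared against the application's group names either by full lowercase DN (the workaround two comments up) or by common name (the behaviour of the proposed fix). The example goes slightly beyond the thread by adding an optional base_dn scope, so that a same-named group elsewhere in the directory cannot match; that scoping, the DN splitter, and the sample DNs and group names are this example's own assumptions.

```python
"""Added example, not LibreBooking's code: match LDAP memberOf DNs
against application group names by lowercase DN (thread workaround)
or by common name (proposed fix). The base_dn scoping is an addition."""

# Constructed sample memberOf values in FreeIPA-style layout (hypothetical).
SAMPLE_MEMBER_OF = [
    "cn=test,cn=groups,cn=accounts,dc=example,dc=org",
    "CN=Room Admins,cn=groups,cn=accounts,dc=example,dc=org",
    "cn=test,ou=legacy,dc=other,dc=org",   # same CN in an unrelated tree
]


def split_rdns(dn):
    """Split a DN on unescaped commas; RFC 4514 backslash escapes are kept."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def normalize_dn(dn):
    """Lowercase types and values and drop whitespace around '=' and ','."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def common_name(dn):
    """Value of the leading cn= RDN, or None if the DN does not start with cn."""
    attr, _, value = split_rdns(dn)[0].partition("=")
    return value.strip() if attr.strip().lower() == "cn" else None


def in_base(dn, base_dn):
    """True if dn equals or sits under base_dn (compared after normalization)."""
    if base_dn is None:
        return True
    n_dn, n_base = normalize_dn(dn), normalize_dn(base_dn)
    return n_dn == n_base or n_dn.endswith("," + n_base)


def desired_groups(member_of, app_groups, mode="cn", base_dn=None):
    """Application groups the user should hold, given its memberOf values.

    mode="dn": the app group name must equal the lowercase LDAP DN.
    mode="cn": the app group name must equal the LDAP common name
               (case-insensitive). base_dn restricts which LDAP groups may
               match at all, so a group with the same CN under another
               base cannot grant membership (this example's own addition).
    """
    keys = set()
    for dn in member_of:
        if not in_base(dn, base_dn):
            continue
        if mode == "dn":
            keys.add(normalize_dn(dn))
        elif mode == "cn":
            cn = common_name(dn)
            if cn is not None:
                keys.add(cn.lower())
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return {g for g in app_groups if g.lower() in keys}


def sync_plan(current_groups, wanted_groups):
    """Groups to add and to remove so the user ends up in exactly wanted_groups."""
    current, wanted = set(current_groups), set(wanted_groups)
    return sorted(wanted - current), sorted(current - wanted)


if __name__ == "__main__":
    groups = ["test", "Room Admins",
              "cn=test,cn=groups,cn=accounts,dc=example,dc=org", "unrelated"]
    wanted = desired_groups(SAMPLE_MEMBER_OF, groups, mode="cn",
                            base_dn="cn=accounts,dc=example,dc=org")
    print(sync_plan(["unrelated", "test"], wanted))
```

With mode="cn" and no base_dn, the legacy "cn=test" entry also matches the "test" application group; passing the groups container as base_dn is what keeps the match limited to the intended subtree.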

Harimzial commented 10 months ago

Hi @colisee

Thanks a lot for the work. I am using FreeIPA. I've followed your steps and it worked perfectly! It's removing the groups I am not in and adding those I am in, which is exactly what's needed.

If you need any further logs or information, let me know.

All the best!

colisee commented 10 months ago

Excellent! I will push the PR later today.

Please, bear in mind that the fix will be available in the next librebooking/librebooking:develop image after the PR is merged into the upstream project.

I am now closing the issue.