Mailtrain-org / mailtrain

Self hosted newsletter app
GNU General Public License v3.0

LDAP not working wrong username or password #1131

Closed jonathanmmm closed 7 months ago

jonathanmmm commented 3 years ago

Hi,

I tried to follow what was set here: https://github.com/Mailtrain-org/mailtrain/issues/862

But sadly I could also not get it to work, hopefully somebody can help me, I am new to mailtrain.

I am using docker-compose; here is the snippet that should be important. I am using openldap in another container and nginx as a reverse proxy with https:

      - WITH_ZONE_MTA=false
      - WITH_LDAP=true
      - LDAP_HOST=openldap
      - LDAP_PORT=389
      - LDAP_SECURE=false
      - LDAP_BIND_USER=cn=readonlyuser,dc=my-domain,dc=com
      - LDAP_BIND_PASS=secretpasswordfortheREADONLYUSER
      - LDAP_FILTER=(|(objectclass=inetOrgPerson))
#      - LDAP_FILTER=(\&(\&(|(objectclass=inetOrgPerson)(objectclass=organizationalPerson))(|(memberof=cn=Newsletter-Managers,ou=gruppen,ou=mycompany,dc=my-domain,dc=com
#      - LDAP_FILTER=(&(&(|(objectclass=inetOrgPerson)(objectclass=organizationalPerson))(|(memberof=cn=Newsletter-Manager,ou=gruppen,ou=mycompany,dc=my-domain,dc=com
      - LDAP_BASEDN=dc=my-domain,dc=com
      - LDAP_UIDTAG=uid
    volumes:
      - ./mailtrain-data:/app/server/files
    networks:
      - redis-mongo-mt
      - mailtrain
      - openldap
      - mailtrtonginx

As you can see from the commented-out part, I tried different things, like maybe & needs to be escaped.

My users are inetOrgPerson and person and have uid as their username. It doesn't work. I have never logged in (no admin test or so, don't know if I need to do that before). I am trying to log in via the URL_BASE_TRUSTED specified domain.

I always get wrong password or username and info HTTP GET /login?next=%2F 500 103.521 ms - - in docker-compose logs.

What should I do, for any help, I would be thankful :-)
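An added check, not part of this thread or of Mailtrain: a minimal RFC 4515 structure parser for an LDAP_FILTER value. The commented-out filters in the post above are unbalanced and `\&` is not a filter operator, and a malformed filter makes the user search fail, which surfaces as a generic failed login. The complete memberOf filter below is a constructed example of what the commented-out lines were aiming for.

```python
import re

# One filter item: attribute, comparison operator, value without bare parens.
# Parens inside a value must be escaped as \28 / \29 (RFC 4515).
_ITEM = re.compile(r'^[A-Za-z][A-Za-z0-9.;-]*(~=|>=|<=|=)[^()]*$')


def validate_ldap_filter(text):
    """Return (ok, message); checks structure only, not attribute names."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != '(':
            return 'expected "(" at offset %d' % pos
        pos += 1
        if pos < len(text) and text[pos] in '&|':
            pos += 1                       # AND / OR: zero or more nested filters
            while pos < len(text) and text[pos] == '(':
                err = parse()
                if err:
                    return err
        elif pos < len(text) and text[pos] == '!':
            pos += 1                       # NOT: exactly one nested filter
            err = parse()
            if err:
                return err
        else:                              # simple item such as uid=jdoe
            end = text.find(')', pos)
            if end == -1:
                return 'unterminated item starting at offset %d' % pos
            item = text[pos:end]
            if not _ITEM.match(item):
                return 'malformed item %r at offset %d' % (item, pos)
            pos = end
        if pos >= len(text) or text[pos] != ')':
            return 'missing ")" at offset %d' % pos
        pos += 1
        return None

    err = parse()
    if err is None and pos != len(text):
        err = 'trailing text at offset %d' % pos
    return (err is None, err or 'ok')


# Constructed sample values: the working filter from the post, a balanced
# memberOf variant, and the escaped-ampersand attempt.
FILTER_POST = '(|(objectclass=inetOrgPerson))'
FILTER_MEMBEROF = ('(&(|(objectclass=inetOrgPerson)(objectclass=organizationalPerson))'
                   '(memberof=cn=Newsletter-Managers,ou=gruppen,ou=mycompany,dc=my-domain,dc=com))')
FILTER_ESCAPED_AMP = '(\\&(|(objectclass=inetOrgPerson)))'

if __name__ == '__main__':
    for f in (FILTER_POST, FILTER_MEMBEROF, FILTER_ESCAPED_AMP):
        print(validate_ldap_filter(f), f)
```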

codiflow commented 2 years ago

Just stumbled upon your issue but maybe I can help:

Did you install the passport-ldapjs or passport-ldapauth node modules manually? They are not installed by default (afaik, referring to this issue https://github.com/Mailtrain-org/mailtrain/issues/862)

You can check this by getting the logs from your container using docker-compose logs -f from inside the folder where your docker-compose.yml is located.

jonathanmmm commented 2 years ago

Just stumbled upon your issue but maybe I can help:

Did you install the passport-ldapjs or passport-ldapauth node modules manually? They are not installed by default (afaik, referring to this issue https://github.com/Mailtrain-org/mailtrain/issues/862)

You can check this by getting the logs from your container using docker-compose logs -f from inside the folder where your docker-compose.yml is located.

No, thanks, I could try that. But I would rather fix this in the Docker image or at least update the README. If there are docker ENVs for LDAP most people will think they don't need to install anything.

l4b4r4b4b4 commented 2 years ago

Well, according to the logs of the Dockerfile, the ldap packages are installed, but with errors about not finding PYTHON in the path. @jonathanmmm Did you manage to get it working? And is it wanted behaviour that the admin credentials set in docker-compose.yml are not valid when enabling LDAP authentication?

Update 1

Well, I managed to get authentication working. Every authenticated user now gets the global master role assigned. Hope there is a way to do some role mapping.

jonathanmmm commented 2 years ago

Well, according to the logs of the Dockerfile, the ldap packages are installed, but with errors about not finding PYTHON in the path. @jonathanmmm Did you manage to get it working? And is it wanted behaviour that the admin credentials set in docker-compose.yml are not valid when enabling LDAP authentication?

Update 1

Well, I managed to get authentication working. Every authenticated user now gets the global master role assigned. Hope there is a way to do some role mapping.

Haven't tried further. Could you post what your config/setup is?

codiflow commented 2 years ago

And is it wanted behaviour that the admin credentials set in docker-compose.yml are not valid when enabling LDAP authentication?

Yes, if you are using LDAP auth the local auth is not working anymore (also the local admin account). To change that you have to temporarily deactivate LDAP auth (WITH_LDAP=false) in your docker file, restart the container and authenticate using the local admin credentials.

Well, I managed to get authentication working. Every authenticated user now gets the global master role assigned. Hope there is a way to do some role mapping.

You can also do that. You have to change the file production.yaml using docker exec -it mailtrain_mailtrain_1 /bin/bash to achieve this.

The parameters are:

  newUserRole: master
  # Global namespace id
  newUserNamespaceId: 1

Just add them below the ldap section, save the file and restart the container.

I would not recommend changing them in default.yaml, where you can look at all available parameters.

l4b4r4b4b4 commented 2 years ago

@codiflow hmmm, I tried that but for some reason after the restart I got a db connection timeout error. Will try again though! Thanks for the tip on how to assign users to namespaces! I built the mailtrain container from source, because I already implemented some modifications in production.yml, e.g. newUserRole.

Update

I just saw what you mean with default.yml. What exactly do you mean by saying one is able to look at all parameters? And what is so bad about it?

Update 2

Well ok, I can authenticate, but when changing back to ldap, that is all back to login :wink:

So I guess I will do it with Admin account setup in LDAP. Would like to have a backup admin account in case LDAP Service is down, without having to reconfig and restart the container :cry:

talheim-it commented 7 months ago

We are going to start with the development and testing of mailtrain v3 in the next weeks.

You are welcome to help us with the testing as soon as the first release candidate is available.