Monogramm / taiga-contrib-ldap-auth-ext

:snake: :alembic: Extended Taiga plugin for LDAP authentication
http://taiga.io
GNU Affero General Public License v3.0

Taiga Authentication failing on META LDAP #38

Closed gabrieletassoni closed 2 years ago

gabrieletassoni commented 3 years ago

Describe the bug
Hi, in my company we have a META LDAP DB which abstracts two LDAP directories, an AD and an LDAP directory. Using the LDAP_BIND_DN of the META DB, all the Active Directory users can log in (and have the user created at first login). The USERS created in the LDAP won't. Other services in the network can use both types of users.

What can it be? Why can the AD users log in?

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Login Page' on Taiga
  2. Put username and password of a user present in the meta LDAP
  3. The error is: According to the Taiga, your username/email or password are incorrect.

Moreover, I did some shell debugging, and the user who cannot log in to Taiga can BIND from the shell; here are the tryouts:

$ ldapwhoami -vvv -h -REDACTED- -p 389 -D uid=-REDACTED-,cn=local,ou=people,dc=bancolini,dc=meta -x -w '-REDACTED-'
ldap_initialize( ldap://-REDACTED-:389 )
dn:uid=-REDACTED-,cn=local,ou=people,dc=bancolini,dc=meta
Result: Success (0)

While the log of the LDAP server is:

601819a4 conn=1584 fd=12 ACCEPT from IP=-REDACTED-:54576 (IP=0.0.0.0:389)
601819a4 conn=1584 op=0 BIND dn="cn=binder,dc=bancolini,dc=meta" method=128
601819a4 conn=1584 op=0 BIND dn="cn=binder,dc=bancolini,dc=meta" mech=SIMPLE ssf=0
601819a4 conn=1584 op=0 RESULT tag=97 err=0 text=
601819a4 conn=1584 op=1 SRCH base="dc=bancolini,dc=meta" scope=2 deref=3 filter="(|(uid=-REDACTED-)(mail=-REDACTED-))"
601819a4 conn=1584 op=1 SRCH attr=uid mail displayName
601819a4 conn=1044 op=252 SRCH base="ou=people,dc=bancolini,dc=com" scope=2 deref=3 filter="(|(uid=-REDACTED-)(mail=-REDACTED-))"
601819a4 conn=1044 op=252 SRCH attr=uid mail displayName
601819a4 conn=1044 op=252 SEARCH RESULT tag=101 err=0 nentries=1 text=
601819a4 conn=1045 op=249 SRCH base="ou=groups,dc=bancolini,dc=com" scope=2 deref=3 filter="(|(uid=-REDACTED-)(mail=-REDACTED-))"
601819a4 conn=1045 op=249 SRCH attr=uid mail displayName
601819a4 conn=1584 op=1 meta_back_retry[3]: retrying URI="ldap://-REDACTED-:389" DN="cn=administrator,cn=users,dc=bancolini,dc=com".
601819a4 conn=1045 op=249 SEARCH RESULT tag=101 err=0 nentries=0 text=
601819a4 conn=1584 op=1 meta_back_retry[3]: meta_back_single_dobind=0
601819a4 conn=1584 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
601819a4 conn=1585 fd=25 ACCEPT from IP=-REDACTED-:54580 (IP=0.0.0.0:389)
601819a4 conn=1585 op=0 BIND dn="uid=-REDACTED-,cn=local,ou=people,dc=bancolini,dc=meta" method=128
601819a4 conn=1586 fd=27 ACCEPT from IP=-REDACTED-:54584 (IP=0.0.0.0:389)
601819a4 conn=1586 op=0 BIND dn="uid=-REDACTED-,ou=people,dc=bancolini,dc=com" method=128
601819a4 conn=1586 op=0 BIND dn="uid=-REDACTED-,ou=people,dc=bancolini,dc=com" mech=SIMPLE ssf=0
601819a4 conn=1585 op=0 BIND dn="uid=-REDACTED-,cn=local,ou=people,dc=bancolini,dc=meta" mech=SIMPLE ssf=0
601819a4 conn=1585 op=0 RESULT tag=97 err=0 text=
601819a4 conn=1586 op=0 RESULT tag=97 err=0 text=
601819a4 conn=1584 fd=12 closed (connection lost)
601819a4 conn=1585 fd=25 closed (connection lost)
601819a4 conn=1586 op=1 UNBIND
601819a4 conn=1586 fd=27 closed

If I understand right, it tries to use uid=-REDACTED-,cn=local,ou=people,dc=bancolini,dc=meta to BIND and check for the password, which in ldapsearch works.

Obviously, also the uid=-REDACTED-,ou=people,dc=bancolini,dc=com I see in the log is accepted as BIND DN:

$ ldapwhoami -vvv -h -REDACTED- -p 389 -D uid=-REDACTED- -x -w '-REDACTED-'
ldap_initialize( ldap://-REDACTED-:389 )
dn:uid=-REDACTED-,dc=bancolini,dc=com
Result: Success (0)

The config of Taiga's settings.py is:

LDAP_SERVER = 'ldap://-REDACTED-'
LDAP_PORT = 389

# Flag to enable LDAP with STARTTLS before bind
LDAP_START_TLS = False

# Support of alternative LDAP ciphersuites
#from ldap3 import Tls
#import ssl

#LDAP_TLS_CERTS = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1, ciphers='RSA+3DES')

# Full DN of the service account used to connect to the LDAP server and search for the login user's account entry
# If LDAP_BIND_DN is not specified, or is blank, then an anonymous bind is attempted
LDAP_BIND_DN = 'cn=-REDACTED-,dc=bancolini,dc=meta'
LDAP_BIND_PASSWORD = '-REDACTED-'

# Starting point within LDAP structure to search for login user
LDAP_SEARCH_BASE = 'dc=bancolini,dc=meta'

# Additional search criteria to the filter (will be ANDed)
#LDAP_SEARCH_FILTER_ADDITIONAL = '(mail=*)'

# Names of attributes to get username, e-mail and full name values from
# These fields need to have a value in LDAP 
LDAP_USERNAME_ATTRIBUTE = 'uid'
LDAP_EMAIL_ATTRIBUTE = 'mail'
LDAP_FULL_NAME_ATTRIBUTE = 'displayName'

Expected behavior
I expect to log in with the LDAP users and not just with the AD, since the ldapwhoami works.

Thank you for the answer, bye, Gabriele
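
The slapd log above interleaves several connections, so it helps to group it by connection and operation before deciding which step of the plugin's flow (service-account bind, search, then bind as the found user) the server actually reports as failing. The following Python parser is an added example, not part of the issue or the plugin; its sample is a constructed subset of the log above with the redacted user replaced by the placeholder "jdoe", and it assumes the standard OpenLDAP stats log format shown in the issue.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the slapd log quoted in the issue, user "jdoe" is a placeholder.
SAMPLE_LOG = """\
601819a4 conn=1584 op=0 BIND dn="cn=binder,dc=bancolini,dc=meta" method=128
601819a4 conn=1584 op=0 RESULT tag=97 err=0 text=
601819a4 conn=1584 op=1 SRCH base="dc=bancolini,dc=meta" scope=2 deref=3 filter="(|(uid=jdoe)(mail=jdoe))"
601819a4 conn=1584 op=1 SRCH attr=uid mail displayName
601819a4 conn=1584 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
601819a4 conn=1585 op=0 BIND dn="uid=jdoe,cn=local,ou=people,dc=bancolini,dc=meta" method=128
601819a4 conn=1585 op=0 RESULT tag=97 err=0 text=
"""

LINE_RE = re.compile(r'^\S+ conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" .*filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'^(?:SEARCH )?RESULT tag=\d+ err=(?P<err>\d+)(?: nentries=(?P<n>\d+))?')

def parse_slapd_log(text):
    """Group BIND/SRCH operations by connection and merge each RESULT line into its operation.
    Lines such as ACCEPT, mech=, attr=, meta_back_retry and closed are ignored."""
    conns, ops = defaultdict(list), {}  # ops: (conn, op) -> record
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m['conn'], m['op'], m['rest']
        if (b := BIND_RE.match(rest)):
            ops[(conn, op)] = {'op': 'BIND', 'dn': b['dn']}
            conns[conn].append(ops[(conn, op)])
        elif (s := SRCH_RE.match(rest)):
            ops[(conn, op)] = {'op': 'SRCH', 'base': s['base'], 'filter': s['filter']}
            conns[conn].append(ops[(conn, op)])
        elif (r := RESULT_RE.match(rest)) and (conn, op) in ops:
            rec = ops[(conn, op)]
            rec['err'] = int(r['err'])  # 0 means the server accepted the operation
            if r['n'] is not None:
                rec['nentries'] = int(r['n'])
    return dict(conns)

def check_auth_flow(conns):
    """Summarise the plugin's two steps: service-account search result, then the user bind."""
    out = {'search_entries': None, 'user_bind_dn': None, 'user_bind_err': None}
    for recs in conns.values():
        for rec in recs:
            if rec['op'] == 'SRCH' and 'nentries' in rec:
                out['search_entries'] = rec['nentries']
            elif rec['op'] == 'BIND' and rec['dn'].startswith('uid='):
                out['user_bind_dn'], out['user_bind_err'] = rec['dn'], rec.get('err')
    return out
```

On the sample, the search returns one entry and the bind as the found DN returns err=0, so the LDAP server itself reports no failure at either step; a non-zero err on the user bind or nentries=0 on the search would point at the server side instead.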

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

reinaldosaraiva commented 3 years ago

Hi, I was able to work through Active Directory, using the following environment variables below:

LDAP_USERNAME_ATTRIBUTE = 'sAMAccountName' https://github.com/reinaldosaraiva/taiga-contrib-ldap-auth-ext/blob/master/common.example.py

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.