Programmierus / ldap-mailcow

LDAP account synchronization and authentication for mailcow-dockerized

Error when using Zentyal as LDAP Provider #14

Open sfulham opened 3 years ago

sfulham commented 3 years ago

I use Zentyal as an LDAP/Active Directory server and I'm trying to get it to work with mailcow, but when I start the container, I get this error:

mailcowcustomized_ldap-mailcow | Traceback (most recent call last):
mailcowcustomized_ldap-mailcow |   File "syncer.py", line 181, in <module>
mailcowcustomized_ldap-mailcow |     main()
mailcowcustomized_ldap-mailcow |   File "syncer.py", line 31, in main
mailcowcustomized_ldap-mailcow |     sync()
mailcowcustomized_ldap-mailcow |   File "syncer.py", line 52, in sync
mailcowcustomized_ldap-mailcow |     for (email, ldap_name, ldap_active) in ldap_results:
mailcowcustomized_ldap-mailcow |   File "syncer.py", line 46, in <lambda>
mailcowcustomized_ldap-mailcow |     x[1]['userPrincipalName'][0].decode(),
mailcowcustomized_ldap-mailcow | KeyError: 'userPrincipalName'

Any ideas on how to fix it?

My docker-compose.yml has this for the container:

    ldap-mailcow:
        image: programmierus/ldap-mailcow
        network_mode: host
        container_name: mailcowcustomized_ldap-mailcow
        depends_on:
            - nginx-mailcow
        volumes:
            - ./data/ldap:/db:rw
            - ./data/conf/dovecot:/conf/dovecot:rw
            - ./data/conf/sogo:/conf/sogo:rw
        environment:
            - LDAP-MAILCOW_LDAP_URI=ldap://imgldap.lan
            - LDAP-MAILCOW_LDAP_BASE_DN=DC=imgldap,DC=lan
            - LDAP-MAILCOW_LDAP_BIND_DN=CN=***** ******,CN=Users,DC=imgldap,DC=lan
            - LDAP-MAILCOW_LDAP_BIND_DN_PASSWORD=***********
            - LDAP-MAILCOW_API_HOST=https://****.*************.***.**
            - LDAP-MAILCOW_API_KEY=**********************
            - LDAP-MAILCOW_SYNC_INTERVAL=300
        dns:
            - 10.0.0.89

P.S. I do know that the server works, as I have it linked to my Windows computer.

Programmierus commented 3 years ago

From what I see, it seems your LDAP provider doesn't return userPrincipalName as a possible key...

sfulham commented 3 years ago

Well, I've used Zentyal with other programs such as GitLab before and it's worked, so I don't know why it wouldn't work now.

Programmierus commented 3 years ago

I've never used Zentyal, so I can't tell you exactly what it returns. Use some LDAP query tool and look up which fields are returned on user records and whether userPrincipalName is sent. If not, amend syncer.py accordingly...

sfulham commented 3 years ago

So, I've run an LDAP search on it and it seems to be fine:

dn: CN=*******,CN=Users,DC=internalmediagroup,DC=lan
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: systemQuotas
objectClass: organizationalPerson
objectClass: user
cn: *******
sn: *******
givenName: *******
instanceType: 4
whenCreated: 20210118014517.0Z
displayName: *******
uSNCreated: 3828
name: *******
objectGUID:: zcRuaPP+40yACi3IJRXIjw==
# Non-base64-encoded representation of the above value: (binary, non-printable; omitted)
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA4SfQTdFiUyHkQxn5UAQAAA==
# Non-base64-encoded representation of the above value: (binary, non-printable; omitted)
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: *******
sAMAccountType: 805306368
userPrincipalName: *******@INTERNALMEDIAGROUP.LAN
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internalmediagroup,DC=lan
uidNumber: 65535
gidNumber: 2513
quota: 500
pwdLastSet: 132554079173018030
userAccountControl: 512
memberOf: CN=Domain Admins,CN=Users,DC=internalmediagroup,DC=lan
lastLogonTimestamp: 132554079275008500
homeDrive: H:
whenChanged: 20210118014530.0Z
homeDirectory: \\imgldapserver.INTERNALMEDIAGROUP.LAN\*******
uSNChanged: 3834
distinguishedName: CN=********,CN=Users,DC=internalmediagroup,DC=lan

P.S. Since I created the issue, I have changed the domain.

sfulham commented 3 years ago

This is now the config:

    ldap-mailcow:
        image: programmierus/ldap-mailcow
        network_mode: host
        container_name: mailcowcustomized_ldap-mailcow
        depends_on:
            - nginx-mailcow
        volumes:
            - ./data/ldap:/db:rw
            - ./data/conf/dovecot:/conf/dovecot:rw
            - ./data/conf/sogo:/conf/sogo:rw
        environment:
            - LDAP-MAILCOW_LDAP_URI=ldap://internalmediagroup.lan
            - LDAP-MAILCOW_LDAP_BASE_DN=CN=Users,DC=internalmediagroup,DC=lan
            - LDAP-MAILCOW_LDAP_BIND_DN=CN=*******,CN=Users,DC=internalmediagroup,DC=lan
            - LDAP-MAILCOW_LDAP_BIND_DN_PASSWORD=********
            - LDAP-MAILCOW_API_HOST=https://*******
            - LDAP-MAILCOW_API_KEY=******-******-******-******-******
            - LDAP-MAILCOW_SYNC_INTERVAL=300
        dns:
            - 10.0.0.89

sfulham commented 3 years ago

@Programmierus

Programmierus commented 3 years ago

I guess it's indeed related to #15.

We can make the query fields configurable and add some sort of debug mode to inspect the LDAP exchange.

You can submit your pull request. I am not sure when I'll have spare time to add this myself. It's not a bug.
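The traceback above comes from indexing `x[1]['userPrincipalName']` on every search result, so any entry the search returns without that attribute (a group or container object matched under the base DN, or a referral) raises KeyError for the whole sync. The following is an added example, not code from syncer.py or from the ldap-mailcow project: it takes results in python-ldap's `(dn, {attr: [bytes, ...]})` shape, makes the attribute names configurable as suggested in the comment above, lists which attributes each entry actually carries (the "debug mode" the maintainer describes), and skips entries that lack the mail attribute instead of aborting. The constants and the way "active" is derived from the ACCOUNTDISABLE bit of `userAccountControl` are assumptions for this example, not ldap-mailcow's logic.

```python
"""Added example (not ldap-mailcow's own code): map raw python-ldap search
results to (email, name, active) tuples without raising KeyError on entries
that lack an attribute, and expose which attributes each entry carries.

Assumptions (hypothetical, not taken from syncer.py):
  * results have python-ldap search_s shape: list of (dn, {attr: [bytes, ...]})
    and referral/continuation entries arrive as (None, [urls])
  * attribute names are configurable so non-AD schemas can be mapped
  * "active" is derived from the ACCOUNTDISABLE bit (0x2) of userAccountControl
"""
import logging
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("ldap-sync")

ACCOUNT_DISABLE = 0x0002  # AD userAccountControl flag: 512 = normal, 514 = disabled

# Constructed sample data. The second entry is a group object that a broad
# search under CN=Users also matches; it has no userPrincipalName, which is
# exactly what makes x[1]['userPrincipalName'] raise KeyError.
SAMPLE_RESULTS = [
    ("CN=alice,CN=Users,DC=example,DC=lan", {
        "userPrincipalName": [b"alice@EXAMPLE.LAN"],
        "sAMAccountName": [b"alice"],
        "displayName": [b"Alice Example"],
        "userAccountControl": [b"512"],
    }),
    ("CN=Domain Admins,CN=Users,DC=example,DC=lan", {
        "sAMAccountName": [b"Domain Admins"],
        "objectClass": [b"top", b"group"],
    }),
    ("CN=bob,CN=Users,DC=example,DC=lan", {
        "userPrincipalName": [b"bob@EXAMPLE.LAN"],
        "sAMAccountName": [b"bob"],
        "displayName": [b"Bob Example"],
        "userAccountControl": [b"514"],
    }),
    (None, ["ldap://other.example.lan/DC=other,DC=example,DC=lan"]),
]


def first_value(attrs: Dict[str, List[bytes]], name: str,
                default: Optional[str] = None) -> Optional[str]:
    """Return the first value of a multi-valued attribute as str, or default."""
    values = attrs.get(name)
    if not values:
        return default
    return values[0].decode("utf-8", errors="replace")


def describe_entries(results) -> List[Tuple[str, List[str]]]:
    """Debug view: the attribute names each real entry carries, so a missing
    field is visible before the mapping step runs."""
    return [(dn, sorted(attrs)) for dn, attrs in results
            if dn is not None and isinstance(attrs, dict)]


def map_results(results,
                email_attr: str = "userPrincipalName",
                name_attr: str = "displayName",
                uac_attr: str = "userAccountControl") -> List[Tuple[str, str, bool]]:
    """Map search results to (email, name, active), skipping unusable entries."""
    mapped = []
    for dn, attrs in results:
        if dn is None or not isinstance(attrs, dict):
            log.debug("skipping referral/continuation: %r", attrs)
            continue
        email = first_value(attrs, email_attr)
        if email is None:
            log.warning("%s has no %s; skipping (attributes present: %s)",
                        dn, email_attr, ", ".join(sorted(attrs)))
            continue
        # Fall back to sAMAccountName, then to the mail attribute, for the name.
        name = (first_value(attrs, name_attr)
                or first_value(attrs, "sAMAccountName")
                or email)
        uac = int(first_value(attrs, uac_attr, "0"))
        active = not (uac & ACCOUNT_DISABLE)
        mapped.append((email, name, active))
    return mapped


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for dn, names in describe_entries(SAMPLE_RESULTS):
        print(dn, "->", names)
    print(map_results(SAMPLE_RESULTS))
```

Running the block logs a warning naming the group entry and the attributes it does carry, and returns only the two user entries, with bob marked inactive; passing `email_attr="sAMAccountName"` shows how a different schema can be mapped without touching the loop.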

sfulham commented 3 years ago

Well, it uses Samba as the server, not OpenLDAP, and it does have the field there.