Open MasinAD opened 11 months ago
I'd say the bug is in ldapjs but I'm no ldapjs user. Maybe we can escalate the problem upstream somehow.
Can you share the output of a user from LDAP? I use phpldapadmin for this. If I remember, when I was testing LDAP, I had to set the groups to a number, not the whole AD string (if that makes sense?).
I haven't installed phpldapadmin. But I can use ldapsearch. If this isn't enough I can try either Apache Directory Studio or JXplorer.
Here is the actual LDAP LDIF for my account with some redactions:

```
root@meshcentral-my:~# ldapsearch -H ldap://10.0.3.128:389/ -D uid=system_ro,ou=Users,ou=System,dc=wikimedia,dc=de -W -b ou=People,dc=wikimedia,dc=de "(uid=maal)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=wikimedia,dc=de> with scope subtree
# filter: (uid=maal)
# requesting: ALL
#

# maal, People, wikimedia.de
dn: uid=maal,ou=People,dc=wikimedia,dc=de
objectClass: inetOrgPerson
uid: maal
displayName: Masin Al-Dujaili
givenName:: TWFzaW4g
sn: Al-Dujaili
jpegPhoto:: <snip>
mail: <valid e-mail address>
userPassword:: <redacted>
cn: Masin Al-Dujaili

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
And TIL operational attributes require this (observe the + sign at the end of the command):
```
root@meshcentral-my:~# ldapsearch -H ldap://10.0.3.128:389/ -D uid=system_ro,ou=Users,ou=System,dc=wikimedia,dc=de -W -b ou=People,dc=wikimedia,dc=de "(uid=maal)" +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=wikimedia,dc=de> with scope subtree
# filter: (uid=maal)
# requesting: +
#

# maal, People, wikimedia.de
dn: uid=maal,ou=People,dc=wikimedia,dc=de
structuralObjectClass: inetOrgPerson
entryUUID: 0657407a-ee26-103c-857c-f79dcc79eb63
creatorsName: cn=admin,dc=wikimedia,dc=de
createTimestamp: 20221101114236Z
memberOf: cn=administrators,ou=groups,dc=wikimedia,dc=de
memberOf: cn=domain users,ou=groups,dc=wikimedia,dc=de
memberOf: cn=it,ou=groups,dc=wikimedia,dc=de
memberOf: cn=mitarbeiter,ou=groups,dc=wikimedia,dc=de
memberOf: cn=gswiki-bureaucrat,ou=groups,dc=wikimedia,dc=de
memberOf: cn=gswiki-sysop,ou=groups,dc=wikimedia,dc=de
memberOf: cn=civicrm-importer,ou=Groups,dc=wikimedia,dc=de
entryCSN: 20230906115337.308671Z#000000#001#000000
modifyTimestamp: 20230906115337Z
modifiersName: cn=admin,dc=wikimedia,dc=de
entryDN: uid=maal,ou=People,dc=wikimedia,dc=de
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
I have to correct myself: I can have the settings in there without the error, but I can only log in with `ldapSiteAdminGroups` set, though I don't know if it has any effect. With `ldapUserRequiredGroupMembership` set I get "Access denied" in the login form. But in both cases that's only if I have not set

```json
"ldapoptions": {
  …
  "groupSearchBase": "ou=Groups,dc=wikimedia,dc=de",
  "groupSearchFilter": "(member={{dn}})",
  "groupDnProperty": "{{dn}}"
}
```
So, there's some link to group search filters.
Well, I guess my admin rights got removed :-D, so it does not have any effect.
Describe the bug
Setting values for `ldapUserRequiredGroupMembership` or `ldapSiteAdminGroups` makes logins fail. The log contains:

To Reproduce
Oh, what do I know? :-D
Steps to reproduce the behavior:
Maybe the `config.json` helps more than those steps. If I remove both settings attributes I can log in.

Expected behavior
`ldapUserRequiredGroupMembership`. `ldapSiteAdminGroups` should automatically be admins.

Server Software:

Additional context
The necessary services for MySQL, OpenLDAP, MeshCentral and Nginx reverse proxy are in different containers in the same local subnet. This should not affect the login process.
I tried to pin down the cause of the problem and wrote a very simple copy of MeshCentral's LDAP login flow. This also errors out with:

Not stopping at ldapauth-fork, I went down the ldapjs rabbit hole:

But this style of JavaScript is way beyond my abilities. It looks like the same error and I can trigger it when providing an empty search filter to `ldapjs.client.search`, not just no search filter but an empty string. I cannot tell if that's the cause of the problem for any of the other two errors. `assert.ok(len)` only appears in `node_modules/asn1/lib/ber/writer.js` but I cannot tell if that's important. I tried console.log debugging in MeshCentral's webserver.js and found out that there are no group memberships stored in the ldap user object.

```
ldapsearch -H ldap://10.0.3.128:389/ -D uid=system_ro,ou=Users,ou=System,dc=wikimedia,dc=de -W -b ou=People,dc=wikimedia,dc=de "(uid=maal)"
```

does not return group memberships either, but querying memberOf directly does:

```
ldapsearch -H ldap://10.0.3.128:389/ -D uid=system_ro,ou=Users,ou=System,dc=wikimedia,dc=de -W -b ou=People,dc=wikimedia,dc=de "(uid=maal)" memberof
```

Your config.json file
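An added example (not MeshCentral's or ldapjs's code) that ties the two observations in this thread together: it parses an LDIF entry like the one shown above, including the operational `memberOf` values, and evaluates the group DNs against configured group lists the way a login or site-admin check would, comparing DNs case-insensitively. The sample LDIF and the two group lists are constructed for the demo and are not the issue's real config.

```javascript
// Added example, not code from MeshCentral or ldapjs. SAMPLE_LDIF is constructed
// from the thread and deliberately keeps its mixed-case "ou=groups" / "ou=Groups".
const SAMPLE_LDIF = `dn: uid=maal,ou=People,dc=wikimedia,dc=de
structuralObjectClass: inetOrgPerson
givenName:: TWFzaW4g
memberOf: cn=administrators,ou=groups,dc=wikimedia,dc=de
memberOf: cn=it,ou=groups,dc=wikimedia,dc=de
memberOf: cn=civicrm-importer,ou=Groups,dc=wikimedia,dc=de
entryDN: uid=maal,ou=People,dc=wikimedia,dc=de
`;

// Parse one LDIF entry into { attribute: [values] }. "attr:: value" is base64
// (givenName above), a leading space continues the previous line, "#" is a comment.
function parseLdifEntry(text) {
  const unfolded = [];
  for (const line of text.split('\n')) {
    if (!line.length || line.startsWith('#')) continue;
    if (line.startsWith(' ') && unfolded.length) unfolded[unfolded.length - 1] += line.slice(1);
    else unfolded.push(line);
  }
  const entry = {};
  for (const line of unfolded) {
    const m = line.match(/^([A-Za-z][\w;-]*)(::?) ?(.*)$/);
    if (!m) continue;
    const [, attr, sep, raw] = m;
    const value = sep === '::' ? Buffer.from(raw, 'base64').toString('utf8') : raw;
    (entry[attr] = entry[attr] || []).push(value);
  }
  return entry;
}

// DN matching is case-insensitive, so normalise both sides before comparing;
// otherwise "ou=Groups" would never match a configured "ou=groups".
function normaliseDn(dn) {
  return dn.split(',').map(part => part.trim().toLowerCase()).join(',');
}

// True when the entry's memberOf values include at least one configured group DN.
// Serves both ldapUserRequiredGroupMembership and ldapSiteAdminGroups checks.
function inAnyGroup(entry, groupDns) {
  const have = new Set((entry.memberOf || []).map(normaliseDn));
  return groupDns.some(g => have.has(normaliseDn(g)));
}

// Demo values (assumed, not from the issue's config.json).
const user = parseLdifEntry(SAMPLE_LDIF);
const required = ['cn=civicrm-importer,ou=groups,dc=wikimedia,dc=de'];
const siteAdmins = ['cn=administrators,ou=groups,dc=wikimedia,dc=de'];
console.log('login allowed:', inAnyGroup(user, required), '| site admin:', inAnyGroup(user, siteAdmins));
```

As the thread shows, `memberOf` is only present if the search explicitly requests it (or `+`); an entry fetched without it has no `memberOf` list and both checks correctly return false.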