Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Can't login to meshcentral (ldap) after update node to nodesource repository #5630

Open rpppng opened 10 months ago

rpppng commented 10 months ago

Can't log in to MeshCentral after updating Node.js from the Ubuntu repo to a new version of Node from deb.nodesource.com.

My config was: Ubuntu 22.04, Node.js 12.22.9 from the Ubuntu repo, MongoDB.

Steps:
1) remove nodejs 12
2) add the deb.nodesource repository
3) install nodejs 20

After that my LDAP users can't log in to MeshCentral; it seems like an incorrect password. When I start "node meshcentral --user xxxxxx" it works.

Then I removed nodejs 20, removed the nodesource repository, then installed nodejs 12.22.9 again, and MeshCentral is working: my users (LDAP) can authenticate.

How can I fix this?

arduin0guru commented 10 months ago

Restore from backup!

rpppng commented 10 months ago

What do I need to restore from the backup?

The problem is that on the new version of Node, authorization using LDAP does not work. And I need to understand how to solve this problem. So to update MeshCentral I need these steps:
1) add the nodesource repository
2) update nodejs
3) update MeshCentral
4) remove the nodesource repository
5) reinstall nodejs from the official Ubuntu repository

si458 commented 10 months ago

You haven't followed the bug report template, so it's missing information to help others with ur issue.

What does ur config.json look like? If you can run MeshCentral OK, then go into the console tab in the My Server tab, then run info and let us have the output? Are u sure it's using the correct node version? `node --version` How do you start up MeshCentral? Via normal node or systemctl? Have u checked the system.d file is pointing to the correct node version?

rpppng commented 10 months ago

```json
{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "MongoDb": "mongodb://127.0.0.1:27017/meshcentral",
    "cert": "ext-ra.c-lan.ru",
    "WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "port": 64443,
    "_agentPort": 64443,
    "aliasPort": 443,
    "AgentPong": 300,
    "_TlsOffload": false,
    "_TlsOffload": "127.0.0.1,172.17.0.0/24,172.18.0.0/24",
    "TrustedProxy": "127.0.0.1,172.17.0.0/24,172.18.0.0/24",
    "redirPort": 64080,
    "_redirAliasPort": 80,
    "ignoreAgentHashCheck": true,
    "_deviceSearchBarGroupName": true,
    "userAllowedIP": "127.0.0.1,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8",
    "_userAllowedIP": "127.0.0.1,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,89.189.176.195,37.195.148.101"
  },
  "domains": {
    "": {
      "_title": "MyServer",
      "_title2": "Servername",
      "_minify": true,
      "_newAccounts": true,
      "_userNameIsEmail": true,
      "deviceSearchBarGroupName": true,
      "deviceSearchBarServerAndClientName": true,
      "CertUrl": "https://ext-ra.c-lan.ru:443",
      "ManageAllDeviceGroups": [ "bayburin","novikov_mm" ],
      "auth": "ldap",
      "ldapOptions": {
        "url": "ldaps://srv-dc-01.kisnsk.local:636/",
        "bindDN": "CN=outsource-ad,OU=Почтовые УЗ и группы распространения,OU=c-lan,DC=kisnsk,DC=local",
        "bindCredentials": "P@ssw0rd",
        "searchBase": "OU=Users,OU=Отдел аутсорсинга,OU=c-lan,DC=kisnsk,DC=local",
        "searchFilter": "(sAMAccountName={{username}})"
      },
      "ldapUserKey": "sAMAccountName",
      "passwordRequirements": {
        "_force2factor": true,
        "_email2factor": false
      }
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "myemail@mydomain.com",
    "names": "myserver.mydomain.com",
    "production": false
  },
  "_smtp": {
    "host": "mail.c-lan.ru",
    "port": 25,
    "from": "meshcentral@alertto2705.c-lan.ru",
    "_user": "meshcentral@alertto2705.c-lan.ru",
    "tls": false,
    "verifyEmail": false
  }
}
```

```
> info
{
    "meshVersion": "v1.1.16",
    "nodeVersion": "v12.22.9",
    "runMode": "WAN mode",
    "productionMode": true,
    "database": "MongoDB",
    "dbChangeStream": false,
    "dbBulkOperations": false,
    "platform": "linux",
    "arch": "x64",
    "pid": 2334,
    "uptime": 909966.463965662,
    "cpuUsage": {
        "user": 16600860531,
        "system": 1751752482
    },
    "memoryUsage": {
        "rss": 402051072,
        "heapTotal": 80588800,
        "heapUsed": 71285744,
        "external": 54821798,
        "arrayBuffers": 53307442
    },
    "warnings": [
        {
            "msg": "MeshCentral will require Node v16 or above in the future, your current version is v12.22.9."
        },
        {
            "msg": "Agent hash checking is being skipped, this is unsafe.",
            "id": 9
        }
    ]
}
```

```ini
# /etc/systemd/system/meshcentral.service
[Unit]
Description=MeshCentral Server

[Service]
Type=simple
LimitNOFILE=1000000
ExecStart=/usr/bin/node /home/kis/mc/node_modules/meshcentral/meshcentral
WorkingDirectory=/home/kis/mc
Environment=NODE_ENV=production
User=kis
Group=kis
Restart=always
# Restart service after 10 seconds if node service crashes
RestartSec=10
# Set port permissions capability
AmbientCapabilities=cap_net_bind_service

[Install]
WantedBy=multi-user.target
```

Now my node version is v12.22.9 because I reverted it back. But when authorisation is not working, the `node --version` output is v.20.x. I can try again to update node to v20 from deb.nodesource.com and show the "info" output from the server console. Should I do it? BTW, I have Cyrillic in the LDAP options; maybe something is wrong with Cyrillic in v20 node, but OK in v12?

rpppng commented 6 months ago

I found what the problem is. It is not possible to perform authorization through ldaps, but it passes through ldap. Any ideas why authorization works correctly on the old version of NodeJS?

si458 commented 6 months ago

We have just discovered a bug with 1.1.22 with external authentication. A fix will be merged soon, so try 1.1.21 for the time being. Also use node 18 or above! We no longer support < 16 due to a dependency update which now requires node 16 or above.

Edit: You also don't say what MeshCentral version you are using, so how can we debug ur issue without knowing what version you are using?

rpppng commented 6 months ago

The version of MeshCentral was different (1.1.21 for example). I have been observing this problem for the last months and described the steps to reproduce it, among other things. On all versions there were problems with authorization via LDAP with node from the nodesource repository. As soon as the node version returned to 12 (Ubuntu repository), authorization began to work. Yesterday I checked the problem again after updating MC to 1.1.22. With "--debug ldap" I saw that the problem is that the latest version is complaining about the certificate:

`ldap LDAP Error: Error: unable to verify the first certificate`

Then I edited the config from ldaps 636 to ldap 389 and authorization worked fine.

I think it's not an MC problem, but maybe you can help with this.
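
The `unable to verify the first certificate` error reported above is Node's TLS chain verification failing against the directory server, and moving to `ldap://` on 389 removes the encryption from the bind rather than fixing the trust problem. The following is an added example, not code from this thread or from MeshCentral: a handshake-only probe that shows which certificates the server presents and what this Node build makes of them; the script name and CA file path are hypothetical.

```javascript
// Added example: run it with the same Node binary the MeshCentral service uses.
// Usage (hypothetical names): node ldaps-probe.js srv-dc-01.kisnsk.local 636 issuing-ca.pem
const tls = require('node:tls');
const fs = require('node:fs');

// Flatten the issuerCertificate links from getPeerCertificate(true).
// A self-signed root points back at itself, so stop on a repeated fingerprint.
function chainOf(peer) {
  const chain = [], seen = new Set();
  for (let c = peer; c && c.fingerprint256 && !seen.has(c.fingerprint256); c = c.issuerCertificate) {
    seen.add(c.fingerprint256);
    chain.push({ subject: c.subject.CN, issuer: c.issuer.CN });
  }
  return chain;
}

// Map Node's verification code to a likely cause and remedy.
function diagnose(code, chain) {
  const leaf = chain[0] || { subject: '?', issuer: '?' };
  switch (code) {
    case null: return 'chain verifies; keep ldaps://';
    case 'UNABLE_TO_VERIFY_LEAF_SIGNATURE': // "unable to verify the first certificate"
    case 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY':
      return `issuer "${leaf.issuer}" of "${leaf.subject}" is not trusted by this Node: ` +
        'add that CA with NODE_EXTRA_CA_CERTS or have the server send its full chain';
    case 'SELF_SIGNED_CERT_IN_CHAIN':
    case 'DEPTH_ZERO_SELF_SIGNED_CERT':
      return 'private root is not in this Node trust store: add it with NODE_EXTRA_CA_CERTS';
    default: return 'verification failed: ' + code;
  }
}

// Handshake only, no bind: rejectUnauthorized is off so the chain can be inspected.
function probe(host, port, caFile) {
  return new Promise((resolve, reject) => {
    const opts = { host, port, rejectUnauthorized: false };
    if (caFile) opts.ca = [fs.readFileSync(caFile)]; // trust only this CA for the check
    const s = tls.connect(opts, () => {
      const chain = chainOf(s.getPeerCertificate(true));
      const code = s.authorized ? null : String(s.authorizationError);
      s.end();
      resolve({ authorized: s.authorized, code, chain, advice: diagnose(code, chain) });
    });
    s.setTimeout(5000, () => s.destroy(new Error('timeout')));
    s.on('error', reject);
  });
}

if (process.argv[2]) probe(process.argv[2], Number(process.argv[3] || 636), process.argv[4]).then(console.log, console.error);
```

If the probe reports `authorized: true` once the CA file is supplied, the same file can be handed to the service through `NODE_EXTRA_CA_CERTS` (for the unit shown earlier, one more `Environment=` line), leaving the URL on `ldaps://`.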