Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

can not create group #6104

Closed IamTaoChen closed 1 month ago

IamTaoChen commented 1 month ago

Describe the bug

when I create a new group nothing happens..

Screenshots


Server Software (please complete the following information):

si458 commented 1 month ago

You didn't follow the bug template. What is your config.json?

IamTaoChen commented 1 month ago

I use OIDC and the /admins group is set as siteAdmin

{
    "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
    "settings": {
        "plugins": {
            "enabled": false
        },
        "mongoDb": "mongodb://XXXX:XXXX@mongo:27017/meshcentral",
        "mongoDbName": "",
        "cert": "rd.demo8.org",
        "_WANonly": true,
        "_LANonly": true,
        "sessionKey": "XXXXXX",
        "port": 4430,
        "aliasPort": 443,
        "redirPort": 80,
        "_redirAliasPort": 80,
        "AgentPong": 300,
        "TLSOffload": "127.0.0.1",
        "SelfUpdate": false,
        "AllowFraming": true,
        "AllowLoginToken": true,
        "WebRTC": false,
        "wsCompression": true
    },
    "domains": {
        "": {
            "title": "XXXXX",
            "title2": "RD",
            "minify": true,
            "ssh": true,
            "newAccountsUserGroups":["users"],
            "NewAccounts": true,
            "localSessionRecording": false,
            "userNameIsEmail": false,
            "certUrl": "https://example.org:",
            "showPasswordLogin": false,
            "auth": "ldap",
            "ldapOptions": {
                "url": "ldaps://XXXXXX:636/",
                "tlsOptions": {
                    "rejectUnauthorized": false
                },
                "bindDN": "XXXXX",
                "bindCredentials": "XXXX",
                "searchBase": "XXXXX",
                "searchFilter": "(sAMAccountName={{username}})",
                "reconnect": true
            },
            "LDAPUserKey": "sAMAccountName",
            "ldapUserName": "displayName",
            "LDAPUserGroups": "memberOf",
            "LDAPSyncWithUserGroups": true,
            "authStrategies": {
                "oidc": {
                    "_authorizationURL": "https://XXXXXX.com/protocol/openid-connect/auth",
                    "callbackURL": "https://rd.example.com/oidc-callback",
                    "clientid": "XXXXX",
                    "clientsecret": "XXXXXX",
                    "issuer": "https://XXXXXX.com",
                    "_tokenURL": "https://XXXXXX.com/protocol/openid-connect/token",
                    "_userInfoURL": "https://XXXXXX.com/protocol/openid-connect/userinfo",
                    "_logouturl": "https://XXXXXX.com/protocol/openid-connect/logout",
                    "newAccounts": true,
                    "logouturl": "https://XXXXXX.com/protocol/openid-connect/logout",
                    "scope": [
                        "openid",
                        "profile",
                        "email",
                        "groups"
                    ],
                    "groups": {
                        "required": [
                            "/admins",
                            "/members"
                        ],
                        "siteadmin": [
                            "/admins"
                        ],
                        "sync": {
                            "enabled": true
                        },
                        "claim": "groups"
                    }
                }
            }
        }
    },
    "_letsencrypt": {
        "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
        "_email": "myemail@mydomain.com",
        "_names": "myserver.mydomain.com",
        "production": false
    },
    "_smtp": {
        "host": "xxxxx",
        "port": 25,
        "from": "xxxx",
        "tls": false,
        "user": "xxxxx",
        "pass": "xxxxx"
    }
}
si458 commented 1 month ago

You are mixing 2 authentication methods in your config.json. You have auth: "ldap" set AND authStrategies set. You should only have one or the other! So comment one out to remove it (_auth or _authStrategies), then restart meshcentral and try again.

IamTaoChen commented 1 month ago

> You are mixing 2 authentication methods in your config.json. You have auth: "ldap" set AND authStrategies set. You should only have one or the other! So comment one out to remove it (_auth or _authStrategies), then restart meshcentral and try again.

It still doesn't work.

si458 commented 1 month ago

@IamTaoChen well, which one did you comment out? What's your config.json look like now? You won't be able to create groups with LDAP because you have set LDAPSyncWithUserGroups.

IamTaoChen commented 1 month ago

> @IamTaoChen well, which one did you comment out? What's your config.json look like now? You won't be able to create groups with LDAP because you have set LDAPSyncWithUserGroups.

I only changed the auth:

"_auth": "ldap",

But I just tried to use 1.1.20 and it works.

si458 commented 1 month ago

There were changes in 1.1.21 and 1.1.22 with the OIDC (a community member changed code for things), so it might be something there that is broken, as there were a few other OIDC things that were broken and I've fixed recently.

So you use OIDC for the authentication and not LDAP?

Who's the OIDC provider? (I use authentik for my testing.) Just want to clarify so I can try to replicate it tomorrow for you.

si458 commented 1 month ago

@IamTaoChen after a quick look at the new docs written by the community member, the sync: true feature will copy the OIDC groups over, which might be why you can't create any groups manually: https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options

IamTaoChen commented 1 month ago

> @IamTaoChen after a quick look at the new docs written by the community member, the sync: true feature will copy the OIDC groups over, which might be why you can't create any groups manually: https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options

The reason I want to try to create a group manually is that the groups didn't sync from the OIDC groups, even though I can see the group information was extracted by MeshCentral.

IamTaoChen commented 1 month ago

> There were changes in 1.1.21 and 1.1.22 with the OIDC (a community member changed code for things), so it might be something there that is broken, as there were a few other OIDC things that were broken and I've fixed recently.
>
> So you use OIDC for the authentication and not LDAP?
>
> Who's the OIDC provider? (I use authentik for my testing.) Just want to clarify so I can try to replicate it tomorrow for you.

Yes, I use OIDC for authentication.

I use Keycloak. MeshCentral can get the group information.

si458 commented 1 month ago

> The reason I want to try to create a group manually is that the groups didn't sync from the OIDC groups, even though I can see the group information was extracted by MeshCentral.

Ah right, so it's not syncing the groups for starters, but then you can't create groups either! I will have a look when I get a chance for you.

si458 commented 1 month ago

OK, I've just fixed a bug where, using the OIDC sync feature, it wasn't syncing the groups correctly if you didn't specify any: https://github.com/Ylianst/MeshCentral/commit/5c13f178be800a1be21db05ace4cc0b36852f1b6 but I don't think that fixes your issue; I'm still looking into it for you 👍

si458 commented 1 month ago

@IamTaoChen OK, I've looked at this. Because you have sync: true, basically you aren't allowed to create groups. This is because they need to stay in sync with your OIDC provider, and this happens every time a user logs in. So the way to create a user group is: create a group in your backend OIDC provider, then add the users you want into it, again using your backend provider. Then, when a user of that group logs in, it will download its groups, see the new group, then create the group in MeshCentral and add all the other users in it.

// Check if we are in a mode that does not allow manual user group creation
if (
  (typeof domain.authstrategies == 'object') &&
  (typeof domain.authstrategies['oidc'] == 'object') &&
  (typeof domain.authstrategies['oidc'].groups == 'object') &&
  ((domain.authstrategies['oidc'].groups.sync == true) || ((typeof domain.authstrategies['oidc'].groups.sync == 'object') && (domain.authstrategies['oidc'].groups.sync.enabled == true)))
) {
  err = "Not allowed in OIDC mode with user group sync.";
}

But there is a bug where you don't get notified in the web UI, so I'll fix that for you.

IamTaoChen commented 1 month ago

> @IamTaoChen OK, I've looked at this. Because you have sync: true, basically you aren't allowed to create groups. This is because they need to stay in sync with your OIDC provider, and this happens every time a user logs in. So the way to create a user group is: create a group in your backend OIDC provider, then add the users you want into it, again using your backend provider. Then, when a user of that group logs in, it will download its groups, see the new group, then create the group in MeshCentral and add all the other users in it.
>
> // Check if we are in a mode that does not allow manual user group creation
> if (
>   (typeof domain.authstrategies == 'object') &&
>   (typeof domain.authstrategies['oidc'] == 'object') &&
>   (typeof domain.authstrategies['oidc'].groups == 'object') &&
>   ((domain.authstrategies['oidc'].groups.sync == true) || ((typeof domain.authstrategies['oidc'].groups.sync == 'object') && (domain.authstrategies['oidc'].groups.sync.enabled == true)))
> ) {
>   err = "Not allowed in OIDC mode with user group sync.";
> }
>
> But there is a bug where you don't get notified in the web UI, so I'll fix that for you.

Thanks, I'll test it.

si458 commented 1 month ago

@IamTaoChen you might need to use the newest master docker image again (built about 5 mins ago).

IamTaoChen commented 1 month ago

The problem still exists.


The demo user is in two groups, /members and /staff. /members was synced by the 1.1.20 version and /staff is a new group I created at the IdP.

And the demo user is in /members, but /staff was not created. (Also, I cannot create a group manually.)

si458 commented 1 month ago

I've just tested it here with my authentik, and it seemed to work? Created new group and new user, added new user to new group, logged into MC with new user, new group shows up? Even then I logged new user out, added new user into my ADMIN group for authentik, relogged user back in, ADMIN group now shows 2 users on MC (I had previously logged in the admin user to get this group created).

Is your config.json the same as above still? https://github.com/Ylianst/MeshCentral/issues/6104#issuecomment-2119260479 Try the latest master docker image from 2 mins ago: https://github.com/Ylianst/MeshCentral/pkgs/container/meshcentral/219060780?tag=master

IamTaoChen commented 1 month ago

It still doesn't work. This is my image:

docker image ls | grep meshcentral
ghcr.io/ylianst/meshcentral                                         master            2fe1c56bb34f   16 minutes ago      910MB
ghcr.io/ylianst/meshcentral                                         <none>            7df036099ce2   About an hour ago   910MB
ghcr.io/ylianst/meshcentral                                         <none>            cd77d6ba8458   2 days ago          910MB
ghcr.io/ylianst/meshcentral                                         latest            7dab3f2d7509   8 weeks ago         905MB
ghcr.io/ylianst/meshcentral                                         1.1.20            da14354298e0   3 months ago        896MB
docker pull ghcr.io/ylianst/meshcentral:master
master: Pulling from ylianst/meshcentral
Digest: sha256:1e8e0d7a97c6f0a30e0b9223322bc6ecdd09def4de3d0bee48fd52344513106e
Status: Image is up to date for ghcr.io/ylianst/meshcentral:master
ghcr.io/ylianst/meshcentral:master

Yes, I didn't change the config.json, which works with 1.1.20. The user can be added into the existing group, but MeshCentral doesn't create a new group.

IamTaoChen commented 1 month ago

How could I log more information?

si458 commented 1 month ago

node node_modules/meshcentral --debug web,authlog, and with docker you set:

environment:
  - ARGS=--debug web,authlog

IamTaoChen commented 1 month ago

✔ Container meshcentral  Started                                                                                                                    10.9s 
meshcentral  | Missing Modules: passport, openid-client, connect-flash
meshcentral  | Installing modules [ 'passport', 'openid-client', 'connect-flash' ]
meshcentral  | NPM Command Line: /usr/bin/node /usr/bin/npm install --save-exact --no-audit --omit=optional --no-fund passport openid-client connect-flash
meshcentral  | MeshCentral HTTP redirection server running on port 80.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 80.
meshcentral  | MeshCentral v1.1.22, Hybrid (LAN + WAN) mode, Production mode.
meshcentral  | MeshCentral Intel(R) AMT server running on example.com:4433.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 4433.
meshcentral  | AUTHLOG: OIDC: Setting up strategy for domain: 
meshcentral  | AUTHLOG: OIDC: OLD CONFIG: Moving old config to new location. strategy.clientid => strategy.client.client_id
meshcentral  | AUTHLOG: OIDC: OLD CONFIG: Moving old config to new location. strategy.clientsecret => strategy.client.client_secret
meshcentral  | AUTHLOG: OIDC: OLD CONFIG: Moving old config to new location. strategy.callbackurl => strategy.client.redirect_uri
meshcentral  | AUTHLOG: OIDC: Discovering Issuer Endpoints: https://auth.demo8.org/realms/iobs
meshcentral  | Loaded web certificate from "https://example.com:", host: "example.com"
meshcentral  |   SHA384 cert hash: 960e0e2645760b375cfca551691d822c022b8d5c8a7679fa7b6fa709d5ebad250408a5aa8b0c1f73cfb6f6e94efa17a2
meshcentral  | AUTHLOG: OIDC: Setup Complete
meshcentral  | AUTHLOG: Setting up authentication strategies login and callback URLs for root domain.
meshcentral  | AUTHLOG: OIDC: Authorization URL: /auth-oidc
meshcentral  | AUTHLOG: OIDC: Callback URL: /oidc-callback
meshcentral  | MeshCentral HTTP server running on port 4430, alias port 443.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestLogin()
meshcentral  | WEB: 404 Error /loading=lazy
meshcentral  | AUTHLOG: User Authorized: {"strategy":"oidc","sid":"~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21","name":"示 演","email":"demo@ds.iobs","emailVerified":true,"groups":["/staff","/members"],"preset":null}
meshcentral  | AUTHLOG: OIDC: GROUPS: USER: "~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21" Found 2 memberships: ["/staff", "/members"]
meshcentral  | AUTHLOG: OIDC: GROUPS: USER: "~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21" Membership to required group found: "/members"
meshcentral  | AUTHLOG: OIDC: LOGIN SUCCESS: USER: "~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21"
meshcentral  | AUTHLOG: OIDC: User Authenticated: {"_id":"user//~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21","type":"user","name":"示 演","email":"demo@ds.iobs","creation":1716144528,"login":1716144528,"access":1716311879,"domain":"","emailVerified":true,"links":{"ugrp//VC70XOLJi$$RyDMIcO3czsYnChE2ZVixNeh2ySS4UHh4S0GACzBIr7ADq0TLwL0A":{"rights":1}},"subscriptions":["user//~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21","server-allusers","ugrp//VC70XOLJi$$RyDMIcO3czsYnChE2ZVixNeh2ySS4UHh4S0GACzBIr7ADq0TLwL0A"]}
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.

si458 commented 1 month ago

@IamTaoChen your config.json is incorrect! Doh! Just spotted it! The sync section should look like this:

"groups": {
  "sync": true
}

https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options

So in your case:

"groups": {
  "required": [
    "/admins",
    "/members"
  ],
  "siteadmin": [
    "/admins"
  ],
  "sync": true,
  "claim": "groups"
}

IamTaoChen commented 1 month ago

> @IamTaoChen your config.json is incorrect! Doh! Just spotted it! The sync section should look like this:
>
> "groups": {
>   "sync": true
> }
>
> https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options
>
> So in your case:
>
> "groups": {
>   "required": [
>     "/admins",
>     "/members"
>   ],
>   "siteadmin": [
>     "/admins"
>   ],
>   "sync": true,
>   "claim": "groups"
> }

It works.

Sorry, I misunderstood this part. But it's weird that it worked with the previous version.

si458 commented 1 month ago

@IamTaoChen yes, that's because the person who wrote the new OIDC code, the code was years behind, so when it was merged by @Ylianst things goofed up. Also there is a migrate script to convert old OIDC config to the new one, but I'm guessing the sync: { enabled: true } isn't included! I will sort that out now!

si458 commented 1 month ago

OK, done: migrate groups.sync.enabled (spelt the commit message wrong, but hey ho) https://github.com/Ylianst/MeshCentral/commit/bc6451fee5e3575295961ee2fd5781e5c3d35438
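
The check quoted earlier in the thread and the config migration discussed in the last two comments, reconstructed together as an added example (editor's code, not MeshCentral's own). The `migrateOidcGroupSync` helper, the `manualUserGroupCreationError` wrapper and the sample config are assumptions; only the predicate and the error string come from the quoted snippet.

```javascript
// Added example, not MeshCentral's own code. It mirrors the manual-group-creation
// check quoted in the thread and the migration of the old
// "sync": { "enabled": true } form to the documented "sync": true form.
// All config objects below are constructed samples.

// Same predicate as the MeshCentral snippet above: manual user group creation
// is refused whenever OIDC group sync is on, in either config spelling, so the
// IdP stays the single source of truth for group membership.
function oidcGroupSyncEnabled(domain) {
  const oidc = domain && domain.authstrategies && domain.authstrategies.oidc;
  if (typeof oidc !== 'object' || oidc === null) return false;
  const groups = oidc.groups;
  if (typeof groups !== 'object' || groups === null) return false;
  const sync = groups.sync;
  return sync === true ||
    (typeof sync === 'object' && sync !== null && sync.enabled === true);
}

// Returns the error string the server would hand back, or null when allowed.
function manualUserGroupCreationError(domain) {
  return oidcGroupSyncEnabled(domain)
    ? 'Not allowed in OIDC mode with user group sync.'
    : null;
}

// Migration step in the spirit of the fix discussed: collapse the old object
// form into the boolean the current documentation specifies. Returns a copy;
// the input is left untouched so a dry run can be compared against it.
function migrateOidcGroupSync(domain) {
  const out = JSON.parse(JSON.stringify(domain));
  const oidc = out.authstrategies && out.authstrategies.oidc;
  const groups = oidc && oidc.groups;
  if (groups && typeof groups.sync === 'object' && groups.sync !== null) {
    groups.sync = groups.sync.enabled === true;
  }
  return out;
}

// Constructed sample shaped like the reporter's config (lowercased keys,
// matching `domain.authstrategies` in the quoted check).
const reporterDomain = {
  authstrategies: {
    oidc: {
      groups: {
        required: ['/admins', '/members'],
        siteadmin: ['/admins'],
        sync: { enabled: true },
        claim: 'groups'
      }
    }
  }
};

const migratedDomain = migrateOidcGroupSync(reporterDomain);
```

Both the reporter's object form and the migrated boolean form are treated as "sync on", which is why manual group creation was refused in both 1.1.22 builds discussed above.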

si458 commented 1 month ago

Are you OK to close this issue now? The original issue has been resolved: you can't create groups when using OIDC and sync.