Closed. IamTaoChen closed this issue 1 month ago.

You didn't follow the bug template. What is your config.json?

I use OIDC, and the /admins group is set as siteAdmin.
```json
{
  "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
  "settings": {
    "plugins": {
      "enabled": false
    },
    "mongoDb": "mongodb://XXXX:XXXX@mongo:27017/meshcentral",
    "mongoDbName": "",
    "cert": "rd.demo8.org",
    "_WANonly": true,
    "_LANonly": true,
    "sessionKey": "XXXXXX",
    "port": 4430,
    "aliasPort": 443,
    "redirPort": 80,
    "_redirAliasPort": 80,
    "AgentPong": 300,
    "TLSOffload": "127.0.0.1",
    "SelfUpdate": false,
    "AllowFraming": true,
    "AllowLoginToken": true,
    "WebRTC": false,
    "wsCompression": true
  },
  "domains": {
    "": {
      "title": "XXXXX",
      "title2": "RD",
      "minify": true,
      "ssh": true,
      "newAccountsUserGroups": ["users"],
      "NewAccounts": true,
      "localSessionRecording": false,
      "userNameIsEmail": false,
      "certUrl": "https://example.org:",
      "showPasswordLogin": false,
      "auth": "ldap",
      "ldapOptions": {
        "url": "ldaps://XXXXXX:636/",
        "tlsOptions": {
          "rejectUnauthorized": false
        },
        "bindDN": "XXXXX",
        "bindCredentials": "XXXX",
        "searchBase": "XXXXX",
        "searchFilter": "(sAMAccountName={{username}})",
        "reconnect": true
      },
      "LDAPUserKey": "sAMAccountName",
      "ldapUserName": "displayName",
      "LDAPUserGroups": "memberOf",
      "LDAPSyncWithUserGroups": true,
      "authStrategies": {
        "oidc": {
          "_authorizationURL": "https://XXXXXX.com/protocol/openid-connect/auth",
          "callbackURL": "https://rd.example.com/oidc-callback",
          "clientid": "XXXXX",
          "clientsecret": "XXXXXX",
          "issuer": "https://XXXXXX.com",
          "_tokenURL": "https://XXXXXX.com/protocol/openid-connect/token",
          "_userInfoURL": "https://XXXXXX.com/protocol/openid-connect/userinfo",
          "_logouturl": "https://XXXXXX.com/protocol/openid-connect/logout",
          "newAccounts": true,
          "logouturl": "https://XXXXXX.com/protocol/openid-connect/logout",
          "scope": [
            "openid",
            "profile",
            "email",
            "groups"
          ],
          "groups": {
            "required": [
              "/admins",
              "/members"
            ],
            "siteadmin": [
              "/admins"
            ],
            "sync": {
              "enabled": true
            },
            "claim": "groups"
          }
        }
      }
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
    "_email": "myemail@mydomain.com",
    "_names": "myserver.mydomain.com",
    "production": false
  },
  "_smtp": {
    "host": "xxxxx",
    "port": 25,
    "from": "xxxx",
    "tls": false,
    "user": "xxxxx",
    "pass": "xxxxx"
  }
}
```
You are mixing 2 authentication methods in your config.json. You have `auth: "ldap"` set AND `authStrategies` set. You should only have one or the other! So comment one out to remove it: `_auth` or `_authStrategies`. Then restart MeshCentral and try again.
It still doesn't work.
@IamTaoChen well, which one did you comment out? What does your config.json look like now? You won't be able to create groups with LDAP because you have set `LDAPSyncWithUserGroups`.
I only changed the auth: `"_auth": "ldap",`. But I just tried 1.1.20 and it works.
There were changes in 1.1.21 and 1.1.22 to the OIDC code (a community member changed code for things), so something there might be broken, as there were a few other OIDC things that were broken which I've fixed recently.

So you use OIDC for the authentication and not LDAP? Who is the OIDC provider? (I use authentik for my testing.) Just want to clarify so I can try to replicate it tomorrow for you.
@IamTaoChen after a quick look at the new docs written by the community member, the `sync: true` feature will copy the OIDC groups over, which might be why you can't create any groups manually: https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options
The reason I want to try to create a group manually is that the groups didn't sync from the OIDC groups, even though I can see the group information was extracted by MeshCentral.
Yes, I use OIDC for authentication. I use Keycloak. MeshCentral can get the group information.
Ah right, so it's not syncing the groups for starters, but then you can't create groups either! I will have a look for you when I get a chance.

OK, I've just fixed a bug where, using the OIDC sync feature, it wasn't syncing the groups correctly if you didn't specify any: https://github.com/Ylianst/MeshCentral/commit/5c13f178be800a1be21db05ace4cc0b36852f1b6. But I don't think that fixes your issue; I'm still looking into it for you 👍
@IamTaoChen OK, I've looked at this. Because you have `sync: true`, basically you aren't allowed to create groups. This is because they need to stay in sync with your OIDC provider, and this happens every time a user logs in. So the way to create a user group is to create a group in your backend OIDC provider, then add the users you want into it, again using your backend provider. Then, when a user of that group logs in, it will download its groups, see the new group, create the group in MeshCentral and add all the other users to it.

```js
// Check if we are in a mode that does not allow manual user group creation
if (
    (typeof domain.authstrategies == 'object') &&
    (typeof domain.authstrategies['oidc'] == 'object') &&
    (typeof domain.authstrategies['oidc'].groups == 'object') &&
    ((domain.authstrategies['oidc'].groups.sync == true) || ((typeof domain.authstrategies['oidc'].groups.sync == 'object') && (domain.authstrategies['oidc'].groups.sync.enabled == true)))
) {
    err = "Not allowed in OIDC mode with user group sync.";
}
```

But there is a bug where you don't get notified in the web UI, so I'll fix that for you.
Thanks, I'll test it.

@IamTaoChen you might need to use the newest `master` docker image again (built about 5 mins ago).
The problem still exists. The `demo` user is in two groups, `/members` and `/staff`. The `/members` group was synced by the 1.1.20 version, and `/staff` is a new group I created at the IdP. The `demo` user is in `/members`, but `/staff` was not created. (Also, I cannot create a group manually.)
I've just tested it here with my authentik, and it seemed to work? Created a new group and a new user, added the new user to the new group, logged into MC with the new user, and the new group shows up? Even then, I logged the new user out, added the new user into my ADMIN group in authentik, logged the user back in, and the ADMIN group now shows 2 users on MC (I had previously logged in the admin user to get this group created).

Is your config.json still the same as above? https://github.com/Ylianst/MeshCentral/issues/6104#issuecomment-2119260479

Try the latest `master` docker image from 2 mins ago: https://github.com/Ylianst/MeshCentral/pkgs/container/meshcentral/219060780?tag=master
It still doesn't work. This is my image:

```text
$ docker image ls | grep meshcentral
ghcr.io/ylianst/meshcentral   master    2fe1c56bb34f   16 minutes ago      910MB
ghcr.io/ylianst/meshcentral   <none>    7df036099ce2   About an hour ago   910MB
ghcr.io/ylianst/meshcentral   <none>    cd77d6ba8458   2 days ago          910MB
ghcr.io/ylianst/meshcentral   latest    7dab3f2d7509   8 weeks ago         905MB
ghcr.io/ylianst/meshcentral   1.1.20    da14354298e0   3 months ago        896MB

$ docker pull ghcr.io/ylianst/meshcentral:master
master: Pulling from ylianst/meshcentral
Digest: sha256:1e8e0d7a97c6f0a30e0b9223322bc6ecdd09def4de3d0bee48fd52344513106e
Status: Image is up to date for ghcr.io/ylianst/meshcentral:master
ghcr.io/ylianst/meshcentral:master
```
Yes, I didn't change the config.json, which works with 1.1.20. The user can be added to the existing group, but MeshCentral doesn't create the new group. How could I log more information?
```sh
node node_modules/meshcentral --debug web,authlog
```

And with docker you set:

```yaml
environment:
  - ARGS=--debug web,authlog
```
```text
✔ Container meshcentral  Started  10.9s
meshcentral  | Missing Modules: passport, openid-client, connect-flash
meshcentral  | Installing modules [ 'passport', 'openid-client', 'connect-flash' ]
meshcentral  | NPM Command Line: /usr/bin/node /usr/bin/npm install --save-exact --no-audit --omit=optional --no-fund passport openid-client connect-flash
meshcentral  | MeshCentral HTTP redirection server running on port 80.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 80.
meshcentral  | MeshCentral v1.1.22, Hybrid (LAN + WAN) mode, Production mode.
meshcentral  | MeshCentral Intel(R) AMT server running on example.com:4433.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 4433.
meshcentral  | AUTHLOG: OIDC: Setting up strategy for domain:
meshcentral  | AUTHLOG: OIDC: OLD CONFIG: Moving old config to new location. strategy.clientid => strategy.client.client_id
meshcentral  | AUTHLOG: OIDC: OLD CONFIG: Moving old config to new location. strategy.clientsecret => strategy.client.client_secret
meshcentral  | AUTHLOG: OIDC: OLD CONFIG: Moving old config to new location. strategy.callbackurl => strategy.client.redirect_uri
meshcentral  | AUTHLOG: OIDC: Discovering Issuer Endpoints: https://auth.demo8.org/realms/iobs
meshcentral  | Loaded web certificate from "https://example.com:", host: "example.com"
meshcentral  | SHA384 cert hash: 960e0e2645760b375cfca551691d822c022b8d5c8a7679fa7b6fa709d5ebad250408a5aa8b0c1f73cfb6f6e94efa17a2
meshcentral  | AUTHLOG: OIDC: Setup Complete
meshcentral  | AUTHLOG: Setting up authentication strategies login and callback URLs for root domain.
meshcentral  | AUTHLOG: OIDC: Authorization URL: /auth-oidc
meshcentral  | AUTHLOG: OIDC: Callback URL: /oidc-callback
meshcentral  | MeshCentral HTTP server running on port 4430, alias port 443.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestLogin()
meshcentral  | WEB: 404 Error /loading=lazy
meshcentral  | AUTHLOG: User Authorized: {"strategy":"oidc","sid":"~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21","name":"示 演","email":"demo@ds.iobs","emailVerified":true,"groups":["/staff","/members"],"preset":null}
meshcentral  | AUTHLOG: OIDC: GROUPS: USER: "~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21" Found 2 memberships: ["/staff", "/members"]
meshcentral  | AUTHLOG: OIDC: GROUPS: USER: "~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21" Membership to required group found: "/members"
meshcentral  | AUTHLOG: OIDC: LOGIN SUCCESS: USER: "~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21"
meshcentral  | AUTHLOG: OIDC: User Authenticated: {"_id":"user//~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21","type":"user","name":"示 演","email":"demo@ds.iobs","creation":1716144528,"login":1716144528,"access":1716311879,"domain":"","emailVerified":true,"links":{"ugrp//VC70XOLJi$$RyDMIcO3czsYnChE2ZVixNeh2ySS4UHh4S0GACzBIr7ADq0TLwL0A":{"rights":1}},"subscriptions":["user//~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21","server-allusers","ugrp//VC70XOLJi$$RyDMIcO3czsYnChE2ZVixNeh2ySS4UHh4S0GACzBIr7ADq0TLwL0A"]}
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
```
@IamTaoChen your config.json is incorrect! Doh! Just spotted it! The sync section should look like this:

```json
"groups": {
  "sync": true
}
```

https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options

So in your case:

```json
"groups": {
  "required": [
    "/admins",
    "/members"
  ],
  "siteadmin": [
    "/admins"
  ],
  "sync": true,
  "claim": "groups"
}
```
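The two checks this thread turns on, as an added example that is not MeshCentral's code and not part of the original thread: the quoted guard that refuses manual user-group creation while OIDC group sync is on (which, as written, fires for both `sync: true` and `sync: { enabled: true }`), and the evaluation of the ID token's groups claim against `required` and `siteadmin`. It also includes a normalization that rewrites the reporter's object form into the documented `sync: true`. The function names, the normalization's exact behaviour, and the constructed claims are this example's own assumptions; the "any required group suffices" rule is taken from the posted authlog, where a user in `/members` but not `/admins` logs in successfully.

```javascript
'use strict';
// Added example (not MeshCentral's code). Models the two checks discussed in this issue:
//   1. The quoted guard that blocks manual user-group creation when OIDC group sync is on.
//   2. Evaluation of the ID token's groups claim against `required` and `siteadmin`.
// Plus an assumed normalization that rewrites `sync: { enabled: true }` into the documented
// `sync: true`. Function names and the normalization are this example's assumptions.

// Constructed input: the groups block in the shape the reporter posted (sync as an object).
const reportedDomain = {
  authstrategies: {
    oidc: {
      groups: {
        required: ['/admins', '/members'],
        siteadmin: ['/admins'],
        sync: { enabled: true },
        claim: 'groups'
      }
    }
  }
};

// Same condition as the check quoted in the thread: either `sync: true` or
// `sync: { enabled: true }` puts the domain in "groups come from the IdP" mode, so a
// manually created group would be overwritten at the next login and is refused.
function manualGroupCreationBlocked(domain) {
  const oidc = domain && domain.authstrategies && domain.authstrategies.oidc;
  if (typeof oidc !== 'object' || oidc === null) return false;
  if (typeof oidc.groups !== 'object' || oidc.groups === null) return false;
  const sync = oidc.groups.sync;
  return sync === true || (typeof sync === 'object' && sync !== null && sync.enabled === true);
}

// Assumed migration step, modeled on the fix described at the end of the thread: the
// documented shape is `"sync": true`; an object with `enabled: true` becomes `true`, any
// other object becomes `false`. Works on a deep copy so the input config is left untouched.
function normalizeOidcGroups(domain) {
  const copy = JSON.parse(JSON.stringify(domain));
  const groups = copy && copy.authstrategies && copy.authstrategies.oidc && copy.authstrategies.oidc.groups;
  if (groups && typeof groups.sync === 'object' && groups.sync !== null) {
    groups.sync = groups.sync.enabled === true;
  }
  return copy;
}

// Evaluate one login from the decoded claims. The claim holding the memberships is named by
// `groupsConfig.claim` (default "groups"). `required` is satisfied by membership in ANY listed
// group, as the posted authlog shows ("Membership to required group found: /members").
// `siteadmin` is granted only to an allowed user who is in one of the siteadmin groups, and the
// memberships to mirror into MeshCentral are returned only when sync is on and login is allowed.
function evaluateOidcGroups(groupsConfig, claims) {
  const claimName = typeof groupsConfig.claim === 'string' ? groupsConfig.claim : 'groups';
  const raw = claims ? claims[claimName] : undefined;
  const memberships = Array.isArray(raw) ? raw : [];
  const required = Array.isArray(groupsConfig.required) ? groupsConfig.required : [];
  const siteadmin = Array.isArray(groupsConfig.siteadmin) ? groupsConfig.siteadmin : [];
  const allowed = required.length === 0 || required.some((g) => memberships.includes(g));
  const isSiteAdmin = allowed && siteadmin.some((g) => memberships.includes(g));
  const syncOn = manualGroupCreationBlocked({ authstrategies: { oidc: { groups: groupsConfig } } });
  return { allowed, isSiteAdmin, groupsToSync: allowed && syncOn ? memberships.slice() : [] };
}

// Walk-through with the reporter's data: migrate the config, then replay the logged login
// (constructed claims; the groups list matches the posted authlog).
const migratedDomain = normalizeOidcGroups(reportedDomain);
const demoLogin = evaluateOidcGroups(migratedDomain.authstrategies.oidc.groups, {
  sub: 'example-subject',
  groups: ['/staff', '/members']
});
console.log('manual group creation blocked (posted config):', manualGroupCreationBlocked(reportedDomain));
console.log('migrated sync value:', migratedDomain.authstrategies.oidc.groups.sync);
console.log('login result:', JSON.stringify(demoLogin));
```

Run it with `node` and it prints that manual creation is blocked for the posted config, that the migrated `sync` value is `true`, and that the replayed login is allowed, is not siteadmin, and would sync `/staff` and `/members`.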
It works. Sorry, I misunderstood this part. But it's weird that it worked in the previous version.
@IamTaoChen yes, that's because the person who wrote the new OIDC code was working from code that was years behind, so when it was merged by @Ylianst things goofed up. Also, there is a migrate script to convert the old OIDC config to the new one, but I'm guessing `sync: { enabled: true }` isn't included! I will sort that out now!

OK, done: migrate `groups.sync.enabled` (spelt the commit message wrong, but hey ho): https://github.com/Ylianst/MeshCentral/commit/bc6451fee5e3575295961ee2fd5781e5c3d35438

Are you OK to close this issue now? The original issue has been resolved: you can't create groups when using OIDC and sync.
Describe the bug: when I create a new group, nothing happens.