YunoHost-Apps / wikijs_ynh

Modern and powerful wiki app package for YunoHost
https://wiki.js.org/
GNU Affero General Public License v3.0

Unable to successfully config LDAP #83

Closed bgpugh closed 4 years ago

bgpugh commented 4 years ago

As per email, created admin account and first page, then configured LDAP as the following:

Strategy Configuration
LDAP_URL: ldap://localhost:389
Admin Bind DN: uid=svc_wikijs_ldap,ou=users,dc=yunohost,dc=org
Admin Bind Credential: [redacted]
Search Base: ou=users,dc=yunohost,dc=org
Search Filter: (uid={{username}})

Registration
Allow self-registration: Yes
Assign to group: Guest
[Screenshot: Screen Shot 2020-01-12 at 23 34 22]

Whenever I try to log in, I get "Invalid email / username or password" and can't progress. I've tried turning on LDAP debug logging as per https://github.com/Requarks/wiki/issues/1239, but nothing is logged in the yunohost nginx logs.

I suspect this isn't enough to go on, but I'd be happy to try to gather any helpful logging if I can

yalh76 commented 4 years ago

Have you tried to log in with the username instead of the full email address?

bgpugh commented 4 years ago

Yup. That fails with “Missing or invalid email address from profile”

bgpugh commented 4 years ago

Interestingly, it looks like I can successfully log in to wiki.js with just the username & pass from another account in yunohost. The issue may be that having multiple email addresses (the default root@…, admin@…, etc) breaks the LDAP search?

yalh76 commented 4 years ago

Exactly, that's why the search filter is (uid={{username}}).

I will add that information in the mail

bgpugh commented 4 years ago

The issue reproduces with that search filter (see screenshot in first comment)

bgpugh commented 4 years ago

That is to say, logging in as my yunohost admin user fails when logging in via username (“Missing or invalid email address from profile”)

yalh76 commented 4 years ago

Yes, it's normal. If you first logged in to wikijs with your yunohost admin user, wikijs created a local account for him. And I think you can't have the same username for a local account and an ldap account.

bgpugh commented 4 years ago

I have two users in Yunohost/LDAP:

In Wiki.js, if I go to Administration → Users, I have three:

The "Bob" account shows as "ldap" in the provider column. The other two are both "local"

The root issue for this bug is "I can't log in to wiki.js with Alice"

I'm totally guessing, but it seems from the error message that when I get "Missing or invalid email address from profile" it might be due to having the email aliases set up?

yalh76 commented 4 years ago

Yes, I also think that your issue comes from the fact that Alice has several email addresses.

bgpugh commented 4 years ago

So should I re-file the bug stating all of that in case we can create a better LDAP config to handle that case, or should I file a bug upstream to have wiki.js support LDAP accounts with multiple email addresses?

yalh76 commented 4 years ago

Well, if you can, create two additional LDAP users:

  1. first one with one email address
  2. second one with two or more email addresses

And test whether or not you can log in with both accounts.
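
The hypothesis discussed in this thread, as an added example that is not code from Wiki.js or from this package: an LDAP client that returns a multi-valued `mail` attribute as an array will fail a profile check that expects a single string, while an account with one address passes. The function names, the `preferDomain` option, the validation rule and the sample entries are assumptions made for illustration.

```javascript
// Added illustration; not Wiki.js code. Entry shapes below are constructed.
// Assumption: the LDAP client returns a single-valued attribute as a string
// and a multi-valued attribute as an array of strings (ldapjs behaves this way).
const EMAIL_RE = /^[^\s@,]+@[^\s@,]+\.[^\s@,]+$/;
const PROFILE_ERROR = 'Missing or invalid email address from profile';

// Strict mapper: treats the mapped attribute as exactly one string.
function naiveEmail(entry, attr = 'mail') {
  const value = entry[attr];
  if (typeof value !== 'string' || !EMAIL_RE.test(value)) {
    throw new Error(PROFILE_ERROR);
  }
  return value.toLowerCase();
}

// Tolerant mapper: accepts a string or an array and returns one valid address.
// preferDomain (hypothetical option) pins the choice to a known mail domain.
function primaryEmail(entry, { attr = 'mail', preferDomain = null } = {}) {
  const raw = entry[attr];
  const candidates = (Array.isArray(raw) ? raw : [raw])
    .filter((v) => typeof v === 'string')
    .map((v) => v.trim().toLowerCase())
    .filter((v) => EMAIL_RE.test(v));
  if (candidates.length === 0) throw new Error(PROFILE_ERROR);
  if (preferDomain) {
    const suffix = '@' + preferDomain.toLowerCase();
    const hit = candidates.find((v) => v.endsWith(suffix));
    if (hit) return hit;
  }
  return candidates[0];
}

// Run a mapper the way a login handler would, turning a throw into a result.
function tryLogin(mapper, entry) {
  try {
    return { ok: true, email: mapper(entry) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample entries: bob has one address, alice has aliases.
const bob = { uid: 'bob', mail: 'bob@example.org' };
const alice = {
  uid: 'alice',
  mail: ['alice@example.org', 'root@example.org', 'admin@example.org'],
};
```

LDAP does not guarantee the order of attribute values, and the email usually becomes the account key, so in practice either set `preferDomain` or map a single-valued attribute rather than relying on the first array element.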