alan-turing-institute / data-safe-haven

https://data-safe-haven.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Registering users on an SRE does not give them access to workspaces #1908

Open craddm opened 1 month ago

craddm commented 1 month ago

:white_check_mark: Checklist

:computer: System information

:no_entry_sign: Describe the problem

Registering an existing user to an SRE successfully adds them to the appropriate group on the Entra tenant, but they can't access any workspaces through the SRE.

```shell
dsh users register -u matt.craddock morcilla
```

They also don't show up as having access to the SRE when running `dsh users list`.

:deciduous_tree: Log messages

Relevant log messages

```none
(data-safe-haven) deploydsh@5c85686fc4dd:/workspaces/data-safe-haven$ dsh users register -u matt.craddock morcilla
2024-05-20 13:23:22 [ INFO] Reading project settings from '/home/deploydsh/.config/data_safe_haven/contexts.yaml'. context_settings.py:152
2024-05-20 13:23:24 [ INFO] Preparing to register 1 user(s) with SRE 'morcilla' users.py:109
2024-05-20 13:23:57 [ INFO] Added user 'matt.craddock' to group 'Data Safe Haven SRE morcilla Users'. graph_api.py:162
(data-safe-haven) deploydsh@5c85686fc4dd:/workspaces/data-safe-haven$ dsh users list
2024-05-20 13:33:12 [ INFO] Reading project settings from '/home/deploydsh/.config/data_safe_haven/contexts.yaml'. context_settings.py:152
2024-05-20 13:33:16 [ INFO] Azure user: mcraddock@turing.ac.uk (3f1a8e26-eae2-4539-952a-0a6184ec248a) azure_cli.py:71
2024-05-20 13:33:16 [ INFO] Azure tenant ID: 4395f4a7-e455-4f95-8a9f-1fbaef6384f9) azure_cli.py:72
2024-05-20 13:33:16 [ INFO] Is this the Azure account you expect? [y/n] (n): y
2024-05-20 13:33:18 [ INFO] Installing required Pulumi plugins project_manager.py:302
2024-05-20 13:33:18 [ INFO] Creating/loading stack shm-lincolnshire-sre-chorizo. project_manager.py:144
2024-05-20 13:33:20 [ INFO] Loaded stack shm-lincolnshire-sre-chorizo. project_manager.py:157
2024-05-20 13:33:21 [ ERROR] Could not load users for SRE 'chorizo'. user_handler.py:103
2024-05-20 13:33:21 [ INFO] Installing required Pulumi plugins project_manager.py:302
2024-05-20 13:33:21 [ INFO] Creating/loading stack shm-lincolnshire-sre-morcilla. project_manager.py:144
2024-05-20 13:33:23 [ INFO] Loaded stack shm-lincolnshire-sre-morcilla. project_manager.py:157
2024-05-20 13:34:40 [ INFO] Added temporary firewall rule for 193.60.220.253. azure_postgresql_database.py:191
2024-05-20 13:34:41 [ INFO] Running SQL script: list_users.mustache.sql. azure_postgresql_database.py:150
2024-05-20 13:34:41 [ INFO] Finished running 1 SQL scripts. azure_postgresql_database.py:158
2024-05-20 13:35:51 [ INFO] Removed all firewall rule(s) from shm-lincolnshire-sre-morcilla-db-server-guacamole. azure_postgresql_database.py:219
2024-05-20 13:35:52 [ INFO] ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓ user_handler.py:130
2024-05-20 13:35:52 [ INFO] ┃ username                   ┃ Entra ID ┃ SRE chorizo ┃ SRE morcilla ┃ user_handler.py:130
2024-05-20 13:35:52 [ INFO] ┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━┩ user_handler.py:130
2024-05-20 13:35:52 [ INFO] │ aad.admin.emergency.access │ x        │             │              │ user_handler.py:130
2024-05-20 13:35:52 [ INFO] │ aad.admin.james.robinson   │ x        │             │              │ user_handler.py:130
2024-05-20 13:35:52 [ INFO] │ aad.admin.jim.madge        │ x        │             │              │ user_handler.py:130
2024-05-20 13:35:52 [ INFO] │ aad.admin.matt.craddock    │ x        │             │              │ user_handler.py:130
2024-05-20 13:35:52 [ INFO] │ fay.kname                  │ x        │             │              │ user_handler.py:130
2024-05-20 13:35:52 [ INFO] │ matt.craddock              │ x        │             │              │ user_handler.py:130
2024-05-20 13:35:52 [ INFO] └────────────────────────────┴──────────┴─────────────┴──────────────┘ user_handler.py:130
2024-05-20 13:35:52 [ INFO]
```

:recycle: To reproduce

jemrobinson commented 1 month ago

Could this be related to #1882? Have you redeployed since the fix was merged?

Look at the log messages section of that issue to see the various indications in different container logs that something wasn't working.

In this case, it's likely that guacamole-user-sync might show the problem, as it's likely that users aren't being synchronised from the identity server to the guacamole database.

craddm commented 1 month ago

Literally just deployed it. Will take a look.

craddm commented 1 month ago

[image attached to the comment]

jemrobinson commented 1 month ago

OK, that definitely looks like a config file error! You should be able to connect to the container instance (where it says "Connect" in this screenshot). N.B. this won't work from the Turing VPN as the relevant ports are blocked.

[screenshot: Screenshot 2024-05-20 at 15 20 22]

You can get either /bin/bash or /bin/sh depending on what's available in the container. guacamole-user-sync is based on Debian:slim (https://github.com/alan-turing-institute/guacamole-user-sync/blob/main/Dockerfile) so may not have bash.

From the shell, you can look at the config file, which from here (https://github.com/alan-turing-institute/guacamole-user-sync/blob/main/synchronise/run) looks like it should be at /app/resources/pg-ldap-sync.yaml. Is there a formatting problem with this?

craddm commented 1 month ago

I don't know how to tell - here's the file:

```yaml
# cat /app/resources/pg-ldap-sync.yaml
# LDAP-synchronized groups/users are identified through their
# membership of ldap_user and ldap_group. These two roles must
# therefore be manually defined before running pg_ldap_sync.

# Connection parameters to LDAP server
# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
ldap_connection:
  host: identity.morcilla.blue.develop.turingsafehaven.ac.uk
  port: 1389
  auth:
    method: :anonymous

# Search parameters for LDAP users which should be synchronized
ldap_users:
  base: OU=users,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk
  # LDAP filter defining which LDAP users should be synchronized
  filter: (&(objectClass=posixAccount)(|(memberOf=CN=Data Safe Haven SRE morcilla Administrators,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk)(memberOf=CN=Data Safe Haven SRE morcilla Privileged Users,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk)(memberOf=CN=Data Safe Haven SRE morcilla Users,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk)))
  # this attribute is used as PG role name
  name_attribute: oauth_username
  # lowercase name for use as PG role name
  lowercase_name: false

# Search parameters for LDAP groups which should be synchronized
ldap_groups:
  base: OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk
  # LDAP filter defining which LDAP groups should be synchronized
  filter: (&(objectClass=posixGroup)(|(CN=Data Safe Haven SRE morcilla Administrators)(CN=Data Safe Haven SRE morcilla Privileged Users)(CN=Data Safe Haven SRE morcilla Users)(memberOf=CN=Primary user groups for Data Safe Haven SRE morcilla Administrators,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk)(memberOf=CN=Primary user groups for Data Safe Haven SRE morcilla Privileged Users,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk)(memberOf=CN=Primary user groups for Data Safe Haven SRE morcilla Users,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk)))
  # this attribute is used as PG role name
  name_attribute: cn
  # lowercase name for use as PG role name
  lowercase_name: false
  # this attribute must reference all member DNs of the given group
  member_attribute: member

# Connection parameters to PostgreSQL server
# see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
pg_connection:
  host: 10.2.1.36
  dbname: guacamole
  user: postgresadmin
  password: !#$Hfiquey<3z[_Uq3kw
  port: 5432

pg_users:
  # Filter for identifying LDAP generated users in the database.
  # This is the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users')
  # Options for CREATE RULE statements
  create_options: LOGIN IN ROLE ldap_users

pg_groups:
  # Filter for identifying LDAP generated groups in the database.
  # This is the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
  # Options for CREATE RULE statements
  create_options: NOLOGIN IN ROLE ldap_groups
  grant_options:
```

jemrobinson commented 1 month ago

What is at line 41 column 13? I think it might be the first character of the password, which is an "!". Maybe this is causing the problem?

Edit: looks like a string that starts with "!" has special meaning in YAML (https://yaml.org/spec/1.2-old/spec.html#id2784064). Can you try editing that file and wrap the password string in double-quotes?

I'll get a fix added to guacamole-user-sync if that's the issue.
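To make the "!" problem concrete, here is an added Ruby example (not code from guacamole-user-sync or pg_ldap_sync, both of which are only referenced above). It builds a cut-down `pg_connection` stanza with the password from the pasted file, first unquoted and then wrapped in double quotes, and loads each through Psych, the same YAML library a Ruby tool like pg_ldap_sync uses. The `render_pg_connection` and `yaml_double_quote` helpers are this example's own; the stanza's other values are copied from the file above.

```ruby
require 'yaml'

# The value from the pasted config. Single-quoted on purpose: in a Ruby
# double-quoted literal, "#$Hfiquey" would interpolate the global variable $Hfiquey.
PASSWORD = '!#$Hfiquey<3z[_Uq3kw'

# Constructed stand-in for the pg_connection stanza of pg-ldap-sync.yaml
# (host/dbname/user copied from the pasted file; other sections omitted because
# the parse failure is confined to this one scalar).
def render_pg_connection(password, quoted:)
  scalar = quoted ? yaml_double_quote(password) : password
  <<~YAML
    pg_connection:
      host: 10.2.1.36
      dbname: guacamole
      user: postgresadmin
      password: #{scalar}
      port: 5432
  YAML
end

# Emit a YAML double-quoted scalar. Inside double quotes only the backslash and
# the quote itself need escaping for printable ASCII; control characters are
# written as \xNN so that an arbitrary secret round-trips unchanged.
def yaml_double_quote(value)
  body = value.each_char.map do |c|
    case c
    when '\\' then '\\\\'
    when '"'  then '\\"'
    else (c.ord < 0x20 || c.ord == 0x7f) ? format('\\x%02X', c.ord) : c
    end
  end.join
  %("#{body}")
end

# Load the stanza the way a Ruby YAML consumer would and report either the
# recovered password or the Psych parse error with its 1-based position.
def load_pg_password(text)
  doc = YAML.safe_load(text)
  { ok: true, password: doc['pg_connection']['password'] }
rescue Psych::SyntaxError => e
  { ok: false, line: e.line, column: e.column, message: e.message }
end

# Unquoted: "!" opens a YAML tag, so the scanner stops at the "#" right after it
# (line 5, column 13 of the snippet, matching "line 41 column 13" in the real file).
# Quoted: the password is returned verbatim.
def demo
  {
    unquoted: load_pg_password(render_pg_connection(PASSWORD, quoted: false)),
    quoted:   load_pg_password(render_pg_connection(PASSWORD, quoted: true))
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |label, result| puts "#{label}: #{result}" }
end
```

The reported column is that of the "!" itself, which is why the error in the container points at the first character of the password rather than at the "#": Psych records the position where it started scanning the tag.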

jemrobinson commented 1 month ago

@craddm Should be fixed in main of guacamole-user-sync. Can you try changing the Docker image for guacamole-user-sync to main and redeploying? If it works, I'll make a new tag.

craddm commented 1 month ago

I also figured out it was the "!" that was the problem.

I've switched the Docker image to main and no longer see the same error in the logs. But the user syncing still doesn't work. I can't see any errors along the lines of those in #1882.

jemrobinson commented 1 month ago

Can you post log excerpts from the logs that are shown in #1882?

craddm commented 1 month ago

guacamole-user-sync

```none
2024-05-21T09:20:18+00:00 Running LDAP synchronisation...
I, [2024-05-21T09:20:19.841473 #27452]  INFO -- : user stat: create: 0 drop: 0 keep: 0
I, [2024-05-21T09:20:19.841537 #27452]  INFO -- : group stat: create: 0 drop: 0 keep: 0
I, [2024-05-21T09:20:19.841565 #27452]  INFO -- : membership stat: grant: 0 revoke: 0 keep: 0
2024-05-21T09:20:19+00:00 Updating database...
DO
DO
DO
DO
DO
psql:/app/resources/init_db.sql:99: NOTICE:  relation "guacamole_connection_group" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:102: NOTICE:  relation "guacamole_connection_group_parent_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:140: NOTICE:  relation "guacamole_connection" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:143: NOTICE:  relation "guacamole_connection_parent_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:163: NOTICE:  relation "guacamole_entity" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:213: NOTICE:  relation "guacamole_user" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:239: NOTICE:  relation "guacamole_user_group" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:262: NOTICE:  relation "guacamole_user_group_member" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:288: NOTICE:  relation "guacamole_sharing_profile" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:291: NOTICE:  relation "guacamole_sharing_profile_primary_connection_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:310: NOTICE:  relation "guacamole_connection_parameter" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:313: NOTICE:  relation "guacamole_connection_parameter_connection_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:334: NOTICE:  relation "guacamole_sharing_profile_parameter" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:337: NOTICE:  relation "guacamole_sharing_profile_parameter_sharing_profile_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:358: NOTICE:  relation "guacamole_user_attribute" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:361: NOTICE:  relation "guacamole_user_attribute_user_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:382: NOTICE:  relation "guacamole_user_group_attribute" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:385: NOTICE:  relation "guacamole_user_group_attribute_user_group_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:406: NOTICE:  relation "guacamole_connection_attribute" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:409: NOTICE:  relation "guacamole_connection_attribute_connection_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:430: NOTICE:  relation "guacamole_connection_group_attribute" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:433: NOTICE:  relation "guacamole_connection_group_attribute_connection_group_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:454: NOTICE:  relation "guacamole_sharing_profile_attribute" already exists, skipping
CREATE TABLE
CREATE INDEX
psql:/app/resources/init_db.sql:457: NOTICE:  relation "guacamole_sharing_profile_attribute_sharing_profile_id" already exists, skipping
psql:/app/resources/init_db.sql:480: NOTICE:  relation "guacamole_connection_permission" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:483: NOTICE:  relation "guacamole_connection_permission_connection_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:486: NOTICE:  relation "guacamole_connection_permission_entity_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:509: NOTICE:  relation "guacamole_connection_group_permission" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:512: NOTICE:  relation "guacamole_connection_group_permission_connection_group_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:515: NOTICE:  relation "guacamole_connection_group_permission_entity_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:538: NOTICE:  relation "guacamole_sharing_profile_permission" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:541: NOTICE:  relation "guacamole_sharing_profile_permission_sharing_profile_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:544: NOTICE:  relation "guacamole_sharing_profile_permission_entity_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:562: NOTICE:  relation "guacamole_system_permission" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:565: NOTICE:  relation "guacamole_system_permission_entity_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:589: NOTICE:  relation "guacamole_user_permission" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:592: NOTICE:  relation "guacamole_user_permission_affected_user_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:595: NOTICE:  relation "guacamole_user_permission_entity_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:619: NOTICE:  relation "guacamole_user_group_permission" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:622: NOTICE:  relation "guacamole_user_group_permission_affected_user_group_id" already exists, skipping
CREATE INDEX
CREATE INDEX
psql:/app/resources/init_db.sql:625: NOTICE:  relation "guacamole_user_group_permission_entity_id" already exists, skipping
psql:/app/resources/init_db.sql:660: NOTICE:  relation "guacamole_connection_history" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:663: NOTICE:  relation "guacamole_connection_history_user_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:666: NOTICE:  relation "guacamole_connection_history_connection_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:669: NOTICE:  relation "guacamole_connection_history_sharing_profile_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:672: NOTICE:  relation "guacamole_connection_history_start_date" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:675: NOTICE:  relation "guacamole_connection_history_end_date" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:678: NOTICE:  relation "guacamole_connection_history_connection_id_start_date" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:699: NOTICE:  relation "guacamole_user_history" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:702: NOTICE:  relation "guacamole_user_history_user_id" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:705: NOTICE:  relation "guacamole_user_history_start_date" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:708: NOTICE:  relation "guacamole_user_history_end_date" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:711: NOTICE:  relation "guacamole_user_history_user_id_start_date" already exists, skipping
CREATE INDEX
psql:/app/resources/init_db.sql:733: NOTICE:  relation "guacamole_user_password_history" already exists, skipping
CREATE TABLE
psql:/app/resources/init_db.sql:736: NOTICE:  relation "guacamole_user_password_history_user_id" already exists, skipping
CREATE INDEX
DO
DO
INSERT 0 0
INSERT 0 0
INSERT 0 0
INSERT 0 0
INSERT 0 0
2024-05-21T09:20:20+00:00 Finished database synchronisation
```

apricot

```none
2024-05-21 09:25:01+0000 [ReadOnlyLDAPServer,598,10.2.2.4] Handling an LDAP search request.
2024-05-21 09:25:01+0000 [ReadOnlyLDAPServer,598,10.2.2.4] Starting an LDAP lookup for 'OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk'.
2024-05-21 09:25:01+0000 [ReadOnlyLDAPServer,598,10.2.2.4] S->C LDAPMessage(id=283, value=LDAPSearchResultDone(resultCode=0), controls=None)
2024-05-21 09:25:01+0000 [ReadOnlyLDAPServer,592,10.2.2.4] S<-C LDAPMessage(id=231, value=LDAPSearchRequest(baseObject=b'OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk', scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value=b'objectClass'), assertionValue=BEROctetString(value=b'posixGroup')), LDAPFilter_or(value=[LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value=b'CN'), assertionValue=BEROctetString(value=b'Data Safe Haven SRE morcilla Administrators')), LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value=b'CN'), assertionValue=BEROctetString(value=b'Data Safe Haven SRE morcilla Privileged Users')), LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value=b'CN'), assertionValue=BEROctetString(value=b'Data Safe Haven SRE morcilla Users')), LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value=b'memberOf'), assertionValue=BEROctetString(value=b'CN=Primary user groups for Data Safe Haven SRE morcilla Administrators,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk')), LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value=b'memberOf'), assertionValue=BEROctetString(value=b'CN=Primary user groups for Data Safe Haven SRE morcilla Privileged Users,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk')), LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value=b'memberOf'), assertionValue=BEROctetString(value=b'CN=Primary user groups for Data Safe Haven SRE morcilla Users,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk'))])]), LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value=b'memberUid'), assertionValue=BEROctetString(value=b'root'))]), attributes=[b'cn', b'gidNumber']), controls=None)
2024-05-21 09:25:01+0000 [ReadOnlyLDAPServer,592,10.2.2.4] Handling an LDAP search request.
2024-05-21 09:25:01+0000 [ReadOnlyLDAPServer,592,10.2.2.4] Starting an LDAP lookup for 'OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk'.
2024-05-21 09:25:01+0000 [ReadOnlyLDAPServer,592,10.2.2.4] S->C LDAPMessage(id=231, value=LDAPSearchResultDone(resultCode=0), controls=None)
```

apricot connectivity

```none
/app # nslookup graph.microsoft.com
Server:         192.168.0.4
Address:        192.168.0.4:53

Non-authoritative answer:
graph.microsoft.com     canonical name = ags.privatelink.msidentity.com
ags.privatelink.msidentity.com  canonical name = www.tm.prd.ags.akadns.net
Name:   www.tm.prd.ags.akadns.net
Address: 2603:1027:1:f8::80
Name:   www.tm.prd.ags.akadns.net
Address: 2603:1026:3000:f8::80
Name:   www.tm.prd.ags.akadns.net
Address: 2603:1027:1:e8::81
Name:   www.tm.prd.ags.akadns.net
Address: 2603:1027:1:e8::80
Name:   www.tm.prd.ags.akadns.net
Address: 2603:1026:3000:f0::80
Name:   www.tm.prd.ags.akadns.net
Address: 2603:1027:1:f0::80

Non-authoritative answer:
graph.microsoft.com     canonical name = ags.privatelink.msidentity.com
ags.privatelink.msidentity.com  canonical name = www.tm.prd.ags.trafficmanager.net
Name:   www.tm.prd.ags.trafficmanager.net
Address: 40.126.41.96
Name:   www.tm.prd.ags.trafficmanager.net
Address: 20.190.169.26
Name:   www.tm.prd.ags.trafficmanager.net
Address: 40.126.41.160
Name:   www.tm.prd.ags.trafficmanager.net
Address: 20.190.169.160
Name:   www.tm.prd.ags.trafficmanager.net
Address: 20.190.169.96
Name:   www.tm.prd.ags.trafficmanager.net
Address: 20.190.169.24
```

dns server

```none
;; QUESTION SECTION:
;login.microsoftonline.com. IN   AAAA

;; ANSWER SECTION:
login.microsoftonline.com.  1789    IN  CNAME   login.mso.msidentity.com.
login.mso.msidentity.com.   94  IN  CNAME   ak.privatelink.msidentity.com.
ak.privatelink.msidentity.com.  62  IN  CNAME   www.tm.ak.prd.aadg.trafficmanager.net.
www.tm.ak.prd.aadg.trafficmanager.net.  65  IN  AAAA    2603:1026:3000:148::7
www.tm.ak.prd.aadg.trafficmanager.net.  65  IN  AAAA    2603:1027:1:158::2
www.tm.ak.prd.aadg.trafficmanager.net.  65  IN  AAAA    2603:1026:3000:150::8
www.tm.ak.prd.aadg.trafficmanager.net.  65  IN  AAAA    2603:1026:3000:150::6
www.tm.ak.prd.aadg.trafficmanager.net.  65  IN  AAAA    2603:1026:3000:148::12
www.tm.ak.prd.aadg.trafficmanager.net.  65  IN  AAAA    2603:1027:1:158::c
www.tm.ak.prd.aadg.trafficmanager.net.  65  IN  AAAA    2603:1026:3000:150::a
www.tm.ak.prd.aadg.trafficmanager.net.  65  IN  AAAA    2603:1026:3000:150::5

2024/05/21 09:29:56.339825 42#36381 [debug] dnsproxy: 168.63.129.16:53: response received over udp: "ok"
2024/05/21 09:29:56.340026 42#36381 [debug] dnsproxy: upstream 168.63.129.16:53 successfully finished exchange of ;login.microsoftonline.com.   IN   A; elapsed 2.891296ms
2024/05/21 09:29:56.340073 42#36381 [debug] dnsproxy: replying from upstream: rtt is 2.943864ms
2024/05/21 09:29:56.340108 42#36381 [debug] dnsforward: finished processing upstream
2024/05/21 09:29:56.340147 42#36381 [debug] dnsforward: started processing filtering after resp
2024/05/21 09:29:56.340375 42#36381 [debug] dnsforward: finished processing filtering after resp
2024/05/21 09:29:56.340609 42#36381 [debug] dnsforward: ipset: started processing
2024/05/21 09:29:56.340654 42#36381 [debug] dnsforward: ipset: finished processing
2024/05/21 09:29:56.340670 42#36381 [debug] dnsforward: started processing querylog and stats
2024/05/21 09:29:56.340853 42#36381 [debug] dnsforward: client ip for stats and querylog: 10.2.1.28
2024/05/21 09:29:56.341072 42#36381 [debug] dnsforward: finished processing querylog and stats
2024/05/21 09:29:56.341276 42#36381 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 9260
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
```

jemrobinson commented 1 month ago

OK, so

```none
I, [2024-05-21T09:20:19.841473 #27452]  INFO -- : user stat: create: 0 drop: 0 keep: 0
I, [2024-05-21T09:20:19.841537 #27452]  INFO -- : group stat: create: 0 drop: 0 keep: 0
I, [2024-05-21T09:20:19.841565 #27452]  INFO -- : membership stat: grant: 0 revoke: 0 keep: 0
```

is showing that guacamole-user-sync is not finding any users or groups in the LDAP server that meet the requirements of the LDAP filters. It looks like the request is getting to the identity server - is there anything to return?

craddm commented 1 month ago

I've a suspicion that this is because this is a pre-existing user on the tenant, created from the DC deployed on the PowerShell codebase, so the fields aren't populated the way the sync process expects. I'll try with a user created through pulumi.

craddm commented 1 month ago

No, still no connections showing in guacamole.

jemrobinson commented 1 month ago

I've set up a local (Docker compose) instance of the identity server and I can confirm that your users aren't showing up as members of the right groups. I'll look into this further.

```none
# fay.kname, users, blue.develop.turingsafehaven.ac.uk
dn: CN=fay.kname,OU=users,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: fay.kname
description: Fay Kname
displayName: Fay Kname
gidNumber: 2014
givenName: Fay
homeDirectory: /home/fay.kname
memberOf: CN=fay.kname,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,D
 C=uk
oauth_id: b234b67f-f82a-4b28-93aa-8b5fc9a6e89c
oauth_username: fay.kname@blue.develop.turingsafehaven.ac.uk
sn: Kname
uid: fay.kname
uidNumber: 2014
```

OK - I've found the error. It's caused by groups having members who have been deleted. I'll work on a fix now.
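The "user stat: create: 0" line earlier in the thread and the LDIF dump above can be tied together with a small check. The following is an added Ruby example, not code from guacamole-user-sync, pg_ldap_sync or apricot: it reads LDIF entries (including the folded `memberOf` line from the dump), applies the `ldap_users` filter from the pasted `pg-ldap-sync.yaml` to each one, and reports which entries the synchroniser would pick up and why the others are skipped. The `fay.kname` entry is trimmed from the dump above; the second entry, `example.user`, is constructed to show what a user who does carry the SRE group membership looks like. The parser handles only plain `attr: value` lines, not base64 (`attr::`) values.

```ruby
# The three group DNs named in the ldap_users filter of the pasted pg-ldap-sync.yaml.
SRE_GROUP_DNS = ['Administrators', 'Privileged Users', 'Users'].map do |role|
  "CN=Data Safe Haven SRE morcilla #{role},OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk"
end.freeze

# Constructed LDIF: fay.kname trimmed from the dump in the comment above, plus a
# hypothetical example.user whose memberOf includes the SRE Users group.
SAMPLE_LDIF = <<~'LDIF'
  dn: CN=fay.kname,OU=users,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk
  objectClass: inetOrgPerson
  objectClass: posixAccount
  cn: fay.kname
  memberOf: CN=fay.kname,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,D
   C=uk
  oauth_username: fay.kname@blue.develop.turingsafehaven.ac.uk
  uid: fay.kname

  dn: CN=example.user,OU=users,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk
  objectClass: inetOrgPerson
  objectClass: posixAccount
  cn: example.user
  memberOf: CN=example.user,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk
  memberOf: CN=Data Safe Haven SRE morcilla Users,OU=groups,DC=blue,DC=develop,DC=turingsafehaven,DC=ac,DC=uk
  oauth_username: example.user@blue.develop.turingsafehaven.ac.uk
  uid: example.user
LDIF

# Minimal RFC 2849 reader: entries are separated by blank lines, a line that
# starts with one space continues the previous line, and attributes may repeat.
def parse_ldif(text)
  text.split(/\n[ \t]*\n/).map do |chunk|
    unfolded = chunk.gsub(/\n /, '')
    entry = Hash.new { |h, k| h[k] = [] }
    unfolded.each_line do |line|
      line = line.chomp
      next if line.empty? || line.start_with?('#')
      attr, value = line.split(': ', 2)
      entry[attr.downcase] << value # LDAP attribute names are case-insensitive
    end
    entry.empty? ? nil : entry
  end.compact
end

# The ldap_users filter: (&(objectClass=posixAccount)(|(memberOf=<SRE group>)...))
def matches_user_filter?(entry, group_dns = SRE_GROUP_DNS)
  entry['objectclass'].include?('posixAccount') &&
    entry['memberof'].any? { |dn| group_dns.include?(dn) }
end

# Names pg_ldap_sync would turn into PostgreSQL roles (name_attribute: oauth_username).
def sync_candidates(entries, group_dns = SRE_GROUP_DNS)
  entries.select { |e| matches_user_filter?(e, group_dns) }
         .map { |e| e['oauth_username'].first }
end

# For each rejected entry, name the clause that failed, so a "create: 0" can be
# traced to a concrete missing attribute rather than guessed at.
def explain_exclusions(entries, group_dns = SRE_GROUP_DNS)
  entries.reject { |e| matches_user_filter?(e, group_dns) }.to_h do |e|
    reason = if !e['objectclass'].include?('posixAccount')
               'missing objectClass posixAccount'
             else
               "not a member of any SRE group (memberOf: #{e['memberof'].join(', ')})"
             end
    [e['uid'].first, reason]
  end
end

if $PROGRAM_NAME == __FILE__
  entries = parse_ldif(SAMPLE_LDIF)
  puts "would sync: #{sync_candidates(entries).inspect}"
  explain_exclusions(entries).each { |uid, why| puts "skipped #{uid}: #{why}" }
end
```

Run against the real dump, this reproduces the "user stat: create: 0" outcome for `fay.kname`: the entry is a `posixAccount`, but its only `memberOf` value is the primary group `CN=fay.kname,...`, so neither branch of the `(|(memberOf=...))` clause matches and the filter rejects it.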