deis / controller

Deis Workflow Controller (API)
https://deis.com
MIT License

LDAP authentication requires a valid group filter and group basedn #1306

Open hankjacobs opened 7 years ago

hankjacobs commented 7 years ago

Hello,

I recently upgraded from 2.13.0 to 2.15.0. After upgrading, deis login (which is configured to use LDAP) started to fail with Error: Internal Server Error. This stack trace appeared in the logs of deis-controller:

ERROR:root:Uncaught Exception
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 265, in _ldap_call
    result = func(*args,**kwargs)
ldap.FILTER_ERROR: {'desc': 'Bad search filter'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/rest_framework/views.py", line 486, in dispatch
    response = handler(request, *args, **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/rest_framework/authtoken/views.py", line 17, in post
    serializer.is_valid(raise_exception=True)
  File "/usr/local/lib/python3.5/dist-packages/rest_framework/serializers.py", line 237, in is_valid
    self._validated_data = self.run_validation(self.initial_data)
  File "/usr/local/lib/python3.5/dist-packages/rest_framework/serializers.py", line 435, in run_validation
    value = self.validate(value)
  File "/usr/local/lib/python3.5/dist-packages/rest_framework/authtoken/serializers.py", line 16, in validate
    user = authenticate(username=username, password=password)
  File "/usr/local/lib/python3.5/dist-packages/django/contrib/auth/__init__.py", line 100, in authenticate
    user = backend.authenticate(*args, **credentials)
  File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/backend.py", line 171, in authenticate
    user = ldap_user.authenticate(password)
  File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/backend.py", line 346, in authenticate
    self._get_or_create_user()
  File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/backend.py", line 574, in _get_or_create_user
    self._mirror_groups()
  File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/backend.py", line 704, in _mirror_groups
    target_group_names = frozenset(self._get_groups().get_group_names())
  File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/backend.py", line 827, in get_group_names
    group_infos = self._get_group_infos()
  File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/backend.py", line 875, in _get_group_infos
    self._group_search)
  File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/config.py", line 467, in user_groups
    groups = search.execute(ldap_user.connection)
  File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/config.py", line 168, in execute
    self.attrlist)
  File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 770, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 763, in search_ext_s
    msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
  File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 759, in search_ext
    timeout,sizelimit,
  File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 273, in _ldap_call
    e.args[0]['info'] = strerror(e.args[0]['errno'])
KeyError: 'errno'
10.68.167.81 "POST /v2/auth/login/ HTTP/1.1" 500 25 "Deis Client v2.15.0"

I was able to determine that the issue had to do with LDAP_GROUP_BASEDN and LDAP_GROUP_FILTER being empty (as per the default settings). This had worked on 2.13.0 but broke on 2.15.0. Setting the above to a valid basedn and filter solved the issue but is unnecessary since we do not use groups.
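An added example, not part of the original report and not code from the Deis project: one way to guard against the failure described above is to validate the two group settings once at startup, so that empty values disable group lookups and a half-configured or malformed pair fails at boot instead of returning a 500 on every login. `LDAP_GROUP_BASEDN` and `LDAP_GROUP_FILTER` come from the issue; the function names are hypothetical, and the tuple stands in for `django_auth_ldap.config.LDAPSearch` so the sketch runs without an LDAP library.

```python
def filter_is_wellformed(filterstr):
    """Structural check for an RFC 4515 filter: one parenthesised, balanced,
    non-empty top-level filter. Deliberately stricter than libldap; not a full parser."""
    s = filterstr.strip()
    if len(s) < 3 or s[0] != "(" or s[-1] != ")" or "()" in s:
        return False
    depth, i = 0, 0
    while i < len(s):
        if s[i] == "\\":
            i += 3  # RFC 4515 escape: backslash plus two hex digits
            continue
        if s[i] == "(":
            depth += 1
        elif s[i] == ")":
            depth -= 1
            if depth == 0 and i != len(s) - 1:
                return False  # closed early: more than one top-level filter
        i += 1
    return depth == 0


def group_settings(env):
    """Return django-auth-ldap group settings derived from the environment.

    Both values empty -> groups are unused: no group search, no mirroring.
    Exactly one set, or a malformed filter -> raise at startup.
    """
    base = env.get("LDAP_GROUP_BASEDN", "").strip()
    flt = env.get("LDAP_GROUP_FILTER", "").strip()
    if not base and not flt:
        return {"AUTH_LDAP_MIRROR_GROUPS": False}
    if not base or not filter_is_wellformed(flt):
        raise ValueError(
            "LDAP_GROUP_BASEDN and LDAP_GROUP_FILTER must both be set, "
            "and the filter must be well-formed"
        )
    return {
        # Stand-in for LDAPSearch(base, ldap.SCOPE_SUBTREE, flt)
        "AUTH_LDAP_GROUP_SEARCH": (base, "SUBTREE", flt),
        "AUTH_LDAP_MIRROR_GROUPS": True,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    print(group_settings({}))
    print(group_settings({"LDAP_GROUP_BASEDN": "ou=groups,dc=example,dc=com",
                          "LDAP_GROUP_FILTER": "(objectClass=groupOfNames)"}))
```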

Cryptophobia commented 6 years ago

This issue was moved to teamhephy/controller#19