gillg / OctoPrint-LDAP

Octoprint LDAP auth plugin
GNU Affero General Public License v3.0

LDAP Group sync not working with ActiveDirectory #14

Closed dorianim closed 3 years ago

dorianim commented 3 years ago

Hi there,

I tried to set up this plugin today. And I got the login to work properly :)

I am unable to sync groups, though. My settings are:

- Organizational Units: role-globaladministrator
- OU Filter: cn=%s
- OU Member Filter: member=%s

- The DN of my user is: CN=global-admin,OU=Management,OU=GLOBAL,DC=linuxmuster,DC=lan
- The DN of my group is: CN=role-globaladministrator,OU=Groups,OU=GLOBAL,DC=linuxmuster,DC=lan
- Search Base is: DC=linuxmuster,DC=lan

When I try to log in, no groups are created. I also tried to create the group ldap and a subgroup ldap_role-globaladministrator, but that didn't work either. Am I missing something?

This is the log:

```
2021-02-26 13:50:38,026 - octoprint.server.util.sockjs - INFO - New connection from client: ::ffff:10.14.0.5
2021-02-26 13:50:41,471 - octoprint.server.heartbeat - INFO - Server heartbeat <3
2021-02-26 13:50:44,759 - octoprint.plugins.auth_ldap - INFO - Syncing LDAP groups to local groups based on auth_ldap settings
2021-02-26 13:50:44,862 - octoprint.plugins.auth_ldap - INFO - Syncing LDAP groups to local groups based on auth_ldap settings
2021-02-26 13:50:44,992 - octoprint.plugins.auth_ldap - INFO - Syncing LDAP groups to local groups based on auth_ldap settings
2021-02-26 13:50:45,268 - octoprint.access.users - INFO - Logged in user: global-admin
2021-02-26 13:50:45,271 - octoprint.server.api - INFO - Actively logging in user global-admin from ::ffff:10.14.0.5
2021-02-26 13:50:45,310 - octoprint.server.util.sockjs - INFO - Client connection closed: ::ffff:10.14.0.5
2021-02-26 13:50:45,333 - octoprint.server.util.flask - INFO - Passively logging in user global-admin from ::ffff:10.14.0.5
2021-02-26 13:50:45,335 - octoprint.access.users - INFO - Logged in user: global-admin
2021-02-26 13:50:45,394 - octoprint.server.util.flask - INFO - Passively logging in user global-admin from ::ffff:10.14.0.5
2021-02-26 13:50:45,396 - octoprint.access.users - INFO - Logged in user: global-admin
2021-02-26 13:50:45,434 - octoprint.server.util.sockjs - INFO - New connection from client: ::ffff:10.14.0.5
2021-02-26 13:50:45,453 - octoprint.server.util.sockjs - INFO - Client connection closed: ::ffff:10.14.0.5
2021-02-26 13:50:45,798 - octoprint.server.util.sockjs - INFO - New connection from client: ::ffff:10.14.0.5
```

Thanks in advance :)

dorianim commented 3 years ago

Alright, I did some troubleshooting, and it turns out that OctoPrint has to be restarted every time a new group is added. So for things to work, I had to:

  1. Log in as the user
  2. Restart OctoPrint
  3. The groups are there :smile:

Now I have the opposite problem though: all users are members of all groups and not just the ones they should be in ...

dorianim commented 3 years ago

I also found the cause for that: It looks like the result is not None over here: https://github.com/gillg/OctoPrint-LDAP/blob/01016c2ddeb622069688db88c4acedfdf33a8afa/octoprint_auth_ldap/ldap.py#L80 even when the group is not found. Changing this line to

```python
if result is not None and result[DISTINGUISHED_NAME] is not None:
```

solved the issue :)

battis commented 3 years ago

Just tuning back into this. I'll incorporate this into the codebase. Thank you!
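The membership bug from the third comment, reproduced as an added example that is not part of the thread or the plugin's code. It assumes the non-None result comes from Active Directory search referrals, which python-ldap's `search_s()` returns as rows whose DN is `None`; `fake_search`, `first_result`, the `"dn"` key and the second user DN are hypothetical, and the referral rows are constructed.

```python
# Result shape assumed: python-ldap search_s() returns a list of (dn, attrs)
# tuples; an AD referral appears as (None, [referral_url]).
USER_DN = "CN=global-admin,OU=Management,OU=GLOBAL,DC=linuxmuster,DC=lan"
GROUP_DN = "CN=role-globaladministrator,OU=Groups,OU=GLOBAL,DC=linuxmuster,DC=lan"
OTHER_DN = "CN=student1,OU=Students,OU=GLOBAL,DC=linuxmuster,DC=lan"  # constructed

# Constructed referral rows, as a search rooted at DC=linuxmuster,DC=lan may return.
REFERRALS = [
    (None, ["ldap://ForestDnsZones.linuxmuster.lan/DC=ForestDnsZones,DC=linuxmuster,DC=lan"]),
    (None, ["ldap://DomainDnsZones.linuxmuster.lan/DC=DomainDnsZones,DC=linuxmuster,DC=lan"]),
]


def fake_search(member_dn):
    """Hypothetical stand-in for the (&(cn=<group>)(member=<dn>)) search."""
    hits = []
    if member_dn == USER_DN:
        hits.append((GROUP_DN, {"cn": [b"role-globaladministrator"]}))
    return hits + REFERRALS  # referrals come back whether or not a group matched


def first_result(rows):
    """Hypothetical wrapper: first row as a dict, or None for an empty list."""
    if not rows:
        return None
    dn, attrs = rows[0]
    return {"dn": dn, "attrs": attrs}


def is_member_naive(member_dn):
    # Behaviour described in the thread: a referral row is "not None",
    # so every user appears to be a member of every group.
    return first_result(fake_search(member_dn)) is not None


def is_member_checked(member_dn):
    # Same idea as the proposed fix: a row only counts if it carries a DN.
    rows = [(dn, attrs) for dn, attrs in fake_search(member_dn) if dn is not None]
    result = first_result(rows)
    return result is not None and result["dn"] is not None


if __name__ == "__main__":
    for dn in (USER_DN, OTHER_DN):
        print(dn.split(",")[0], is_member_naive(dn), is_member_checked(dn))
```
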