[8.0.0] Unable to add ldap users

[tuxmaster5000]

Expected behavior

After enable ldap, that I can add users that don't use an local password.

Actual behavior

When I create an new user, no option is shown to use ldap instead of local password.

But this should be shown after enable ldap reading: https://docs.greenbone.net/GSM-Manual/gos-4/en/gui_administration.html#ldap

Steps to reproduce

1. Enable ldap in the gsa web front end
2. Try to add an new user

GVM versions

gsa: (gsad --version) Greenbone Security Assistant 8.0.0~git

gvm: (gvmd --version) Greenbone Vulnerability Manager 8.0.0 Manager DB revision 205

openvas-scanner: (openvassd --version) OpenVAS Scanner 6.0.0

gvm-libs: gvm-libs-10.0.0

Environment

Operating system: CentOS 7.6

Installation method / source: (packages, source installation) From git build as rpm

[bjoernricks]

Sorry I can't reproduce your issue with current gsa-8.0 branch.

[tuxmaster5000]

Also let run gsa in debug mode, I don't see any errors. How can I test to add an ldap user via command line?

[swaterkamp]

Did you actually enable LDAP via the LDAP page's checkbox, or did you "just" enable the LDAP-option in general to show up in the GUI? I have to admit, that I did that at first and thought I could replicate your issue. After actually enabling it with the checkbox, my setup looks just like bjoernricks's.

[tuxmaster5000]

I only enable it her:

[brandenwagner]

I am having the same issue. Ubuntu 18.04. Everything looks like its working. It accepts the LDAP config, but no option for the users... am I missing something?

[bjoernricks]

Hi,

could you check if you gvm-libs are build with and linked against libldap

ldd $INSTALL_PREFIX/lib/libgvm_util.so|grep -i ldap

Where $INSTALL_PREFIX is /usr for ubuntu packages.

The output should be something like

libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007fd43a12c000)

[tuxmaster5000]

In my case yes:

ldd /usr/lib64/libgvm_util.so.10 | grep ldap libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007ff6c8108000)

[brandenwagner]

Running ldd /usr/lib/x86_64-linux-gnu/libgvm_util.so.10.0.0 | grep -i ldap or ldd /usr/sbin/gvmd | grep -i ldap ldd /usr/sbin/gsad | grep -i ldap All result in libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007f3189abb000)

Is it possible the connection is being rejected and so it doesn't show up? Is there a way I can test the connection (from gvm)?

[bjoernricks]

Is it possible the connection is being rejected and so it doesn't show up?

I don't have a running LDAP server and the option is shown.

[bjoernricks]

Could you login into gsa and run gmp.user.currentAuthSettings().then(resp => console.log(resp.data)) afterwards in the browser console (should be ctrl+shift+k in firefox and ctrl+shift+i in chrome)?

[bjoernricks]

it should print something like

Settings {_settings: {…}}
  _settings:
    method:file: {enable: 1, order: "1"}
    method:ldap_connect: {enable: 1, order: "0", ldaphost: "127.0.0.1", authdn: "userid=%s,dc=example,dc=org", allow-plaintext: "0"}
    __proto__: Object
  __proto__: Object

[tuxmaster5000]

I will read this in the console:

{ "_settings": { "method:file": { "enable": 1, "order": "1" }, "method:ldap_connect": { "enable": 1, "order": "0", "ldaphost": "XXXXX", "authdn": "XXXXXXX\%s", "allow-plaintext": "0", "cacert": "XXXX", "certificateInfo": { "time_status": "valid", "activation_time": "2015-04-27T13:51:15+02:00", "expiration_time": "2020-04-27T14:01:15+02:00", "md5_fingerprint": "XXXX", "issuer": "CN=XXX" } }, "method:radius_connect": { "enable": 0, "radiushost": "127.0.0.1", "radiuskey": "testing123" } } }

I have replaced the security part of it with XXX.

[bjoernricks]

And

gmp.user.currentAuthSettings().then(resp => console.log(resp.data.get('method:ldap_connect').enable === 1))

?

[brandenwagner]

From gmp.user.currentAuthSettings().then(resp => console.log(resp.data))

settings:
method:file:
enable: 1
order: "1"
__proto__: Object
method:ldap_connect:
allow-plaintext: "0"
authdn: "sAMAccountName=%s,dc=DC01,dc=EXAMPLE,dc=com"
cacert: "CERTIFICATE"
certificateInfo:
activation_time: "2015-01-02T15:52:32-05:00"
expiration_time: "2025-01-02T16:02:30-05:00"
issuer: "DC=com,DC=EXAMPLE,DC=DC01,CN=EXAMPLE-CA"
md5_fingerprint: "FINGERPRINT"
time_status: "valid"
__proto__: Object
enable: 1
ldaphost: "MYDC"
order: "0"

And gmp.user.currentAuthSettings().then(resp => console.log(resp.data.get('method:ldap_connect').enable === 1)) returns true

[tuxmaster5000]

I get also true back calling "gmp.user.currentAuthSettings().then(resp => console.log(resp.data.get('method:ldap_connect').enable === 1))"

[bjoernricks]

I get also true back calling "gmp.user.currentAuthSettings().then(resp => console.log(resp.data.get('method:ldap_connect').enable === 1))"

I really don't know why the ldap option isn't shown for you. This is exactly the check for displaying the option.

[bjoernricks]

Could you apply the following patch and check the output at the new user dialog?

diff --git a/gsa/src/web/pages/users/dialog.js b/gsa/src/web/pages/users/dialog.js
index 0f375d0c1..c990a2dff 100644
--- a/gsa/src/web/pages/users/dialog.js
+++ b/gsa/src/web/pages/users/dialog.js
@@ -161,6 +161,12 @@ class Dialog extends React.Component {
             return (
               <React.Fragment>
                 <Layout flex="column">
+                  <FormGroup title="LDAP Setting">
+                    {settings.get('method:ldap_connect').enable}{' '}
+                    {settings.get('method:ldap_connect').enable === YES_VALUE
+                      ? 'true'
+                      : 'false'}
+                  </FormGroup>
                   <FormGroup title={_('Login Name')}>
                     <TextField
                       name="name"

[tuxmaster5000]

I can't find the needed source block. Neither in the git nor the 8.0.0 release. The block tarting with "class Dialog extends React.Component" looks at both versions:

class Dialog extends React.Component { constructor(...args) { super(...args);

[bjoernricks]

See https://github.com/greenbone/gsa/blob/gsa-8.0/gsa/src/web/pages/users/dialog.js#L163

Just copy the patch into a file at the root dir of the git clone and run

patch -p1 < patch.diff

[tuxmaster5000]

Yes, now the options is shown, but looks very strange. When I click on the user, ldap and the command is removed. And when the user than try's to log in, it also fails. Running gsa in debug mode, no ldap query is seen.

[bjoernricks]

And when the user than try's to log in, it also fails. Running gsa in debug mode, no ldap query is seen.

Either gsa nor gsad is doing the ldap authentication. gvmd is responsible for the authentication of the user.

Yes, now the options is shown, but looks very strange.

My patch only did add some html for debug output. I didn't expect that the option is shown now... This is really weird. Could you double check if the option is not shown again after removing the patch?

When I click on the user, ldap and the command is removed.

It don't get that. What is happening exactly?

[tuxmaster5000]

For the first question you have right, it was my mistake. gvmd does the job.(Login is possible, my ldap filter was wrong) Yes, remove the patch, than the old dailog is shown, like in the first post. An adding an new LDAP user is impossible. For your last question I have added the ldap user and then clicked on edit. Now the comment field was willed with the first name.

Back what I have done to test it:

1. use the 8.0.0 sources
2. use the gsa/src/web/pages/users/dialog.js file from git master
3. apply your patch.

[bjoernricks]

Yes, remove the patch, than the old dailog is shown, like in the first post. An adding an new LDAP user is impossible.

Still very weird. Actually my patch didn't change the code. Maybe it's caused by some javascript over-optimization.

Now the comment field was willed with the first name.

Yeah. It's caused by your browser and auto-filling of forms :unamused:

[tuxmaster5000]

So today I tested some scenarios. And the final state is the following:

• add an ldap user using 8.0.0 will fails like in post https://github.com/greenbone/gsa/issues/1339#issue-438627763
• Using gsa/src/web/pages/users/dialog.js from git master, will allow add new ldap users and they can log in.
• But the edit function looks broken.

After create the user and click on edit the follow dialog is shown: As you can see, the log in type is jumping from ldap to password.

[bjoernricks]

Hi,

src/web/pages/users/dialog.js is not different in master and gsa-8.0 branch. If

gmp.user.currentAuthSettings().then(resp => console.log(resp.data.get('method:ldap_connect').enable === 1))

is true for you with the gsa-8.0 branch it must also work in the dialog.

[tuxmaster5000]

Very strange, from the git master and git tag version(8.0.0) I see an big diff.

[bjoernricks]

Very strange, from the git master and git tag version(8.0.0) I see an big diff.

Yes of course both branches differ but it's completely unrelated. See

git diff upstream/gsa-8.0 upstream/master -- gsa/src/web/pages/users/dialog.js

[bjoernricks]

As I wrote, if this code here

gmp.user.currentAuthSettings().then(resp => console.log(resp.data.get('method:ldap_connect').enable === 1))

is true for you in the gsa-8.0 branch the option SHOULD be shown because that's what's being checked in the dialog too.

[cfi-gb]

Just a wild guess but have you considered some browser related issue here (Compatibility problem, Adblocker, ...).

Might worth to do a short check with a different browser or the same browser with plugins disabled.

[leManu]

Just upgraded to GVM-10 from previous version (GVM-9), now I am also unable to add LDAP authenticated users, the LDAP authentication option is missing in dialogs...

I have upgraded installation from source (git clone/git pull/git checkout vX.0.0) under Debian Stretch.

Before upgrading I was able to add LDAP auhenticated users (did it on january 2018).

Now LDAP authentication is still active, but option is missing from user add or user edit dialog, despite of gmp.user.currentAuthSettings().then(resp => console.log(resp.data.get('method:ldap_connect').enable === 1)) returns true in Firefox and Chromium.

[brandenwagner]

I think I found the issue but I'm not sure. It looks like there was some duplication in: gsa/src/web/pages/users/dialog.js. Lines 184-226 are very similar to Lines 227-279. I removed 184-226 and my issue went away.

[brandenwagner]

So I ran yarn build and copied the compiled js into production and it worked.

[bjoernricks]

As I already wrote

Maybe it's caused by some javascript over-optimization.

it is suspicious that we aren't able to reproduce the issue and

gmp.user.currentAuthSettings().then(resp => console.log(resp.data.get('method:ldap_connect').enable === 1))

is true for you.

[dgiorgio]

I am having the same problem, LDAP enabled, and the option does not appear in new users.

# gsad --version 
Greenbone Security Assistant 8.0.0~git-264234fc2-HEAD

# gvmd --version
Greenbone Vulnerability Manager 8.0.0
GIT revision 8b4149bb-HEAD

# openvassd --version
OpenVAS Scanner 6.0.0
GIT revision ca8979a-HEAD

[leManu]

I finally fixed my problem by getting the file gsa/gsa/src/web/pages/users/dialog.js from master branch (commit f3e055d) into my source tree.

I was using tag v8.0.0 to install gsad, not master branch.

After reinstalling, restarting gsad daemon and clearing browser cache, the option LDAP Authentication only is now present in user creation/edition dialog.

[bjoernricks]

Yes indeed https://github.com/greenbone/gsa/commit/f3e055d3a3ac85df21a10bb919d8e168d5ec4a28 is required to fix displaying the LDAP and RADIUS authentication selection in the user dialogs. So the tag v8.0.0 is broken in this regard.

Nevertheless the gsa-8.0 branch and also master do contain this fix already.

[dgiorgio]

I finally fixed my problem by getting the file gsa/gsa/src/web/pages/users/dialog.js from master branch (commit f3e055d) into my source tree.

I was using tag v8.0.0 to install gsad, not master branch.

After reinstalling, restarting gsad daemon and clearing browser cache, the option LDAP Authentication only is now present in user creation/edition dialog.

It worked.

[bjoernricks]

Hi,

I am still not able to reproduce your issues neither one of my co-workers. Nevertheless I've implemented some changes for the LDAP, Radius and User dialogs which may improve the situation.

Please try the GSA 8 branch https://github.com/greenbone/gsa/tree/gsa-8.0

[laszlovandenhoek]

FYI, I had this problem too with a version built from source. However, running ldd against libgvm_util as suggested by @bjoernricks showed that it had not been compiled with LDAP support. This was due to https://github.com/greenbone/gvm-libs/pull/249 - adding libldap2-dev to the build environment fixed it for me.

[mikch06]

Is there still not a solution for this problem?

[bjoernricks]

Is there still not a solution for this problem?

Did you try the 8.0.1 release and did check if gvm-libs is linked against libldap?

I can't do anything here because I am not able to reproduce the issue. It works as expected on all my machines.

[mikch06]

Not yet, we have to use the rpm package, so its not possible to recompile within our setup.

[cfi-gb]

You can check the libldap topic with a call like e.g.:

$ ldd $prefix/lib/libgvm_util.so | grep ldap

If you don't get a return back like e.g.:

    libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007f74df583000)

no LDAP support is available.

[mikch06]

I have the return back, everything is correct on the host. But i don't have the radio button option in the gui. Means, i have to wait for a new package release. But it's not that urgent. Thx for your help!!

[mickaelicoptere]

I have the return back, everything is correct on the host. But i don't have the radio button option in the gui. Means, i have to wait for a new package release. But it's not that urgent. Thx for your help!!

Same issue here

[cfi-gb]

According to two users in the following community forum:

https://community.greenbone.net/t/ldap-authentication-not-enable/4409/3 https://community.greenbone.net/t/enable-ldap-in-gsa-9-0-0/4386/4

this is already solved in the current gsa-9.0 branch (probably since #1437 and/or #1723)

Anyone able to confirm?

[tuxmaster5000]

Yes on the 9'er tree it will work.

[cpt-kernel-afk]

I still have the problem. At the LDAP settings the activation doesn't change. And I cant edit users to use LDAP. gsad --version Greenbone Security Assistant 9.0 gvmd --version Greenbone Vulnerability Manager 9.0.0 Manager DB revision 221 Copyright (C) 2010-2017 Greenbone Networks GmbH openvas --version OpenVAS 7.0.0 Most new code since 2005: (C) 2019 Greenbone Networks GmbH

[bjoernricks]

Could you please try the release branches https://github.com/greenbone/gsa/tree/gsa-9.0 and https://github.com/greenbone/gvmd/tree/gvmd-9.0 and test again? I am really sure this issue is fixed already.

[y0urself]

I will close this. For now. If it is still relevant for the latest version(s), please reopen/recreate.