jsxc / xmpp-cloud-auth

:key: Authentication hub for Nextcloud+JSXC→Prosody, ejabberd, saslauthd, Postfix
https://www.jsxc.org
MIT License

xcauth.py tests are correct, but when I try to log in from Nextcloud I can't. #42

Closed Ciangi closed 5 years ago

Ciangi commented 6 years ago

As in the title.

What I noticed: I run Prosody in console mode and it shows me:

socket                                    debug server.lua: auto-starting ssl negotiation...
socket                                    debug server.lua: attempting to start tls on tcp{client}: 0x15fab68
socket                                    debug server.lua: accepted new client connection from 172.17.238.1:44740 to 5281
socket                                    debug server.lua: ssl handshake done
mod_bosh                                  debug Handling new request table: 0x160a1d0: <body xml:lang='en' xmpp:version='1.0' xmlns='http://jabber.org/protocol/httpbind' content='text/xml; charset=utf-8' to='mydomain.com' ver='1.6' rid='3480731015' wait='60' hold='1' xmlns:xmpp='urn:xmpp:xbosh'/>
----------
mod_bosh                                  debug BOSH body open (sid: <none>)
mod_bosh                                  debug BOSH client tried to connect to unknown host: mydomain.com
mod_bosh                                  debug Request destroyed: table: 0x1606a30
socket                                    debug server.lua: closed client handler and removed socket from list

I did everything step by step using this tutorial: https://github.com/jsxc/xmpp-cloud-auth/wiki

I really don't know what I'm doing wrong .... In my opinion maybe this URL is wrong? Shouldn't "http://jabber.org/protocol/httpbind" be https://mydomain.com/http-bind ?? But I added this URL in the Prosody config ...

Thank you for help!!

P.S. When I start Prosody I get:

 * Starting Prosody XMPP Server prosody
general             info        Hello and welcome to Prosody version 0.9.1
general             info        Prosody is using the select backend for connection handling
hostmanager         debug       Activated host: mydomain.com
mydomain.com:auth_external  info External auth with pty command /usr/lib/prosody-modules/xmpp-cloud-auth/xcauth.py
usermanager                        debug        host 'mydomain.com' now set to use user provider 'external'
portmanager                        debug        No active service for http, activating...
socket                             warn server.lua, [::]:5280: Address family not supported by protocol
portmanager                        error        Failed to open server port 5280 on ::, Address family not supported by protocol
socket                             debug        server.lua: new server listener on '[*]:5280'
portmanager                        debug        Added listening service http to [*]:5280
portmanager                        info Activated service 'http' on [*]:5280
portmanager                        debug        No active service for https, activating...
socket                             warn server.lua, [::]:5281: Address family not supported by protocol
portmanager                        error        Failed to open server port 5281 on ::, Address family not supported by protocol
socket                             debug        server.lua: new ssl server listener on '[*]:5281'
portmanager                        debug        Added listening service https to [*]:5281
portmanager                        info Activated service 'https' on [*]:5281
portmanager                        debug        No active service for s2s, activating...
socket                             warn server.lua, [::]:5269: Address family not supported by protocol
portmanager                        error        Failed to open server port 5269 on ::, Address family not supported by protocol
socket                             debug        server.lua: new server listener on '[*]:5269'
portmanager                        debug        Added listening service s2s to [*]:5269
portmanager                        info Activated service 's2s' on [*]:5269
portmanager                        debug        No active service for c2s, activating...
socket                             warn server.lua, [::]:5222: Address family not supported by protocol
portmanager                        error        Failed to open server port 5222 on ::, Address family not supported by protocol
socket                             debug        server.lua: new server listener on '[*]:5222'
portmanager                        debug        Added listening service c2s to [*]:5222
portmanager                        info Activated service 'c2s' on [*]:5222
portmanager                        debug        No active service for legacy_ssl, activating...
portmanager                        info Activated service 'legacy_ssl' on no ports

MarcelWaldvogel commented 6 years ago

Seems to be a Prosody configuration problem. Prosody doesn't know that it is responsible for mydomain.com. Did you update the VirtualHost line in prosody.cfg.lua?

The jabber.org URL is nothing to contact, but just an XML namespace (a unique identifier of how the protocol behaves; in this case, this enables BoSH requests).

If it does not work, could you please provide some configuration information (copies of the config files, versions of the OS/software used, …)?

Ciangi commented 6 years ago

As I said ... oh, I didn't say that both Nextcloud and Prosody are Docker containers. So, Prosody is based on: DISTRIB_ID=Ubuntu DISTRIB_RELEASE=14.04 DISTRIB_CODENAME=trusty DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"

But maybe there is a problem with the proxy? Look: Prosody opens the connection for 172.17.238.1, but this is the IP of the Docker host, and when I try to log in in Nextcloud I don't know the IP 172.17.238.1. So if I understand correctly, Prosody should open the connection for my IP, not the IP of the Docker host, right? But wait .... the point of a proxy is that I don't "know" the subnet.

The prosody.cfg.lua:

admins = { }

plugin_paths = { "/usr/lib/prosody-modules/xmpp-cloud-auth/prosody-modules" }

modules_enabled = {

    -- Generally required
        "roster"; -- Allow users to have a roster. Recommended ;)
        "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
        "tls"; -- Add support for secure TLS on c2s/s2s connections
        "dialback"; -- s2s dialback support
        "disco"; -- Service discovery

    -- Not essential, but recommended
        "private"; -- Private XML storage (for room bookmarks, etc.)
        "vcard"; -- Allow users to set vCards

    -- Nice to have
        "version"; -- Replies to server version requests
        "uptime"; -- Report how long server has been running
        "time"; -- Let others know the time here on this server
        "ping"; -- Replies to XMPP pings with pongs
        "pep"; -- Enables users to publish their mood, activity, playing music and more
    --  "register"; -- Allow users to register on this server using a client and change passwords

    -- Admin interfaces
        "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
        --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

    -- HTTP modules
        "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
        --"http_files"; -- Serve static files from a directory over HTTP

    -- Other specific functionality
        "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
};

-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
};

cross_domain_bosh = true
consider_bosh_secure = true
-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = false;

daemonize = false;
pidfile = "/var/run/prosody/prosody.pid";

ssl = {
    key = "/etc/prosody/certs/ssl-cert-snakeoil.key";
    certificate = "/etc/prosody/certs/ssl-cert-snakeoil.pem";
}

c2s_require_encryption = true

s2s_secure_auth = true

authentication = "external"
external_auth_command = "/usr/lib/prosody-modules/xmpp-cloud-auth/xcauth.py"

log = {
    info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
    error = "/var/log/prosody/prosody.err";
    warn = "/var/log/prosody/prosody.warn";
    debug = "/var/log/prosody/prosody.debug";
    -- "*syslog"; -- Uncomment this for logging to syslog
    "*console"; -- Log to the console, useful for debugging with daemonize=false
}

VirtualHost "mydomain.com"
    enabled = true -- Remove this line to enable this host

cat /etc/xcauth.conf:

type=prosody
secret=MYSECRET
url=https://mydomain.com/apps/ojsxc/ajax/externalApi.php
timeout=5
log=/var/log/xcauth
cache-query-ttl=4h
cache-verification-ttl=1d
cache-unreachable-ttl=1w
debug

MarcelWaldvogel commented 6 years ago

Sorry, I do not know enough about Docker to help out here. But you need to make sure that XMPP requests (5222, 5269, 5280, 5281) to "mydomain.com" are directed to Prosody and HTTP(S) requests to Nextcloud (80, 443).

I also do not have any experience running on Ubuntu < 16.04. What is the Prosody version?

Can you try and connect to the XMPP server with another XMPP client? Or with telnet localhost 5280 in the XMPP container (and then paste the command you have been seeing in your log, where it tries to select the virtual host "mydomain.com")? If that does not work, you may need to consult Prosody configuration advice. (@DanScharon: Do you have any further ideas?)

<body xml:lang='en' xmpp:version='1.0' xmlns='http://jabber.org/protocol/httpbind' content='text/xml; charset=utf-8' to='mydomain.com' ver='1.6' rid='3480731015' wait='60' hold='1' xmlns:xmpp='urn:xmpp:xbosh'/>

Ciangi commented 6 years ago

Hello and welcome to Prosody version 0.9.1

But wait ... I only opened port 5281 because it's the secure connection to the XMPP server, right? Should I open these other ports too?? Isn't that dangerous?

I will open these ports (5222, 5269, 5280) tomorrow and see the result, because I thought that I could just open port 5281 and it should work... (Edit: I opened them.)

I found the mistake I made, sorry for that. The problem was that I was writing the wrong domain name .... because I created the VirtualHost in Prosody as something like "sub.mydomain.com" and I tried to log on using "user@mydomain.com", but should have used "user@sub.mydomain.com".

I also added, from the documentation of mod_bosh (https://prosody.im/doc/modules/mod_bosh):

trusted_proxies = { "172.17.238.1" }

But now the problem is a different one....

(***)

socket                                    debug server.lua: auto-starting ssl negotiation...
socket                                    debug server.lua: attempting to start tls on tcp{client}: 0x10c4be8
socket                                    debug server.lua: accepted new client connection from 172.17.238.1:51998 to 5281
socket                                    debug server.lua: ssl handshake done
mod_bosh                                  debug Handling new request table: 0x10f0800: <body xml:lang='en' xmpp:version='1.0' xmlns='http://jabber.org/protocol/httpbind' content='text/xml; charset=utf-8' to='sub.mydomain.com' ver='1.6' rid='1305589663' wait='60' hold='1' xmlns:xmpp='urn:xmpp:xbosh'/>
----------
mod_bosh                                  debug BOSH body open (sid: <none>)
bosh7fca9e31-4235-4425-a2bc-0a21f7288035  debug BOSH session created for request from 10.8.13.6
mod_bosh                                  info  New BOSH session, assigned it sid '7fca9e31-4235-4425-a2bc-0a21f7288035'
mod_bosh                                  debug We have an open request, so sending on that
mod_bosh                                  debug Request destroyed: table: 0xf93a80
socket                                    debug server.lua: closed client handler and removed socket from list
mod_bosh                                  debug Session 7fca9e31-4235-4425-a2bc-0a21f7288035 has 0 out of 1 requests open
mod_bosh                                  debug and there are 0 things in the send_buffer:
socket                                    debug server.lua: auto-starting ssl negotiation...
socket                                    debug server.lua: attempting to start tls on tcp{client}: 0x11792e8
socket                                    debug server.lua: accepted new client connection from 172.17.238.1:52004 to 5281
socket                                    debug server.lua: ssl handshake done
mod_bosh                                  debug Handling new request table: 0xeae5f0: <body xmlns='http://jabber.org/protocol/httpbind' rid='1305589664' sid='7fca9e31-4235-4425-a2bc-0a21f7288035'><auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>YWRtaW5AY2xvdWQuc2NvcHRvbmljLmNvbQBhZG1pbgBQb2xza2ExMjMh</auth></body>
----------
mod_bosh                                  debug BOSH body open (sid: 7fca9e31-4235-4425-a2bc-0a21f7288035)
mod_bosh                                  debug BOSH stanza received: <auth mechanism='PLAIN' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>

bosh7fca9e31-4235-4425-a2bc-0a21f7288035  debug Received[c2s_unauthed]: <auth mechanism='PLAIN' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
sub.mydomain.com:auth_external         warn  Auth process exited unexpectedly with exit 1, restarting
sub.mydomain.com:auth_external         warn  Error while waiting for result from auth process: unknown error
sub.mydomain.com:saslauth              debug sasl reply: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text>Unable to authorize you with the authentication credentials you&apos;ve sent.</text></failure>
mod_bosh                                  debug We have an open request, so sending on that
mod_bosh                                  debug Request destroyed: table: 0x1031a30
bosh7fca9e31-4235-4425-a2bc-0a21f7288035  debug BOSH session marked as inactive (for 60s)
socket                                    debug server.lua: closed client handler and removed socket from list
mod_bosh                                  debug Session 7fca9e31-4235-4425-a2bc-0a21f7288035 has 0 out of 1 requests open
mod_bosh                                  debug and there are 0 things in the send_buffer:

If I understand correctly, it tells me that I wrote the wrong username/password, but now that is impossible because I wrote exactly the same username/password in xcauth.py and it tells me that it's correct:

2018-01-05 00:09:10,860 DEBUG: Start external auth script 0.9.0+ for prosody with endpoint: https://sub.mydomain.com/apps/ojsxc/ajax/externalApi.php
2018-01-05 00:09:10,861 DEBUG: Could not decode token (maybe not a token?)
2018-01-05 00:09:10,865 DEBUG: Starting new HTTPS connection (1): sub.mydomain.com
2018-01-05 00:09:11,314 DEBUG: https://sub.mydomain.com:443 "POST /apps/ojsxc/ajax/externalApi.php HTTP/1.1" 200 43
2018-01-05 00:09:11,319 INFO: SUCCESS: Cloud says password for user@sub.mydomain.com is valid True

So in Nextcloud I wrote user@sub.mydomain.com and my password, and the output is like above (***). Do you know maybe where the problem is? Thank you very much for help.

Ciangi commented 6 years ago

I thought that maybe there is a problem with the version of Prosody, so I installed the newest version, and the logs are almost the same:

socket                             debug        server.lua: auto-starting ssl negotiation...
socket                             debug        server.lua: attempting to start tls on tcp{client}: 0x17c80e8
socket                             debug        server.lua: accepted new client connection from 172.17.238.1:58110 to 5281
socket                             debug        server.lua: ssl handshake done
http.server                        debug        Firing event: POST sub.mydomain.com/http-bind
mod_bosh                           debug        Handling new request table: 0x17de6f0: <body xml:lang='en' xmpp:version='1.0' xmlns='http://jabber.org/protocol/httpbind' content='text/xml; charset=utf-8' to='sub.mydomain.com' ver='1.6' rid='1711553331' wait='60' hold='1' xmlns:xmpp='urn:xmpp:xbosh'/>
----------
mod_bosh                           debug        BOSH body open (sid: <none>)
boshd7fe60cf-fd2f-4053-b2b4-43b23ec69691  debug BOSH session created for request from 10.8.13.6
mod_bosh                                  info  New BOSH session, assigned it sid 'd7fe60cf-fd2f-4053-b2b4-43b23ec69691'
mod_bosh                                  debug We have an open request, so sending on that
mod_bosh                                  debug Request destroyed: table: 0x17deb50
boshd7fe60cf-fd2f-4053-b2b4-43b23ec69691  debug BOSH session marked as inactive (for 60s)
socket                                    debug server.lua: closed client handler and removed socket from list
mod_bosh                                  debug Session d7fe60cf-fd2f-4053-b2b4-43b23ec69691 has 0 out of 1 requests open
mod_bosh                                  debug and there are 0 things in the send_buffer:
socket                                    debug server.lua: auto-starting ssl negotiation...
socket                                    debug server.lua: attempting to start tls on tcp{client}: 0x18985f8
socket                                    debug server.lua: accepted new client connection from 172.17.238.1:58118 to 5281
socket                                    debug server.lua: ssl handshake done
http.server                               debug Firing event: POST sub.mydomain.com/http-bind
mod_bosh                                  debug Handling new request table: 0x18a81b0: <body xmlns='http://jabber.org/protocol/httpbind' rid='1711553332' sid='d7fe60cf-fd2f-4053-b2b4-43b23ec69691'><auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>YWRtaW5AY2xvdWQuc2NvcHRvbmljLmNvbQBhZG1pbgBQb2xza2ExMjMh</auth></body>
----------
mod_bosh                                  debug BOSH body open (sid: d7fe60cf-fd2f-4053-b2b4-43b23ec69691)
mod_bosh                                  debug BOSH stanza received: <auth mechanism='PLAIN' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>

boshd7fe60cf-fd2f-4053-b2b4-43b23ec69691  debug Received[c2s_unauthed]: <auth mechanism='PLAIN' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
sub.mydomain.com:auth_external         debug Started auth process
sub.mydomain.com:auth_external         debug Response: Traceback (most recent call last):
sub.mydomain.com:auth_external         warn  Unable to interpret data from auth process, [34 bytes]
sub.mydomain.com:saslauth              debug sasl reply: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text>Unable to authorize you with the authentication credentials you&apos;ve sent.</text></failure>
mod_bosh                                  debug We have an open request, so sending on that
mod_bosh                                  debug Request destroyed: table: 0x18a3ee0
boshd7fe60cf-fd2f-4053-b2b4-43b23ec69691  debug BOSH session marked as inactive (for 60s)
socket                                    debug server.lua: closed client handler and removed socket from list
mod_bosh                                  debug Session d7fe60cf-fd2f-4053-b2b4-43b23ec69691 has 0 out of 1 requests open
mod_bosh                                  debug and there are 0 things in the send_buffer:

So, this error comes from https://github.com/dhotson/prosody-modules/blob/master/mod_auth_external/mod_auth_external.lua lines 102-103.....

I also tried installing Prosody in the same container where Nextcloud is. No results...

But I noticed one thing:

When I configure the Nextcloud Apache like:

    ProxyPass /http-bind/ http://localhost:5280/http-bind/
    ProxyPassReverse /http-bind/ http://localhost:5280/http-bind/
    ProxyPreserveHost On

then I get: [image]

but when I configure the Nextcloud Apache like:

    ProxyPass /http-bind/ http://localhost:5280/http-bind/
    ProxyPassReverse /http-bind/ http://localhost:5280/http-bind/
    ProxyPreserveHost Off

I get:

[image]

and then the errors are the same:

localhost:auth_external warn Auth process exited unexpectedly with exit 1, restarting
localhost:auth_external warn Error while waiting for result from auth process: unknown error
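To show why the traceback in the log above breaks the SASL exchange: this is an added example, not xmpp-cloud-auth's own code, of a Prosody mod_auth_external helper that confines every failure to a "0" reply and keeps diagnostics off stdout. The request line format and the `demo_verify` callback (standing in for the real Nextcloud HTTP check) are assumptions.

```python
import logging
import sys
from typing import Callable, Iterable, List, Optional

# Prosody's mod_auth_external sends one request per line on stdin
# (format assumed: "auth:user:host:password", "isuser:user:host",
# "setpass:user:host:password") and reads back exactly one line,
# "1" or "0". A traceback on stdout is "data it cannot interpret".
Verifier = Callable[[str, str, Optional[str]], bool]
log = logging.getLogger("extauth")


def handle_line(line: str, verify: Verifier) -> str:
    """Turn one request line into the only two replies Prosody accepts."""
    try:
        fields = line.rstrip("\r\n").split(":")
        cmd = fields[0]
        if cmd == "auth" and len(fields) >= 4:
            # A password may itself contain ':'; rejoin the remainder.
            password = ":".join(fields[3:])
            return "1" if verify(fields[1], fields[2], password) else "0"
        if cmd == "isuser" and len(fields) == 3:
            return "1" if verify(fields[1], fields[2], None) else "0"
        if cmd == "setpass":
            return "0"  # the cloud owns the password; refuse
        log.warning("malformed request: %r", line)
        return "0"
    except Exception:  # backend failure must become "0", never a traceback
        log.exception("verifier failed, denying request")
        return "0"


def serve(lines: Iterable[str], verify: Verifier, out=None) -> List[str]:
    """Answer each request in order; returns the replies for testing."""
    replies = []
    for line in lines:
        reply = handle_line(line, verify)
        if out is not None:
            out.write(reply + "\n")
            out.flush()  # Prosody blocks waiting for each answer
        replies.append(reply)
    return replies


def demo_verify(user: str, host: str, password: Optional[str]) -> bool:
    """Constructed stand-in for the Nextcloud check: one known account."""
    if host == "unreachable.example":
        raise ConnectionError("cloud endpoint timed out")  # simulated crash
    if (user, host) != ("user", "sub.mydomain.com"):
        return False
    return password is None or password == "pass:word"


# Constructed request stream, mirroring the isuser/auth checks in the thread.
SAMPLE_REQUESTS = [
    "auth:user:sub.mydomain.com:pass:word\n",
    "isuser:user:sub.mydomain.com\n",
    "auth:user:sub.mydomain.com:wrong\n",
    "auth:user:unreachable.example:pass:word\n",
    "garbage line\n",
]

if __name__ == "__main__":
    logging.basicConfig(stream=sys.stderr, level=logging.INFO)  # never stdout
    serve(sys.stdin, demo_verify, out=sys.stdout)
```

Running it under Prosody with `external_auth_command` pointing at this file, a backend exception shows up in the Prosody log as a denied login rather than as "Unable to interpret data from auth process".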

Ciangi commented 6 years ago

Hello @MarcelWaldvogel. Finally I installed the ejabberd XMPP server, and Nextcloud finally sees the BOSH server, but: I can only log in to chat as admin. When I try to find my LDAP users it finds them, but only when I write their, I don't know what it is in Nextcloud, but something like 5bsdfb54-2343-5490-8343-f72cdfsdfac56 rather than name.surname, and when I try to check the password it says False every time, i.e.:

-I 5bsdfb54-2343-5490-8343-f72cdfsdfac5 domain.com    = True
-I name.surname domain.com  = False
-I admin domain.com = true
-A 5bsdfb54-2343-5490-8343-f72cdfsdfac5 domain.com password = False
-A 5bsdfb54-2343-5490-8343-f72cdfsdfac5@domain.com '' pasword = False
-A 5bsdfb54-2343-5490-8343-f72cdfsdfac5@domain.com domain.com password = False
-A admin domain.com password = True

Do you know maybe where the problem is? Thank you very much for help.

Ciangi commented 6 years ago

Finally, I manually changed in the Nextcloud database from "hash nextcloud name" to "ldap name", and now everything works.