jumpserver / jumpserver

An open-source PAM tool alternative to CyberArk. A widely popular open-source bastion host.
https://jumpserver.com
GNU General Public License v3.0

[Bug] LDAP Connect. Server error occur, contact administrator #14358

Open bef0r3station opened 1 week ago

bef0r3station commented 1 week ago

Product Version

4.3.0

Product Edition

Installation Method

Environment Information

Cluster Jumpserver

  1. Redis+MySQL external
  2. Jumpserver Node 1
  3. Jumpserver Node 2
  4. MinIO
  5. Elasticsearch

OS: CentOS 7

🐛 Bug Description

Hello. After installing the Jump server, synchronization with LDAP was performed on the first node. When trying to log in, the message "Server error occur, contact the administrator" appears on the second page, and the following is in the jumpserver.log

2024-10-21 23:45:19 [INFO] Authentication LDAP backend
2024-10-21 23:45:19 [ERRO] result(2) raised OPERATIONS_ERROR({'msgtype': 101, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090C77, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563'})
2024-10-21 23:45:19 [WARN] password is mandatory in simple bind while authenticating example@example.com
2024-10-21 23:45:19 [ERRO] Internal Server Error: /core/auth/login/
Traceback (most recent call last):
  File "/opt/py3/lib/python3.11/site-packages/asgiref/sync.py", line 518, in thread_handler
    raise exc_info[1]
  File "/opt/py3/lib/python3.11/site-packages/django/core/handlers/exception.py", line 43, in inner
    response = await get_response(request)
  File "/opt/py3/lib/python3.11/site-packages/asgiref/sync.py", line 518, in thread_handler
    raise exc_info[1]
  File "/opt/py3/lib/python3.11/site-packages/django/core/handlers/base.py", line 253, in _get_response_async
    response = await wrapped_callback(
  File "/opt/py3/lib/python3.11/site-packages/asgiref/sync.py", line 468, in __call__
    ret = await asyncio.shield(exec_coro)
  File "/opt/py3/lib/python3.11/site-packages/asgiref/current_thread_executor.py", line 40, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/opt/py3/lib/python3.11/site-packages/asgiref/sync.py", line 522, in thread_handler
    return func(*args, **kwargs)
  File "/opt/py3/lib/python3.11/site-packages/django/views/generic/base.py", line 103, in view
    return self.dispatch(request, *args, **kwargs)
  File "/opt/py3/lib/python3.11/site-packages/django/utils/decorators.py", line 46, in _wrapper
    return bound_method(*args, **kwargs)
  File "/opt/py3/lib/python3.11/site-packages/django/views/decorators/debug.py", line 92, in sensitive_post_parameters_wrapper
    return view(request, *args, **kwargs)
  File "/opt/py3/lib/python3.11/site-packages/django/utils/decorators.py", line 46, in _wrapper
    return bound_method(*args, **kwargs)
  File "/opt/py3/lib/python3.11/site-packages/django/utils/decorators.py", line 134, in _wrapped_view
    response = view_func(request, *args, **kwargs)
  File "/opt/py3/lib/python3.11/site-packages/django/utils/decorators.py", line 46, in _wrapper
    return bound_method(*args, **kwargs)
  File "/opt/py3/lib/python3.11/site-packages/django/views/decorators/cache.py", line 62, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/opt/py3/lib/python3.11/site-packages/django/views/generic/base.py", line 142, in dispatch
    return handler(request, *args, **kwargs)
  File "/opt/py3/lib/python3.11/site-packages/django/views/generic/edit.py", line 153, in post
    return self.form_valid(form)
  File "/opt/jumpserver/apps/authentication/views/login.py", line 251, in form_valid
    self.check_user_auth(form.cleaned_data)
  File "/opt/jumpserver/apps/authentication/mixins.py", line 470, in check_user_auth
    user = self._check_auth_user_is_valid(username, password, public_key)
  File "/opt/jumpserver/apps/authentication/mixins.py", line 438, in _check_auth_user_is_valid
    user = authenticate(
  File "/opt/jumpserver/apps/authentication/mixins.py", line 72, in authenticate
    user = backend.authenticate(request, **credentials)
  File "/opt/jumpserver/apps/authentication/backends/ldap.py", line 95, in authenticate
    user = self.authenticate_ldap_user(ldap_user, password)
  File "/opt/py3/lib/python3.11/site-packages/django_auth_ldap/backend.py", line 206, in authenticate_ldap_user
    return ldap_user.authenticate(password)
  File "/opt/py3/lib/python3.11/site-packages/django_auth_ldap/backend.py", line 348, in authenticate
    self._authenticate_user_dn(password)
  File "/opt/py3/lib/python3.11/site-packages/django_auth_ldap/backend.py", line 478, in _authenticate_user_dn
    if self.dn is None:
  File "/opt/py3/lib/python3.11/site-packages/django_auth_ldap/backend.py", line 443, in dn
    self._load_user_dn()
  File "/opt/py3/lib/python3.11/site-packages/django_auth_ldap/backend.py", line 514, in _load_user_dn
    self._user_dn = cache.get_or_set(
  File "/opt/py3/lib/python3.11/site-packages/django/core/cache/backends/base.py", line 228, in get_or_set
    default = default()
  File "/opt/jumpserver/apps/authentication/backends/ldap.py", line 186, in _search_for_user_dn
    user_dn = self._search_for_user_dn_from_ldap_util()
  File "/opt/jumpserver/apps/authentication/backends/ldap.py", line 152, in _search_for_user_dn_from_ldap_util
    user_dn = util.search_for_user_dn(self._username)
  File "/opt/jumpserver/apps/settings/utils/ldap.py", line 217, in search_for_user_dn
    user_entries = self.search_user_entries(search_users=[username])
  File "/opt/jumpserver/apps/common/utils/common.py", line 222, in wrapper
    result = func(*args, **kwargs)
  File "/opt/jumpserver/apps/settings/utils/ldap.py", line 178, in search_user_entries
    self.search_user_entries_ou(search_ou)
  File "/opt/jumpserver/apps/settings/utils/ldap.py", line 151, in search_user_entries_ou
    self.connection.search(
  File "/opt/jumpserver/apps/settings/utils/ldap.py", line 107, in connection
    conn.bind()
  File "/opt/py3/lib/python3.11/site-packages/ldap3/core/connection.py", line 604, in bind
    request = bind_operation(self.version, self.authentication, self.user, self.password, auto_encode=self.auto_encode)
  File "/opt/py3/lib/python3.11/site-packages/ldap3/operation/bind.py", line 59, in bind_operation
    raise LDAPPasswordIsMandatoryError('password is mandatory in simple bind')
ldap3.core.exceptions.LDAPPasswordIsMandatoryError: password is mandatory in simple bind

Synchronization was performed on ports 389 and 636, but all attempts were unsuccessful. When LDAP synchronization is performed on the second node, that node works correctly and all the problems move to the first one. Please tell me how to solve this problem?

Recurrence Steps

Synchronize one node, verify authentication on the second node

Expected Behavior

Internal server error, unsuccessful LDAP authentication

Additional Information

No response

Attempted Solutions

I tried changing ports 636 and 389, and replaced the user for reading the directory as well as the one for authentication.
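Added example, not code from the issue or from JumpServer: a small triage script run over the log records quoted above (embedded here as constructed sample input). It picks out the two LDAP signatures and reads them the way a defender would: ldap3 refusing an empty-password simple bind is the library protecting against an unauthenticated bind that AD would accept as anonymous, and the paired "successful bind must be completed" error from AD means the directory-reader account never bound from that node. The verdict strings are my interpretation, not project output.

```python
import re
from dataclasses import dataclass
# Constructed sample input: the LDAP records quoted in this report, one per line, plus one traceback line.
SAMPLE_LOG = """\
2024-10-21 23:45:19 [INFO] Authentication LDAP backend
2024-10-21 23:45:19 [ERRO] result(2) raised OPERATIONS_ERROR({'msgtype': 101, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090C77, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563'})
2024-10-21 23:45:19 [WARN] password is mandatory in simple bind while authenticating example@example.com
2024-10-21 23:45:19 [ERRO] Internal Server Error: /core/auth/login/
ldap3.core.exceptions.LDAPPasswordIsMandatoryError: password is mandatory in simple bind
"""
RECORD_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(\w+)\] (.*)$")
USER_RE = re.compile(r"while authenticating (\S+)")
# Signatures from the report and a defender's reading of each (my wording, not project output).
SIGNATURES = {
    "a successful bind must be completed on the connection":
        "AD rejected a search on an unbound connection: the directory-reader account never bound from this node.",
    "password is mandatory in simple bind":
        "ldap3 refused a simple bind with an empty password (correct: AD would treat DN + empty password as an anonymous bind), so the connection this node built carried no bind password.",
}

@dataclass
class Finding:
    when: str
    level: str
    signature: str
    verdict: str
    user: str = ""  # only the WARN record names the user being authenticated

def triage_ldap_log(text: str) -> list:
    """Return LDAP findings in log order; lines without a timestamp and level (traceback frames) are skipped."""
    findings = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m: continue
        when, level, msg = m.groups()
        for sig, verdict in SIGNATURES.items():
            if sig in msg:
                u = USER_RE.search(msg)
                findings.append(Finding(when, level, sig, verdict, u.group(1) if u else ""))
    return findings

def root_cause(findings: list):
    """Both signatures inside one second point at a single cause on the node that wrote the log, not at the LDAP server."""
    by_second = {}
    for f in findings:
        by_second.setdefault(f.when, set()).add(f.signature)
    for when, sigs in by_second.items():
        if sigs == set(SIGNATURES):
            return f"{when}: bind DN/password absent on this node; diff its LDAP settings against the working node"
    return None
```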

BaiJiangJie commented 6 days ago

Node1 and Node2 are using the same Redis setup, right?

First, could you please test the LDAP connection in the system settings of both Node1 and Node2 separately to check if the connection is successful?

bef0r3station commented 6 days ago

Yes, Redis is shared by the two nodes. Synchronization is successful on both nodes. LDAP authentication works on whichever node the synchronization was last performed on.

BaiJiangJie commented 3 days ago

Will the test for connectivity be successful?

bef0r3station commented 3 days ago

Hello! The connection is being established successfully.

BaiJiangJie commented 2 days ago

Was the test login successful?

bef0r3station commented 2 days ago

The fact is that the test login is successful and the LDAP authentication is successful on the node on which I made a test connection to LDAP through the administrator's personal account. But the problem is that LDAP authentication stops working on the second node.

BaiJiangJie commented 2 days ago

Could you perform the above test verification on the second node?

bef0r3station commented 2 days ago


Yes, of course. The test passes, authentication is successful, but at the same time, an authentication problem is observed on the first node

BaiJiangJie commented 1 day ago

If login or test failures only occur occasionally, it’s very likely an issue with Redis.

I saw you mentioned above that you’re using an external Redis. What version is it?

bef0r3station commented 1 day ago

Hello. The problem repeats itself all the time. Redis version: 6.2.13

bef0r3station commented 1 day ago

I tried updating Redis to version 7.2.5. It didn't help; the error repeats.

BaiJiangJie commented 5 hours ago

I can’t pinpoint the issue right now.

Can I connect to your computer remotely and help you check it using AnyDesk or a similar remote tool?

bef0r3station commented 5 hours ago

Hello! Yes, of course, I would be very grateful. When is it convenient for you to connect? I will provide access via AnyDesk

BaiJiangJie commented 5 hours ago

Now it's OK. Do you have Discord? Let's chat in Discord.

https://discord.gg/7jGSN9Tq


This is me.

bef0r3station commented 5 hours ago

Ok. One moment

BaiJiangJie commented 4 hours ago

Okay. You can add me as a friend on Discord.

bef0r3station commented 2 hours ago

I apologize. Some circumstances have arisen; I suggest postponing the solution of the problem indefinitely. Thanks for the feedback!