kamax-matrix / mxisd

Federated Matrix Identity Server
GNU Affero General Public License v3.0

Riot+Synapse+Mxisd+LDAP internal error #154

Closed procopsamuraev closed 5 years ago

procopsamuraev commented 5 years ago

Can't make ldap+synapse+mxisd work on a local setup.

Installed synapse from pip, version 0.99.3, on Ubuntu Server 18.04.2; managed to make AD auth work with this config:

 - module: "ldap_auth_provider.LdapAuthProvider"
   config:
     enabled: true
     mode: "search"
     uri: "ldap://ldap.server:389"
     start_tls: false
     base: "dc=sg,dc=example,dc=one"
     attributes:
        uid: "sAMAccountName"
        mail: "mail"
        name: "givenName"
     # Search auth if anonymous search not enabled
     #bind_dn: "cn=ldapauth,dc=sg,dc=example,dc=one"
     bind_dn: "ldapauth@sg.example.one"
     bind_password: "somepassword"
     filter: "(objectClass=User)"

Trying to make LDAP auth work with mxisd: installed mxisd from source, version 3.3.8.Final, configured synapse's homeserver.yaml and installed the REST auth provider.

password_providers:
  - module: "rest_auth_provider.RestAuthProvider"
    config:
      endpoint: "http://0.0.0.0:8090"
trusted_third_party_id_servers:
  - im.sg.example.one

mxisd.yaml

ldap:
  enabled: true
  connection:
    host: 'ldap.server'
    port: 389
    tls: false
    bindDn: 'ldapauth@sg.fenix.one'
    bindPassword: 'somepassword'
    baseDNs:
      - 'dc=sg,dc=example,dc=one'
  filter: '(objectClass=User)'
  attribute:
    uid:
      type: 'uid'
      value: 'sAMAccountName'

dns:
  overwrite:
    homeserver:
      client:
        - name: 'im.sg.example.one'
          value: 'http://localhost:8008'

Logs:

homeserver.log
2019-04-10 12:31:18,876 - synapse.access.http.8008 - 233 - INFO - POST-9 - - - 8008 - Received request: POST /_matrix/client/r0/login
2019-04-10 12:31:18,877 - synapse.rest.client.v1.login - 176 - INFO - POST-9 - Got login request with identifier: {'type': 'm.id.user', 'user': 'testuser'}, medium: None, address: None, user: 'testuser'
2019-04-10 12:31:18,877 - rest_auth_provider - 46 - INFO - POST-9 - Got password check for @testuser:im.sg.example.one
2019-04-10 12:31:18,888 - synapse.http.server - 112 - ERROR - POST-9 - Failed handle request via 'LoginRestServlet': <XForwardedForRequest at 0x7f5bdf66f710 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.1' site=8008>
Traceback (most recent call last):
  File "/opt/matrix/synapse/env/lib/python3.6/site-packages/synapse/http/server.py", line 81, in wrapped_request_handler
    yield h(self, request)
  File "/opt/matrix/synapse/env/lib/python3.6/site-packages/synapse/http/server.py", line 316, in _async_render
    callback_return = yield callback(request, **kwargs)
  File "/opt/matrix/synapse/env/lib/python3.6/site-packages/synapse/rest/client/v1/login.py", line 149, in on_POST
    result = yield self._do_other_login(login_submission)
  File "/opt/matrix/synapse/env/lib/python3.6/site-packages/synapse/rest/client/v1/login.py", line 246, in _do_other_login
    login_submission,
  File "/opt/matrix/synapse/env/lib/python3.6/site-packages/synapse/handlers/auth.py", line 679, in validate_login
    qualified_user_id, password,
  File "/opt/matrix/synapse/env/lib/python3.6/site-packages/twisted/internet/defer.py", line 1418, in _inlineCallbacks
    result = g.send(result)
  File "/opt/matrix/synapse/env/lib/python3.6/site-packages/rest_auth_provider.py", line 49, in check_password
    r.raise_for_status()
  File "/opt/matrix/synapse/env/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 500 Server Error: Internal Server Error for url: http://localhost:8090/_matrix-internal/identity/v1/check_credentials
2019-04-10 12:31:18,890 - synapse.access.http.8008 - 302 - INFO - POST-9 - - - 8008 - {None} Processed request: 0.014sec/0.000sec (0.006sec, 0.000sec) (0.000sec/0.000sec/0) 55B 500 "POST /_matrix/client/r0/login HTTP/1.1" "mxisd" [0 dbevts]

mxisd.log
[XNIO-1 task-8] INFO io.kamax.mxisd.auth.AuthManager - Login request is User ID type
[XNIO-1 task-8] INFO io.kamax.mxisd.auth.AuthManager - No User ID rewrite rules to apply
[XNIO-1 task-8] INFO io.kamax.mxisd.auth.AuthManager - Proxy resolution: http://im.sg.example.one/_matrix/client/r0/login to http://localhost:8008/_matrix/client/r0/login
[XNIO-1 task-9] INFO io.kamax.mxisd.http.undertow.handler.auth.RestAuthHandler - Requested to check credentials for @testuser:im.sg.example.one
[XNIO-1 task-9] INFO io.kamax.mxisd.auth.AuthManager - Attempting authentication with store LdapAuthProvider
[XNIO-1 task-9] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - Performing auth for @testuser:im.sg.example.one
[XNIO-1 task-9] ERROR io.kamax.mxisd.http.undertow.handler.SaneHandler - Transaction #1554870624663 - ERR_04202 A value is missing on some RDN
[XNIO-1 task-9] INFO io.kamax.mxisd.http.undertow.handler.BasicHttpHandler - Request POST http://localhost:8090/_matrix-internal/identity/v1/check_credentials - Error M_UNKNOWN: An internal server error occured. If this error persists, please contact support with reference #1554870624663

maxidorius commented 5 years ago

So this is the actual error line in mxisd log:

[XNIO-1 task-9] ERROR io.kamax.mxisd.http.undertow.handler.SaneHandler - Transaction #1554870624663 - ERR_04202 A value is missing on some RDN

This is a LDAP error, and the specifics are:

ERR_04202 A value is missing on some RDN

I don't know what it means though, but the issue is not with mxisd itself. It's either the config you have given, or a specific configuration in your LDAP/AD.

procopsamuraev commented 5 years ago

Somehow changing the db to postgres solved the problem.

mjattiot commented 5 years ago

I have the same issue:

[XNIO-1 task-2] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - Performing auth for @mjattiot:opensense.spaces.dev.opensense.io
[XNIO-1 task-2] ERROR io.kamax.mxisd.http.undertow.handler.SaneHandler - Reference #1555421546384 - ERR_04202 A value is missing on some RDN
[XNIO-1 task-2] INFO io.kamax.mxisd.http.undertow.handler.BasicHttpHandler - Request POST http://matrix-identity:8090/_matrix-internal/identity/v1/check_credentials - Error M_UNKNOWN: An internal server error occured. If this error persists, please contact support with reference #1555421546384

I am using Google LDAP. My configuration is pretty simple:

ldap:
  enabled: true
  connection:
    host: 'ldap-proxy.core'
    port: 389
    bindDn: 'A_USER'
    bindPassword: 'A_PASSWORD'
    baseDNs: [ 'ou=Users,dc=opensense,dc=fr' ]
  attribute:
    uid:
      type: 'uid'
      value: 'uid'
    name: 'cn'
    threepid:
      email:
        - 'mail'

Any clue? Could you point me to the code line where the LDAP request is handled?

maxidorius commented 5 years ago

This is a configuration mismatch basically, some attributes are not properly set (Not possible to tell on config alone), and what you should look into is what is the cause of the following error on Google LDAP:

ERR_04202 A value is missing on some RDN

The code handling the login in LDAP is here. If we can figure out what the error actually means in your LDAP, I can fix on my end if there is something to fix.

This is the first time we come across this error and I have no means to replicate, so we'll need to work together on this one.

mjattiot commented 5 years ago

Thanks for your quick answer. How can I easily activate the debug mode in mxisd? Can I add something like the following to the configuration file:

io.kamax.mxisd=debug

??

maxidorius commented 5 years ago

How did you install mxisd?

mjattiot commented 5 years ago

I am using the Dockerfile

maxidorius commented 5 years ago

It seems like we didn't give a means to change the logging level for the Docker image, which is very annoying... I can fix it but not before tomorrow at the earliest.

mjattiot commented 5 years ago

It would be very kind of you!!

mjattiot commented 5 years ago

I found the issue. According to Google LDAP the bindDn should be in the form "my_user_name" without the "cn="

ldapsearch -H ldap://localhost:1234 -D 'myuser' -w mypassword -b "dc=opensense,dc=fr"

and it works with ldapsearch but throws ERR_04202 with mxisd.

I found out that the LDAP client used by mxisd (LdapConnection.bind) currently only allows a valid DN as the name. So I queried Google LDAP after adding cn= to the bindDn, even though I am not respecting their official documentation, and it worked with both ldapsearch and mxisd!!

ldapsearch -H ldap://localhost:1234 -D 'cn=myuser' -w mypassword -b "dc=opensense,dc=fr"

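
The failure pattern in this thread is a bindDn that the LDAP server accepts for a simple bind (a bare Google LDAP account name, or an AD user@domain as in the first post) but that a DN-only client such as LdapConnection.bind cannot parse, which surfaces as ERR_04202 at login time. The following Python is an added example, not mxisd's or either poster's code (mxisd itself is Java): it parses the configured bindDn as RFC 4514 DN text and classifies it as a DN, a user@domain name, or a bare name, so the mismatch is caught as a readable config finding instead of an internal server error. The names parse_dn, classify_bind_dn, check_ldap_config and BindDnReport are this example's own, and the sample configs are constructed from values quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Example config check for this thread; not mxisd code. A DN-only bind (the
# Apache Directory LdapConnection.bind named above) rejects non-RFC 4514 text.
ATTR_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")
SPECIAL = set(',+"\\<>;')


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, copying backslash-escaped pairs (RFC 4514) verbatim."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Parse 'attr=value(+attr=value)*,...' into RDNs; ValueError says why not."""
    if not dn.strip():
        raise ValueError("empty DN")
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn_text, "+"):
            if "=" not in ava:
                raise ValueError(f"RDN {ava!r} is not attr=value (no '=')")
            attr, value = (p.strip() for p in ava.split("=", 1))
            if not ATTR_TYPE_RE.match(attr):
                raise ValueError(f"RDN {ava!r} has invalid attribute type {attr!r}")
            if not value:
                raise ValueError(f"RDN {ava!r} is missing its value")
            avas.append((attr, value))
        rdns.append(avas)
    return rdns


def escape_rdn_value(value: str) -> str:
    """Backslash-escape characters RFC 4514 forbids unescaped in a value."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in SPECIAL or leading or trailing else ch)
    return "".join(out)


@dataclass
class BindDnReport:
    kind: str                 # "dn", "upn", "bare" or "invalid"
    reason: str
    suggestion: Optional[str]


def classify_bind_dn(bind_dn: str) -> BindDnReport:
    """Tell a real DN apart from an AD user@domain, a bare name, or junk."""
    try:
        rdns = parse_dn(bind_dn)
    except ValueError as err:
        reason = str(err)
    else:
        return BindDnReport("dn", f"{len(rdns)} RDN(s) parsed", None)
    if "=" not in bind_dn and UPN_RE.match(bind_dn):
        return BindDnReport("upn", "userPrincipalName form; an AD simple bind "
                            "accepts it, a DN-only client does not", None)
    if "=" not in bind_dn and bind_dn.strip():
        return BindDnReport("bare", "bare account name, not a DN",
                            f"cn={escape_rdn_value(bind_dn.strip())}")
    return BindDnReport("invalid", reason, None)


def check_ldap_config(ldap_section: dict) -> List[str]:
    """Findings for an mxisd-style 'ldap:' section given as a dict."""
    conn = ldap_section.get("connection", {})
    bind_dn, base_dns = conn.get("bindDn", ""), conn.get("baseDNs", [])
    findings = []
    report = classify_bind_dn(bind_dn)
    if report.kind != "dn":
        findings.append(f"bindDn {bind_dn!r}: {report.reason}")
        suggestion = report.suggestion
        if report.kind == "upn" and base_dns:
            # Placeholder from the first baseDN; the account may sit in an OU
            # below it, so confirm the real DN with ldapsearch first.
            user = escape_rdn_value(bind_dn.split("@", 1)[0])
            suggestion = f"cn={user},{base_dns[0]} (placeholder, verify with ldapsearch)"
        if suggestion:
            findings.append(f"  try bindDn: {suggestion}")
    for base in base_dns:
        try:
            parse_dn(base)
        except ValueError as err:
            findings.append(f"baseDN {base!r}: {err}")
    if not conn.get("tls", False):
        findings.append("tls: false: the bind password travels in clear unless "
                        "'host' is a local TLS proxy as described in this thread")
    return findings


# Constructed samples: the first post's AD-style bindDn, and the working Google config.
AD_STYLE = {"connection": {"host": "ldap.server", "port": 389, "tls": False,
                           "bindDn": "ldapauth@sg.fenix.one",
                           "baseDNs": ["dc=sg,dc=example,dc=one"]}}
GOOGLE_FIXED = {"connection": {"host": "GOOGLE_LDAP_PROXY", "port": 389, "tls": False,
                               "bindDn": "cn=USER_GENERATED_BY_GOOGLE_LDAP",
                               "baseDNs": ["ou=Users,dc=opensense,dc=fr"]}}

if __name__ == "__main__":
    for name, cfg in (("AD-style", AD_STYLE), ("Google (fixed)", GOOGLE_FIXED)):
        print(name, *check_ldap_config(cfg), sep="\n  ")
```

Run it before starting mxisd: a "bare" or "upn" finding is exactly the case that later shows up as ERR_04202, and the suggested cn= form is the one that worked against Google LDAP above.
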
maxidorius commented 5 years ago

@mjattiot That's awesome news! Thank you for researching this. Could you show your new mxisd config just to be clear on what works, to have a reference item for anyone hit by this in the future?

mjattiot commented 5 years ago

Sure, here is my config file:

ldap:
  enabled: true
  connection:
    host: 'GOOGLE_LDAP_PROXY'
    port: 389
    tls: false
    bindDn: 'cn=USER_GENERATED_BY_GOOGLE_LDAP'
    bindPassword: 'PASSWORD_GENERATED_BY_GOOGLE_LDAP'
    baseDNs:
      - 'ou=Users,dc=opensense,dc=fr'
  attribute:
    uid:
      type: 'uid'
      value: 'uid'
    name: 'cn'
    threepid:
      email:
        - 'mail'

The bindDn should start with "cn=" even if stated otherwise by Google's documentation.

Please also note that because mxisd can't authenticate with a certificate, I set up an LDAP proxy that initiates a TLS connection with a certificate to ldaps://ldap.google.com

maxidorius commented 5 years ago

Thank you for the follow up. Will close this now.