kamax-matrix / mxisd

Federated Matrix Identity Server
GNU Affero General Public License v3.0

Error auth by AD.domain\username. The filter (AD.domain\username) is invalid. #179

Closed biolim closed 5 years ago

biolim commented 5 years ago

Jun  4 11:53:47 hz-matrix01 mxisd: [XNIO-1 task-12] INFO io.kamax.mxisd.auth.AuthManager - Login request is User ID type
Jun  4 11:53:47 hz-matrix01 mxisd: [XNIO-1 task-12] INFO io.kamax.mxisd.auth.AuthManager - No User ID rewrite rules to apply
Jun  4 11:53:47 hz-matrix01 mxisd: [XNIO-1 task-12] INFO io.kamax.mxisd.auth.AuthManager - Proxy resolution: http://site.domain.name/_matrix/client/r0/login to http://localhost:8008/_matrix/client/r0/login
Jun  4 11:53:47 hz-matrix01 mxisd: [XNIO-1 task-15] INFO io.kamax.mxisd.http.undertow.handler.auth.RestAuthHandler - Requested to check credentials for @AD.domain\username:site.domain.name
Jun  4 11:53:47 hz-matrix01 mxisd: [XNIO-1 task-15] INFO io.kamax.mxisd.auth.AuthManager - Attempting authentication with store LdapAuthProvider
Jun  4 11:53:47 hz-matrix01 mxisd: [XNIO-1 task-15] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - Performing auth for @AD.domain\username:site.domain.name
Jun  4 11:53:47 hz-matrix01 mxisd: [XNIO-1 task-15] ERROR io.kamax.mxisd.http.undertow.handler.SaneHandler - Transaction #1559663627156 - The filter (uid=AD.domain\username) is invalid.
Jun  4 11:53:47 hz-matrix01 mxisd: [XNIO-1 task-15] INFO io.kamax.mxisd.http.undertow.handler.BasicHttpHandler - Request POST http://127.0.0.1:8090/_matrix-internal/identity/v1/check_credentials - Error M_UNKNOWN: An internal server error occurred. Contact your administrator with reference Transaction #1559663627156
Jun  4 11:53:47 hz-matrix01 mxisd: [XNIO-1 task-12] INFO io.kamax.mxisd.auth.AuthManager - http status = 500 #
Jun  4 11:53:47 hz-matrix01 mxisd: [XNIO-1 task-15] ERROR io.kamax.mxisd.http.undertow.handler.SaneHandler - Transaction #1559663627156 - The filter (sAMAccountName=AD.domain\username) is invalid.

matrix:
  domain: 'matrix.domain.site'
key:
  path: '/var/lib/mxisd/keys'
storage:
  provider:
    sqlite:
      database: '/var/lib/mxisd/mxisd.db'
ldap:
  enabled: true
  connection:
    host: hostname
    port: 389
    bindDn: 'CN=MXISD,OU=SystemUsers,DC=domain,DC=local'
    bindPassword: 'HardPassword'
    baseDNs:
      - 'OU=admins,OU=SG,OU=!_Users,DC=domain,DC=local'
  attribute:
    uid:
      type: 'uid'
      value: 'uid'
    name: 'cn'
dns:
  overwrite:
    homeserver:
      client:
        - name: 'matrix.domain.site'
          value: 'http://localhost:8008'
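The filters in the log above, `(uid=AD.domain\username)` and `(sAMAccountName=AD.domain\username)`, are rejected because a bare backslash is a special character in RFC 4515 filter syntax and must be encoded as `\5c`. As an added example (not mxisd's code), the Python below escapes assertion values per RFC 4515, which both avoids this error and keeps user-supplied logins from altering the filter, and splits the `DOMAIN\user` form so only the user part is matched against sAMAccountName; all function names are my own.

```python
import re
from typing import Optional, Tuple

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value as a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an LDAP search filter assertion value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attribute: str, value: str) -> str:
    """Build a single equality filter; the attribute name is validated and
    the value is escaped so it can never close or extend the filter."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attribute):
        raise ValueError(f"invalid attribute name: {attribute!r}")
    return f"({attribute}={escape_filter_value(value)})"


def split_downlevel_logon(login: str) -> Tuple[Optional[str], str]:
    """Split a down-level logon name 'DOMAIN\\user' into (domain, user).
    Returns (None, login) when there is no backslash."""
    domain, sep, user = login.partition("\\")
    if not sep:
        return None, login
    return domain, user


def samaccountname_filter(login: str) -> str:
    """Filter for the user part of a login, as suggested in the thread
    (rewrite AD.domain\\username to sAMAccountName=username)."""
    _domain, user = split_downlevel_logon(login)
    return build_filter("sAMAccountName", user)


if __name__ == "__main__":
    # Constructed input mirroring the login from the log above.
    login = "AD.domain\\username"
    print(build_filter("uid", login))        # (uid=AD.domain\5cusername)
    print(samaccountname_filter(login))      # (sAMAccountName=username)
```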

maxidorius commented 5 years ago

Could you tell what the issue is here, putting aside the technical error? Or the expected behaviour, and of which component? This error can be dealt with in many ways.

biolim commented 5 years ago

How do I adjust authentication in ActiveDirectory for the user AD.domain\username? Perhaps it is necessary to adjust auth.rewrite.user for AD.domain\username to sAMAccountName=username.

maxidorius commented 5 years ago

It depends. Do you have multiple domains in your forest, and did you configure mxisd to do a forest lookup instead of a domain lookup? And did you try with just the username, maybe?

biolim commented 5 years ago

It works after changing homeserver.yaml trusted_third_party_id_servers:

Is it possible to forbid the user from editing a profile?

Is it possible to configure search in the forest, across several domains: username: AD.domain\username

biolim commented 5 years ago

Is it possible to update a profile when data changes in ActiveDirectory (displayname, email, phone)?

maxidorius commented 5 years ago

If you feel the login issue has been resolved, close the issue please :)

Is it possible to forbid the user from editing a profile?

That is not in the scope of Identity servers but of Homeservers, or of something like our mxgwd project (Note: it is alpha).

Is it possible to configure search in the forest, across several domains

No. The internal LDAP Identity store is designed to support a single domain per instance. If you have several domains, you will need to either 1) have several mxisd instances, but search won't span across all instances, or 2) wire your own logic using the REST or Exec Identity stores, which allow you to do virtually anything you want.

Is it possible to update a profile when data changes in ActiveDirectory (displayname, email, phone)?

mxisd is not involved in Matrix user profile data; it only provides the profile data from the Identity store. Such an update would be done by the Homeserver. In the case of synapse, it is done by password providers at login only. I am not aware of any way to do what you want out of the box, short of having custom software.