ma1uta / ma1sd

Federated Matrix Identity Server (formerly fork of kamax/mxisd)
GNU Affero General Public License v3.0

"Bind was found but type uid is not supported" - Looking up LDAP user names (lowercase/uppercase) #97

Open tgurr opened 3 years ago

tgurr commented 3 years ago

https://github.com/ma1uta/ma1sd/pull/71 is expected to fix this problem, however I'm still running into an issue. As can be seen in the logs, the users are actually found, but no result is given to Element due to the error message `Bind was found but type uid is not supported`.

In the logs when doing a search via Element I have:

```
Jun 22 14:33:17 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.directory.DirectoryManager - Performing search for 'xx00001'
Jun 22 14:33:17 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.directory.DirectoryManager - Original request URL: http://matrix.domain.local/_matrix/client/r0/user_directory/search
Jun 22 14:33:17 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.directory.DirectoryManager - Querying HS at http://localhost:8008/_matrix/client/r0/user_directory/search
Jun 22 14:33:17 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.directory.DirectoryManager - Found 0 match(es) in HS for 'xx00001'
Jun 22 14:33:17 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.directory.DirectoryManager - Using Directory provider LdapDirectoryProvider
Jun 22 14:33:17 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - Performing LDAP directory search on display name using 'xx00001'
Jun 22 14:33:18 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - Found possible match, DN: CN=lastname name,OU=corporate,DC=domain,DC=local
Jun 22 14:33:18 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - DN CN=lastname name,OU=corporate,DC=domain,DC=local is a valid match
Jun 22 14:33:18 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.backend.ldap.LdapBackend - UID XX00001 from LDAP has been changed to lowercase to match the Synapse specifications
Jun 22 14:33:18 matrixhost ma1sd[3476760]: [XNIO-1 task-1] WARN io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - Bind was found but type uid is not supported
Jun 22 14:33:18 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.directory.DirectoryManager - Display name: found 0 match(es) for 'xx00001'
Jun 22 14:33:18 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - Performing LDAP directory search on 3PIDs using 'xx00001'
Jun 22 14:33:18 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - Found possible match, DN: CN=lastname name,OU=corporate,DC=domain,DC=local
Jun 22 14:33:18 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - DN CN=lastname name,OU=corporate,DC=domain,DC=local is a valid match
Jun 22 14:33:18 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.backend.ldap.LdapBackend - UID XX00001 from LDAP has been changed to lowercase to match the Synapse specifications
Jun 22 14:33:18 matrixhost ma1sd[3476760]: [XNIO-1 task-1] WARN io.kamax.mxisd.backend.ldap.LdapDirectoryProvider - Bind was found but type uid is not supported
Jun 22 14:33:18 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.directory.DirectoryManager - Threepid: found 0 match(es) for 'xx00001'
Jun 22 14:33:18 matrixhost ma1sd[3476760]: [XNIO-1 task-1] INFO io.kamax.mxisd.directory.DirectoryManager - Total matches: 0 - limited? false
```

My ma1sd configuration has:

```yaml
ldap:
  enabled: true
  lookup: true # hash lookup
  activeDirectory: true
  defaultDomain: 'domain.local'
  connection:
    host: 'addc1.domain.local'
    port: 389
    bindDn: 'CN=matrixldapuser,OU=services,OU=corporate,DC=domain,DC=local'
    bindPassword: 'xxxxxxx'
    baseDNs:
      - 'OU=corporate,DC=domain,DC=local'
  attribute:
    uid:
      type: 'uid' # or mxid
      value: 'sAMAccountName'
    name: 'displayName'
  identity:
    filter: '(objectClass=inetOrgPerson)'
```

If it's a configuration issue on my side it would be nice if someone could tell me what needs to be changed.

tgurr commented 3 years ago

To answer myself, removing `activeDirectory: true` appears to fix the problem.

q-wertz commented 2 years ago

Hi, sorry never saw this. I did the patch back then but still don't have Synapse in use...

I'm not very familiar with the code/all the specifications.

The error seems to happen in the search function here: https://github.com/ma1uta/ma1sd/blob/ae5864cd91f7db57c3a99b7847c3c327980e74e8/src/main/java/io/kamax/mxisd/backend/ldap/LdapDirectoryProvider.java#L76-L84. I think the exception is thrown in line 79, where something is broken when `activeDirectory: true` (in that case a UPN object is used to get the localpart, and this expects a `@` in the UID -> not present -> throws the IllegalArgumentException).

But in that case line 76 should be present in the logs, so I cannot really follow :sweat_smile:

Could you maybe try to search `login@domain` and see if it also happens then?
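
The failure mode described in the comment above, as an added model that is not ma1sd's code: with `activeDirectory: true` the localpart is taken from a UPN and a bare `sAMAccountName` such as `XX00001` has no `@`, so the LDAP hit is dropped; a lenient extractor accepts both forms and still lowercases for Synapse. The function names, the `directory_search` simulation and the way the dropped hit maps onto the logged warning are assumptions for illustration.

```python
# Added example, not ma1sd code. Names are hypothetical; ma1sd's real
# LdapBackend / UPN helper classes are not reproduced here.
DEFAULT_DOMAIN = "domain.local"  # mirrors the issue's `defaultDomain`

WARNING = "Bind was found but type uid is not supported"


def localpart_from_upn_strict(uid: str) -> str:
    """Model of the activeDirectory=true path as the comment describes it:
    a UPN like 'xx00001@domain.local' is expected, so a bare
    sAMAccountName raises (the IllegalArgumentException in ma1sd)."""
    if "@" not in uid:
        raise ValueError(f"UID {uid!r} is not a UPN (no '@')")
    local, _, _domain = uid.partition("@")
    return local.lower()  # Synapse requires lowercase localparts


def localpart_lenient(uid: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """Hardened variant: accept a bare sAMAccountName or a UPN, but refuse
    a UPN from a different domain so that a foreign directory account
    cannot be mapped onto a local Matrix ID by accident."""
    local, sep, domain = uid.partition("@")
    if sep and domain.lower() != default_domain.lower():
        raise ValueError(f"UPN domain {domain!r} != {default_domain!r}")
    if not local:
        raise ValueError("empty localpart")
    return local.lower()


def directory_search(ldap_uids, active_directory: bool):
    """Simulate the directory provider (assumption): each UID the LDAP
    search returned is mapped to a localpart; a failed mapping is logged
    as the warning from the issue and the hit is dropped, which is how
    'valid match' lines can still end in 'Total matches: 0'."""
    extract = localpart_from_upn_strict if active_directory else localpart_lenient
    results, warnings = [], []
    for uid in ldap_uids:
        try:
            results.append(extract(uid))
        except ValueError:
            warnings.append(WARNING)
    return results, warnings


if __name__ == "__main__":
    # Constructed sample: the sAMAccountName seen in the issue's logs.
    print(directory_search(["XX00001"], active_directory=True))
    print(directory_search(["XX00001"], active_directory=False))
    print(directory_search(["XX00001@domain.local"], active_directory=True))
```

The third call shows why searching `login@domain` is a useful diagnostic: a full UPN satisfies even the strict path.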

tobast commented 2 months ago

I can confirm that the issue is still present (ma1sd version 2.5.0). Setting `activeDirectory` to false still seems to mitigate the issue.