Closed celevra closed 3 years ago
The problem is the base; we need a way for multiple base entries.
I believe this was fixed by #93, but no release has been done since then.
I believe base: "dc=net"
should work for you
My example was bad, sorry for that. In reality it is a .net and a .de domain.
Then try base: ""
BTW, I think your issue is not about an AD forest but about forest trusts.
With that I get an exception:
2021-06-13 09:53:30,450 - ldap_auth_provider - 425 - DEBUG - sentinel - Established LDAP connection in search mode: ldap://127.0.0.1:389 - cleartext - user: CN=ldap_lookup,OU=test.net,DC=test,DC=net - not lazy - unbound - closed - <no socket> - tls not started - not listening - SyncStrategy - internal decoder
2021-06-13 09:53:30,457 - ldap_auth_provider - 463 - DEBUG - sentinel - LDAP search filter: (&(mail=ztest@test.de))
2021-06-13 09:53:30,464 - ldap_auth_provider - 516 - WARNING - sentinel - Error during LDAP authentication: LDAPNoSuchObjectResult - 32 - noSuchObject - None - 0000208D: NameErr: DSID-0310021B, problem 2001 (NO_OBJECT), data 0, best match of:
''
- searchResDone - None
2021-06-13 09:53:30,464 - ldap_auth_provider - 253 - WARNING - sentinel - Error during ldap authentication: LDAPNoSuchObjectResult - 32 - noSuchObject - None - 0000208D: NameErr: DSID-0310021B, problem 2001 (NO_OBJECT), data 0, best match of:
''
- searchResDone - None
2021-06-13 09:53:30,465 - synapse.http.server - 93 - ERROR - sentinel - Failed handle request via 'LoginRestServlet': <XForwardedForRequest at 0x7fc8c1dd6040 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.0' site='8008'>
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/synapse/http/server.py", line 258, in _async_render_wrapper
callback_return = await self._async_render(request)
File "/usr/local/lib/python3.8/site-packages/synapse/http/server.py", line 446, in _async_render
callback_return = await raw_callback_return
File "/usr/local/lib/python3.8/site-packages/synapse/rest/client/v1/login.py", line 161, in on_POST
result = await self._do_other_login(login_submission)
File "/usr/local/lib/python3.8/site-packages/synapse/rest/client/v1/login.py", line 222, in _do_other_login
canonical_user_id, callback = await self.auth_handler.validate_login(
File "/usr/local/lib/python3.8/site-packages/synapse/handlers/auth.py", line 1004, in validate_login
) = await self.check_password_provider_3pid(medium, address, password)
File "/usr/local/lib/python3.8/site-packages/synapse/handlers/auth.py", line 1165, in check_password_provider_3pid
result = await provider.check_3pid_auth(medium, address, password)
File "/usr/local/lib/python3.8/site-packages/synapse/handlers/auth.py", line 1777, in check_3pid_auth
result = await g(medium, address, password)
File "/usr/local/lib/python3.8/site-packages/twisted/internet/defer.py", line 1443, in _inlineCallbacks
result = current_context.run(result.throwExceptionIntoGenerator, g)
File "/usr/local/lib/python3.8/site-packages/twisted/python/failure.py", line 500, in throwExceptionIntoGenerator
return g.throw(self.type, self.value, self.tb)
File "/usr/local/lib/python3.8/site-packages/ldap_auth_provider.py", line 221, in check_3pid_auth
result, conn, response = yield self._ldap_authenticated_search(
File "/usr/local/lib/python3.8/site-packages/twisted/internet/defer.py", line 1443, in _inlineCallbacks
result = current_context.run(result.throwExceptionIntoGenerator, g)
File "/usr/local/lib/python3.8/site-packages/twisted/python/failure.py", line 500, in throwExceptionIntoGenerator
return g.throw(self.type, self.value, self.tb)
File "/usr/local/lib/python3.8/site-packages/ldap_auth_provider.py", line 467, in _ldap_authenticated_search
yield threads.deferToThread(
File "/usr/local/lib/python3.8/site-packages/twisted/python/threadpool.py", line 238, in inContext
result = inContext.theWork() # type: ignore[attr-defined]
File "/usr/local/lib/python3.8/site-packages/twisted/python/threadpool.py", line 254, in <lambda>
inContext.theWork = lambda: context.call( # type: ignore[attr-defined]
File "/usr/local/lib/python3.8/site-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/local/lib/python3.8/site-packages/twisted/python/context.py", line 83, in callWithContext
return func(*args, **kw)
File "/usr/local/lib/python3.8/site-packages/ldap3/core/connection.py", line 853, in search
response = self.post_send_search(self.send('searchRequest', request, controls))
File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 178, in post_send_search
responses, result = self.get_response(message_id)
File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/base.py", line 403, in get_response
raise LDAPOperationResult(result=result['result'], description=result['description'], dn=result['dn'], message=result['message'], response_type=result['type'])
ldap3.core.exceptions.LDAPNoSuchObjectResult: LDAPNoSuchObjectResult - 32 - noSuchObject - None - 0000208D: NameErr: DSID-0310021B, problem 2001 (NO_OBJECT), data 0, best match of:
''
- searchResDone - None
2021-06-13 09:53:30,476 - synapse.http.site - 416 - WARNING - sentinel - Failed to stop metrics: AttributeError("'_Sentinel' object has no attribute 'get_resource_usage'")
You are using the old 0.1.4 version of ldap_auth_provider.
Try the latest version from the master branch.
I'm using the Synapse Docker container. Do you know the exact path where I have to copy the files?
You should build a new Docker image based on the latest Synapse one.
I don't remember the exact path; just search for it in the container. You need to replace just one file.
Now it looks way better, but it seems like it is appending the default domain:
2021-06-13 10:21:48,137 - ldap_auth_provider - 498 - DEBUG - sentinel - Established LDAP connection in simple bind mode: ldap://127.0.0.1:389 - cleartext - user: CN=ldap_lookup,OU=test.net,DC=test,DC=net - not lazy - unbound - closed - <no socket> - tls not started - not listening - SyncStrategy - internal decoder
2021-06-13 10:21:48,144 - ldap_auth_provider - 514 - DEBUG - sentinel - LDAP Bind successful in simple bind mode.
2021-06-13 10:21:48,144 - ldap_auth_provider - 468 - INFO - sentinel - Obtained root domain "test.net"
2021-06-13 10:21:48,144 - ldap_auth_provider - 134 - DEBUG - sentinel - Attempting LDAP connection with ['ldap://127.0.01:389']
2021-06-13 10:21:48,145 - ldap_auth_provider - 498 - DEBUG - sentinel - Established LDAP connection in simple bind mode: ldap://127.0.0.1:389 - cleartext - user: CN=ldap_lookup,OU=test.net,DC=test,DC=net - not lazy - unbound - closed - <no socket> - tls not started - not listening - SyncStrategy - internal decoder
2021-06-13 10:21:48,148 - ldap_auth_provider - 514 - DEBUG - sentinel - LDAP Bind successful in simple bind mode.
2021-06-13 10:21:48,148 - ldap_auth_provider - 576 - DEBUG - sentinel - LDAP search filter: (&(userPrincipalName=ztest@test.de.test.net))
2021-06-13 10:21:48,150 - ldap_auth_provider - 615 - INFO - sentinel - LDAP search returned no results for '[('userPrincipalName', 'ztest@test.de.test.net')]'
2021-06-13 10:21:48,150 - ldap_auth_provider - 161 - DEBUG - sentinel - LDAP auth method authenticated search returned: False (conn: None)
2021-06-13 10:21:48,150 - synapse.storage.database - 653 - WARNING - sentinel - Starting db txn 'get_users_by_id_case_insensitive' from sentinel context
2021-06-13 10:21:48,150 - synapse.storage.database - 700 - WARNING - sentinel - Starting db connection from sentinel context: metrics will be lost
2021-06-13 10:21:48,151 - synapse.handlers.auth - 880 - WARNING - sentinel - Attempted to login as @test.de\ztest:matrix.test.net but they do not exist
2021-06-13 10:21:48,152 - synapse.http.site - 416 - WARNING - sentinel - Failed to stop metrics: AttributeError("'_Sentinel' object has no attribute 'get_resource_usage'")
I've tried to log in with test.de\ztest
and it searches for ztest@test.de.test.net.
In the README there is a default domain main.example.com,
then there is "Users of other domains in example.com forest can login with domain\login".
That is what I have done: test.de\ztest (domain\user),
but the library puts .test.net at the end, which is wrong.
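The two resolution rules discussed in this thread, as an added illustration (this is not code from matrix-synapse-ldap3 and does not claim to be the plugin's own logic): a bare "domain\user" label is treated as a child domain of the default domain, which is the forest assumption, while a domain that is already fully qualified, as in a trusted-forest login like test.de\ztest, is used as-is. The naive variant reproduces the ztest@test.de.test.net result seen in the log above. The default domain test.net, the helper names and the sample logins are assumptions for the example. Since the login name comes straight from the client and ends up inside the LDAP search filter, the example also escapes it per RFC 4515 before interpolation.

```python
# Added example, not part of the ldap_auth_provider project.
# Assumed default (root) domain for the forest; the plugin's setting may differ.
DEFAULT_DOMAIN = "test.net"

# RFC 4515 escaping for values interpolated into an LDAP search filter.
# Without it a login such as ")(objectClass=*" would alter the filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def resolve_upn(login: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """Map a typed login to a userPrincipalName.

    Accepted forms: 'user', 'user@fqdn', 'domain\\user'.
    - 'user'          -> user@default_domain
    - 'user@fqdn'     -> unchanged
    - 'label\\user'   -> user@label.default_domain (child domain of the forest)
    - 'a.b.c\\user'   -> user@a.b.c (already fully qualified: trusted forest)
    The FQDN rule is this example's assumption, not the plugin's documented behaviour.
    """
    login = login.strip()
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return f"{user}@{domain}"
    if "\\" in login:
        domain, _, user = login.partition("\\")
        if "." in domain:
            return f"{user}@{domain}"
        return f"{user}@{domain}.{default_domain}"
    return f"{login}@{default_domain}"


def naive_resolve_upn(login: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """Reproduce the outcome shown in the log: every 'domain\\user' login
    gets default_domain appended, even when 'domain' is already an FQDN."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return f"{user}@{domain}.{default_domain}"
    return f"{login}@{default_domain}"


def upn_filter(login: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """Build the userPrincipalName search filter with the value escaped."""
    upn = resolve_upn(login, default_domain)
    return f"(&(userPrincipalName={escape_filter_value(upn)}))"


if __name__ == "__main__":
    for sample in ("ztest", "sub\\ztest", "test.de\\ztest", "ztest@test.de"):
        print(f"{sample!r:20} naive={naive_resolve_upn(sample):28} fixed={upn_filter(sample)}")
```

For two separate forests joined by a trust, a single default domain cannot describe both sides, which is why the thread ends with one module entry per domain; when searching across a forest, the global catalog port (3268, or 3269 over TLS) rather than 389 is the usual choice, which the maintainer's question below is getting at.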
ztest/test.de should work for you.
But again, your configuration is not an AD forest but 2 trusted forests. The AD forest configuration was not made with such an assumption in mind.
Hm, yep, it is a two-way trust between two domains; I can log in on both sides with users from the other side.
The search is now working, but it didn't find the user. In other LDAP tools I need to provide multiple base paths. Is it possible to add 2 searches? If I add the config two times I get connection refused.
I do not think your issue is in search base.
You can try to specify an empty search base in other tools; I think it should work.
Are you using the global catalog port?
I ended up with two - module: "ldap_auth_provider.LdapAuthProvider" entries, one for each of the two domains; that works.
fixed by #93
Hi,
as described in the docs, my config is as follows:
Login for users in the domain test.net is working as expected, but for users in test2.net no login is possible:
The trust between the two domains is working, and in Windows it is possible to search for ztest@test2.net. Am I missing something?