matrix-org / matrix-synapse-ldap3

An LDAP3 auth provider for Synapse
Apache License 2.0

AD Forest does not work #118

Closed celevra closed 3 years ago

celevra commented 3 years ago

Hi,

As described in the documentation, my config is as follows:

password_providers:
    - module: "ldap_auth_provider.LdapAuthProvider"
      config:
        enabled: true
        mode: "search"
        uri: "ldap://dc.test.net:389"
        start_tls: false
        base: "dc=test,dc=net"
        active_directory: true
        default_domain: test.net
        attributes:
           uid: "userPrincipalName"
           mail: "mail"
           name: "givenName"
        bind_dn: "CN=ldap_lookup,OU=test.net,DC=test,DC=net"
        bind_password: "xxx"

Logins for users in the domain test.net are working as expected, but for users in test2.net no login is possible:

2021-06-10 08:12:22,883 - ldap_auth_provider - 425 - DEBUG - sentinel - Established LDAP connection in search mode: ldap://168.119.71.29:389 - cleartext - user: CN=ldap_lookup,OU=test.net,DC=test,DC=net - not lazy - unbound - closed - <no socket> - tls not started - not listening - SyncStrategy - internal decoder
2021-06-10 08:12:22,889 - ldap_auth_provider - 463 - DEBUG - sentinel - LDAP search filter: (&(userPrincipalName=ztest@test2.net))
2021-06-10 08:12:22,895 - ldap_auth_provider - 502 - INFO - sentinel - LDAP search returned no results for '[('userPrincipalName', 'ztest@test2.net')]'
2021-06-10 08:12:22,897 - ldap_auth_provider - 225 - DEBUG - sentinel - LDAP auth method authenticated search returned: False (conn: None) (response: None)
2021-06-10 08:12:22,898 - synapse.storage.database - 653 - WARNING - sentinel - Starting db txn 'get_user_id_by_threepid' from sentinel context
2021-06-10 08:12:22,898 - synapse.storage.database - 700 - WARNING - sentinel - Starting db connection from sentinel context: metrics will be lost
2021-06-10 08:12:22,902 - synapse.handlers.auth - 1015 - WARNING - sentinel - unknown 3pid identifier medium email, address 'ztest@test2.net'

The trust between the two domains is working, and in Windows it's possible to search for ztest@test2.net. Am I missing something?

celevra commented 3 years ago

The problem is the base; we need a way for multiple base entries.

clokep commented 3 years ago

I believe this was fixed by #93, but no release has been done since then.

nE0sIghT commented 3 years ago

I believe base: "dc=net" should work for you

celevra commented 3 years ago

My example was bad, sorry for that. In reality it is a .net and a .de domain.

nE0sIghT commented 3 years ago

Then try base: "". BTW, I think your issue is not about AD Forest but about Forest trusts.

celevra commented 3 years ago

With that I get an exception:

2021-06-13 09:53:30,450 - ldap_auth_provider - 425 - DEBUG - sentinel - Established LDAP connection in search mode: ldap://127.0.0.1:389 - cleartext - user: CN=ldap_lookup,OU=test.net,DC=test,DC=net - not lazy - unbound - closed - <no socket> - tls not started - not listening - SyncStrategy - internal decoder
2021-06-13 09:53:30,457 - ldap_auth_provider - 463 - DEBUG - sentinel - LDAP search filter: (&(mail=ztest@test.de))
2021-06-13 09:53:30,464 - ldap_auth_provider - 516 - WARNING - sentinel - Error during LDAP authentication: LDAPNoSuchObjectResult - 32 - noSuchObject - None - 0000208D: NameErr: DSID-0310021B, problem 2001 (NO_OBJECT), data 0, best match of:
        ''
 - searchResDone - None
2021-06-13 09:53:30,464 - ldap_auth_provider - 253 - WARNING - sentinel - Error during ldap authentication: LDAPNoSuchObjectResult - 32 - noSuchObject - None - 0000208D: NameErr: DSID-0310021B, problem 2001 (NO_OBJECT), data 0, best match of:
        ''
 - searchResDone - None
2021-06-13 09:53:30,465 - synapse.http.server - 93 - ERROR - sentinel - Failed handle request via 'LoginRestServlet': <XForwardedForRequest at 0x7fc8c1dd6040 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.0' site='8008'>
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/synapse/http/server.py", line 258, in _async_render_wrapper
    callback_return = await self._async_render(request)
  File "/usr/local/lib/python3.8/site-packages/synapse/http/server.py", line 446, in _async_render
    callback_return = await raw_callback_return
  File "/usr/local/lib/python3.8/site-packages/synapse/rest/client/v1/login.py", line 161, in on_POST
    result = await self._do_other_login(login_submission)
  File "/usr/local/lib/python3.8/site-packages/synapse/rest/client/v1/login.py", line 222, in _do_other_login
    canonical_user_id, callback = await self.auth_handler.validate_login(
  File "/usr/local/lib/python3.8/site-packages/synapse/handlers/auth.py", line 1004, in validate_login
    ) = await self.check_password_provider_3pid(medium, address, password)
  File "/usr/local/lib/python3.8/site-packages/synapse/handlers/auth.py", line 1165, in check_password_provider_3pid
    result = await provider.check_3pid_auth(medium, address, password)
  File "/usr/local/lib/python3.8/site-packages/synapse/handlers/auth.py", line 1777, in check_3pid_auth
    result = await g(medium, address, password)
  File "/usr/local/lib/python3.8/site-packages/twisted/internet/defer.py", line 1443, in _inlineCallbacks
    result = current_context.run(result.throwExceptionIntoGenerator, g)
  File "/usr/local/lib/python3.8/site-packages/twisted/python/failure.py", line 500, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/usr/local/lib/python3.8/site-packages/ldap_auth_provider.py", line 221, in check_3pid_auth
    result, conn, response = yield self._ldap_authenticated_search(
  File "/usr/local/lib/python3.8/site-packages/twisted/internet/defer.py", line 1443, in _inlineCallbacks
    result = current_context.run(result.throwExceptionIntoGenerator, g)
  File "/usr/local/lib/python3.8/site-packages/twisted/python/failure.py", line 500, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/usr/local/lib/python3.8/site-packages/ldap_auth_provider.py", line 467, in _ldap_authenticated_search
    yield threads.deferToThread(
  File "/usr/local/lib/python3.8/site-packages/twisted/python/threadpool.py", line 238, in inContext
    result = inContext.theWork()  # type: ignore[attr-defined]
  File "/usr/local/lib/python3.8/site-packages/twisted/python/threadpool.py", line 254, in <lambda>
    inContext.theWork = lambda: context.call(  # type: ignore[attr-defined]
  File "/usr/local/lib/python3.8/site-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python3.8/site-packages/twisted/python/context.py", line 83, in callWithContext
    return func(*args, **kw)
  File "/usr/local/lib/python3.8/site-packages/ldap3/core/connection.py", line 853, in search
    response = self.post_send_search(self.send('searchRequest', request, controls))
  File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 178, in post_send_search
    responses, result = self.get_response(message_id)
  File "/usr/local/lib/python3.8/site-packages/ldap3/strategy/base.py", line 403, in get_response
    raise LDAPOperationResult(result=result['result'], description=result['description'], dn=result['dn'], message=result['message'], response_type=result['type'])
ldap3.core.exceptions.LDAPNoSuchObjectResult: LDAPNoSuchObjectResult - 32 - noSuchObject - None - 0000208D: NameErr: DSID-0310021B, problem 2001 (NO_OBJECT), data 0, best match of:
        ''
 - searchResDone - None
2021-06-13 09:53:30,476 - synapse.http.site - 416 - WARNING - sentinel - Failed to stop metrics: AttributeError("'_Sentinel' object has no attribute 'get_resource_usage'")

nE0sIghT commented 3 years ago

You are using old 0.1.4 version of ldap_auth_provider.
Try latest version from master branch.

celevra commented 3 years ago

I'm using the Synapse docker container. Do you know the exact path where I have to copy the files?

nE0sIghT commented 3 years ago

You should build new docker image based on latest Synapse one.
I don't remember the exact path - just search for it in the container; you need to replace just one file.

celevra commented 3 years ago

Now it looks way better, but it seems like it is appending the default domain:

2021-06-13 10:21:48,137 - ldap_auth_provider - 498 - DEBUG - sentinel - Established LDAP connection in simple bind mode: ldap://127.0.0.1:389 - cleartext - user: CN=ldap_lookup,OU=test.net,DC=test,DC=net - not lazy - unbound - closed - <no socket> - tls not started - not listening - SyncStrategy - internal decoder
2021-06-13 10:21:48,144 - ldap_auth_provider - 514 - DEBUG - sentinel - LDAP Bind successful in simple bind mode.
2021-06-13 10:21:48,144 - ldap_auth_provider - 468 - INFO - sentinel - Obtained root domain "test.net"
2021-06-13 10:21:48,144 - ldap_auth_provider - 134 - DEBUG - sentinel - Attempting LDAP connection with ['ldap://127.0.01:389']
2021-06-13 10:21:48,145 - ldap_auth_provider - 498 - DEBUG - sentinel - Established LDAP connection in simple bind mode: ldap://127.0.0.1:389 - cleartext - user: CN=ldap_lookup,OU=test.net,DC=test,DC=net - not lazy - unbound - closed - <no socket> - tls not started - not listening - SyncStrategy - internal decoder
2021-06-13 10:21:48,148 - ldap_auth_provider - 514 - DEBUG - sentinel - LDAP Bind successful in simple bind mode.
2021-06-13 10:21:48,148 - ldap_auth_provider - 576 - DEBUG - sentinel - LDAP search filter: (&(userPrincipalName=ztest@test.de.test.net))
2021-06-13 10:21:48,150 - ldap_auth_provider - 615 - INFO - sentinel - LDAP search returned no results for '[('userPrincipalName', 'ztest@test.de.test.net')]'
2021-06-13 10:21:48,150 - ldap_auth_provider - 161 - DEBUG - sentinel - LDAP auth method authenticated search returned: False (conn: None)
2021-06-13 10:21:48,150 - synapse.storage.database - 653 - WARNING - sentinel - Starting db txn 'get_users_by_id_case_insensitive' from sentinel context
2021-06-13 10:21:48,150 - synapse.storage.database - 700 - WARNING - sentinel - Starting db connection from sentinel context: metrics will be lost
2021-06-13 10:21:48,151 - synapse.handlers.auth - 880 - WARNING - sentinel - Attempted to login as @test.de\ztest:matrix.test.net but they do not exist
2021-06-13 10:21:48,152 - synapse.http.site - 416 - WARNING - sentinel - Failed to stop metrics: AttributeError("'_Sentinel' object has no attribute 'get_resource_usage'")

I've tried to log in with test.de\ztest

and it searches for ztest@test.de.test.net

celevra commented 3 years ago


In the Readme there is a default domain main.example.com.

Then there is "Users of other domains in example.com forest can login with domain\login".

That is what I have done: test.de\ztest (domain\user).

But the library puts .test.net at the end, which is wrong.
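
An added example (not code from matrix-synapse-ldap3, and not a claim about how the provider itself is implemented) that models the login handling this thread is about: split an AD-style login (`domain\user`, `user@domain`, `user/domain`, or a bare user that gets `default_domain`) into its parts without appending the default domain to a login that already carries one, build a `userPrincipalName` filter with RFC 4515 escaping so the login text cannot change the filter structure, and try several search bases in turn, which is the one-entry-per-domain workaround reached later in the thread. The function names, the two bases and the in-memory `FAKE_DIRECTORY` with `fake_search` are constructed stand-ins for illustration; against a real directory the `search` callable would wrap an ldap3 search.

```python
# Added example, not code from matrix-synapse-ldap3. Models the login
# handling discussed in the thread: parse an AD-style login, build an
# escaped userPrincipalName filter, and search several bases in turn.
# FAKE_DIRECTORY / fake_search are constructed stand-ins, not real data.
import re


def parse_ad_login(login, default_domain):
    """Return (user, domain) for 'DOMAIN\\user', 'user@domain',
    'user/domain' or a bare 'user' (which gets default_domain).
    A login that already names a domain keeps it; default_domain is
    never appended to it."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
    elif "@" in login:
        user, domain = login.rsplit("@", 1)
    elif "/" in login:
        user, domain = login.split("/", 1)
    else:
        user, domain = login, default_domain
    if not user or not domain:
        raise ValueError("malformed login: %r" % login)
    return user, domain.lower()


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515),
    so user-supplied text cannot alter the filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def upn_filter(user, domain):
    """Build the search filter for one user principal name."""
    upn = escape_filter_value("%s@%s" % (user, domain))
    return "(&(objectClass=user)(userPrincipalName=%s))" % upn


def search_bases(bases, search_filter, search):
    """Run search(base, filter) against each base, stopping at the first
    hit. This is the multi-base lookup the thread asks for."""
    for base in bases:
        entries = search(base, search_filter)
        if entries:
            return base, entries
    return None, []


def lookup_user(login, default_domain, bases, search):
    """Resolve a login to (base, dn), or None when no entry matches."""
    user, domain = parse_ad_login(login, default_domain)
    base, entries = search_bases(bases, upn_filter(user, domain), search)
    if not entries:
        return None
    return base, entries[0]["dn"]


# Constructed stand-in for two trusted domains (hypothetical entries).
FAKE_DIRECTORY = {
    "dc=test,dc=net": {
        "ztest@test.net": {"dn": "CN=ztest,OU=Users,DC=test,DC=net"},
    },
    "dc=test,dc=de": {
        "ztest@test.de": {"dn": "CN=ztest,OU=Users,DC=test,DC=de"},
    },
}


def _unescape(value):
    """Reverse RFC 4515 escaping (\\xx hex pairs) for the fake search."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def fake_search(base, search_filter):
    """Minimal stand-in for an LDAP search: understands only the filter
    shape produced by upn_filter and only knows FAKE_DIRECTORY."""
    m = re.search(r"\(userPrincipalName=([^)]*)\)", search_filter)
    if m is None:
        return []
    upn = _unescape(m.group(1)).lower()
    entry = FAKE_DIRECTORY.get(base, {}).get(upn)
    return [entry] if entry else []


if __name__ == "__main__":
    bases = ["dc=test,dc=net", "dc=test,dc=de"]
    for login in ["ztest", "test.de\\ztest", "ztest@test.de", "nobody"]:
        print(login, "->", lookup_user(login, "test.net", bases, fake_search))
```

With `default_domain` set to `test.net`, the login `test.de\ztest` resolves to `ztest@test.de` and is found under the second base, while a bare `ztest` becomes `ztest@test.net` and is found under the first; a login containing filter metacharacters is escaped and simply yields no match.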

nE0sIghT commented 3 years ago

ztest/test.de should work for you.
But again - your configuration is not AD Forest, but 2 trusted Forests. AD Forest configuration was not made with such assumption in mind.

celevra commented 3 years ago

Hm, yep, it is a two-way trust between two domains; I can log in on both sides with users from the other side.

The search is now working, but it didn't find the user. In other LDAP tools I need to provide multiple base paths. Is it possible to add 2 searches? If I add the config two times I get connection refused.

nE0sIghT commented 3 years ago

I do not think your issue is in search base.
You can try to specify an empty search base in other tools - I think it should work.

Are you using the global catalog port?

celevra commented 3 years ago

I ended up with two - module: "ldap_auth_provider.LdapAuthProvider" entries, one for the one domain and one for the other; that works.

richvdh commented 3 years ago

fixed by #93