matrix-org / matrix-synapse-ldap3

An LDAP3 auth provider for Synapse
Apache License 2.0

IndexError when accessing missing attribute for registration metadata #14

Open rafaelmr2 opened 7 years ago

rafaelmr2 commented 7 years ago

Hi, I recently upgraded to the latest version of Matrix (0.18.5). Only those who logged in using LDAP before the upgrade can log in to Matrix now. New users can't. My config and error are below.

I changed the config for the new version:

homeserver.yaml

#ldap_config:
password_providers:
 - module: "ldap_auth_provider.LdapAuthProvider"
   config:
      enabled: true
      uri: "ldap://***.ufrj.br:389"
      start_tls: true
      base: "cn=users,cn=accounts,dc=***"
      attributes:
         uid: "uid"
         mail: "email"
         name: "displayName"
      bind_dn: "uid=matrix,cn=sysaccounts,cn=etc,dc=***"
      bind_password: "*****"
      filter: "(&(objectclass=person)(memberOf=cn=matrix,cn=groups,cn=accounts,dc=***))"

homeserver.log

2016-12-21 08:26:51,080 - synapse.access.https.8448 - 59 - INFO - POST-10721- 146.164.84.4 - 8448 - Received request: POST /_matrix/client/r0/login?
2016-12-21 08:26:51,095 - synapse.handlers.auth - 460 - WARNING - POST-10721- Attempted to login as @teste:matrix.id.ufrj.br but they do not exist
2016-12-21 08:26:51,100 - synapse.http.server - 139 - ERROR - POST-10721- Failed handle request synapse.http.server._async_render on <synapse.rest.ClientRestResource object at 0x38a2d90>: <SynapseRequest at 0x4bb9560 method=POST uri=/_matrix/client/r0/login? clientproto=HTTP/1.1 site=8448>
Traceback (most recent call last):
  File "/root/.synapse/lib/python2.7/site-packages/synapse/http/server.py", line 116, in wrapped_request_handler
    yield request_handler(self, request, request_metrics)
  File "/root/.synapse/lib/python2.7/site-packages/twisted/internet/defer.py", line 1297, in _inlineCallbacks
    result = result.throwExceptionIntoGenerator(g)
  File "/root/.synapse/lib/python2.7/site-packages/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/root/.synapse/lib/python2.7/site-packages/synapse/http/server.py", line 255, in _async_render
    callback_return = yield callback(request, **kwargs)
  File "/root/.synapse/lib/python2.7/site-packages/twisted/internet/defer.py", line 1297, in _inlineCallbacks
    result = result.throwExceptionIntoGenerator(g)
  File "/root/.synapse/lib/python2.7/site-packages/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/root/.synapse/lib/python2.7/site-packages/synapse/rest/client/v1/login.py", line 94, in on_POST
    result = yield self.do_password_login(login_submission)
  File "/root/.synapse/lib/python2.7/site-packages/twisted/internet/defer.py", line 1297, in _inlineCallbacks
    result = result.throwExceptionIntoGenerator(g)
  File "/root/.synapse/lib/python2.7/site-packages/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/root/.synapse/lib/python2.7/site-packages/synapse/rest/client/v1/login.py", line 137, in do_password_login
    password=login_submission["password"],
  File "/root/.synapse/lib/python2.7/site-packages/twisted/internet/defer.py", line 1297, in _inlineCallbacks
    result = result.throwExceptionIntoGenerator(g)
  File "/root/.synapse/lib/python2.7/site-packages/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/root/.synapse/lib/python2.7/site-packages/synapse/handlers/auth.py", line 491, in _check_password
    is_valid = yield provider.check_password(user_id, password)
  File "/root/.synapse/lib/python2.7/site-packages/twisted/internet/defer.py", line 1299, in _inlineCallbacks
    result = g.send(result)
  File "/root/.synapse/lib/python2.7/site-packages/ldap_auth_provider.py", line 178, in check_password
    mail = attrs[self.ldap_attributes['mail']][0]
IndexError: list index out of range

Thanks.

4nd3r commented 7 years ago

see last comments of #13

mweinelt commented 7 years ago

There seems to be an issue with looking up the email field(s).

Can you verify the user that triggered this exception actually has an email field?

rafaelmr2 commented 7 years ago

Yes, they have email field.

mweinelt commented 7 years ago

attrs is a dictionary, so is ldap_attributes, so the list attrs['email'] must be empty.

This would indicate there are no email values for the distinguished name.

rafaelmr2 commented 7 years ago

We don't register users without e-mail. Nobody can log in now, just those who logged in before the upgrade.

jcgruenhage commented 7 years ago

I have the same problem. Here is my config:

    - module: "ldap_auth_provider.LdapAuthProvider"
      config:
        enabled: true
        uri: "ldap://gruenhageldap:389/"
        start_tls: false
        base: "ou=users,dc=gruenhage,dc=xyz"
        attributes:
           uid: "cn"
           mail: "mail"
           name: "cn"
        bind_dn: "cn=admin,dc=gruenhage,dc=xyz"
        bind_password: ***REMOVED***
        filter: "(objectClass=inetOrgPerson)"

Log:

2017-02-03 15:55:35,778 - synapse.access.http.8008 - 59 - INFO - OPTIONS-1374- 172.19.0.14 - 8008 - Received request: OPTIONS /_matrix/client/r0/login?
2017-02-03 15:55:35,778 - synapse.access.http.8008 - 91 - INFO - OPTIONS-1374- 172.19.0.14 - 8008 - {None} Processed request: 0ms (0ms, 0ms) (0ms/0) 22B 200 "OPTIONS /_matrix/client/r0/login? HTTP/1.1" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
2017-02-03 15:55:35,782 - synapse.access.http.8008 - 59 - INFO - POST-1375- 172.19.0.14 - 8008 - Received request: POST /_matrix/client/r0/login?
2017-02-03 15:55:35,783 - synapse.storage.txn - 223 - DEBUG - POST-1375- [TXN START] {get_users_by_id_case_insensitive-9f8}
2017-02-03 15:55:35,783 - synapse.storage.SQL - 85 - DEBUG - POST-1375- [SQL] {get_users_by_id_case_insensitive-9f8} SELECT name, password_hash FROM users WHERE lower(name) = lower(?)
2017-02-03 15:55:35,783 - synapse.storage.SQL - 92 - DEBUG - POST-1375- [SQL values] {get_users_by_id_case_insensitive-9f8} ('@jan.christian:gruenhage.xyz',)
2017-02-03 15:55:35,783 - synapse.storage.SQL - 109 - DEBUG - POST-1375- [SQL time] {get_users_by_id_case_insensitive-9f8} 0.398926
2017-02-03 15:55:35,784 - synapse.storage.txn - 279 - DEBUG - POST-1375- [TXN END] {get_users_by_id_case_insensitive-9f8} 1.103760
2017-02-03 15:55:35,784 - synapse.handlers.auth - 460 - WARNING - POST-1375- Attempted to login as @jan.christian:gruenhage.xyz but they do not exist
2017-02-03 15:55:35,784 - synapse.http.server - 123 - INFO - POST-1375- <SynapseRequest at 0x7f33140733b0 method=POST uri=/_matrix/client/r0/login? clientproto=HTTP/1.1 site=8008> SynapseError: 403 - Invalid password

I tried to login as @jan.christian:gruenhage.xyz, there is a user cn=jan.christian,ou=users,dc=gruenhage,dc=xyz, still the server says it does not exist.

rafaelmr2 commented 7 years ago

Hi, I upgraded to the latest version of Synapse and the bug has gone. It's working now. Thanks!!!

jcgruenhage commented 7 years ago

@rafaelmr2 19.1? I am on there too and I still have the bug.

rafaelmr2 commented 7 years ago

@jcgruenhage, yes, it is this version (19.1). Anyone can log in now.

chrissphinx commented 7 years ago

I think there is an issue here: https://github.com/matrix-org/matrix-synapse-ldap3/blob/7276440021f6fb2c877d7a7e46cfff1ed53ac608/ldap_auth_provider.py#L187

According to the error posted by @rafaelmr2, the exception that needs to be caught here is an IndexError, not a KeyError, because I believe the expression attrs[self.ldap_attributes['mail']] is evaluating to an empty array, so indexing zero is failing.

I've made a modification on our server but am waiting to see if it fixes a certain member of ours' inability to log in; then I will try to submit a PR.

mweinelt commented 7 years ago

This was fixed in https://github.com/matrix-org/matrix-synapse-ldap3/commit/98ce626871ba2add8b100044e52eb7d5f0b829dd

Get 0.1.3 and try again.

chrissphinx commented 7 years ago

@mweinelt I'm on 0.1.3 according to pip list:

matrix-angular-sdk (0.6.8)
matrix-synapse (0.22.1)
matrix-synapse-ldap3 (0.1.3)

JoKeyser commented 6 years ago

@mweinelt I also still have the exact same error message as @chrissphinx asserts, and I'm using version 0.1.2-1 from Debian/testing, which includes the mentioned patch (98ce626). @chrissphinx's fix in PR #40 works for me, too.

One interesting observation is that after I log in, remove the patch, and log in again, it works without the patch; maybe that points to why some people complain and most(?) don't. Suspicious is also that "synapse.handlers.auth - 488 - WARNING - - Attempted to login as @synapseuser:example.com but they do not exist" is triggered even with the patch applied, and also only until the first successful login.

JoKeyser commented 6 years ago

FYI, in my case, the Synapse LDAP configuration is another way to fix it: I had mail: '' (errors above) and changing to mail: null fixed it. This also works for users without a mail attribute in LDAP. Just to be completely clear, here is my full fixed LDAP config in /etc/matrix-synapse/homeserver.yaml:

password_providers:
- module: ldap_auth_provider.LdapAuthProvider
  config:
    enabled: true
    uri: ldap://localhost:389
    start_tls: false
    base: ou=users,dc=thisbox
    attributes:
      uid: uid
      name: uid
      mail: null

Maybe that actually counts as user error, but it may still be nice to be robust against it?
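The three failure modes discussed in this thread (the attribute key missing from the entry, the attribute present but with an empty value list, and the attribute unconfigured via `mail: null` or `mail: ''`) can be handled in one guarded lookup. The following is an added example, not code from matrix-synapse-ldap3; `extract_registration_attrs` and the sample entries are constructed for illustration, and the `attrs` shape (attribute name mapped to a list of values) mirrors what the traceback shows being indexed.

```python
# Added example (not matrix-synapse-ldap3's own code): a defensive version of the
# attribute lookup that raised IndexError in the traceback above.
# `extract_registration_attrs` is a hypothetical helper name.

def extract_registration_attrs(ldap_attributes, attrs):
    """Return {'mail': ..., 'name': ...} for registering a new Synapse user.

    ldap_attributes: the 'attributes' mapping from homeserver.yaml, e.g.
        {'uid': 'uid', 'mail': 'mail', 'name': 'displayName'}. A value of
        None (YAML null) or '' means "don't look this attribute up".
    attrs: the matched entry's attributes as returned by the LDAP search,
        e.g. {'mail': ['a@b'], 'displayName': ['A B']}.
    """
    result = {}
    for key in ("mail", "name"):
        ldap_attr = ldap_attributes.get(key)
        if not ldap_attr:                 # None / '' -> attribute not configured
            result[key] = None
            continue
        values = attrs.get(ldap_attr) or []   # missing key would raise KeyError
        if isinstance(values, (str, bytes)):  # tolerate a bare scalar value
            values = [values]
        result[key] = values[0] if values else None  # [] would raise IndexError
    return result


def unguarded_lookup(ldap_attributes, attrs):
    """The unguarded expression from the traceback, kept for comparison."""
    return attrs[ldap_attributes["mail"]][0]


# Constructed sample data covering the cases reported in the thread.
SAMPLE_CONFIG = {"uid": "uid", "mail": "mail", "name": "displayName"}
ENTRY_OK = {"uid": ["alice"], "mail": ["alice@example.test"], "displayName": ["Alice"]}
ENTRY_EMPTY_MAIL = {"uid": ["bob"], "mail": [], "displayName": ["Bob"]}
ENTRY_NO_MAIL = {"uid": ["carol"], "displayName": ["Carol"]}

if __name__ == "__main__":
    for entry in (ENTRY_OK, ENTRY_EMPTY_MAIL, ENTRY_NO_MAIL):
        try:
            unguarded_lookup(SAMPLE_CONFIG, entry)
        except (KeyError, IndexError) as exc:
            print(f"unguarded lookup failed with {type(exc).__name__}")
        print(extract_registration_attrs(SAMPLE_CONFIG, entry))
```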