Open rafaelmr2 opened 7 years ago
see last comments of #13
There seems to be an issue with looking up the email field(s).
Can you verify the user that triggered this exception actually has an email
field?
Yes, they have an email field.
attrs is a dictionary, so is ldap_attributes, so the list attrs['email'] must be empty.
This would indicate there are no email values for the distinguished name.
We don't register users without e-mail. Nobody can log in now, only those who logged in before the upgrade.
I have the same problem. Here is my config:
- module: "ldap_auth_provider.LdapAuthProvider"
  config:
    enabled: true
    uri: "ldap://gruenhageldap:389/"
    start_tls: false
    base: "ou=users,dc=gruenhage,dc=xyz"
    attributes:
      uid: "cn"
      mail: "mail"
      name: "cn"
    bind_dn: "cn=admin,dc=gruenhage,dc=xyz"
    bind_password: ***REMOVED***
    filter: "(objectClass=inetOrgPerson)"
Log:
2017-02-03 15:55:35,778 - synapse.access.http.8008 - 59 - INFO - OPTIONS-1374- 172.19.0.14 - 8008 - Received request: OPTIONS /_matrix/client/r0/login?
2017-02-03 15:55:35,778 - synapse.access.http.8008 - 91 - INFO - OPTIONS-1374- 172.19.0.14 - 8008 - {None} Processed request: 0ms (0ms, 0ms) (0ms/0) 22B 200 "OPTIONS /_matrix/client/r0/login? HTTP/1.1" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
2017-02-03 15:55:35,782 - synapse.access.http.8008 - 59 - INFO - POST-1375- 172.19.0.14 - 8008 - Received request: POST /_matrix/client/r0/login?
2017-02-03 15:55:35,783 - synapse.storage.txn - 223 - DEBUG - POST-1375- [TXN START] {get_users_by_id_case_insensitive-9f8}
2017-02-03 15:55:35,783 - synapse.storage.SQL - 85 - DEBUG - POST-1375- [SQL] {get_users_by_id_case_insensitive-9f8} SELECT name, password_hash FROM users WHERE lower(name) = lower(?)
2017-02-03 15:55:35,783 - synapse.storage.SQL - 92 - DEBUG - POST-1375- [SQL values] {get_users_by_id_case_insensitive-9f8} ('@jan.christian:gruenhage.xyz',)
2017-02-03 15:55:35,783 - synapse.storage.SQL - 109 - DEBUG - POST-1375- [SQL time] {get_users_by_id_case_insensitive-9f8} 0.398926
2017-02-03 15:55:35,784 - synapse.storage.txn - 279 - DEBUG - POST-1375- [TXN END] {get_users_by_id_case_insensitive-9f8} 1.103760
2017-02-03 15:55:35,784 - synapse.handlers.auth - 460 - WARNING - POST-1375- Attempted to login as @jan.christian:gruenhage.xyz but they do not exist
2017-02-03 15:55:35,784 - synapse.http.server - 123 - INFO - POST-1375- <SynapseRequest at 0x7f33140733b0 method=POST uri=/_matrix/client/r0/login? clientproto=HTTP/1.1 site=8008> SynapseError: 403 - Invalid password
I tried to login as @jan.christian:gruenhage.xyz, there is a user cn=jan.christian,ou=users,dc=gruenhage,dc=xyz, still the server says it does not exist.
Hi, I upgraded to the last version of synapse and the bug has gone. It's working now. Thanks!!!
@rafaelmr2 19.1? I am on there too and I still have the bug.
@jcgruenhage, yes, it is this version (19.1). Anyone can login now.
I think there is an issue here:
https://github.com/matrix-org/matrix-synapse-ldap3/blob/7276440021f6fb2c877d7a7e46cfff1ed53ac608/ldap_auth_provider.py#L187
According to the error posted by @rafaelmr2, the exception that needs to be caught here is an IndexError, not a KeyError, because I believe the expression attrs[self.ldap_attributes['mail']] is evaluating to an empty array so indexing zero is failing.
I've made a modification on our server but am waiting to see if it fixes a certain member of ours' inability to log in, then I will try to submit a PR.
This was fixed in https://github.com/matrix-org/matrix-synapse-ldap3/commit/98ce626871ba2add8b100044e52eb7d5f0b829dd
Get 0.1.3 and try again.
@mweinelt I'm on 0.1.3 according to pip list:
matrix-angular-sdk (0.6.8)
matrix-synapse (0.22.1)
matrix-synapse-ldap3 (0.1.3)
@mweinelt I also still have the exact same error message like @chrissphinx asserts, and I'm using version 0.1.2-1 from Debian/testing which includes the mentioned patch (98ce626). @chrissphinx fix in PR #40 works for me, too.
One interesting observation is that after I logged in, removed the patch, and logged in again, it works without the patch; maybe that points to why some people complain and most(?) don't.
Suspicious is also that synapse.handlers.auth - 488 - WARNING - - Attempted to login as @synapseuser:example.com but they do not exist is triggered even with the patch applied - and also only until the first successful login.
Fyi, in my case, the Synapse ldap configuration is another way to fix it: I had mail: '' (errors above) and changing to mail: null fixed it. This also works for users without mail attribute in ldap.
Just to be completely clear, here my full fixed ldap config in /etc/matrix-synapse/homeserver.yaml:
password_providers:
  - module: ldap_auth_provider.LdapAuthProvider
    config:
      enabled: true
      uri: ldap://localhost:389
      start_tls: false
      base: ou=users,dc=thisbox
      attributes:
        uid: uid
        name: uid
        mail: null
Maybe that counts actually as user-error, but it may still be nice to be robust against it..?
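The two failure cases raised in this thread (an empty mail value list raising IndexError instead of KeyError, and a mail mapping left unset in the config) shown as an added Python example. It is not code from matrix-synapse-ldap3; the function names and sample entries are constructed, and treating both null and '' as "no mail mapping" is an assumption of this example.

```python
# Added illustration, not code from matrix-synapse-ldap3.
# Function names and sample entries are constructed for this example.

def naive_first_mail(attrs, ldap_attributes):
    """Lookup guarded only against KeyError, the case described in the thread."""
    try:
        return attrs[ldap_attributes["mail"]][0]
    except KeyError:
        return None


def first_mail(attrs, ldap_attributes):
    """Return the first non-empty mail value, or None when there is none."""
    mail_attr = ldap_attributes.get("mail")
    if not mail_attr:  # assumption: null and '' both mean "no mail mapping"
        return None
    values = attrs.get(mail_attr)
    if values is None:  # attribute absent from the directory entry
        return None
    if isinstance(values, (str, bytes)):  # defensive: tolerate a scalar value
        values = [values]
    for value in values:  # an empty list simply falls through to None
        if isinstance(value, bytes):
            value = value.decode("utf-8", "replace")
        value = value.strip()
        if value:
            return value
    return None


def naive_outcome(attrs, ldap_attributes):
    """Return what the naive lookup yields, or the name of the exception it raises."""
    try:
        return naive_first_mail(attrs, ldap_attributes)
    except Exception as exc:
        return type(exc).__name__


# Constructed sample data: attribute mapping and three directory entries.
MAPPING = {"uid": "cn", "name": "cn", "mail": "mail"}
WITH_MAIL = {"cn": ["jan"], "mail": ["jan@example.com"]}
EMPTY_MAIL = {"cn": ["jan"], "mail": []}
NO_MAIL = {"cn": ["jan"]}

if __name__ == "__main__":
    for entry in (WITH_MAIL, EMPTY_MAIL, NO_MAIL):
        print(naive_outcome(entry, MAPPING), first_mail(entry, MAPPING))
```

Only the entry whose mail attribute is present but empty escapes the KeyError guard; the hardened lookup returns None for it, so a user without a mail value can still complete login.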
Hi, I upgraded recently to the last version of matrix (0.18.5). Only those who logged in before the upgrade using LDAP can log in to matrix now. New users can't. My config and error are below.
I changed the config to the new version:
homeserver.yaml
homeserver.log
Thanks.