matrix-org / matrix-synapse-ldap3

An LDAP3 auth provider for Synapse
Apache License 2.0

Configuration option does not take into account "Search Mode" #157

Closed pouic-lol closed 2 years ago

pouic-lol commented 2 years ago

Describe the bug In the configuration file homeserver.yaml, I have set the config mode option to "search"; however, the LDAP request seems to only be in "simple bind mode" and the authentication fails.

To Reproduce Try to log in to an LDAP server (Active Directory) in search mode with a bind user, but neither the search mode nor the bind user is taken into account.

Expected behavior A search in the LDAP directory with a bind user to locate the login account and successfully authenticate this login. It was working as expected in search mode with the previous version of matrix-synapse-py3 (version 1.28.0+buster1 packaged with matrix_synapse_ldap3-0.1.4) even though the option was not available in the configuration at that time.

Screenshots Extract of my homeserver.yaml file

password_providers:
  - module: "ldap_auth_provider.LdapAuthProvider"
    config:
      enabled: true
      mode: "search"
      uri: "ldap://my.ldap.domain:389"
      start_tls: false
      base: "dc=ldap,dc=domain"
      attributes:
        uid: "sAMAccountName"
        mail: "mail"
        name: "cn"
        # Search auth if anonymous search not enabled
        bind_dn: "cn=service_account,ou=Services,dc=ldap,dc=domain"
        bind_password: "ch33kym0nk3y"

Extract of the homeserver.log file

2022-02-07 23:58:47,659 - synapse.rest.client.login - 283 - INFO - POST-30 - Got login request with identifier: {'type': 'm.id.user', 'user': 'mylogin'}, medium: None, address: None, user: None
2022-02-07 23:58:47,660 - ldap_auth_provider - 109 - DEBUG - POST-30 - Attempting LDAP connection with ['ldap://my.ldap.domain:389']
2022-02-07 23:58:47,660 - ldap_auth_provider - 473 - DEBUG - sentinel - Established LDAP connection in simple bind mode: ldap://my.ldap.domain:389 - cleartext - user: sAMAccountName=mylogin,dc=ldap,dc=domain - not lazy - unbound - closed - <no socket> - tls not started - not listening - SyncStrategy - internal decoder
2022-02-07 23:58:47,671 - ldap_auth_provider - 493 - INFO - sentinel - Binding against LDAP failed for 'sAMAccountName=mylogin,dc=ldap,dc=domain' failed: invalidCredentials
2022-02-07 23:58:47,672 - ldap_auth_provider - 125 - DEBUG - sentinel - LDAP authentication method simple bind returned: False (conn: None)
2022-02-07 23:58:47,672 - synapse.handlers.auth - 2181 - WARNING - sentinel - Wrong type returned by module API callback <function load_single_legacy_password_auth_provider.<locals>.async_wrapper.<locals>.wrapped_check_auth at 0x7f55943800d0>: False, expected Optional[Tuple[str, Optional[Callable]]]
2022-02-07 23:58:47,673 - synapse.storage.database - 737 - WARNING - sentinel - Starting db txn 'get_users_by_id_case_insensitive' from sentinel context
2022-02-07 23:58:47,673 - synapse.storage.database - 786 - WARNING - sentinel - Starting db connection from sentinel context: metrics will be lost
2022-02-07 23:58:47,677 - synapse.storage.database - 737 - WARNING - sentinel - Starting db txn 'get_user_deactivated_status' from sentinel context
2022-02-07 23:58:47,677 - synapse.storage.database - 786 - WARNING - sentinel - Starting db connection from sentinel context: metrics will be lost
2022-02-07 23:58:47,679 - synapse.handlers.auth - 1387 - WARNING - sentinel - Failed password login for user @mylogin:my.matrix.server
2022-02-07 23:58:47,679 - synapse.http.server - 95 - INFO - sentinel - <SynapseRequest at 0x7f559419d5c0 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.1' site='8448'> SynapseError: 403 - Invalid password
2022-02-07 23:58:47,680 - synapse.logging.context - 949 - WARNING - sentinel - Calling defer_to_threadpool from sentinel context: metrics will be lost


babolivier commented 2 years ago

Sorry about the delay on this issue.

As far as I can tell, the mode configuration setting has never existed. The way the module decides which mode it should use depends on whether the bind_dn setting is present in the config (if it's present then search mode is used, if not then simple mode is used). I can see it is in the snippet you provided, but the indentation is wrong: in your snippet it's under attributes, but it should be at the top level (i.e. under config), same with bind_password. This would explain why the module is using simple mode instead of search mode.
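The rule above can be checked mechanically. The following is an added example, not code from matrix-synapse-ldap3: it encodes the maintainer's rule (search mode if and only if bind_dn is a direct child of config), rebuilds the DN shape that simple bind mode tries (the sAMAccountName=mylogin,dc=ldap,dc=domain seen in the log), and runs a small lint over two constructed configs, one mirroring the reporter's indentation and one with bind_dn and bind_password moved up a level. The lint findings, the RDN escaping helper and both sample configs are this example's own assumptions; the module may format its DN differently.

```python
"""Mode selection and a config lint for an ldap_auth_provider-style config.

Added example: this is not code from matrix-synapse-ldap3. The mode rule is
the one the maintainer describes in this thread (search mode if and only if
`bind_dn` sits directly under `config`); the lint checks, the RDN escaping
and the two sample configs are this example's own additions.
"""
from typing import Any, Dict, List

# Constructed sample mirroring the reporter's snippet: bind_dn/bind_password
# are indented under `attributes`, so at the `config` level they are absent.
MISCONFIGURED: Dict[str, Any] = {
    "enabled": True,
    "mode": "search",  # the module does not read this key
    "uri": "ldap://my.ldap.domain:389",
    "start_tls": False,
    "base": "dc=ldap,dc=domain",
    "attributes": {
        "uid": "sAMAccountName",
        "mail": "mail",
        "name": "cn",
        "bind_dn": "cn=service_account,ou=Services,dc=ldap,dc=domain",
        "bind_password": "ch33kym0nk3y",
    },
}

# Constructed sample with the same settings at the level the module checks.
CORRECTED: Dict[str, Any] = {
    "enabled": True,
    "uri": "ldap://my.ldap.domain:389",
    "start_tls": False,
    "base": "dc=ldap,dc=domain",
    "attributes": {"uid": "sAMAccountName", "mail": "mail", "name": "cn"},
    "bind_dn": "cn=service_account,ou=Services,dc=ldap,dc=domain",
    "bind_password": "ch33kym0nk3y",
}


def select_mode(config: Dict[str, Any]) -> str:
    """'search' when bind_dn is a top-level key of config, else 'simple'."""
    return "search" if "bind_dn" in config else "simple"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 specials).

    Without this, a localpart such as 'x,ou=Admins' would rewrite the DN
    that the simple-bind path hands to the directory (assumed helper).
    """
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def simple_bind_dn(config: Dict[str, Any], localpart: str) -> str:
    """DN that simple bind mode tries: '<uid attr>=<localpart>,<base>'.

    This is the shape in the thread's log line
    ('sAMAccountName=mylogin,dc=ldap,dc=domain').
    """
    uid_attr = config["attributes"]["uid"]
    return f"{uid_attr}={escape_rdn_value(localpart)},{config['base']}"


def lint_config(config: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for the mistakes this thread turns on."""
    findings: List[str] = []
    attrs = config.get("attributes") or {}
    for key in ("bind_dn", "bind_password"):
        if key in attrs and key not in config:
            findings.append(
                f"{key} is nested under 'attributes'; move it directly under 'config'"
            )
    if "mode" in config:
        findings.append(
            "'mode' is not a module setting; search mode is chosen by the presence of bind_dn"
        )
    if ("bind_dn" in config) != ("bind_password" in config):
        findings.append("bind_dn and bind_password must be set together")
    uri = str(config.get("uri", ""))
    if uri.startswith("ldap://") and not config.get("start_tls", False):
        findings.append(
            "cleartext LDAP: user passwords and the bind password cross the wire "
            "unencrypted; use ldaps:// or set start_tls: true"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(f"{name}: mode={select_mode(cfg)}")
        for finding in lint_config(cfg):
            print(f"  - {finding}")
```

Run against the misconfigured sample, select_mode returns "simple" and the lint reports both keys as nested under attributes, which is exactly the path the log records ("Established LDAP connection in simple bind mode" followed by the invalidCredentials for the constructed DN). Note that the corrected sample still draws one finding: the log also says "cleartext" and "tls not started", so with ldap:// and start_tls: false both the user's password and the service account's bind password travel unencrypted to the directory.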

babolivier commented 2 years ago

Since this is a configuration issue and not a bug, I'm closing this. Feel free to shout if it still doesn't work after fixing the indentation.

pouic-lol commented 2 years ago

I'm sorry, I didn't notice the indentation issue... my bad. With good YAML indentation, it works much better.

Concerning the "mode" option, maybe you can update the documentation in the README.rst of the main page, because it's specified here: Usage.

Thanks for your answer

babolivier commented 2 years ago

Concerning the "mode" option, maybe you can update the documentation in the README.rst of the main page, because it's specified here: Usage.

Good catch! I've opened https://github.com/matrix-org/matrix-synapse-ldap3/issues/158 to track this as an outstanding issue.