milux / ctldap

LDAP Wrapper for ChurchTools
GNU General Public License v3.0

How to use ctldap in Docker? #25

Closed oschuetze closed 1 year ago

oschuetze commented 3 years ago

Hi, there is a Docker container available, that's great! I could install it (in an environment with Portainer + Traefik). But there is nothing more than a single log item:

ChurchTools-LDAP-Wrapper listening @ ldap://0.0.0.0:1389

I have several questions:

Regards, Oliver

oschuetze commented 3 years ago

Ok, small success ;-) There is a log available now, but what does it mean? ctldap tries to establish a connection, but there is still a problem getting the CSRF-Token (a ping to my elkwXXXX.church.tools site is possible - I have anonymized the elkw domain with "XXXX") ...

Is it correct to have 2x // in the URL? e.g. https://elkwXXXX.church.tools//api/csrftoken. I have no ending slash in the configured URL "CT_URI".

Debug mode enabled, expect lots of output!,
ChurchTools-LDAP-Wrapper listening @ ldap://0.0.0.0:1389,
[DEBUG] churchtools - Admin bind DN: cn=root, ou=users, o=churchtools,
[DEBUG] churchtools - Authentication success,
[DEBUG] churchtools - SEARCH base object: o=churchtools scope: sub,
[DEBUG] churchtools - Filter: (objectclass=*),
[DEBUG] churchtools - Search for users and groups combined,
[DEBUG] churchtools - Performing request to API function getUsersData,
[DEBUG] churchtools - Performing request to API function getGroupsData,
[DEBUG] churchtools - CT session invalid, login and retry...,
[DEBUG] churchtools - Performing CT API login...,
[DEBUG] churchtools - CT session invalid, login and retry...,
[DEBUG] churchtools - Return pending login promise,
[DEBUG] churchtools - CT API login successful, fetching CSRF-Token...,
[DEBUG] churchtools - Could not get CSRF-Token: {
"name":"StatusCodeError",
"statusCode":401,
"message":"401 - \"Session expired!\"",
"error":"Session expired!",
"options":{
  "method":"GET",
  "jar":{
    "_jar":{
      "version":"tough-cookie@2.5.0",
      "storeType":"MemoryCookieStore",
      "rejectPublicSuffixes":true,
      "cookies":[{
        "key":"ChurchTools_ct_elkwXXXX",
        "value":"t2gluoat7mi3gmnm8jm65jeb74",
        "domain":"elkwXXXX.church.tools",
        "path":"/",
        "secure":true,
        "httpOnly":true,
        "extensions":["SameSite=None"],
        "hostOnly":true,
        "creation":"2021-03-01T17:04:40.810Z",
        "lastAccessed":"2021-03-01T17:04:40.967Z"
      }]
    }
  },
  "uri":"https://elkwXXXX.church.tools//api/csrftoken",
  "json":true,
  "simple":true,
  "resolveWithFullResponse":false,
  "transform2xxOnly":false
},
"response":{
  "statusCode":401,
  "body":"Session expired!",
  "headers":{
    "date":"Mon, 01 Mar 2021 17:04:41 GMT",
    "content-type":"application/json",
    "transfer-encoding":"chunked",
    "expires":"Thu, 19 Nov 1981 08:52:00 GMT",
    "cache-control":"no-store, no-cache, must-revalidate",
    "pragma":"no-cache",
    "content-security-policy":"default-src 'self'; script-src 'self' js.stripe.com 'unsafe-eval' ; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src * data: blob *.church.tools; child-src * data; connect-src *; object-src 'self' www.youtube.com",
    "access-control-allow-origin":"portal.elkw.de",
    "access-control-allow-methods":"POST, GET, OPTIONS, PUT, DELETE",
    "access-control-allow-headers":"Content-Type, csrf-token",
    "access-control-allow-credentials":"true",
    "strict-transport-security":"max-age=15768000",
    "connection":"close"
  },
  "request":{
    "uri":{
      "protocol":"https:",
      "slashes":true,
      "auth":null,
      "host":"elkwXXXX.church.tools",
      "port":443,
      "hostname":"elkwXXXX.church.tools",
      "hash":null,
      "search":null,
      "query":null,
      "pathname":"//api/csrftoken",
      "path":"//api/csrftoken",
      "href":"https://elkwXXXX.church.tools//api/csrftoken"
    },
    "method":"GET",
    "headers":{
      "cookie":"ChurchTools_ct_elkwXXXX=t2gluoat7mi3gmnm8jm65jeb74",
      "accept":"application/json"
    }
  }
}},
[DEBUG] churchtools - CT API login completed,
[DEBUG] churchtools - Retry request to API function getUsersData after login,
[DEBUG] churchtools - Performing request to API function getUsersData,
[DEBUG] churchtools - Retry request to API function getGroupsData after login,
[DEBUG] churchtools - Performing request to API function getGroupsData,
[ERROR] churchtools - CT API request still not working after login.,
[ERROR] churchtools - Error while retrieving users: ,
Error: {"status":"error","message":"Session expired!"},
    at /app/ctldap.js:258:15,
    at tryCatcher (/app/node_modules/bluebird/js/release/util.js:16:23),
    at Promise._settlePromiseFromHandler (/app/node_modules/bluebird/js/release/promise.js:547:31),
    at Promise._settlePromise (/app/node_modules/bluebird/js/release/promise.js:604:18),
    at Promise._settlePromise0 (/app/node_modules/bluebird/js/release/promise.js:649:10),
    at Promise._settlePromises (/app/node_modules/bluebird/js/release/promise.js:729:18),
    at _drainQueueStep (/app/node_modules/bluebird/js/release/async.js:93:12),
    at _drainQueue (/app/node_modules/bluebird/js/release/async.js:86:9),
    at Async._drainQueues (/app/node_modules/bluebird/js/release/async.js:102:5),
    at Immediate.Async.drainQueues [as _onImmediate] (/app/node_modules/bluebird/js/release/async.js:15:14),
    at processImmediate (internal/timers.js:456:21),
[ERROR] churchtools - CT API request still not working after login.,
[ERROR] churchtools - Error while retrieving groups: ,
Error: {"status":"error","message":"Session expired!"},
    at /app/ctldap.js:258:15,
    at tryCatcher (/app/node_modules/bluebird/js/release/util.js:16:23),
    at Promise._settlePromiseFromHandler (/app/node_modules/bluebird/js/release/promise.js:547:31),
    at Promise._settlePromise (/app/node_modules/bluebird/js/release/promise.js:604:18),
    at Promise._settlePromise0 (/app/node_modules/bluebird/js/release/promise.js:649:10),
    at Promise._settlePromises (/app/node_modules/bluebird/js/release/promise.js:729:18),
    at _drainQueueStep (/app/node_modules/bluebird/js/release/async.js:93:12),
    at _drainQueue (/app/node_modules/bluebird/js/release/async.js:86:9),
    at Async._drainQueues (/app/node_modules/bluebird/js/release/async.js:102:5),
    at Immediate.Async.drainQueues [as _onImmediate] (/app/node_modules/bluebird/js/release/async.js:15:14),
    at processImmediate (internal/timers.js:456:21),

rswrz commented 3 years ago

Hi @oschuetze,

I've created a dedicated Church-Tools user with the permissions churchcore:administer persons and churchdb:view and use ctldap in docker-compose.yaml like this:

version: '3.1'
services:
  ctldap:
    image: milux/ctldap:latest
    restart: always
    environment:
      DEBUG: 'false'
      IS_DN_LOWER_CASE: 'true'
      LDAP_USER: root
      LDAP_PW: root
      LDAP_PORT: '1389'
      LDAP_BASE_DN: churchtools
      CT_URI: https://XXXXXXX.church.tools
      CT_USER: _dedicated_user_
      CT_PW: _dedicated_user_password_
      CACHE_LIVETIME: '10000'

Hope this helps!

For ldap queries use something like this:

# ldapsearch -H ldap://$ldap_host:$LDAP_PORT -x -D cn=$LDAP_USER,ou=users,o=$LDAP_BASE_DN -w $LDAP_PW -b ou=users,o=$LDAP_BASE_DN
ldapsearch -H ldap://ctldap:1389 -x -D cn=root,ou=users,o=churchtools -w root -b ou=users,o=churchtools

Use this for the Docker CLI (change CT_URI, CT_USER, CT_PW):

docker run --rm --detach --publish 1389:1389 --name ctldap \
    --env DEBUG=false \
    --env IS_DN_LOWER_CASE=true \
    --env LDAP_USER=root \
    --env LDAP_PW=root \
    --env LDAP_PORT=1389 \
    --env LDAP_BASE_DN=churchtools \
    --env CT_URI=https://XXXXXXX.church.tools \
    --env CT_USER=_dedicated_user_ \
    --env CT_PW=_dedicated_user_password_ \
    --env CACHE_LIVETIME='10000' \
    milux/ctldap:latest

Then you can use ldapsearch CLI on localhost:1389:

# get all users
ldapsearch -x -H ldap://localhost:1389 -D cn=root,ou=users,o=churchtools -w root -b ou=users,o=churchtools

# get all groups
ldapsearch -x -H ldap://localhost:1389 -D cn=root,ou=users,o=churchtools -w root -b ou=groups,o=churchtools
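As an added example (not part of ctldap or of this answer), a small POSIX sh pre-flight script for the values used in the compose and docker run snippets above: it rejects a trailing slash on CT_URI (the doubled slash asked about earlier in the thread), refuses the sample LDAP_PW=root and the _dedicated_user_ placeholders, and builds the admin bind DN and the ldapsearch probe from this answer. Function names, argument order and the example.church.tools value are my own; the variable names are ctldap's.

```shell
#!/bin/sh
# Added example, not project code. Sanity-check ctldap environment values
# before starting the container.
# Usage: check_ctldap_env CT_URI LDAP_PW CT_USER CT_PW  -> returns 0 if sane
check_ctldap_env() {
  ct_uri=$1 ldap_pw=$2 ct_user=$3 ct_pw=$4
  rc=0
  case "$ct_uri" in
    https://*) ;;                      # ChurchTools instances are served over TLS
    *) echo "CT_URI must start with https:// (got '$ct_uri')"; rc=1 ;;
  esac
  case "$ct_uri" in
    */) echo "CT_URI must not end with '/' (avoids '//api/...' when the API path is appended)"; rc=1 ;;
  esac
  # The snippets above use LDAP_PW=root; whoever binds as cn=root can read
  # every person and group, so the sample default must never reach production.
  if [ -z "$ldap_pw" ] || [ "$ldap_pw" = "root" ]; then
    echo "LDAP_PW is empty or the sample default 'root'"; rc=1
  fi
  # The dedicated ChurchTools user must replace the _dedicated_user_ placeholders.
  case "$ct_user:$ct_pw" in
    *_dedicated_user_*|*:|:*) echo "CT_USER/CT_PW unset or still placeholders"; rc=1 ;;
  esac
  return $rc
}

# Admin bind DN exactly as ctldap logs it: cn=<LDAP_USER>,ou=users,o=<LDAP_BASE_DN>
# Usage: bind_dn LDAP_USER LDAP_BASE_DN
bind_dn() { printf 'cn=%s,ou=users,o=%s' "$1" "$2"; }

# Count the entries ctldap returns from the users subtree (the query from this
# answer). Needs a reachable container and the ldapsearch CLI.
# Usage: count_users HOST PORT LDAP_USER LDAP_PW LDAP_BASE_DN
count_users() {
  ldapsearch -LLL -x -H "ldap://$1:$2" -D "$(bind_dn "$3" "$5")" -w "$4" \
    -b "ou=users,o=$5" '(objectclass=*)' dn | grep -c '^dn:'
}

# Example (constructed values):
#   check_ctldap_env "https://example.church.tools" "$LDAP_PW" "$CT_USER" "$CT_PW" \
#     && count_users localhost 1389 root "$LDAP_PW" churchtools
```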

milux commented 3 years ago

@rswrz Nice guide, thanks. :+1: @oschuetze It's rather useless trying to hide a subdomain like you do, just FYI ;) https://spyse.com/target/domain/church.tools/subdomain-list?search_params=%5B%7B%22domain_name%22%3A%7B%22operator%22%3A%22ends%22,%22value%22%3A%22.church.tools%22%7D%7D,%7B%22domain_name%22%3A%7B%22operator%22%3A%22starts%22,%22value%22%3A%22elkw%22%7D%7D%5D

milux commented 1 year ago

Docker is now the preferred way for ctldap deployment. I think this issue has been resolved quite some while ago anyway.