Closed oschuetze closed 1 year ago
Ok, small success ;-) There is a log available now, but what does it mean? ctldap tries to establish a connection, but there is still a problem while getting the CSRF-Token (ping to my elkwXXXX.church.tools site is possible - I have anonymized the elkw domain with "XXXX") ...
Is it correct to have 2x // in the URL? e.g. `https://elkwXXXX.church.tools//api/csrftoken` I have no ending slash in the configured URL as "CT_URI".
```
Debug mode enabled, expect lots of output!,
ChurchTools-LDAP-Wrapper listening @ ldap://0.0.0.0:1389,
[DEBUG] churchtools - Admin bind DN: cn=root, ou=users, o=churchtools,
[DEBUG] churchtools - Authentication success,
[DEBUG] churchtools - SEARCH base object: o=churchtools scope: sub,
[DEBUG] churchtools - Filter: (objectclass=*),
[DEBUG] churchtools - Search for users and groups combined,
[DEBUG] churchtools - Performing request to API function getUsersData,
[DEBUG] churchtools - Performing request to API function getGroupsData,
[DEBUG] churchtools - CT session invalid, login and retry...,
[DEBUG] churchtools - Performing CT API login...,
[DEBUG] churchtools - CT session invalid, login and retry...,
[DEBUG] churchtools - Return pending login promise,
[DEBUG] churchtools - CT API login successful, fetching CSRF-Token...,
[DEBUG] churchtools - Could not get CSRF-Token: {
"name":"StatusCodeError",
"statusCode":401,
"message":"401 - \"Session expired!\"",
"error":"Session expired!",
"options":{
"method":"GET",
"jar":{
"_jar":{
"version":"tough-cookie@2.5.0",
"storeType":"MemoryCookieStore",
"rejectPublicSuffixes":true,
"cookies":[{
"key":"ChurchTools_ct_elkwXXXX",
"value":"t2gluoat7mi3gmnm8jm65jeb74",
"domain":"elkwXXXX.church.tools",
"path":"/",
"secure":true,
"httpOnly":true,
"extensions":["SameSite=None"],
"hostOnly":true,
"creation":"2021-03-01T17:04:40.810Z",
"lastAccessed":"2021-03-01T17:04:40.967Z"
}]
}
},
"uri":"https://elkwXXXX.church.tools//api/csrftoken",
"json":true,
"simple":true,
"resolveWithFullResponse":false,
"transform2xxOnly":false
},
"response":{
"statusCode":401,
"body":"Session expired!",
"headers":{
"date":"Mon, 01 Mar 2021 17:04:41 GMT",
"content-type":"application/json",
"transfer-encoding":"chunked",
"expires":"Thu, 19 Nov 1981 08:52:00 GMT",
"cache-control":"no-store, no-cache, must-revalidate",
"pragma":"no-cache",
"content-security-policy":"default-src 'self'; script-src 'self' js.stripe.com 'unsafe-eval' ; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src * data: blob *.church.tools; child-src * data; connect-src *; object-src 'self' www.youtube.com",
"access-control-allow-origin":"portal.elkw.de",
"access-control-allow-methods":"POST, GET, OPTIONS, PUT, DELETE",
"access-control-allow-headers":"Content-Type, csrf-token",
"access-control-allow-credentials":"true",
"strict-transport-security":"max-age=15768000",
"connection":"close"
},
"request":{
"uri":{
"protocol":"https:",
"slashes":true,
"auth":null,
"host":"elkwXXXX.church.tools",
"port":443,
"hostname":"elkwXXXX.church.tools",
"hash":null,
"search":null,
"query":null,
"pathname":"//api/csrftoken",
"path":"//api/csrftoken",
"href":"https://elkwXXXX.church.tools//api/csrftoken"
},
"method":"GET",
"headers":{
"cookie":"ChurchTools_ct_elkwXXXX=t2gluoat7mi3gmnm8jm65jeb74",
"accept":"application/json"
}
}
}},
[DEBUG] churchtools - CT API login completed,
[DEBUG] churchtools - Retry request to API function getUsersData after login,
[DEBUG] churchtools - Performing request to API function getUsersData,
[DEBUG] churchtools - Retry request to API function getGroupsData after login,
[DEBUG] churchtools - Performing request to API function getGroupsData,
[ERROR] churchtools - CT API request still not working after login.,
[ERROR] churchtools - Error while retrieving users: ,
Error: {"status":"error","message":"Session expired!"},
at /app/ctldap.js:258:15,
at tryCatcher (/app/node_modules/bluebird/js/release/util.js:16:23),
at Promise._settlePromiseFromHandler (/app/node_modules/bluebird/js/release/promise.js:547:31),
at Promise._settlePromise (/app/node_modules/bluebird/js/release/promise.js:604:18),
at Promise._settlePromise0 (/app/node_modules/bluebird/js/release/promise.js:649:10),
at Promise._settlePromises (/app/node_modules/bluebird/js/release/promise.js:729:18),
at _drainQueueStep (/app/node_modules/bluebird/js/release/async.js:93:12),
at _drainQueue (/app/node_modules/bluebird/js/release/async.js:86:9),
at Async._drainQueues (/app/node_modules/bluebird/js/release/async.js:102:5),
at Immediate.Async.drainQueues [as _onImmediate] (/app/node_modules/bluebird/js/release/async.js:15:14),
at processImmediate (internal/timers.js:456:21),
[ERROR] churchtools - CT API request still not working after login.,
[ERROR] churchtools - Error while retrieving groups: ,
Error: {"status":"error","message":"Session expired!"},
at /app/ctldap.js:258:15,
at tryCatcher (/app/node_modules/bluebird/js/release/util.js:16:23),
at Promise._settlePromiseFromHandler (/app/node_modules/bluebird/js/release/promise.js:547:31),
at Promise._settlePromise (/app/node_modules/bluebird/js/release/promise.js:604:18),
at Promise._settlePromise0 (/app/node_modules/bluebird/js/release/promise.js:649:10),
at Promise._settlePromises (/app/node_modules/bluebird/js/release/promise.js:729:18),
at _drainQueueStep (/app/node_modules/bluebird/js/release/async.js:93:12),
at _drainQueue (/app/node_modules/bluebird/js/release/async.js:86:9),
at Async._drainQueues (/app/node_modules/bluebird/js/release/async.js:102:5),
at Immediate.Async.drainQueues [as _onImmediate] (/app/node_modules/bluebird/js/release/async.js:15:14),
at processImmediate (internal/timers.js:456:21),
```
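
The `//` in the logged request path comes from how a base URI and an API path are concatenated. As an added example (not part of the thread and not ctldap's own code; `apiUrl`, `hasDoubleSlash` and the host `ct.example.org` are hypothetical), one way to join a `CT_URI`-style base and an API path so exactly one slash separates them, whatever slashes either side carries:

```javascript
// Added example, not ctldap's code: join a configured base URI (CT_URI)
// and an API path so that exactly one "/" separates them.
function apiUrl(baseUri, apiPath) {
  const base = new URL(baseUri); // throws TypeError on malformed input
  if (base.protocol !== 'https:') {
    // The session cookie in the log is marked "secure", so it is only
    // sent over HTTPS; a plain-http base could never carry the session.
    throw new Error(`CT_URI must use https, got ${base.protocol}`);
  }
  if (base.search || base.hash) {
    throw new Error('CT_URI must not contain a query string or fragment');
  }
  // Strip trailing slashes from the base path, leading ones from the API path.
  const prefix = base.pathname.replace(/\/+$/, '');
  const suffix = String(apiPath).replace(/^\/+/, '');
  // Collapse any duplicate slashes left inside the combined path.
  base.pathname = `${prefix}/${suffix}`.replace(/\/{2,}/g, '/');
  return base.href;
}

// True when a URL's path contains an empty segment ("//"),
// as in the request shown in the log above.
function hasDoubleSlash(url) {
  return new URL(url).pathname.includes('//');
}

// Constructed sample values; ct.example.org is a placeholder host.
console.log(apiUrl('https://ct.example.org/', '/api/csrftoken'));
console.log(hasDoubleSlash('https://ct.example.org//api/csrftoken'));
```
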
Hi @oschuetze,
I've created a dedicated Church-Tools user with the permissions `churchcore:administer persons` and `churchdb:view` and use ctldap in `docker-compose.yaml` like this:

```yaml
version: '3.1'
services:
  ctldap:
    image: milux/ctldap:latest
    restart: always
    environment:
      DEBUG: 'false'
      IS_DN_LOWER_CASE: 'true'
      # LDAP bind account that clients use (cn=root,ou=users,o=churchtools)
      LDAP_USER: root
      LDAP_PW: root
      LDAP_PORT: '1389'
      LDAP_BASE_DN: churchtools
      # ChurchTools instance and the dedicated user created for ctldap
      CT_URI: https://XXXXXXX.church.tools
      CT_USER: _dedicated_user_
      CT_PW: _dedicated_user_password_
      CACHE_LIVETIME: '10000'
```
Hope this helps!
For ldap queries use something like this:

```bash
# ldapsearch -H ldap://$ldap_host:$LDAP_PORT -x -D cn=$LDAP_USER,ou=users,o=$LDAP_BASE_DN -w $LDAP_PW -b ou=users,o=$LDAP_BASE_DN
ldapsearch -H ldap://ctldap:1389 -x -D cn=root,ou=users,o=churchtools -w root -b ou=users,o=churchtools
```
Use this for Docker CLI (change `CT_URI`, `CT_USER`, `CT_PW`):

```bash
docker run --rm --detach --publish 1389:1389 --name ctldap \
  --env DEBUG=false \
  --env IS_DN_LOWER_CASE=true \
  --env LDAP_USER=root \
  --env LDAP_PW=root \
  --env LDAP_PORT=1389 \
  --env LDAP_BASE_DN=churchtools \
  --env CT_URI=https://XXXXXXX.church.tools \
  --env CT_USER=_dedicated_user_ \
  --env CT_PW=_dedicated_user_password_ \
  --env CACHE_LIVETIME='10000' \
  milux/ctldap:latest
```
Then you can use `ldapsearch` CLI on `localhost:1389`:

```bash
# get all users
ldapsearch -x -H ldap://localhost:1389 -D cn=root,ou=users,o=churchtools -w root -b ou=users,o=churchtools
# get all groups
ldapsearch -x -H ldap://localhost:1389 -D cn=root,ou=users,o=churchtools -w root -b ou=groups,o=churchtools
```
@rswrz Nice guide, thanks. :+1: @oschuetze It's rather useless trying to hide a subdomain like you do, just FYI ;) https://spyse.com/target/domain/church.tools/subdomain-list?search_params=%5B%7B%22domain_name%22%3A%7B%22operator%22%3A%22ends%22,%22value%22%3A%22.church.tools%22%7D%7D,%7B%22domain_name%22%3A%7B%22operator%22%3A%22starts%22,%22value%22%3A%22elkw%22%7D%7D%5D
Docker is now the preferred way for `ctldap` deployment. I think this issue has been resolved quite some while ago anyway.
Hi, there is a Docker container available, that's great! I could install it (in an environment with Portainer + Traefik). But there is nothing more than a single log item:
I have several questions:
Regards, Oliver