myOmikron / mailcow-ldap-sync


it's overwriting all my users even if there was no change at all. #5

Closed theoneandonly-vector closed 2 years ago

theoneandonly-vector commented 2 years ago

Somehow this LDAP connector overwrites all my users even if everything is the same as on the last sync. I found out about this because I was losing my SSO logins every 5 minutes (I sync the users every 5 minutes using crontab).

It makes sense to log out the users if there really was a change, but somehow it just happens on every sync (it doesn't happen anymore as soon as I stop my crontab task).

theoneandonly-vector commented 2 years ago

The log tells me on each user on each sync "was modified in mailcow". How can I see what is "changing"? (It cannot be a real change, as I never change something on all users every 5 minutes.)

theoneandonly-vector commented 2 years ago

Is there something I can provide?

myOmikron commented 2 years ago

As this script just inserts the data retrieved from LDAP into mailcow, and mailcow determines whether there were changes, there's not much I can do on my side.

To see what has changed, you can add the following at lines 95 and 169 (on the same indent as logger.info(f"LDAP user {uid} was modified in mailcow")):

logger.info(response)

theoneandonly-vector commented 2 years ago

I added this in my main.py, but it only outputs the same as before:

                if "mailbox_modified" in response[0]["msg"]:
                    logger.info(f"LDAP user {uid} was modified in mailcow")
                    logger.info(response)

myOmikron commented 2 years ago

There must be some additional output in the log. There are only the two mentioned lines in the code that output "was modified in mailcow", so if those lines appear in the log, the output of the new line has to appear as well.

theoneandonly-vector commented 2 years ago

There isn't.

theoneandonly-vector commented 2 years ago

This is the exact passage in my main.py:

                if "mailbox_modified" in response[0]["msg"]:
                    logger.info(response)
                    logger.info(f"LDAP user {uid} was modified in mailcow")
            else:

This also doesn't work:

                if "mailbox_modified" in response[0]["msg"]:
                    logger.info(f"my logging message")
                    logger.info(f"{response}")
                    logger.info(f"LDAP user {uid} was modified in mailcow")
            else:

But only the original one will be in my log (I clear the logfile on every run!).

theoneandonly-vector commented 2 years ago

I can even copy the line just above or under itself, and it is only displayed once in the log when run.

theoneandonly-vector commented 2 years ago

"logger.info(f"LDAP user {uid} was modified in mailcow")" exists twice in the script.

theoneandonly-vector commented 2 years ago

This is the output, but I don't get what has "changed":

INFO:mailcow_ldap_sync:[{'type': 'success', 'log': ['mailbox', 'edit', 'mailbox', {'username': ['administrator@mydomain.tld'], 'active': '1', 'name': 'Administrator Administrator', 'password': '*', 'password2': '*', 'quota': '0', 'tls_enforce_in': '0', 'tls_enforce_out': '0'}, None], 'msg': ['mailbox_modified', 'administrator@mydomain.tld']}]

myOmikron commented 2 years ago

"logger.info(f"LDAP user {uid} was modified in mailcow")" exists twice in the script.

As I said:

To see what has changed, you can add the following at lines 95 and 169 (on the same indent as logger.info(f"LDAP user {uid} was modified in mailcow")):

Add this snippet before and after the two requests that modify the mailbox user:

logger.info(requests.get(
    f"https://{conf['mailcow_host']}/api/v1/get/mailbox/{mail}",
    headers={"X-API-Key": conf['mailcow_api_key']}
).json())

So it should look like this:

                    logger.info(requests.get(
                        f"https://{conf['mailcow_host']}/api/v1/get/mailbox/{mail}",
                        headers={"X-API-Key": conf['mailcow_api_key']}
                    ).json())
                    response = json.loads(requests.post(
                        f"https://{conf['mailcow_host']}/api/v1/edit/mailbox",
                        data=json.dumps(data),
                        headers={
                            "X-API-Key": conf['mailcow_api_key'],
                            "accept": "application/json",
                            "Content-Type": "application/json"
                        }
                    ).text)
                    logger.info(requests.get(
                        f"https://{conf['mailcow_host']}/api/v1/get/mailbox/{mail}",
                        headers={"X-API-Key": conf['mailcow_api_key']}
                    ).json())
                    if "mailbox_modified" in response[0]["msg"]:
                        logger.info(f"LDAP user {uid} was modified in mailcow")

Modify both requests and check the logs to see whether something has changed.

theoneandonly-vector commented 2 years ago

I did this, but nothing changed at all:

INFO:mailcow_ldap_sync:{'username': 'administrator@mydomain.tld', 'active': 1, 'active_int': 1, 'domain': 'mydomain.tld', 'relayhost': None, 'name': 'Administrator Administrator', 'local_part': 'administrator',>
INFO:mailcow_ldap_sync:{'username': 'administrator@mydomain.tld', 'active': 1, 'active_int': 1, 'domain': 'mydomain.tld', 'relayhost': None, 'name': 'Administrator Administrator', 'local_part': 'administrator',>

theoneandonly-vector commented 2 years ago

"It is based on an intermediate database (sqlite3 by default) to compare the values retrieved by LDAP with the current ones." This doesn't seem to happen, I think.

myOmikron commented 2 years ago

This doesn't happen for this step, that's correct. As mailcow does not return the hash of the current password via the API, there's no way to determine whether it has changed. As there are many ways to change your password in mailcow / SOGo, this script is intended to be executed via cron so that the password from mailcow is overwritten.

I can add an option to only overwrite if there's a diff between the database and the values returned by mailcow, but as I said, you won't detect password changes in mailcow.

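The before/after GET comparison suggested earlier in this thread, combined with the point above that mailcow never returns the password hash, can be turned into a change-aware sync step. The block below is an added example, not code from mailcow-ldap-sync: it diffs the comparable mailbox fields against what LDAP wants, tracks a SHA-256 fingerprint of the LDAP password value in a SQLite table (an assumed design, since the project's own database layout is not shown here), and only sends an edit (the action that logs users out) when a field or the LDAP password actually changed. FakeMailcow, the field list, the sample mailbox data and the fingerprint table are all constructed for this example; the edit payload shape {"items": [...], "attr": {...}} is assumed to match mailcow's edit endpoint.

```python
"""Change-aware mailbox sync against mailcow (illustrative, not project code)."""
import hashlib
import sqlite3

# Fields that mailcow returns on GET /api/v1/get/mailbox/<mail> and that the
# sync script sends on POST /api/v1/edit/mailbox. The password is not in this
# list: mailcow never returns the hash, so it cannot be diffed.
COMPARABLE_FIELDS = ("active", "name", "quota", "tls_enforce_in", "tls_enforce_out")


def diff_mailbox(current, desired):
    """Return {field: (current, desired)} for the fields whose values differ.
    GET returns ints for active/quota while edit takes strings, so compare as str."""
    return {
        f: (str(current.get(f)), str(desired[f]))
        for f in COMPARABLE_FIELDS
        if f in desired and str(current.get(f)) != str(desired[f])
    }


def was_modified(response):
    """Same check the script makes on the edit/mailbox response."""
    return any("mailbox_modified" in item.get("msg", []) for item in response)


class FakeMailcow:
    """Constructed stand-in for the two mailcow endpoints so this runs offline."""

    def __init__(self, mailboxes):
        self.mailboxes = mailboxes
        self.edits = 0  # each edit is what logs users out, so count them

    def get_mailbox(self, mail):
        return dict(self.mailboxes[mail])  # no password hash, as with real mailcow

    def edit_mailbox(self, data):  # assumed payload: {"items": [...], "attr": {...}}
        self.edits += 1
        mail = data["items"][0]
        self.mailboxes[mail].update(
            {k: v for k, v in data["attr"].items() if k in COMPARABLE_FIELDS}
        )
        return [{"type": "success", "msg": ["mailbox_modified", mail]}]


class PasswordState:
    """Assumed design: SQLite table holding only a SHA-256 digest of the LDAP
    password value last pushed to mailcow, so an LDAP-side change is detectable."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS pw (mail TEXT PRIMARY KEY, fp TEXT)")

    @staticmethod
    def fingerprint(ldap_password):
        return hashlib.sha256(ldap_password.encode()).hexdigest()

    def changed(self, mail, ldap_password):
        row = self.db.execute("SELECT fp FROM pw WHERE mail = ?", (mail,)).fetchone()
        return row is None or row[0] != self.fingerprint(ldap_password)

    def remember(self, mail, ldap_password):
        self.db.execute(
            "INSERT OR REPLACE INTO pw VALUES (?, ?)", (mail, self.fingerprint(ldap_password))
        )
        self.db.commit()


def sync_user(api, state, mail, ldap_attrs, ldap_password):
    """Send an edit only if a comparable field or the LDAP password changed."""
    changes = diff_mailbox(api.get_mailbox(mail), ldap_attrs)  # GET before the edit
    pw_changed = state.changed(mail, ldap_password)
    if not changes and not pw_changed:
        return {"edited": False, "changes": {}}
    attr = dict(ldap_attrs)
    if pw_changed:
        attr["password"] = attr["password2"] = ldap_password
    response = api.edit_mailbox({"items": [mail], "attr": attr})
    if pw_changed:
        state.remember(mail, ldap_password)
    # GET after the edit: anything still differing means mailcow did not take the value.
    leftover = diff_mailbox(api.get_mailbox(mail), ldap_attrs)
    return {"edited": True, "changes": changes,
            "modified": was_modified(response), "leftover": leftover}


if __name__ == "__main__":
    # Constructed sample mirroring the mailbox in the thread's log output.
    api = FakeMailcow({"administrator@mydomain.tld": {
        "username": "administrator@mydomain.tld", "active": 1, "quota": 0,
        "name": "Administrator Administrator", "tls_enforce_in": 0, "tls_enforce_out": 0}})
    state = PasswordState()
    ldap = {"active": "1", "name": "Administrator Administrator", "quota": "0",
            "tls_enforce_in": "0", "tls_enforce_out": "0"}
    for run in range(3):  # only the first run (unknown fingerprint) sends an edit
        print(run, sync_user(api, state, "administrator@mydomain.tld", ldap, "{SSHA}example"))
    print("edits sent:", api.edits)
```

Running the block with the same LDAP data three times sends exactly one edit; a later run with a changed name or a changed LDAP password value sends one more. A password changed directly in mailcow or SOGo is still invisible to this check, for the reason given above, so the fingerprint only protects against needless logouts, not against drift on the mailcow side.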
theoneandonly-vector commented 2 years ago

This doesn't happen for this step, that's correct. As mailcow does not return the hash of the current password via the API, there's no way to determine whether it has changed. As there are many ways to change your password in mailcow / SOGo, this script is intended to be executed via cron so that the password from mailcow is overwritten.

I can add an option to only overwrite if there's a diff between the database and the values returned by mailcow, but as I said, you won't detect password changes in mailcow.

"I can add an option to only overwrite if there's a diff between the database and the values returned by mailcow" But can it check whether the password in LDAP changed? (Users are not able to change it in mailcow in my setup.)

theoneandonly-vector commented 2 years ago

This doesn't happen for this step, that's correct. As mailcow does not return the hash of the current password via the API, there's no way to determine whether it has changed. As there are many ways to change your password in mailcow / SOGo, this script is intended to be executed via cron so that the password from mailcow is overwritten. I can add an option to only overwrite if there's a diff between the database and the values returned by mailcow, but as I said, you won't detect password changes in mailcow.

"I can add an option to only overwrite if there's a diff between the database and the values returned by mailcow" But can it check whether the password in LDAP changed? (Users are not able to change it in mailcow in my setup.)

Is this possible?

theoneandonly-vector commented 2 years ago

Any way to push this? :)

myOmikron commented 2 years ago

Closed by fb5f251f9822c24a8f85648436f580f155a9874b.

theoneandonly-vector commented 2 years ago

Confirmed :)

theoneandonly-vector commented 2 years ago

What can I do to debug this if it still happens?