nilsteampassnet / TeamPass

Collaborative Passwords Manager
https://www.teampass.net

LDAP group filter not working when searching for more than one group #3702

Open hitenmandalia opened 1 year ago

hitenmandalia commented 1 year ago

I am trying to get the AD group to Role mapping working with Teampass. When using the (ObjectClass=group) filter, I get a very large list of groups returned, although not a complete list as our AD has a huge number of groups. When trying to search for just the specific groups I need, I can use the filter (cn=) and it will return me the group in question. However, I have multiple groups which I want to assign to different TeamPass roles, and I cannot get more than one group to appear. I have tried the following filters, of which only one works:

  - (ObjectClass=group) - Works but lists a large number of groups. Many groups still missing
  - (cn=) - Works (single group)
  - (cn=)(cn=) - Doesn't work (2 groups)
  - (|(cn=)(cn=)) - Doesn't work (using OR filter)

Maybe I am writing the filters wrong, so it would be really appreciated if someone who has this working could reply.

Steps to reproduce

  1. In the LDAP settings page, trying to add multiple groups for group to role mapping fails
  2. If I add a single group using the filter (cn=), it returns me the single group

Expected behaviour

I should be able to get all listed groups in AD returned

Actual behaviour

Can only get one group at a time

Server configuration

Operating system: Alpine Linux 3.17

Web server: Nginx

Database: MySQL 8

PHP version: 8.1.18

Teampass version: 3.0.7

Teampass configuration file:

<?php
global $SETTINGS;
$SETTINGS = array (
    'max_latest_items' => '10',
    'enable_favourites' => '1',
    'show_last_items' => '1',
    'enable_pf_feature' => '0',
    'log_connections' => '1',
    'log_accessed' => '1',
    'time_format' => 'H:i:s',
    'date_format' => 'd/m/Y',
    'duplicate_folder' => '0',
    'item_duplicate_in_same_folder' => '0',
    'duplicate_item' => '1',
    'number_of_used_pw' => '3',
    'manager_edit' => '1',
    'cpassman_dir' => '/var/www/TeamPass',
    'cpassman_url' => '<removed>',
    'favicon' => '<removed>',
    'path_to_upload_folder' => '/var/www/TeamPass/upload',
    'path_to_files_folder' => '/var/www/TeamPass/files',
    'url_to_files_folder' => '<removed>',
    'activate_expiration' => '0',
    'pw_life_duration' => '0',
    'maintenance_mode' => '0',
    'enable_sts' => '0',
    'encryptClientServer' => '1',
    'teampass_version' => '3.0.7',
    'ldap_mode' => '1',
    'ldap_type' => 'ActiveDirectory',
    'ldap_suffix' => '0',
    'ldap_domain_dn' => '0',
    'ldap_domain_controler' => '0',
    'ldap_user_attribute' => 'samaccountname',
    'ldap_ssl' => '0',
    'ldap_tls' => '0',
    'ldap_search_base' => '0',
    'ldap_port' => '389',
    'richtext' => '0',
    'allow_print' => '0',
    'roles_allowed_to_print' => '0',
    'show_description' => '1',
    'anyone_can_modify' => '0',
    'anyone_can_modify_bydefault' => '0',
    'nb_bad_authentication' => '0',
    'utf8_enabled' => '1',
    'restricted_to' => '0',
    'restricted_to_roles' => '0',
    'enable_send_email_on_user_login' => '0',
    'enable_user_can_create_folders' => '0',
    'insert_manual_entry_item_history' => '0',
    'enable_kb' => '0',
    'enable_email_notification_on_item_shown' => '0',
    'enable_email_notification_on_user_pw_change' => '0',
    'custom_logo' => '',
    'custom_login_text' => '',
    'default_language' => 'english',
    'send_stats' => '0',
    'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;',
    'send_stats_time' => '1680622106',
    'get_tp_info' => '1',
    'send_mail_on_user_login' => '0',
    'nb_items_by_query' => 'auto',
    'enable_delete_after_consultation' => '0',
    'enable_personal_saltkey_cookie' => '0',
    'personal_saltkey_cookie_duration' => '31',
    'email_smtp_server' => '',
    'email_smtp_auth' => '',
    'email_auth_username' => '',
    'email_auth_pwd' => '',
    'email_port' => '',
    'email_security' => '',
    'email_server_url' => '',
    'email_from' => '',
    'email_from_name' => '',
    'pwd_maximum_length' => '40',
    'google_authentication' => '0',
    'delay_item_edition' => '0',
    'allow_import' => '0',
    'proxy_ip' => '',
    'proxy_port' => '',
    'upload_maxfilesize' => '10mb',
    'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx',
    'upload_imagesext' => 'jpg,jpeg,gif,png',
    'upload_pkgext' => '7z,rar,tar,zip',
    'upload_otherext' => 'sql,xml',
    'upload_imageresize_options' => '1',
    'upload_imageresize_width' => '800',
    'upload_imageresize_height' => '600',
    'upload_imageresize_quality' => '90',
    'use_md5_password_as_salt' => '0',
    'ga_website_name' => 'TeamPass for ChangeMe',
    'api' => '0',
    'subfolder_rights_as_parent' => '1',
    'show_only_accessible_folders' => '0',
    'enable_suggestion' => '0',
    'otv_expiration_period' => '7',
    'default_session_expiration_time' => '60',
    'duo' => '0',
    'enable_server_password_change' => '0',
    'ldap_object_class' => '0',
    'bck_script_path' => '/var/www/TeamPass/backups',
    'bck_script_filename' => 'bck_teampass',
    'syslog_enable' => '0',
    'syslog_host' => 'localhost',
    'syslog_port' => '514',
    'manager_move_item' => '0',
    'create_item_without_password' => '1',
    'otv_is_enabled' => '0',
    'agses_authentication_enabled' => '0',
    'item_extra_fields' => '0',
    'saltkey_ante_2127' => 'none',
    'migration_to_2127' => 'done',
    'files_with_defuse' => 'done',
    'timezone' => 'UTC',
    'enable_attachment_encryption' => '1',
    'personal_saltkey_security_level' => '50',
    'ldap_new_user_is_administrated_by' => '0',
    'disable_show_forgot_pwd_link' => '0',
    'offline_key_level' => '0',
    'enable_http_request_login' => '0',
    'ldap_and_local_authentication' => '1',
    'secure_display_image' => '1',
    'upload_zero_byte_file' => '0',
    'upload_all_extensions_file' => '1',
    'bck_script_passkey' => '<removed>',
    'admin_2fa_required' => '0',
    'password_overview_delay' => '4',
    'copy_to_clipboard_small_icons' => '1',
    'duo_ikey' => '',
    'duo_skey' => '',
    'duo_host' => '',
    'duo_failmode' => 'secure',
    'roles_allowed_to_print_select' => '',
    'clipboard_life_duration' => '30',
    'mfa_for_roles' => '',
    'tree_counters' => '0',
    'settings_offline_mode' => '0',
    'settings_tree_counters' => '0',
    'enable_massive_move_delete' => '0',
    'email_debug_level' => '0',
    'ga_reset_by_user' => '',
    'onthefly-backup-key' => '',
    'onthefly-restore-key' => '',
    'ldap_user_dn_attribute' => '',
    'ldap_dn_additional_user_dn' => '',
    'ldap_user_object_filter' => '(&(objectcategory=person)(memberof=cn=xxx,dc=xxx,dc=xxx))',
    'ldap_bdn' => '<removed>',
    'ldap_hosts' => '<removed>',
    'ldap_password' => '<removed>',
    'ldap_username' => '<removed>',
    'api_token_duration' => '60',
    'enable_tasks_manager' => '1',
    'task_maximum_run_time' => '300',
    'tasks_manager_refreshing_period' => '20',
    'maximum_number_of_items_to_treat' => '100',
    'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_NEVER',
    'enable_tasks_log' => '1',
    'upgrade_timestamp' => '1683214106',
    'enable_ad_users_with_ad_groups' => '1',
    'enable_ad_user_auto_creation' => '0',
    'ldap_group_object_filter' => '(cn=<removed>)',
    'ldap_guid_attibute' => 'objectguid',
    'sending_emails_job_frequency' => '2',
    'user_keys_job_frequency' => '1',
    'items_statistics_job_frequency' => '5',
);

Below is the error when using the non-working filters:

Logs

Web server error log

2023/05/04 16:43:59 [error] 16#16: *818 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught ErrorException: ldap_search(): Search: Bad search filter in /var/www/TeamPass/includes/libraries/LdapRecord/Ldap.php:235 Stack trace:
#0 [internal function]: LdapRecord\Ldap->LdapRecord\{closure}()
#1 /var/www/TeamPass/includes/libraries/LdapRecord/Ldap.php(235): ldap_search()
#2 /var/www/TeamPass/includes/libraries/LdapRecord/HandlesConnection.php(171): LdapRecord\Ldap->LdapRecord\{closure}()
#3 /var/www/TeamPass/includes/libraries/LdapRecord/Ldap.php(237): LdapRecord\Ldap->executeFailableOperation()
#4 /var/www/TeamPass/includes/libraries/LdapRecord/Query/Builder.php(716): LdapRecord\Ldap->search()
#5 /var/www/TeamPass/includes/libraries/LdapRecord/Connection.php(394): LdapRecord\Query\Builder->LdapRecord\Query\{closure}()
#6 /var/www/TeamPass/includes/libraries/LdapRecord/Connection.php(352): LdapRecord\Connection->runOperationCallback()
#7 /var/www/TeamPass/includes/libraries/LdapRecord/Query/Builder.php(718): LdapRecord\Connection->run()
#8 /var/www/Tea" while reading response header from upstream, client: 172.17.0.1, server: , request: "POST /sources/roles.queries.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "", referrer: "http:///index.php?page=roles"

Andrei-Paul commented 1 year ago

A temporary workaround would be to assign your groups a dummy object class not used by other groups and filter by that too: (ObjectClass=group)(ObjectClass=whateverdummyobjectclassyouchose)

But yes, from what I tested, all that Teampass can resolve for now are enumerations of simple filters that will be ANDed together, no compound filters, no wildcards. The above will produce: (&(ObjectClass=group)(ObjectClass=whateverdummyobjectclassyouchose))

If your teampass groups sit in a subtree from other groups, like cn=standard,dc=teampass,dc=groups,dc=example / cn=trusted,dc=teampass,dc=groups,dc=example, you can add a filter like (dc:dn:=tempass) that will only allow groups that have dc=tempass in their dn.

hitenmandalia commented 1 year ago

@Andrei-Paul Thank you for helping point me in the right direction. What I ended up doing is using the extension attributes in AD. I used one extension attribute and gave it the value "teampassgroup". Also I was getting the same issue as with https://github.com/nilsteampassnet/TeamPass/issues/3710. I used a second extension attribute and gave each group a unique integer value. And this fixed the issue for both. So thank you for your input on both.

However, there is now an issue with AD login on the latest version 3.0.7. Whilst I can do LDAP syncs and select users and groups, I cannot log in using an AD account. So hopefully that gets looked at soon and fixed.

I also saw your fix for the cronjob which I am also experiencing. However I am not using a Dockerfile to build my container as I am using AWS Fargate to run my teampass with an RDS MySQL DB.

Andrei-Paul commented 1 year ago

@hitenmandalia Posted there a runtime cronjob fix, but since AWS Fargate seems to use a container, that container must be built somewhere using some instructions. I suspect it uses the Dockerfile in a repo, so if the PR is accepted, the build-time fix will work. (never used AWS Fargate, just guessing)

hitenmandalia commented 1 year ago

@Andrei-Paul I have built the container manually on my machine rather than using a Dockerfile. However, right now since LDAP login seems to be broken on 3.0.7, I'll wait it out before trying it out again.

eriksornes commented 1 month ago

Just a small comment. Same problem in 3.1.0. By adding som debug lines I discovered that whe passing the parameter for ldap_group_object_filter, the code somehow transforms all the chars after =-sign into "\ascii-code for sign".That is "samaccountname=*" transforms into "samaccountname=\2A". ldap_user_object_filter is not translated in this way, but used directly as it is stated in tp.config, so that one works So this must be a bug of som sort. I think it should be up to the user to escape the chars she wants in the setting according to rfc 2254