nilsteampassnet / TeamPass

Collaborative Passwords Manager
https://www.teampass.net

LDAP synchronization not working #3740

Open mateuszdomagalayosi opened 1 year ago

mateuszdomagalayosi commented 1 year ago

Steps to reproduce

  1. Clean install of teampass
  2. Configure LDAP settings
  3. Testing current configuration works
  4. Click on LDAP synchronization

Actual behaviour

Only "In progress ..." message appears

Server configuration

Operating system: Debian 11, SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux

Web server: Nginx 1.24.0-1~bullseye

Database: 10.5.19-MariaDB-0+deb11u2

PHP version: 8.2

Teampass version: 3.0.8

Teampass configuration file:

<?php
global $SETTINGS;
$SETTINGS = array (
    'max_latest_items' => '10',
    'enable_favourites' => '1',
    'show_last_items' => '1',
    'enable_pf_feature' => '0',
    'log_connections' => '1',
    'log_accessed' => '1',
    'time_format' => 'H:i:s',
    'date_format' => 'd/m/Y',
    'duplicate_folder' => '1',
    'item_duplicate_in_same_folder' => '1',
    'duplicate_item' => '1',
    'number_of_used_pw' => '3',
    'manager_edit' => '1',
    'cpassman_dir' => '/teampass*dir',
    'cpassman_url' => 'https://teampass.example.com',
    'favicon' => 'https://teampass.example.com/favicon.ico',
    'path_to_upload_folder' => '/teampass*dir/upload',
    'path_to_files_folder' => '/teampass*dir/files',
    'url_to_files_folder' => 'https://teampass.example.com/files',
    'activate_expiration' => '0',
    'pw_life_duration' => '0',
    'maintenance_mode' => '0',
    'enable_sts' => '0',
    'encryptClientServer' => '1',
    'teampass_version' => '3.0.8',
    'ldap_mode' => '1',
    'ldap_type' => 'ActiveDirectory',
    'ldap_suffix' => '0',
    'ldap_domain_dn' => '0',
    'ldap_domain_controler' => '0',
    'ldap_user_attribute' => 'samaccountname',
    'ldap_ssl' => '1',
    'ldap_tls' => '1',
    'ldap_search_base' => '0',
    'ldap_port' => '636',
    'richtext' => '0',
    'allow_print' => '1',
    'roles_allowed_to_print' => '0',
    'show_description' => '1',
    'anyone_can_modify' => '0',
    'anyone_can_modify_bydefault' => '0',
    'nb_bad_authentication' => '0',
    'utf8_enabled' => '1',
    'restricted_to' => '0',
    'restricted_to_roles' => '0',
    'enable_send_email_on_user_login' => '0',
    'enable_user_can_create_folders' => '0',
    'insert_manual_entry_item_history' => '0',
    'enable_kb' => '1',
    'enable_email_notification_on_item_shown' => '0',
    'enable_email_notification_on_user_pw_change' => '0',
    'custom_logo' => 'https://teampass.example.com/y1.png',
    'custom_login_text' => '',
    'default_language' => 'english',
    'send_stats' => '0',
    'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;',
    'send_stats_time' => '1682167508',
    'get_tp_info' => '1',
    'send_mail_on_user_login' => '0',
    'nb_items_by_query' => 'auto',
    'enable_delete_after_consultation' => '0',
    'enable_personal_saltkey_cookie' => '0',
    'personal_saltkey_cookie_duration' => '31',
    'email_smtp_server' => '********',
    'email_smtp_auth' => '1',
    'email_auth_username' => '********',
    'email_auth_pwd' => '********',
    'email_port' => '587',
    'email_security' => 'tls',
    'email_server_url' => '',
    'email_from' => '********',
    'email_from_name' => '********',
    'pwd_maximum_length' => '64',
    'google_authentication' => '0',
    'delay_item_edition' => '0',
    'allow_import' => '1',
    'proxy_ip' => '',
    'proxy_port' => '',
    'upload_maxfilesize' => '10mb',
    'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx',
    'upload_imagesext' => 'jpg,jpeg,gif,png',
    'upload_pkgext' => '7z,rar,tar,zip,tar.gz,gz',
    'upload_otherext' => 'sql,xml,crt,key,ptx',
    'upload_imageresize_options' => '1',
    'upload_imageresize_width' => '800',
    'upload_imageresize_height' => '600',
    'upload_imageresize_quality' => '90',
    'use_md5_password_as_salt' => '0',
    'ga_website_name' => 'TeamPass for ChangeMe',
    'api' => '0',
    'subfolder_rights_as_parent' => '1',
    'show_only_accessible_folders' => '1',
    'enable_suggestion' => '1',
    'otv_expiration_period' => '7',
    'default_session_expiration_time' => '480',
    'duo' => '0',
    'enable_server_password_change' => '0',
    'ldap_object_class' => '0',
    'bck_script_path' => '/teampass*dir/backups',
    'bck_script_filename' => 'bck_teampass',
    'syslog_enable' => '0',
    'syslog_host' => 'localhost',
    'syslog_port' => '514',
    'manager_move_item' => '1',
    'create_item_without_password' => '1',
    'otv_is_enabled' => '1',
    'agses_authentication_enabled' => '0',
    'item_extra_fields' => '0',
    'saltkey_ante_2127' => 'none',
    'migration_to_2127' => 'done',
    'files_with_defuse' => 'done',
    'timezone' => 'UTC',
    'enable_attachment_encryption' => '1',
    'personal_saltkey_security_level' => '50',
    'ldap_new_user_is_administrated_by' => '0',
    'disable_show_forgot_pwd_link' => '0',
    'offline_key_level' => '0',
    'enable_http_request_login' => '0',
    'ldap_and_local_authentication' => '1',
    'secure_display_image' => '1',
    'upload_zero_byte_file' => '0',
    'upload_all_extensions_file' => '0',
    'bck_script_passkey' => '********',
    'admin_2fa_required' => '1',
    'password_overview_delay' => '4',
    'copy_to_clipboard_small_icons' => '1',
    'duo_ikey' => '',
    'duo_skey' => '',
    'duo_host' => '',
    'duo_failmode' => 'secure',
    'roles_allowed_to_print_select' => '[2]',
    'clipboard_life_duration' => '30',
    'mfa_for_roles' => '',
    'tree_counters' => '1',
    'settings_offline_mode' => '0',
    'settings_tree_counters' => '0',
    'enable_massive_move_delete' => '1',
    'email_debug_level' => '0',
    'ga_reset_by_user' => '',
    'onthefly-backup-key' => '********',
    'onthefly-restore-key' => '',
    'ldap_user_dn_attribute' => '',
    'ldap_dn_additional_user_dn' => 'OU=UNITS,OU=_GLOBAL',
    'ldap_user_object_filter' => '(objectCategory=Person)(sAMAccountName=*)',
    'ldap_bdn' => 'DC=********,DC=********',
    'ldap_bdn' => 'DC=********,DC=********',
    'ldap_hosts' => '********',
    'ldap_password' => '********',
    'ldap_username' => 'CN=teampassaccount,OU=TECHNICAL,OU=ACCOUNTS,OU=_GLOBAL,DC=********,DC=********',
    'api_token_duration' => '60',
    'enable_tasks_manager' => '1',
    'task_maximum_run_time' => '300',
    'tasks_manager_refreshing_period' => '20',
    'maximum_number_of_items_to_treat' => '100',
    'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_NEVER',
    'enable_tasks_log' => '0',
    'upgrade_timestamp' => '1684759508',
    'enable_ad_users_with_ad_groups' => '0',
    'enable_ad_user_auto_creation' => '0',
    'ldap_group_object_filter' => '',
    'ldap_guid_attibute' => 'objectguid',
    'sending_emails_job_frequency' => '2',
    'user_keys_job_frequency' => '1',
    'items_statistics_job_frequency' => '5',
    'can_create_root_folder' => '1',
);

Updated from an older Teampass or fresh install: Fresh install

Client configuration

Browser: Chrome and Firefox

Operating system: Windows 10 22H2

Logs

Web server error log

2023/05/26 13:26:57 [error] 1276578#1276578: *11093 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Uncaught TypeError: Carbon\Carbon::setLastErrors(): Argument #1 ($lastErrors) must be of type array, bool given, called in /teampass*dir/includes/libraries/Carbon/Traits/Creator.php on line 96 and defined in /home/teampass/teampass2www/includes/libraries/Carbon/Traits/Creator.php:894
Stack trace:
#0 /teampass*dir/includes/libraries/Carbon/Traits/Creator.php(96): Carbon\Carbon::setLastErrors()
#1 /teampass*dir/includes/libraries/Carbon/Traits/Creator.php(250): Carbon\Carbon->__construct()
#2 /teampass*dir/includes/libraries/LdapRecord/Connection.php(495): Carbon\Carbon::now()
#3 /teampass*dir/includes/libraries/LdapRecord/Connection.php(268): LdapRecord\Connection->retryOnNextHost()
#4 /teampass*dir/sources/users.queries.php(2560): LdapRecord\Connection->connect()
#5 {main}
  thrown in /teampass*dir/includes/libraries/Carbon/Traits/Creator.php on line 894" while reading response header from upstream, client: 189.91.31.109, server: teampass.example.com, request: "POST /sources/users.queries.php HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "teampass.example.com", referrer: "https://teampass.example.com/index.php?page=users"

Log from the web-browser developer console (CTRL + SHIFT + i)

(provided as screenshots in the original issue; no text log)

Andrei-Paul commented 1 year ago

I don't know if it matters in PHP or if it's just a typo here, but 'ldap_bdn' is present twice in your configuration. Also, might as well set 'ldap_user_dn_attribute' to dn or whatever Active Directory uses. Also also, I suspect SSL and TLS should not be both on at the same time (one of them means ldaps://, the other means "StartTLS" mode, NOT TLS as in TLS 1.1/1.2/1.3). I think you only need "Use LDAP through SSL (LDAPS)"

useronkel commented 1 year ago

I wonder how it is possible to have ldap_bdn twice in config....

And Andrei-Paul is absolutely right with SSL and TLS, never enable both, choose the one that better fits your needs.
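The two points raised by Andrei-Paul and useronkel above (a key that appears twice, and ldap_ssl together with ldap_tls) can be checked mechanically before touching the server. The script below is an added example, not TeamPass code. It reads the 'key' => 'value', pairs of a TeamPass $SETTINGS array the way PHP does (a repeated key silently keeps the last value, so a duplicate is harmless syntax but a sign of hand editing), then flags the LDAP combinations discussed in this thread, plus ldap_tls_certifacte_check set to LDAP_OPT_X_TLS_NEVER, which turns off verification of the domain controller's certificate and therefore lets anything that answers on port 636 collect the bind account's password. The settings text embedded in the script is constructed for the example; the key names (including the misspelt certifacte) are the ones that appear in the configurations posted in this issue, and the regex assumes values contain no single quote, as in those files.

```python
"""Lint the LDAP part of a TeamPass $SETTINGS array (added example, not TeamPass code).

PHP array semantics reproduced here: a key given twice keeps the LAST value.
Everything else is a plain consistency check of the string values TeamPass stores.
"""
import re

# One 'key' => 'value', pair per match; assumes values contain no single quote.
PAIR_RE = re.compile(r"'([^']+)'\s*=>\s*'([^']*)'\s*,")

# Constructed sample, shaped like the report above (all values are placeholders).
SAMPLE_SETTINGS = """
$SETTINGS = array (
    'ldap_mode' => '1',
    'ldap_type' => 'ActiveDirectory',
    'ldap_ssl' => '1',
    'ldap_tls' => '1',
    'ldap_port' => '636',
    'ldap_bdn' => 'DC=old,DC=example',
    'ldap_bdn' => 'DC=corp,DC=example',
    'ldap_hosts' => 'dc1.corp.example',
    'ldap_username' => 'CN=teampassaccount,OU=TECHNICAL,DC=corp,DC=example',
    'ldap_password' => 'placeholder-not-a-real-secret',
    'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_NEVER',
);
"""


def parse_settings(php_text):
    """Return (settings, duplicate_keys); like PHP, the last value of a repeated key wins."""
    settings, duplicates = {}, []
    for key, value in PAIR_RE.findall(php_text):
        if key in settings and key not in duplicates:
            duplicates.append(key)
        settings[key] = value
    return settings, duplicates


def lint_ldap(settings, duplicates=()):
    """Return a list of human-readable findings; an empty list means nothing to fix."""
    findings = [f"duplicate key '{k}': PHP keeps the last value, {settings[k]!r}" for k in duplicates]
    if settings.get('ldap_mode') != '1':
        return findings + ["ldap_mode is not '1': LDAP is disabled, nothing else to check"]

    ldaps = settings.get('ldap_ssl') == '1'      # ldaps:// on its own port
    starttls = settings.get('ldap_tls') == '1'   # StartTLS upgrade on the plain port
    port = settings.get('ldap_port', '')
    if ldaps and starttls:
        findings.append("ldap_ssl and ldap_tls are both set: LDAPS and StartTLS are exclusive, keep one")
    if ldaps and port != '636':
        findings.append(f"ldap_ssl=1 but ldap_port={port or '(empty)'}: LDAPS normally listens on 636")
    if starttls and not ldaps and port == '636':
        findings.append("ldap_tls=1 (StartTLS) with port 636: StartTLS runs on the plain port, usually 389")
    if not ldaps and not starttls:
        findings.append("neither ldap_ssl nor ldap_tls: the bind password would cross the network in clear")

    if settings.get('ldap_tls_certifacte_check') == 'LDAP_OPT_X_TLS_NEVER':
        findings.append("ldap_tls_certifacte_check=LDAP_OPT_X_TLS_NEVER: the DC certificate is not verified, "
                        "so a spoofed DC can capture the bind credentials; use LDAP_OPT_X_TLS_HARD "
                        "and trust the issuing CA (TLS_CACERT in ldap.conf)")

    for key in ('ldap_hosts', 'ldap_bdn', 'ldap_username', 'ldap_password'):
        if settings.get(key, '') in ('', '0'):
            findings.append(f"{key} is empty")
    return findings


def lint_settings_text(php_text):
    """Convenience wrapper: lint straight from the text of settings.php."""
    settings, duplicates = parse_settings(php_text)
    return lint_ldap(settings, duplicates)


if __name__ == '__main__':
    for finding in lint_settings_text(SAMPLE_SETTINGS) or ['no findings']:
        print('-', finding)
```

Run it against the real file with lint_settings_text(open('/path/to/settings.php').read()); an empty list is the goal before retrying the synchronization.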

mateuszdomagalayosi commented 1 year ago

@Andrei-Paul @useronkel Duplicate of ldap_bdn is my typo. After disabling TLS nothing changed, still seeing the same error in nginx log.

nilsteampassnet commented 1 year ago

@mateuszdomagalayosi I'm not an LDAP specialist. I'm wondering if it is possible to have an empty "Distinguished Name" field when performing an AD query? Could you try to identify this value and set it in the configuration page?

mateuszdomagalayosi commented 1 year ago

@nilsteampassnet Still the same error after adding "distinguishedName" to User Distinguished Name

mateuszdomagalayosi commented 1 year ago

Also I tried to fill the LDAP group object filter using filters from https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx , but I don't quite understand how this should work. Changing other filters has no effect either.

bananatree23 commented 1 year ago

I had a similar issue; the fix for me was to add the CA cert to ldap.conf. I did the following:

  1. Upload the CA cert to my server
  2. Navigate to the ldap.conf file and open it (for me on debian: /etc/ldap/ldap.conf)
  3. Add the following: TLS_CACERT /etc/ssl/mycertificate.cer

I also have the following settings:

    'max_latest_items' => '10',
    'enable_favourites' => '1',
    'show_last_items' => '1',
    'enable_pf_feature' => '1',
    'log_connections' => '1',
    'log_accessed' => '0',
    'time_format' => 'H:i:s',
    'date_format' => 'd/m/Y',
    'duplicate_folder' => '1',
    'item_duplicate_in_same_folder' => '1',
    'duplicate_item' => '1',
    'number_of_used_pw' => '3',
    'manager_edit' => '1',
    'cpassman_dir' => '/var/www/html/TeamPass',
    'cpassman_url' => 'https://',
    'favicon' => 'https:///favicon.ico',
    'path_to_upload_folder' => '/var/www/html/TeamPass/upload',
    'path_to_files_folder' => '/var/www/html/TeamPass/files',
    'url_to_files_folder' => 'https:///files',
    'activate_expiration' => '0',
    'pw_life_duration' => '0',
    'maintenance_mode' => '0',
    'enable_sts' => '0',
    'encryptClientServer' => '1',
    'teampass_version' => '3.0.9',
    'ldap_mode' => '1',
    'ldap_type' => 'ActiveDirectory',
    'ldap_suffix' => '0',
    'ldap_domain_dn' => '0',
    'ldap_domain_controler' => '0',
    'ldap_user_attribute' => 'samaccountname',
    'ldap_ssl' => '1',
    'ldap_tls' => '0',
    'ldap_search_base' => '0',
    'ldap_port' => '636',
    'richtext' => '0',
    'allow_print' => '0',
    'roles_allowed_to_print' => '0',
    'show_description' => '1',
    'anyone_can_modify' => '0',
    'anyone_can_modify_bydefault' => '0',
    'nb_bad_authentication' => '0',
    'utf8_enabled' => '1',
    'restricted_to' => '0',
    'restricted_to_roles' => '0',
    'enable_send_email_on_user_login' => '0',
    'enable_user_can_create_folders' => '1',
    'insert_manual_entry_item_history' => '0',
    'enable_kb' => '0',
    'enable_email_notification_on_item_shown' => '0',
    'enable_email_notification_on_user_pw_change' => '0',
    'custom_logo' => '',
    'custom_login_text' => '',
    'default_language' => 'german',
    'send_stats' => '0',
    'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;',
    'send_stats_time' => '1683112960',
    'get_tp_info' => '1',
    'send_mail_on_user_login' => '0',
    'sending_emails' => '0',
    'nb_items_by_query' => 'auto',
    'enable_delete_after_consultation' => '0',
    'enable_personal_saltkey_cookie' => '0',
    'personal_saltkey_cookie_duration' => '31',
    'email_smtp_server' => '',
    'email_smtp_auth' => '',
    'email_auth_username' => '',
    'email_auth_pwd' => '',
    'email_port' => '25',
    'email_security' => '',
    'email_server_url' => '',
    'email_from' => '',
    'email_from' => '',
    'pwd_maximum_length' => '128',
    'google_authentication' => '0',
    'delay_item_edition' => '0',
    'allow_import' => '1',
    'proxy_ip' => '',
    'proxy_port' => '',
    'upload_maxfilesize' => '32mb',
    'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx',
    'upload_imagesext' => 'jpg,jpeg,gif,png',
    'upload_pkgext' => '7z,rar,tar,zip',
    'upload_otherext' => 'sql,xml',
    'upload_imageresize_options' => '1',
    'upload_imageresize_width' => '800',
    'upload_imageresize_height' => '600',
    'upload_imageresize_quality' => '90',
    'use_md5_password_as_salt' => '0',
    'ga_website_name' => 'TeamPass for ChangeMe',
    'api' => '0',
    'subfolder_rights_as_parent' => '1',
    'show_only_accessible_folders' => '1',
    'enable_suggestion' => '1',
    'otv_expiration_period' => '7',
    'default_session_expiration_time' => '60',
    'duo' => '0',
    'enable_server_password_change' => '0',
    'ldap_object_class' => '0',
    'bck_script_path' => '/var/www/html/TeamPass/backups',
    'bck_script_filename' => 'bck_teampass',
    'syslog_enable' => '0',
    'syslog_host' => '',
    'syslog_port' => '514',
    'manager_move_item' => '1',
    'create_item_without_password' => '1',
    'otv_is_enabled' => '0',
    'agses_authentication_enabled' => '0',
    'item_extra_fields' => '0',
    'saltkey_ante_2127' => 'none',
    'migration_to_2127' => 'done',
    'files_with_defuse' => 'done',
    'timezone' => 'Europe/Berlin',
    'enable_attachment_encryption' => '1',
    'personal_saltkey_security_level' => '50',
    'ldap_new_user_is_administrated_by' => '0',
    'disable_show_forgot_pwd_link' => '1',
    'offline_key_level' => '0',
    'enable_http_request_login' => '0',
    'ldap_and_local_authentication' => '1',
    'secure_display_image' => '1',
    'upload_zero_byte_file' => '0',
    'upload_all_extensions_file' => '0',
    'bck_script_passkey' => '',
    'admin_2fa_required' => '1',
    'password_overview_delay' => '4',
    'copy_to_clipboard_small_icons' => '1',
    'duo_ikey' => '',
    'duo_skey' => '',
    'duo_host' => '',
    'duo_failmode' => 'secure',
    'roles_allowed_to_print_select' => '',
    'clipboard_life_duration' => '30',
    'mfa_for_roles' => '',
    'tree_counters' => '1',
    'settings_offline_mode' => '0',
    'settings_tree_counters' => '0',
    'enable_massive_move_delete' => '1',
    'email_debug_level' => '0',
    'ga_reset_by_user' => '',
    'onthefly-backup-key' => '',
    'onthefly-restore-key' => '',
    'ldap_user_dn_attribute' => 'distinguishedname',
    'ldap_dn_additional_user_dn' => 'ou=,ou=,ou=,ou=',
    'ldap_user_object_filter' => '(objectCategory=Person),(sAMAccountName=*)',
    'ldap_bdn' => 'dc=,dc=',
    'ldap_hosts' => '',
    'ldap_password' => '',
    'ldap_username' => 'cn=,cn=,dc=,dc=',
    'api_token_duration' => '60',
    'last_folder_change' => '',
    'enable_tasks_manager' => '1',
    'task_maximum_run_time' => '300',
    'tasks_manager_refreshing_period' => '20',
    'maximum_number_of_items_to_treat' => '100',
    'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_HARD',
    'enable_tasks_log' => '0',
    'upgrade_timestamp' => '1685704960',
    'enable_ad_users_with_ad_groups' => '1',
    'enable_ad_user_auto_creation' => '0',
    'ldap_group_object_filter' => '(objectclass=)(objectclass=)',
    'ldap_guid_attibute' => 'objectSid',
    'sending_emails_job_frequency' => '2',
    'user_keys_job_frequency' => '1',
    'items_statistics_job_frequency' => '5',
    'users_personal_folder_task' => 'hourly;',
    'clean_orphan_objects_task' => '',
    'purge_temporary_files_task' => '',
    'rebuild_config_file' => '',
    'reload_cache_table_task' => '',
    'max_last_items' => '10',
    'can_create_root_folder' => '1',

Hope it helps!

mateuszdomagalayosi commented 1 year ago

@bananatree23 Checked and changed config to look like yours, but still doesn't work. How does (objectclass=)(objectclass=) in ldap_group_object_filter work? (objectclass=group)?

bananatree23 commented 1 year ago

> @bananatree23 Checked and changed config to look like yours, but still doesn't work. How does (objectclass=)(objectclass=) in ldap_group_object_filter work? (objectclass=group)?

Yes, I just added the user groups which I want to be able to login for now. I don't know if it is the intended use, but it works for me.

Example for how I did it: (objectclass=TEST-GROUP)(objectclass=TEST-GROUP2)

Did you configure the ldap.conf? It didn't work for me until I did that.
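A quick way to see what TeamPass is being handed in ldap_group_object_filter and ldap_user_object_filter is to parse the string as an RFC 4515 search filter. The checker below is an added example, not TeamPass or LdapRecord code (how TeamPass itself rewrites the string before sending it is not visible on this page), and the sample filters are constructed from the values quoted in this thread. RFC 4515 allows exactly one top-level expression, so '(objectclass=TEST-GROUP)(objectclass=TEST-GROUP2)' parses as two filters, and the comma in '(objectCategory=Person),(sAMAccountName=*)' is text outside any expression; joining the pieces with '|' or '&' gives one well-formed filter. One Active Directory detail worth keeping in mind when writing these: objectClass carries schema class names such as group or user, while a group's name lives in cn or sAMAccountName and a user's group membership in memberOf.

```python
"""Check LDAP search filters for RFC 4515 shape (added example, not TeamPass/LdapRecord code).

A filter is ONE parenthesised expression: a leaf '(attr=value)' (also >=, <=, ~=)
or a composite '(&...)', '(|...)', '(!...)' whose children are themselves filters.
Sample strings below are constructed from the values quoted in the thread.
"""


class FilterError(ValueError):
    """Raised with an explanation of what is wrong with the filter string."""


def split_top_level(text):
    """Return the top-level '(...)' items of text, refusing stray characters or unbalanced parens."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == '(':
            if depth == 0:
                start = i
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                raise FilterError(f"unbalanced ')' at offset {i}")
            if depth == 0:
                items.append(text[start:i + 1])
        elif depth == 0 and not ch.isspace():
            raise FilterError(f"text outside parentheses at offset {i}: {ch!r}")
    if depth:
        raise FilterError(f"unbalanced '(': {depth} still open at end of string")
    return items


def parse_filter(text):
    """Parse one filter into ('cmp', attr, op, value) leaves and ('&'|'|'|'!', [children]) nodes."""
    items = split_top_level(text)
    if len(items) != 1:
        raise FilterError(f"expected exactly one top-level filter, found {len(items)}: {items}")
    body = items[0][1:-1]                      # strip the outer parentheses
    if body[:1] in ('&', '|', '!'):
        children = [parse_filter(c) for c in split_top_level(body[1:])]
        if not children:
            raise FilterError(f"'{body[0]}' needs at least one child filter")
        if body[0] == '!' and len(children) != 1:
            raise FilterError("'!' takes exactly one child filter")
        return (body[0], children)
    if '=' not in body:
        raise FilterError(f"leaf without '=': {body!r}")
    attr, value = body.split('=', 1)
    op = '='
    if attr and attr[-1] in '><~':             # attr>=v, attr<=v, attr~=v
        op, attr = attr[-1] + '=', attr[:-1]
    if not attr.strip():
        raise FilterError(f"empty attribute name in {body!r}")
    return ('cmp', attr.strip(), op, value)


def check(text):
    """Return (True, 'ok') or (False, reason) without raising."""
    try:
        parse_filter(text)
        return True, 'ok'
    except FilterError as exc:
        return False, str(exc)


def join_filters(op, filters):
    """Combine several filters into one with '&' or '|', e.g. join_filters('|', ['(cn=a)', '(cn=b)'])."""
    if op not in ('&', '|'):
        raise ValueError("op must be '&' or '|'")
    for f in filters:
        parse_filter(f)                        # each piece must itself be one valid filter
    return f"({op}{''.join(filters)})"


if __name__ == '__main__':
    for sample in ['(objectclass=TEST-GROUP)(objectclass=TEST-GROUP2)',
                   '(objectCategory=Person),(sAMAccountName=*)',
                   join_filters('|', ['(cn=TEST-GROUP)', '(cn=TEST-GROUP2)']),
                   '(&(objectCategory=Person)(sAMAccountName=*))']:
        print(f"{sample}: {check(sample)[1]}")
```

The parser deliberately rejects anything it cannot account for rather than guessing, which is the behaviour you want from a check run on strings that end up in a directory query built from a config file.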

bananatree23 commented 1 year ago

My ldap.conf looks like this (/etc/ldap/ldap.conf):

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-provider.example.com:666

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never

# TLS certificates (needed for GnuTLS)
TLS_CACERT  /etc/ssl/mycert.cer
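What bananatree23's TLS_CACERT line changes is whether the LDAP client library trusts the certificate the domain controller presents on port 636. On Debian, PHP's ldap extension (which LdapRecord, bundled with TeamPass, calls underneath) is built on the OpenLDAP client library, and that library reads /etc/ldap/ldap.conf, which is why a line there affects TeamPass. In the stack trace at the top of this issue the failure surfaces inside Carbon while LdapRecord is already retrying the connection, so the underlying LDAP error never reaches the browser; testing the trust path outside TeamPass shows it directly. The script below is an added example, not TeamPass code: it reads TLS_CACERT from an ldap.conf, opens a verified TLS session to the DC with that CA (a verification failure here is the same condition the ldap.conf fix addresses), and prints the ldapsearch command that performs the bind over the same transport that ldap_ssl or ldap_tls selects. The sample ldap.conf text is constructed; the host name and DNs in the __main__ block are placeholders.

```python
"""Verify the LDAPS trust path outside TeamPass (added example, not TeamPass code).

1. parse_ldap_conf(): read TLS_CACERT (and any other keyword) from an ldap.conf.
2. probe_ldaps(): open a TLS session to the DC with that CA and hostname checking on,
   returning the verification error instead of a generic 'in progress' hang.
3. ldapsearch_command(): the equivalent bind test for the shell, using the transport
   that ldap_ssl (ldaps://) or ldap_tls (StartTLS) selects.
Hosts, DNs and the sample ldap.conf below are constructed placeholders.
"""
import shlex
import socket
import ssl

SAMPLE_LDAP_CONF = """\
# LDAP Defaults, see ldap.conf(5)
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com

# TLS certificates (needed for GnuTLS)
TLS_CACERT  /etc/ssl/mycert.cer
"""


def parse_ldap_conf(text):
    """Return {KEYWORD: value} for the active lines of an ldap.conf; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Open a verified TLS connection to host:port; return (ok, detail).

    cafile=None uses the system trust store, which is exactly what fails when the
    DC certificate comes from an internal CA that has not been installed anywhere.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True                  # the DC name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get('subject', ()))
                issuer = dict(rdn[0] for rdn in cert.get('issuer', ()))
                return True, (f"{tls.version()} handshake ok; subject CN={subject.get('commonName')}, "
                              f"issuer CN={issuer.get('commonName')}")
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


def ldapsearch_command(host, bind_dn, base_dn, use_ldaps=True, use_starttls=False,
                       filter_str='(sAMAccountName=*)'):
    """Build the ldapsearch line that performs the same bind TeamPass would attempt."""
    url = f"ldaps://{host}:636" if use_ldaps else f"ldap://{host}:389"
    args = ['ldapsearch', '-H', url, '-x', '-D', bind_dn, '-W', '-b', base_dn]
    if use_starttls and not use_ldaps:
        args.insert(1, '-ZZ')                  # StartTLS on the plain port; fail if it cannot be negotiated
    args += [filter_str, 'dn']
    return shlex.join(args)


if __name__ == '__main__':
    import os
    path = '/etc/ldap/ldap.conf'
    conf = parse_ldap_conf(open(path).read()) if os.path.exists(path) else parse_ldap_conf(SAMPLE_LDAP_CONF)
    cafile = conf.get('TLS_CACERT')
    if cafile and not os.path.exists(cafile):
        print(f"TLS_CACERT points at {cafile}, which does not exist on this host")
        cafile = None
    dc = 'dc1.corp.example'                    # placeholder: your domain controller
    print(probe_ldaps(dc, cafile=cafile))
    print(ldapsearch_command(dc, 'CN=teampassaccount,OU=TECHNICAL,DC=corp,DC=example', 'DC=corp,DC=example'))
```

If probe_ldaps reports a verification failure, fix trust (TLS_CACERT pointing at the issuing CA, or the CA added to the system store) rather than lowering ldap_tls_certifacte_check to LDAP_OPT_X_TLS_NEVER: the latter makes the synchronization "work" by accepting any certificate, including one from a host impersonating the DC to harvest the bind password.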