pondersource / nextcloud-mfa-awareness

Make Nextcloud aware of whether the current user is logged in with Multi-Factor Authentication
MIT License

Configure gss leader + follower in Docker compose #8

Closed michielbdejong closed 1 year ago

michielbdejong commented 1 year ago

@navid-dada says this is working already, but I got an error last time I tried. Will check again to reproduce.

michielbdejong commented 1 year ago

Just tested this with the latest main branch, and this is what you see when user Admin logs in to the gss master:

[Screenshot, 2022-10-27 at 13:45:03]

michielbdejong commented 1 year ago

The gss master is configured to take the user discovery from SAML, so this is blocked on #18.

mrvahedi68 commented 1 year ago

From what I read about GSS configuration, we need to have a lookup server that all nodes have in their configuration files. Something like this: `'lookup_server' => 'URL_TO_LOOKUPSERVER'`

and the lookup server is a database of users with some APIs.

In this line, GSS asks the lookup server for the user:

https://github.com/nextcloud/globalsiteselector/blob/03b191361014fad6b5c580376935ebdb35990270/lib/Master.php#L155

mrvahedi68 commented 1 year ago

Here is the lookup server:

https://github.com/nextcloud/lookup-server

michielbdejong commented 1 year ago

> we need to have a lookup server

Hm, isn't that dealt with by #6?

michielbdejong commented 1 year ago

https://github.com/nextcloud/globalsiteselector says:

> In "master" mode the server will query the lookup-server for the user's location and redirect the user to the right Nextcloud server. [...]

```php
// define a class which will be used to decide on which server a user should be
// provisioned in case the lookup server doesn't know the user yet.
// Note: That this will create a user account on a global scale node for every user
// so make sure that the Global Site Selector has verified if it is a valid user before.
// The user discovery module might require additional config parameters you can find in
// the documentation of the module
'gss.user.discovery.module' => '\OCA\GlobalSiteSelector\UserDiscoveryModules\UserDiscoverySAML',
```

michielbdejong commented 1 year ago

We have a user discovery module configured in https://github.com/pondersource/nextcloud-mfa-awareness/blob/97a1435/servers/sunet-nextcloud/init-nc1-gss-master.sh#L17 so I don't think we need a lookup server?

michielbdejong commented 1 year ago

So far, so good:

[Screenshot, 2022-10-28 at 16:13:19]

michielbdejong commented 1 year ago

Yay, it's working :)

shokri-navid commented 1 year ago

The SAML IdP is working and we are redirecting from the leader or follower Nextcloud node to the IdP server. The login process is also OK, but when the user is redirected to the leader Nextcloud we are encountering this error:

Could not find a location for user: user1

I took a look at https://github.com/nextcloud/globalsiteselector/blob/03b191361014fad6b5c580376935ebdb35990270/lib/Master.php#L155 and found that the GSS needs one of these two options to find the location of the user:

I will try to enable one of them.

michielbdejong commented 1 year ago

Ha, that's because you misspelled the username :) It's "usr1", not "user1". See https://github.com/pondersource/nextcloud-mfa-awareness/blob/9c51370/servers/setup-gss.sh#L77 I wonder why the SAML server let you log in with that username though... Or are you diverging from the setup-gss.sh script? If so, let's see how we can fix your setup so you can run the script properly. I'll ping you on Slack!

michielbdejong commented 1 year ago

Ah, it's because of `'gss.user.discovery.module' => 'OCAGlobalSiteSelectorUserDiscoveryModulesUserDiscoverySAML',` in sunet-nc1:/var/www/html/config/config.php.

Apparently the slashes are still not properly escaped in https://github.com/pondersource/nextcloud-mfa-awareness/blob/0655f1b/servers/sunet-nextcloud/init-nc1-gss-leader.sh#L17
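The stripped class name above is what you get when a backslash-containing value is passed through a nested shell without quoting. The following is an added example written for this thread, not code from the nextcloud-mfa-awareness repository or its init scripts (whose exact quoting I have not reproduced here); it assumes the setup script hands the value to an inner shell, as `docker exec ... sh -c "php occ config:system:set ..."` would, and uses `printf` as a stand-in for the inner `php occ` call so it runs without Nextcloud:

```sh
#!/bin/sh
# Added example, not part of nextcloud-mfa-awareness or the Global Site Selector app.
# Shows how '\OCA\...' becomes 'OCA...' when spliced unquoted into a nested shell
# command, and two ways to keep the backslashes. printf stands in for `php occ`.

MODULE='\OCA\GlobalSiteSelector\UserDiscoveryModules\UserDiscoverySAML'

# Wrong: the value is spliced unquoted into the inner command text. The inner
# shell treats each backslash as an escape for the next character and drops it,
# so the stored value is OCAGlobalSiteSelectorUserDiscoveryModulesUserDiscoverySAML.
value_via_unquoted_inner_shell() {
    sh -c "printf '%s\n' $MODULE"
}

# Right (1): pass the value as an argument to the inner shell rather than as part
# of the command text; "$1" is expanded once, quoted, with no escape processing.
value_via_inner_argv() {
    sh -c 'printf "%s\n" "$1"' sh "$MODULE"
}

# Right (2): if the value must live inside the command text, single-quote it for
# the inner shell. Only safe when the value itself contains no single quote.
value_via_inner_single_quotes() {
    sh -c "printf '%s\n' '$MODULE'"
}

# Post-setup check a script can run against the configured value: a PHP class
# name that lost its namespace separators has no backslash left at all.
has_backslash() {
    case "$1" in
        *\\*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration of all three paths (constructed output, nothing is written to config.php).
for f in value_via_unquoted_inner_shell value_via_inner_argv value_via_inner_single_quotes; do
    v=$($f)
    if has_backslash "$v"; then status=ok; else status=BROKEN; fi
    printf '%-32s %-7s %s\n' "$f" "$status" "$v"
done
```

Note that PHP single-quoted strings only treat `\\` and `\'` as escapes, so `'\OCA\GlobalSiteSelector\...'` in config.php is correct as written in the GSS README; the backslashes only need protecting from the shell that writes them, not from PHP.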

michielbdejong commented 1 year ago

> we are redirecting from the leader or follower next cloud node to the IDP server.

Note that redirection from a follower server only works if you run `./setup-gss.sh localhost`. If you run `./setup-gss.sh testnet` or `./setup-gss.sh example.com`, redirection from the leader will work, but from the follower will not. See "NB1" in the readme.

shokri-navid commented 1 year ago

> Ha, that's because you misspelled the username :) It's "usr1", not "user1". See https://github.com/pondersource/nextcloud-mfa-awareness/blob/9c51370/servers/setup-gss.sh#L77 I wonder why the SAML server let you log in with that username though... Or are you diverging from the setup-gss.sh script? If so, let's see how we can fix your setup so you can run the script properly. I'll ping you on Slack!

I saw that the username and password are inserted in setup-gss.sh; I got them from there.

https://github.com/pondersource/nextcloud-mfa-awareness/blob/645592e04589eb51cfcd75fbec4120ae50c8bd37/servers/setup-gss.sh#L75