sipcapture / homer-app

HOMER 7.x Front-End and API Server
http://sipcapture.io
GNU Affero General Public License v3.0

LDAP config being ignored and internal auth being used instead #451

Closed nakchak closed 2 years ago

nakchak commented 2 years ago

Just updated to the latest Docker release of homer-webapp and now LDAP auth no longer works. It appears to be looking up users with internal auth, as there is no evidence of the web app attempting to contact the LDAP server in a network capture that would have contained multiple login attempts.

Neither setting values in environment variables nor in the config file has any effect for me.

github-actions[bot] commented 2 years ago

Your report is appreciated. Please star this repository to motivate its developers! :star:

adubovikov commented 2 years ago

let us check it asap

adubovikov commented 2 years ago

@nakchak can you please pull the new image and retest? Also, please join our channel: https://matrix.to/#/#sipcapture_homer:gitter.im we will help you there in RT

nakchak commented 2 years ago

Hi, I have pulled the latest images and still get the same result.

I shall dig in a bit deeper and see if I can capture any evidence of LDAP lookups being attempted.

adubovikov commented 2 years ago

Yes, please do, and inform us once you get any input.

nakchak commented 2 years ago

@adubovikov I can confirm that I'm seeing no traffic whatsoever coming from homer to the domain controller I am using, and there is nothing in the application logs (trace level set in config) relating to the login other than a query to the users db table. The LDAP config I'm using is the same as the one I posted here: https://github.com/sipcapture/homer/issues/468#issuecomment-943139719

I have tried it with both LDAP and LDAPS ports and suitable ssl/tls/verify settings. I haven't retried it using ENV VARS to define the config values, but looking at the source, if the config file isn't working, then ENV VARS shouldn't either...

Is there a way to dump the running config values for homer-webapp? If not, it might be handy to add a --info switch to its CLI.

adubovikov commented 2 years ago

@nakchak let me add this --info to troubleshoot

adubovikov commented 2 years ago

Something like this?

```shell
./homer-app -show-current-config
```

```
MAIN_SETTINGS:

(config.HomerSettingServer) {
 MAIN_SETTINGS: (struct { IsolateQuery string "default:\"\""; IsolateGroup string "default:\"\""; UseCaptureIDInAlias bool "default:\"false\""; DefaultAuth string "default:\"internal\""; OAuth2Config oauth2.Config; GlobalToken *oauth2.Token; UserGroups []string "default:\"[admin,user,support]\"" }) {
  IsolateQuery: (string) "",
  IsolateGroup: (string) "",
  UseCaptureIDInAlias: (bool) true,
  DefaultAuth: (string) (len=8) "internal",
  OAuth2Config: (oauth2.Config) {
   ClientID: (string) (len=71) "XXXXXXXXXXXXXX",
   ClientSecret: (string) (len=35) "XXXXXXXXXXXXX",
   Endpoint: (oauth2.Endpoint) {
    AuthURL: (string) (len=41) "https://accounts.google.com/o/oauth2/auth",
    TokenURL: (string) (len=35) "https://oauth2.googleapis.com/token",
    AuthStyle: (oauth2.AuthStyle) 0
   },
   RedirectURL: (string) (len=52) "http://homer.net/api/v3/oauth2/auth/google",
   Scopes: ([]string) (len=3 cap=3) {
    (string) (len=5) "email",
    (string) (len=6) "openid",
    (string) (len=7) "profile"
   }
  },
  GlobalToken: (*oauth2.Token)(<nil>),
  UserGroups: ([]string) (len=3 cap=3) {
   (string) (len=5) "admin",
   (string) (len=4) "user",
   (string) (len=7) "support"
  }
 },
 GRAFANA_SETTINGS: (struct { URL string "default:\"http://grafana/\""; AuthKey string "default:\"\""; User string "default:\"\""; Password string "default:\"\""; Path string "default:\"/grafana\""; Enable bool "default:\"false\"" }) {
  URL: (string) (len=15) "http://grafana/",
  AuthKey: (string) "",
  User: (string) "",
  Password: (string) "",
  Path: (string) (len=8) "/grafana",
  Enable: (bool) false
 },
 TRANSACTION_SETTINGS: (struct { DedupModel string "default:\"message-ip-pair\""; GlobalDeduplicate bool "default:\"false\"" }) {
  DedupModel: (string) (len=15) "message-ip-pair",
  GlobalDeduplicate: (bool) false
 },
 DASHBOARD_SETTINGS: (struct { ExternalHomeDashboard string "default:\"\"" }) {
  ExternalHomeDashboard: (string) ""
 },
 LOG_SETTINGS: (struct { Enable bool "default:\"true\""; MaxAgeDays uint32 "default:\"7\""; RotationHours uint32 "default:\"24\""; Path string "default:\"/usr/local/homer/log\""; Level string "default:\"error\""; Name string "default:\"homer-app.log\""; Stdout bool "default:\"false\""; Json bool "default:\"true\""; SysLogLevel string "default:\"LOG_INFO\""; SysLog bool "default:\"false\""; SyslogUri string "default:\"\"" }) {
  Enable: (bool) true,
  MaxAgeDays: (uint32) 7,
  RotationHours: (uint32) 24,
  Path: (string) (len=20) "/usr/local/homer/log",
  Level: (string) (len=5) "debug",
  Name: (string) (len=13) "homer-app.log",
  Stdout: (bool) false,
  Json: (bool) true,
  SysLogLevel: (string) (len=8) "LOG_INFO",
  SysLog: (bool) false,
  SyslogUri: (string) ""
 },
 SWAGGER: (struct { Enable bool "default:\"true\""; ApiJson string "default:\"/usr/local/homer/etc/swagger.json\""; ApiHost string "default:\"127.0.0.1:9080\"" }) {
  Enable: (bool) true,
  ApiJson: (string) (len=33) "/usr/local/homer/etc/swagger.json",
  ApiHost: (string) (len=14) "127.0.0.1:9080"
 },
 DECODER_SHARK: (struct { Bin string "default:\"/usr/local/bin/tshark\""; Param string "default:\"\""; Protocols []string "default:\"\""; UID uint32 "default:\"0\""; GID uint32 "default:\"0\""; ImportNode string "default:\"\""; Enable bool "default:\"false\"" }) {
  Bin: (string) (len=21) "/usr/local/bin/tshark",
  Param: (string) "",
  Protocols: ([]string) <nil>,
  UID: (uint32) 0,
  GID: (uint32) 0,
  ImportNode: (string) "",
  Enable: (bool) false
 }
}

LDAP:

(ldap.LDAPClient) {
 Attributes: ([]string) <nil>,
 Base: (string) "",
 BindDN: (string) "",
 BindPassword: (string) "",
 GroupFilter: (string) "",
 GroupAttribute: ([]string) <nil>,
 Host: (string) "",
 ServerName: (string) "",
 UserFilter: (string) "",
 Conn: (*ldap.Conn)(<nil>),
 Port: (int) 0,
 InsecureSkipVerify: (bool) false,
 ShortGroup: (bool) false,
 ShortDNForGroup: (bool) false,
 NestedGroup: (bool) false,
 UseSSL: (bool) false,
 Anonymous: (bool) false,
 UserDN: (string) "",
 SkipTLS: (bool) false,
 AdminGroup: (string) "",
 AdminMode: (bool) false,
 UserGroup: (string) "",
 UserMode: (bool) false,
 UseDNForGroupSearch: (bool) false,
 DerefName: (string) "",
 DerefValue: (int) 0,
 SearchLimit: (int) 0,
 GroupLimit: (int) 0,
 TimeLimit: (int) 0,
 ScopeName: (string) "",
 ScopeValue: (int) 0,
 ClientCertificates: ([]tls.Certificate) <nil>
}
```

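The dump above shows the failure mode in this thread from the defender's side: the operator selected LDAP, yet every field of the loaded `ldap.LDAPClient` is zero and the app quietly authenticates against its internal user table. The following is an added Go example, not homer-app's own code: it mirrors the two dumped structs with illustrative, trimmed-down types, turns a "type is ldap but the LDAP section never loaded" condition into a start-up error instead of a silent fallback, flags settings that work but weaken the deployment, and masks secrets the way the dump masks the OAuth2 client secret (only the length survives). The field names follow the dump; the `DefaultAuth` value `"ldap"`, the validation rules, and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Illustrative mirrors of the structs printed by -show-current-config.
// These are not homer-app's own definitions; only the fields needed here.
type MainSettings struct {
	DefaultAuth string // "internal" or "ldap" (assumed values)
}

type LDAPClient struct {
	Host               string
	Port               int
	Base               string
	BindDN             string
	BindPassword       string
	UserFilter         string
	Anonymous          bool
	UseSSL             bool
	InsecureSkipVerify bool
}

type Config struct {
	Main MainSettings
	LDAP LDAPClient
}

// ValidateAuth cross-checks the selected auth type against the settings
// that were actually loaded. A config section that never reached the
// process (every LDAP field zero, as in the dump) becomes a hard error
// rather than a silent fallback to internal auth.
func ValidateAuth(cfg Config) error {
	switch strings.ToLower(cfg.Main.DefaultAuth) {
	case "internal":
		return nil
	case "ldap":
		var problems []string
		if cfg.LDAP.Host == "" {
			problems = append(problems, "host is empty")
		}
		if cfg.LDAP.Port <= 0 || cfg.LDAP.Port > 65535 {
			problems = append(problems, fmt.Sprintf("port %d is out of range", cfg.LDAP.Port))
		}
		if cfg.LDAP.Base == "" {
			problems = append(problems, "base DN is empty")
		}
		if cfg.LDAP.UserFilter == "" {
			problems = append(problems, "user filter is empty")
		}
		if !cfg.LDAP.Anonymous && (cfg.LDAP.BindDN == "" || cfg.LDAP.BindPassword == "") {
			problems = append(problems, "bind DN/password missing and anonymous bind not enabled")
		}
		if len(problems) > 0 {
			return fmt.Errorf("auth type %q selected but LDAP settings are unusable: %s",
				cfg.Main.DefaultAuth, strings.Join(problems, "; "))
		}
		return nil
	default:
		return fmt.Errorf("unknown auth type %q", cfg.Main.DefaultAuth)
	}
}

// Warnings lists settings that are usable but weaken the deployment; the
// caller decides whether to log them or refuse to start.
func Warnings(cfg Config) []string {
	var w []string
	if strings.ToLower(cfg.Main.DefaultAuth) != "ldap" {
		return w
	}
	if cfg.LDAP.UseSSL && cfg.LDAP.InsecureSkipVerify {
		w = append(w, "LDAPS enabled but server certificate verification is disabled")
	}
	return w
}

// RedactSecret renders a secret for a config dump the way the OAuth2 client
// secret is rendered above: the length is kept, the value is masked, so
// the output can be pasted into a bug report.
func RedactSecret(s string) string {
	if s == "" {
		return `""`
	}
	return fmt.Sprintf("(len=%d) %q", len(s), strings.Repeat("X", 8))
}

func main() {
	// Constructed sample: auth type "ldap" selected, LDAP section not loaded.
	broken := Config{Main: MainSettings{DefaultAuth: "ldap"}}
	fmt.Println("broken:", ValidateAuth(broken))

	// Constructed sample of a complete LDAPS configuration (values are made up).
	good := Config{
		Main: MainSettings{DefaultAuth: "ldap"},
		LDAP: LDAPClient{Host: "ldap.example.internal", Port: 636, Base: "dc=example,dc=internal",
			BindDN: "cn=homer,ou=svc,dc=example,dc=internal", BindPassword: "s3cret",
			UserFilter: "(uid=%s)", UseSSL: true},
	}
	fmt.Println("good:", ValidateAuth(good), Warnings(good))
	fmt.Println("BindPassword:", RedactSecret(good.LDAP.BindPassword))
}
```

Run such a check once at start-up, before the HTTP listener opens, so a lost or mis-keyed LDAP section fails loudly in the logs instead of surfacing only as login failures that never reach the directory server.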
gedia commented 2 years ago

I'm also having the same trouble. Capturing on the LDAP proxy shows no traffic from the homer-app host. This concerns the latest version, 1.4.22.

It seemed to be working fine up to 1.4.18, haven't tested the versions in between.

I guess the 1.4.22 version's binary doesn't support the '-show-current-config' flag?

adubovikov commented 2 years ago

Weird, let me release a new package and you guys can retest. Sorry about it.

gedia commented 2 years ago

Hmm, I just noticed some LDAP traffic flowing over, but not when I try to log in (which fails)... Do you do any sssd-style caching/enumeration from LDAP, or should there be a request at every auth attempt?

adubovikov commented 2 years ago

So, I found the issue, sorry about it. The new version, 1.4.33, is coming. It also has OAuth2 support. Just FYI!

gedia commented 2 years ago

Thanks! Just to clarify on the new ldap settings, do the groups defined in auth_settings.user_groups need to be the same as the ldap_config.admingroup and ldap_config.usergroup values? Or is auth_settings.user_groups ignored when auth_settings.type == "ldap"?

gedia commented 2 years ago

I can confirm ldap login now works with 1.4.23

adubovikov commented 2 years ago

@nakchak can you please confirm it?

lmangani commented 2 years ago

Thanks @adubovikov 🥇

adubovikov commented 2 years ago

@nakchak I will close the ticket; please reopen it if needed.

nakchak commented 2 years ago

Apologies for late reply, I've been on paternity leave and not monitoring email.

I have pulled the latest changes and can now see LDAP traffic and the running config (thanks so much for adding that, it really helps :-) ). I had to add group attributes to my running config, but other than that it works perfectly again.

adubovikov commented 2 years ago

thank you for the bug report!