Closed quenenni closed 11 months ago
ikedas
commented
1 year ago Hi @quenenni ,
When using ldapsearch or the /usr/share/sympa/bin/sympa_test_ldap.pl script from sympa, it works well in both case and I can see the connection in our Ldap server logs.
How have you invoked sympa_test_ldap.pl ? Please show us full of the command line options you specified.
quenenni
commented
1 year ago Hello @ikedas,
Thanks for your time.
Here is the command and the result
/usr/share/sympa/bin/sympa_test_ldap.pl --filter="(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE))" --host=ldap.xxxx.school --suffix=ou=people,dc=xxxx,dc=school --bind_dn=uid=moodle,ou=services,dc=xxxx,dc=school --port=23389 --scope=sub --use_tls=starttls
host=ldap.xxxx.school suffix=ou=people,dc=xxxx,dc=school filter=(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE))
#uid=E99992,ou=people,dc=xxxx,dc=school
Total : 1sympa_test_ldap.pl without --bind_password so that no attributes of the entry are retrieved. Please try again with this option.bind_dn to retrieve the entry for the user trying login. Second, it binds as the DN of retrieved entry.
So if you successfully retrieved the entry on 1., try additionally:
sympa_test_ldap.pl --bind_dn=[user's DN] --bind_password=[user's password] --host=... --port=... --scope=sub --use_tls=starttls
and check if the binding is successful.Also, if possible, please check the log of LDAP server.
quenenni
commented
1 year ago /usr/share/sympa/bin/sympa_test_ldap.pl --filter="(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE))" --host=ldap.xxxx.school --suffix=ou=people,dc=xxxx,dc=school --bind_dn=uid=moodle,ou=services,dc=xxxx,dc=school --bind_password=xxxxxxxxxx --port=23389 --scope=sub --use_tls=startt
host=ldap.xxxx.school suffix=ou=people,dc=xxxx,dc=school filter=(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE))
#uid=E99992,ou=people,dc=xxxx,dc=school
Total : 1/usr/share/sympa/bin/sympa_test_ldap.pl --filter="(active=TRUE)" --host=ldap.xxxx.school --suffix=ou=people,dc=xxxx,dc=school --bind_dn=uid=E99992,ou=people,dc=xxxx,dc=school --bind_password=xxxxxxxxxx --port=23389 --scope=sub --use_tls=starttI had to put the --filter arg, without it, the script returns an error.
The script returns this error:
host=ldap.xxxx.school suffix=ou=people,dc=xxxx,dc=school filter=(active=TRUE)
err Sympa::DatabaseDriver::LDAP::do_operation() Unable to perform LDAP operation: No such object
Search impossible: (32) No such objectI tried also with --suffix="uid=E99992,ou=people,dc=xxxx,dc=school" and it works:
host=ldap.xxxx.school suffix=uid=E99992,ou=people,dc=xxxx,dc=school filter=(active=TRUE)
#uid=E99992,ou=people,dc=xxxx,dc=school
Total : 1The same with LdapSearch.
ldapsearch -x -H ldap://ldap.xxxx.school:23389 -D uid=E99992,ou=people,dc=xxxx,dc=school -W -b "ou=people,dc=xxxx,dc=school" -s sub "(mail=test.test92@xxxx.school)"
search: 2
result: 32 No such objectWhile this command is successful.
ldapsearch -x -H ldap://ldap.xxxx.school:23389 -D uid=E99992,ou=people,dc=xxxx,dc=school -W -b "uid=E99992,ou=people,dc=xxxx,dc=school"
And that's because of the user rights on the ´ou=people,dc=xxxx,dc=school` branch.
User can't search that branch but they can see their own ldap entry in that branch.
Is it only working if users can search the ´ou=people,dc=xxxx,dc=school´ branch?
ikedas
commented
12 months ago (Deleted)
ikedas
commented
12 months ago I was slightly mistaken. Below is the corrected reply.
- It asks me for a password when not having the bind_password param on the command line. But I did it also with bind_password as param and have the same result.
/usr/share/sympa/bin/sympa_test_ldap.pl --filter="(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE))" --host=ldap.xxxx.school --suffix=ou=people,dc=xxxx,dc=school --bind_dn=uid=moodle,ou=services,dc=xxxx,dc=school --bind_password=xxxxxxxxxx --port=23389 --scope=sub --use_tls=startthost=ldap.xxxx.school suffix=ou=people,dc=xxxx,dc=school filter=(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE)) #uid=E99992,ou=people,dc=xxxx,dc=school Total : 1
The result of this search operation is used as the user's attribute (e-mail address). Therefore, it is necessary that the bind_dn is allowed to get the entry (at least the attribute specified by email_attribute) by the ACL of the LDAP server.
/usr/share/sympa/bin/sympa_test_ldap.pl --filter="(active=TRUE)" --host=ldap.xxxx.school --suffix=ou=people,dc=xxxx,dc=school --bind_dn=uid=E99992,ou=people,dc=xxxx,dc=school --bind_password=xxxxxxxxxx --port=23389 --scope=sub --use_tls=starttI had to put the --filter arg, without it, the script returns an error.
The script returns this error:
host=ldap.xxxx.school suffix=ou=people,dc=xxxx,dc=school filter=(active=TRUE) err Sympa::DatabaseDriver::LDAP::do_operation() Unable to perform LDAP operation: No such object Search impossible: (32) No such objectI tried also with
--suffix="uid=E99992,ou=people,dc=xxxx,dc=school"and it works:host=ldap.xxxx.school suffix=uid=E99992,ou=people,dc=xxxx,dc=school filter=(active=TRUE) #uid=E99992,ou=people,dc=xxxx,dc=school Total : 1The same with LdapSearch.
ldapsearch -x -H ldap://ldap.xxxx.school:23389 -D uid=E99992,ou=people,dc=xxxx,dc=school -W -b "ou=people,dc=xxxx,dc=school" -s sub "(mail=test.test92@xxxx.school)"search: 2 result: 32 No such objectWhile this command is successful.
ldapsearch -x -H ldap://ldap.xxxx.school:23389 -D uid=E99992,ou=people,dc=xxxx,dc=school -W -b "uid=E99992,ou=people,dc=xxxx,dc=school"And that's because of the user rights on the ´ou=people,dc=xxxx,dc=school` branch.
User can't search that branch but they can see their own ldap entry in that branch.
Is it only working if users can search the ´ou=people,dc=xxxx,dc=school´ branch?
Actually, this second connection only performs the bind operation and not the search operation. According to your results, the bind operation is successful, so there is no problem on the second connection.
quenenni
commented
12 months ago Thanks for the info.
So the problem is elsewhere..
Shouldn't I see something about ldap connection in the startup logs (as show in the first post)? Even if I misconfigured my Ldap parameters, shouldn't I see something in the logs?
And the fact that the Ldap server logs doesn't show anything when starting Sympa is also strange, no?
ikedas
commented
12 months ago Sympa does not connect to the LDAP server when it starts up, nor does it stay connected all the time. As explained above, it connects and disconnects twice when authentication is requested.
quenenni
commented
11 months ago But when I try to log with an existing user, I should see an attempt in the ldap server logs.
Actual behavior
If I try to connect with a mail that exists in our Ldap, I have the error :
wwsympa[40440]: info main::do_login(test.test92@xxxx.school) [robot listes.xxxx.school] [session 45640241505289] [client 213.211.YYY.YYY]
wwsympa[40440]: err main::#1557 > main::do_login#3155 > Sympa::WWW::Auth::check_auth#62 > Sympa::WWW::Auth::authentication#214 Incorrect password for user test.test92@xxxx.school
wwsympa[40440]: notice main::do_login() Authentication failedAnd nothing happens in the ldap server logs.
ikedas
commented
11 months ago Please read my psts, The search operation in the first LDAP connection should return the attributes, however it does not,
quenenni
commented
11 months ago Sorry, I thought you didn't read well my post :)
So I understand that this answer from the ldap_test script is not good despite saying it found a result:
/usr/share/sympa/bin/sympa_test_ldap.pl --filter="(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE))" --host=ldap.xxxx.school --suffix=ou=people,dc=xxxx,dc=school --bind_dn=uid=moodle,ou=services,dc=xxxx,dc=school --port=23389 --scope=sub --use_tls=starttls
host=ldap.xxxx.school suffix=ou=people,dc=xxxx,dc=school filter=(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE))
#uid=E99992,ou=people,dc=xxxx,dc=school
Total : 1For me that was a good answer saying it found 1 user with that filter with the "bind user". But you're saying the result should show several attributes and their value in the result? Something like:
host=ldap.xxxx.school suffix=ou=people,dc=xxxx,dc=school filter=(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE))
#uid=E99992,ou=people,dc=xxxx,dc=school
mail=xxx@yyy.zz
Total : 1Sorry if it's not that, but I still don't understand what I should have as an answer and why nothing appears in the ldap server logs, not even a connection attempt, when I try to login with a ldap user.
ikedas
commented
11 months ago Sorry, I thought you didn't read well my post :)
So I understand that this answer from the ldap_test script is not good despite saying it found a result:
/usr/share/sympa/bin/sympa_test_ldap.pl --filter="(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE))" --host=ldap.xxxx.school --suffix=ou=people,dc=xxxx,dc=school --bind_dn=uid=moodle,ou=services,dc=xxxx,dc=school --port=23389 --scope=sub --use_tls=starttls host=ldap.xxxx.school suffix=ou=people,dc=xxxx,dc=school filter=(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE)) #uid=E99992,ou=people,dc=xxxx,dc=school Total : 1For me that was a good answer saying it found 1 user with that filter with the "bind user". But you're saying the result should show several attributes and their value in the result? Something like:
host=ldap.xxxx.school suffix=ou=people,dc=xxxx,dc=school filter=(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE)) #uid=E99992,ou=people,dc=xxxx,dc=school mail=xxx@yyy.zz Total : 1
Yes.
Sorry if it's not that, but I still don't understand what I should have as an answer and why nothing appears in the ldap server logs, not even a connection attempt, when I try to login with a ldap user.
About the feature of the LDAP server, please ask the administrator of that server.
quenenni
commented
11 months ago Thanks for the info.
About the feature of the LDAP server, please ask the administrator of that server.
I am the administrator of the Ldap server. Our Ldap server is working with Nextcloud / Mailcow / Gitea / Moodle / Peertube and Mattermost. We tried to add Sympa, but not possible at the moment.
The fact the a sympa_test_ldap.pl or ldapsearch command is working and we can see the connection in the Ldap server logs, but nothing appears in the Ldap logs when trying to connect in Sympa with a user from the Ldap database seems to show the problem is not my Ldap server.
I searched all I could on the net, saw sympa ldap examples, check a hundred time my config and tried different options, but not once trying to connect to Sympa showed a line in the Ldap server.
If the problem is the user rights on the branch "ou=people,dc=xxxx,dc=school", it still doens't explain why the first connection with the bind_user "uid=moodle,ou=services,dc=xxxx,dc=school" is not working either as that user has the necessary rights on that branch.
So, at this point, I'm still not sure if I have a config problem (bigger probability) or if Sympa has a problem.
I'm going to debug the script sympa_test_ldap.pl and try to see if I can understand why it doesn't get the attributes in the result.
quenenni
commented
11 months ago I found I forgot to use the '--attrs' param in the sympa_test_ldap.pl command and that's why no attributes where shown despite having a successfull connection.
/usr/share/sympa/bin/sympa_test_ldap.pl --filter="(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE))" --host=ldap.xxxx.school --suffix=ou=people,dc=xxxx,dc=school --bind_dn=uid=moodle,ou=services,dc=xxxx,dc=school --bind_password=xxxxxxxxxx --port=23389 --scope=sub --use_tls=startt --attrs=uid,mail,mailinitial
host=ldap.xxxx.school suffix=ou=people,dc=xxxx,dc=school filter=(&(|(mail=test.test92@xxxx.school)(mailinitial=test.test92@xxxx.school))(active=TRUE))
#uid=E99992,ou=people,dc=xxxx,dc=school
uid => E99992
mailinitial => test.test92@xxxx.school
mail => test.test92@xxxx.school
Total : 1The same when binding with a normal user.
/usr/share/sympa/bin/sympa_test_ldap.pl --filter="(active=TRUE)" --host=ldap.xxxx.school --suffix=uid=E99992,ou=people,dc=xxxx,dc=school --bind_dn=uid=E99992,ou=people,dc=xxxx,dc=school --bind_password=secret --port=23389 --scope=sub --use_tls=startt --attrs=uid,mail,mailinitial
host=ldap.xxxx.school suffix=uid=E99992,ou=people,dc=xxxx,dc=school filter=(active=TRUE)
#uid=E99992,ou=people,dc=xxxx,dc=school
uid => E99992
mail => test.test92@xxxx.school
mailinitial => test.test92@xxxx.school
Total : 1I think I found the problem.
When trying to connect with a user, I found this in the sympa logs:
debug2 Sympa::Database::new(Sympa::Database, LDAP)
2023-10-13T15:45:00.373311+02:00 listes wwsympa[906]: debug3 Sympa::Database::connect(Sympa::DatabaseDriver::LDAP <bind_dn=uid=moodle,ou=services,dc=xxxx,dc=school;host=ldap://192.168.6.101:389;ssl_version=tlsv1_2;timeout=30;use_tls=starttls>)
2023-10-13T15:45:03.425041+02:00 listes wwsympa[906]: err main::#1557 > main::do_login#3094 > main::is_ldap_user#3775 > Sympa::Database::connect#153 > (eval)#153 > Sympa::DatabaseDriver::LDAP::_connect#125 Unable to connect to the LDAP server ldap://192.168.6.101:389: No route to host
2023-10-13T15:45:03.425585+02:00 listes wwsympa[906]: err main::#1557 > main::do_login#3094 > main::is_ldap_user#3775 > Sympa::Database::connect#157 Can't connect to Database Sympa::DatabaseDriver::LDAP <bind_dn=uid=moodle,ou=services,dc=xxxx,dc=school;host=ldap://192.168.6.101:389;ssl_version=tlsv1_2;timeout=30;use_tls=starttls>:
2023-10-13T15:45:03.425856+02:00 listes wwsympa[906]: err main::#1557 > main::do_login#3094 > main::is_ldap_user#3777 Unable to connect to the LDAP server "192.168.6.101:389"In my auth.conf file, I have this option:
host ldap.xxxx.school:23389So the ldap://192.168.6.101:389 is wrong.
I tried to find where Sympa could have this address but couldn't find it. This address was an address used at the beginning but changed to ldap.xxx.school:23389 for a while.
I restarted every Sympa service, but no change
systemctl restart sympa-task_manager
systemctl restart sympasoap
systemctl restart sympa-bulk
systemctl restart sympa-bounced
systemctl restart sympa-archived
systemctl restart sympaAny idea why Sympa is not using the host option from auth.conf ?
ikedas
commented
11 months ago How about grep-ing all the files under /etc/sympa ?
ikedas
commented
11 months ago Why don't you restart wwsympa and HTTP server?
quenenni
commented
11 months ago I found the problem last Friday and you're 100% right.
The problem I had is that a systemctl restart sympa doesn't refresh the config file and thus doesn't take into account the modifications.
It was the systemctl restart wwsympa that fixed my auth.conf problem.
And that's why I became crazy because nothing was logical.
The same for options added into sympa.conf.
I added log_level and by just restarting sympa, several sub services were still using ther old value of log_level.
I feel that's something that could be improved
Either have sympa.service refreshing the config options on restart/reload or have somethiong like a sympa_all.service that restart/reload all services / sub services.
But the way it's done now brings confusion.
Thanks again for your help. Much appreciated.
Version
Debian: 12.1 (new install) Sympa 6.2.70
Installation method
Deb package
Expected behavior
We have several Sympa instances working nicely. On this new one, we would like to connect to our Ldap server, but whatever I'm trying, not once I saw a connection attempt from Sympa to our Ldap server. I tried lots of configurations found on the net and the official doc from Sympa without luck.
Actual behavior
If I try to connect with a mail that exists in our Ldap, I have the error :
If I try to connect with an Uid instead of a mail, I have this error:
This is the only time I see something about Ldap in the sympa logs, but in the case of an Uid, it shouldn't use LDAP as the "regexp" value doesn't include the Uid format.
And not one connection since my first try to the ldap server
It's like Sympa doesn't take into account our Ldap configuration
Additional information
Here is my auth.conf file:
Whatever configuration I tried, I never saw a connection attempt from Sympa in the Ldap server logs.
When using ldapsearch or the /usr/share/sympa/bin/sympa_test_ldap.pl script from sympa, it works well in both case and I can see the connection in our Ldap server logs.
Here you can find the logs when starting Sympa:
Nothing about Ldap in the starting logs. I feel that's already saying something.
I searched if I had to install specific things in order to have Ldap working, but from what I gather, I'd say no.
Any idea what I'm missing?