thorin / redmine_ldap_sync

[UNMAINTAINED] A redmine plugin to synchronize both users and groups with an ldap server
http://www.redmine.org/plugins/redmine_ldap_sync
GNU General Public License v3.0

Help with Account disabled test and Open LDAP(Novell) #56

Closed cforce closed 11 years ago

cforce commented 11 years ago

In our user entry we have an attribute "loginDisabled" = "true" or "lockedByIntruder" = true if the account is locked.

How to use this with the plugin?

thorin commented 11 years ago

The plugin only allows using one of those attributes.

You can set:

Account control flags: loginDisabled
Account disabled test: flags == 'true'

cforce commented 11 years ago

I did exactly what you said, but my accounts still don't get unlocked, although the flag is false. Is it one way?

thorin commented 11 years ago

Yes, it is one way on purpose. The idea is that one might need to lock one account on redmine but not on LDAP.

If it comes in handy to you that the plugin also unlocks the users, I could try to make it configurable.

cforce commented 11 years ago

Normally the user shouldn't be able to login if ldap has the account disabled, because every login queries ldap for auth. But however, if such a feature exists it is useful to be able to revert it. Imagine there is any bug with this switching and you have to manually (or by sql) unlock 1000 users. It would be useful to have a switch for the rake task to be able to also unlock again.

Tx in advance.

thorin commented 11 years ago

Done, it should work as suggested.

cforce commented 11 years ago

Please reopen this issue. My users still get locked although the account flag "loginDisabled" is set to FALSE in ldap and I configured "Account disabled test" set to "flags == 'TRUE'"

Could it be a bug and the cause is that the flag name in the config does not match the ldap flag? The names are identical but not case sensitive.

ldap: "loginDisabled", plugin's config: "logindisabled"

I can't get the "D" uppercase, the plugin always changes all to lowercase when saving the form.

thorin commented 11 years ago

Regarding the attributes, LDAP is case insensitive.

You can try the following: flags.to_s.downcase == 'true'

I'm not sure what the type of the flags is in your case. If it is a boolean this solution might work. If it is a string, it will do no harm.

cforce commented 11 years ago

I didn't mean that the case of the flag value might be the problem, but the name of the flag, which the plugin always reformats to all lowercase, while the ldap flag name has an uppercase "D" in loginDisabled.

cforce commented 11 years ago

flags.to_s.downcase == 'true' doesn't help by the way. The user gets locked again. Is there any debug where I can see how the expression is evaluated, to trace the problem?

I think loginDisabled is of type boolean, because I get a drop down with TRUE or FALSE in my ldap client.

thorin commented 11 years ago

I believe the problem is in the value of the flags variable. If ldap_sync doesn't find the attribute, the method account_disabled? returns false. The only way for it to return true is for the account_disabled_test to return true.

You can try to use the following value:

Rails.logger.error('!!!Flags: ' + flags.inspect); flags.to_s.downcase == 'true'

And then look at the logs to see what the value of flags is.

If Rails is not captured by the lambda, it might throw an error and do nothing.

cforce commented 11 years ago

Sorry, where shall I put this log message exactly? Need some more hints..

thorin commented 11 years ago

On the plugin's configuration page, set it as the value of the "Account disabled test".

Account disabled test = Rails.logger.error('!!!Flags: ' + flags.inspect); flags.to_s.downcase == 'true'

thorin commented 11 years ago

If this is not enough, place some puts in auth_source_ldap_patch.rb and try the rake task again:

      find_all_users(ldap_con, [:login, :account_flags]) do |entry|
        if account_disabled?(entry[:account_flags])
          puts "!!!User: #{entry.inspect} disabled"
          users[:disabled] << entry[:login]
        else
          puts "!!!User: #{entry.inspect} enabled"
          users[:enabled] << entry[:login]
        end
      end
    end

cforce commented 11 years ago

rake redmine:plugins:redmine_ldap_sync:sync_users RAILS_ENV=production

Synchronizing AuthSource ldap...
-- Locked user '00001276'
-- Updating user '00000960'... -> 34 groups added

--- LOG --- !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "TRUE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "TRUE" !!!Flags: 
"FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE" !!!Flags: "FALSE"

cforce commented 11 years ago

I added new debug code into the class also, but it only puts the disabled users, and what is very strange is that the users getting disabled are not also put as regular log messages; there only user 00001276 is logged as "Locked" and one as updated. I don't understand this. I thought Locking = disabled, am I wrong? The user marked as Updated gets updated all the time, even if I call this rake task in an endless loop, although the user doesn't change; that's strange also.

user@dev-infomine:~/DevMine_WK/infomine-2.2> rake redmine:plugins:redmine_ldap_sync:sync_users RAILS_ENV=production

Synchronizing AuthSource ldap...
!!!User: {:user_memberid=>"cn=00136502,ou=SPCxx,ou=S,o=D", :account_flags=>"TRUE", :login=>"00136502", :groupname=>"00136502"} disabled
!!!User: {:user_memberid=>"cn=21001138,ou=Testuser,ou=S,o=D", :account_flags=>"TRUE", :login=>"21001138", :groupname=>"21001138"} disabled
-- Locked user '00001276'
-- Updating user '00000960'... -> 34 groups added
Synchronizing AuthSource replic...
user@dev-infomine:~/DevMine_WK/infomine-2.2>

thorin commented 11 years ago

Ok, so the correct expression for the test is flags == 'TRUE'. (the value is a string with uppercase letters)

If it is locking the users regardless of the expression there must be a bug somewhere else. On the plugin configuration, do you have something on "Users must be member of"?

cforce commented 11 years ago

[screenshot: Zwischenablage01.jpg]

thorin commented 11 years ago

The default behaviour is that for every found user it shows either nothing or one of the 3 messages in the following situations:

Try to run the rake task as the following to see if it unlocks the users: rake redmine:plugins:redmine_ldap_sync:sync_users ACTIVATE_USERS=1 RAILS_ENV=production

User '00000960' shows up always because it is not being locked. Most probably you have only seen the "-> 34 groups added" message once.

cforce commented 11 years ago

I set the disable rule to "Rails.logger.error('!!!Flags: ' + flags.inspect); flags.to_s.downcase == 'TRUE'"

and then executed "rake redmine:plugins:redmine_ldap_sync:sync_users ACTIVATE_USERS=1 RAILS_ENV=production"

user@dev-infomine:~/DevMine_WK/infomine-2.2> rake redmine:plugins:redmine_ldap_sync:sync_users ACTIVATE_USERS=1 RAILS_ENV=production

Synchronizing AuthSource ldap...
-- Locked user '00001276'
-- Updating user '00000960'... -> 34 groups added
Synchronizing AuthSource replic...
user@dev-infomine:~/DevMine_WK/infomine-2.2>


Does not work. ;/

cforce commented 11 years ago

Something is very strange here. All the time it is doing the same thing: locking user 1276, updating user 960 and adding 34 groups .. Looks like it is running in dry mode all the same - lol

thorin commented 11 years ago

You have a quite strange redmine environment... it's like it was rolling back the changes every time.

You are using the latest version of the branch master, aren't you?

thorin commented 11 years ago

If you have disabled the "Create groups" option it's possible for you to get that "-> 34 groups" all the time. The reason is that it finds 34 groups to which the user doesn't belong, but since it cannot create them it ends up not adding the user to those groups.

thorin commented 11 years ago

User '00001276' might be getting locked every time (without success) if it is invalid. For example, if you added a new required custom field or it is missing the firstname/lastname/email.

You can confirm this by trying to edit the user '00001276' on redmine.

(Later I'll try to fix these two problems)

thorin commented 11 years ago

Just make sure of the following:

And run rake redmine:plugins:redmine_ldap_sync:sync_users ACTIVATE_USERS=1 RAILS_ENV=production

Your plugin configuration looks good.

cforce commented 11 years ago

Maybe the groups are not added because I didn't set the flag "create groups", which is ok, because I don't want to create groups, only to sync group membership in redmine like in ldap for groups and users existing in redmine. The log message is misleading, and shall not appear if the flag "create groups" is not set. In my case, if group membership is synced on the redmine side, it shall be named "Updates group membership"; if not, this is part of the "update user" process. Now I use https://github.com/thorin/redmine_ldap_sync.git 'master' on redmine 2.2.2 stable. The only difference is that I use another net-ldap gem, gem "net-ldap-1", "~> 0.4.0", because of https://github.com/thorin/redmine_ldap_sync/issues/49. I just noticed the security issue and fell back to the standard gem; hopefully I don't run into the utf8 problem again.

thorin commented 11 years ago

So, both with master, flags = 'TRUE' and ACTIVATE_USERS=1 it doesn't unlock the users, right?

Sorry to insist, but after so many tests it's not clear to me if you already tried with these settings.

cforce commented 11 years ago

Ok, I removed and gem-uninstalled net-ldap-1 and ran into the utf8 bug again. I fixed the standard 0.31 gem manually with https://github.com/ruby-ldap/ruby-net-ldap/pull/44/files and got rid of this bug.

Now I have exactly the master (just did a clean clone), "flags = 'TRUE'" and called "rake redmine:plugins:redmine_ldap_sync:sync_users ACTIVATE_USERS=1 RAILS_ENV=production"

My user for example, which is "0001276", and many other users get locked again, and I don't know why.

The ldap fields for this user exist in the ldap server and are well set:

cn (uid), mail, givenName (first name), sn (last name) and loginDisabled

Users don't get unlocked in redmine if already locked, and get locked if not locked, after I execute "rake redmine:plugins:redmine_ldap_sync:sync_users ACTIVATE_USERS=1 RAILS_ENV=production"

Why does for example the user 00001276 get locked if none of the "puts" before prints out this user id ?????

See debug code:

      find_all_users(ldap_con, [:login, :account_flags]) do |entry|
        if account_disabled?(entry[:account_flags])
          puts "!!!User: #{entry.inspect} disabled"
          users[:disabled] << entry[:login]

(def ldap users) !=

My summary: 1.) The cause for the above fact is not the account_disabled flag

thorin commented 11 years ago

You have some good questions. :)

The answer has to be where we are not looking:

 users_on_local    = self.users.active.map {|u| u.login.downcase }
 users_on_ldap     = users.values.sum.map(&:downcase)
 users[:disabled]  += users_on_local - users_on_ldap

This disables all the users that belong to the current authentication source if they were not found on ldap.

Do you have two authentication sources with colliding users? [review: this question doesn't make much sense. When locking the users, it only locks the ones that belong to the current auth source]

thorin commented 11 years ago

To help understand what's happening you can add some puts after those lines:

 users_on_local    = self.users.active.map {|u| u.login.downcase }
 users_on_ldap     = users.values.sum.map(&:downcase)
 users[:disabled]  += users_on_local - users_on_ldap
 puts "local users = #{users_on_local.inspect}"
 puts "ldap users = #{users_on_ldap.inspect}"
 puts "users = #{users.inspect}"

It will show the final list of enabled and disabled users, before it starts locking them.

cforce commented 11 years ago

I have two ldap sources defined and use only one. The ldap_sync config also has only one activated; maybe you shall check this flag and not include non-activated auth sources in any data retrieval. Beyond that I don't have any more auth sources than the internal redmine base, which makes 3.

I removed the second ldap source, but error remains.

cforce commented 11 years ago

select distinct auth_source_id from users; returns 0 and 1
select distinct status from users; returns 0 and 1 and 3

select status, count(status) from users group by status (What is this value?)

status | count
0 | 1
1 | 60
3 | 247

cforce commented 11 years ago

active, locked, registered - what is what, something to do with the problems?

thorin commented 11 years ago

STATUS_ANONYMOUS = 0
STATUS_ACTIVE = 1
STATUS_LOCKED = 3

cforce commented 11 years ago

Ok, all ldap users got locked by the task, only redmine internal users are still active

thorin commented 11 years ago

The plugin takes into account the activated flag. If an auth_source isn't active it doesn't touch it. All the user locking, unlocking, update is done only on users associated to active auth_sources.

Can you include those puts I sent you before?

 users_on_local    = self.users.active.map {|u| u.login.downcase }
 users_on_ldap     = users.values.sum.map(&:downcase)
 users[:disabled]  += users_on_local - users_on_ldap
 puts "local users = #{users_on_local.inspect}"
 puts "ldap users = #{users_on_ldap.inspect}"
 puts "users = #{users.inspect}"

thorin commented 11 years ago

How do you have your authentication source configured? Have you made any recent changes?

Have you added a filter (user_filter)? Have you changed the base dn?

cforce commented 11 years ago

[screenshot: Zwischenablage01]

cforce commented 11 years ago

I inserted the debug code:

 puts "local users = #{users_on_local.inspect}"
 puts "ldap users = #{users_on_ldap.inspect}"
 puts "users = #{users.inspect}"

For the example user 1276, which gets locked, it looks like this:

local users = ["00001276",....]
ldap users = not included <<---------------- This is strange!
users = {:enabled=>#<Set: {"00001276",....} <<---------------- so it's enabled, why is it locked then???

cforce commented 11 years ago

So why is it not in the ldap list? I inserted debug code again and found out that user 1276 is not listed in the users var after the find_all_users() method.

thorin commented 11 years ago

Was it both on :enabled and on :disabled? There's an issue I wasn't able to solve that might be related: #27

cforce commented 11 years ago

the find_all_users() method does not return this user, so neither activated or deactivated

cforce commented 11 years ago

But I don't use this field, "Must be member of", see my above screenshots from the plugin's settings.

https://github.com/thorin/redmine_ldap_sync/issues/56#issuecomment-13535983

thorin commented 11 years ago

I've seen it... but he also had a problem with the locking of users that were enabled.

thorin commented 11 years ago

What do you mean with "ldap users = not included"? Was that the exact message?

thorin commented 11 years ago

I've done one more change to see if it solves it.

If not, I would give it some time and see if I can come up with an explanation.

Just one question. Do the users only get locked when you have account control flags and account disabled test?

Thank you for your patience

cforce commented 11 years ago

What do you mean with "ldap users = not included"?

No, I just want to say that the user id value is not in the set/array

I've done one more change to see if it solves it.

Sadly, it's not solved by the change.

Just one question. Do the users only get locked when you have account control flags and account disabled test?

I don't understand, not having both set doesn't make any sense to me. How shall the plugin know the name of the flag if not set, and how does it check the flag if the condition is not set? Are there defaults? In my case none of any defaults would match, does it? So both have to be set, or nothing, if I don't want the disability to be tested.

cforce commented 11 years ago

You have to check find_all_users(); something filters out or does not query correctly, so that users don't get retrieved completely.

cforce commented 11 years ago

Maybe the user class? The attribute name is objectClass and a user has many values, e.g. organizationalPerson, which I set in the plugin's settings. Maybe the filter only queries one value or something like this?

thorin commented 11 years ago

My question was, assuming you were using the plugin before, if the users only started to get locked once you configured the account control flags and the account disabled test. Without those configurations the plugin is designed to only lock users that were removed from ldap.

So far, the information I have been able to gather is a bit confusing. If the user 00001276 is on users_on_local and is not on users_on_ldap then it shouldn't be on users[:enabled].

# get all active users on current auth source
users_on_local    = self.users.active.map {|u| u.login.downcase }
# get all users both on :enabled and :disabled
users_on_ldap     = users.values.sum.map(&:downcase)
# removes from the local users, those that were found on ldap and add them to the disabled users
users[:disabled]  += users_on_local - users_on_ldap

According to the information that you have given me, this code is not doing what is expected. The user was on users[:enabled] but it wasn't on users_on_ldap. But later it shows up on users[:disabled], because the message "-- Locked user '00001276'" is printed.


You can try with any of the objectClasses. But if all your users belong to the objectClass organizationalPerson, that setting is fine.
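To make the two mechanisms discussed in this thread concrete (the "Account disabled test" expression evaluated over the flags value, and the users_on_local - users_on_ldap diff that locks everyone the LDAP search did not return), here is an added, self-contained Ruby model. It is not the plugin's own code: build_disabled_test, classify and the sample entries are constructed for illustration, and compiling the configured expression into a one-argument lambda is an assumption about how the plugin does it.

```ruby
require 'set'

# Constructed sample data (not from the thread's real directory): what the
# LDAP search returned, and which local logins of this auth source are active.
SAMPLE_LDAP = [
  { login: '00000960', account_flags: 'FALSE' },
  { login: '00136502', account_flags: 'TRUE'  },
  { login: 'Tester1',  account_flags: 'FALSE' }   # mixed case on the LDAP side
].freeze
SAMPLE_LOCAL = %w[00000960 00001276 00136502 tester1].freeze

# The configured "Account disabled test" is evaluated as Ruby with one free
# variable, +flags+ (an assumption about how the plugin compiles it). The
# expression is administrator-supplied configuration that runs as code, so
# only Redmine administrators may edit it.
def build_disabled_test(expression)
  eval("lambda { |flags| #{expression} }")
end

# As described in the thread: a missing attribute is never "disabled";
# only the configured test can return true.
def account_disabled?(flags, test)
  return false if flags.nil?
  test.call(flags) ? true : false
end

# One synchronization pass. Users the LDAP search did not return at all are
# added to :disabled regardless of any flag, which is the path that locked
# user 00001276 in the thread. Logins are compared case-insensitively.
def classify(ldap_entries, local_active, test)
  users = { enabled: Set.new, disabled: Set.new }
  ldap_entries.each do |entry|
    bucket = account_disabled?(entry[:account_flags], test) ? :disabled : :enabled
    users[bucket] << entry[:login]
  end
  users_on_local = local_active.map(&:downcase)
  users_on_ldap  = users.values.inject(:+).map(&:downcase)   # union of both sets
  users[:disabled] += users_on_local - users_on_ldap
  users
end

if __FILE__ == $PROGRAM_NAME
  ["flags == 'TRUE'", "flags == 'true'", "flags.to_s.downcase == 'true'"].each do |expr|
    result = classify(SAMPLE_LDAP, SAMPLE_LOCAL, build_disabled_test(expr))
    puts "#{expr.ljust(32)} disabled=#{result[:disabled].to_a.sort.inspect}"
  end
end
```

Running it shows that flags == 'true' never matches the string "TRUE", that flags.to_s.downcase == 'true' handles both the string and a boolean, and that 00001276 lands in :disabled under every expression because it is absent from the LDAP result, not because of its flag.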

thorin commented 11 years ago

I've fixed the two previous problems and added some trace messages to have more details of what's happening underneath the synchronization.