tykeal / ep_ldapauth

(Up for adoption) LDAP authentication plugin for Etherpad-lite
GNU General Public License v2.0

Authentication not working #2

Closed teon closed 10 years ago

teon commented 11 years ago

Hi there,

I've configured according to the documentation (I have all my internal services working on LDAP so the ldap server is not a problem for sure), and I have the following error in logs:

[2013-09-01 12:26:12.252] [DEBUG] console - ep_ldapauth.authorize
[2013-09-01 12:26:12.252] [DEBUG] console - ep_ldapauth.authorize: no username in user object
[2013-09-01 12:26:12.252] [DEBUG] console - ep_ldapauth.authenticate
[2013-09-01 12:26:12.517] [ERROR] console - ep_ldapauth.authenticate: LDAP auth error: ConnectionError: ldaps://ldap.******.net:1636 closed closed

Any ideas why? Is my configuration ok, when I have a non standard port (ldaps://ldap.**.net:1636)?

tykeal commented 11 years ago

Sounds like there isn't a username being passed around.

You should have something like the following in your configuration:

"accountPattern": "(&(objectClass=*)(uid={{username}}))",

the {{username}} really is literal! That's used as a replacement holder for the actual username that is requested by the browser! If your LDAP isn't using uid for storing the username make sure you change that accordingly as well.

-Andy-
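As an added illustration of the placeholder mechanism described above (this is not ep_ldapauth's own code), the snippet below shows how a configured accountPattern with a literal {{username}} is turned into the LDAP search filter, and why the substituted value must be escaped per RFC 4515 so that characters in a submitted username cannot alter the filter structure. The function names and the sample patterns are assumptions for illustration; an empty or missing username yields null, corresponding to the "no username in user object" condition seen in the logs.

```javascript
// Added example, not the plugin's code: expanding an accountPattern template.
// buildAccountFilter / escapeLdapFilterValue are hypothetical helper names.

// RFC 4515 filter-value escaping. Without this, these characters would be
// interpreted as filter syntax instead of being matched as literal text.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return '\\' + hex;
  });
}

// Replace every literal {{username}} placeholder in the configured pattern
// with the escaped username. Only the value is escaped; the pattern's own
// wildcard in (objectClass=*) is left as the administrator wrote it.
// Returns null when no username is available, rather than searching with "".
function buildAccountFilter(accountPattern, username) {
  if (typeof username !== 'string' || username.length === 0) {
    return null;
  }
  const safe = escapeLdapFilterValue(username);
  return accountPattern.replace(/\{\{username\}\}/g, safe);
}

// Constructed sample patterns: the uid variant from the reply above and the
// cn variant used by directories that key accounts on cn instead of uid.
const UID_PATTERN = '(&(objectClass=*)(uid={{username}}))';
const CN_PATTERN = '(&(objectClass=*)(cn={{username}}))';
```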

teon commented 11 years ago

I have configured accountPattern like every other system I use internally, like this:

"accountPattern": "(&(objectClass=*)(cn={{username}}))",

We use cn not uid. And it doesn't work...

tykeal commented 11 years ago

Are you getting prompted for a username and password?

If you aren't, make sure you set

"requireAuthentication": true

Please note that you do NOT want "requireAuthorization" to be true. Doing that will effectively force everyone that uses the system to have to be an administrator.

teon commented 11 years ago

Ok, I've changed "requireAuthentication" to false like so:

"requireAuthentication": false

and I got an exception, here is the log:

[2013-09-03 10:34:06.222] [DEBUG] message - from l0Rf4FsBMH98GsmP9Jx8: {"component":"pad","type":"CLIENT_READY","padId":"test","sessionID":"null","password":null,"token":"t.f7a8eBce138eMXasQ0nZ","protocolVersion":2}
[2013-09-03 10:34:06.222] [DEBUG] console - ep_ldapauth.handleMessage
[2013-09-03 10:34:06.225] [ERROR] console - TypeError: Cannot read property 'displayName' of undefined
    at Object.exports.handleMessage [as hook_fn] (/srv/notes/etherpad/git/node_modules/ep_ldapauth/ep_ldapauth.js:164:82)
    at normalizedhook (/srv/notes/etherpad/git/src/static/js/pluginfw/hooks.js:15:27)
    at hookCallWrapper (/srv/notes/etherpad/git/src/static/js/pluginfw/hooks.js:21:14)
    at /srv/notes/etherpad/git/src/static/js/pluginfw/hooks.js:88:7
    at /srv/notes/etherpad/git/src/node_modules/async/lib/async.js:185:13
    at /srv/notes/etherpad/git/src/node_modules/async/lib/async.js:86:13
    at Array.forEach (native)
    at _forEach (/srv/notes/etherpad/git/src/node_modules/async/lib/async.js:26:24)
    at async.forEach (/srv/notes/etherpad/git/src/node_modules/async/lib/async.js:85:9)
    at _asyncMap (/srv/notes/etherpad/git/src/node_modules/async/lib/async.js:184:9)
[2013-09-03 10:34:06.225] [INFO] console - graceful shutdown...
[2013-09-03 10:34:06.225] [INFO] console - db sucessfully closed.

Generally I don't understand why "requireAuthentication" should be false. I like all my users to log in (have access to pads after giving LDAP login and password), but I hope later on it will be required if you suggest it should be false.

tykeal commented 11 years ago

It's

"requireAuthentication": true

and

"requireAuthorization": false

I agree with wanting folks to login, that's why I wrote this module. I was just trying to make sure that you had the flags set properly. Ok, let's back up a bit. Can you post a scrubbed version of your users block? Re-reading your initial posting is giving me an idea that there may be something not set correctly in it.

You do have a searchDN and searchPWD set correctly? The module does not work without an account to use for looking up information as it is not built for (due to an underlying library issue) anonymous LDAP binds.

tykeal commented 11 years ago

teon,

Just checking to see if you have this working or not yet since I didn't hear back after my last post.

-tykeal-

JohnMcLear commented 10 years ago

@teon you should close this if you have this issue resolved.

tykeal commented 10 years ago

Closing for lack of follow-up after 8 months.