wekan / ldap

LDAP support for Wekan code has been moved to https://github.com/wekan/wekan/tree/master/packages/wekan-ldap , issues to https://github.com/wekan/wekan/issues , and if PRs are needed please add them instead to https://github.com/wekan/wekan/pulls
MIT License

LDAP Data synchronisation problem #58

Open apages2 opened 5 years ago

apages2 commented 5 years ago

Server Setup Information:

Problem description: I have the following configuration:

snap set wekan ldap-sync-user-data='true'
snap set wekan ldap-sync-user-data-fieldmap='{"cn":"name", "mail":"email", "initials":"initials"}'
snap set wekan ldap-sync-admin-status='true'
snap set wekan ldap-sync-admin-groups='SG_ACCES_WEKAN_ADMIN'

But the field "initials" is not updated with AD info. Error message: [DEBUG] user attribute not whitelisted: initials

Question: is it possible to synchronize another field than name and email? Example: "invitedBoards", "language" or "starredBoards"

The admin role is also not applied to the new user.

I cannot find any info on the use of the parameter ldap-sync-group-roles; is it possible to explain its use?

Best regards

xet7 commented 5 years ago

@JulianJacobi

Do you have ideas about this?

apages2 commented 5 years ago

For the whitelist problem: the error is certainly from the sync.js file:

if (syncUserData && syncUserDataFieldMap) {
  const whitelistedUserFields = ['email', 'name', 'customFields'];

Is it possible to add the fields (invitedBoards, language, initials and starredBoards) to the whitelist?

if (syncUserData && syncUserDataFieldMap) {
  const whitelistedUserFields = ['email', 'name', 'initials', 'invitedBoards', 'language', 'starredBoards', 'customFields'];

JulianJacobi commented 5 years ago

I cannot find any info on the use of the parameter ldap-sync-group-roles; is it possible to explain its use?

This option, I think, is a relic from the origin of this module. Because in Wekan there are no roles that you can sync with any LDAP groups, the usage of this option causes a server-side error. Maybe we should remove this option completely.

JulianJacobi commented 5 years ago

For the whitelist problem: the error is certainly from the sync.js file:

if (syncUserData && syncUserDataFieldMap) {
  const whitelistedUserFields = ['email', 'name', 'customFields'];

Is it possible to add the fields (invitedBoards, language, initials and starredBoards) to the whitelist?

if (syncUserData && syncUserDataFieldMap) {
  const whitelistedUserFields = ['email', 'name', 'initials', 'invitedBoards', 'language', 'starredBoards', 'customFields'];

No, it's not that easy: then you have successfully synced information from LDAP to MongoDB, and no other part of Wekan is able to use this information.

Maybe the customField option in addition to the Accounts_CustomFields option does what you want, but I have not really understood yet how this exactly works.

xet7 commented 5 years ago

Wekan will have Teams/Groups etc., so it would be good to have an option to assign an LDAP group to a Team/Department/other group: https://github.com/wekan/wekan/issues/802#issuecomment-468516881

apages2 commented 5 years ago

If we synchronize these fields to add them in MongoDB, why can't we use them?

These fields are well used:

"profile" : {
    "boardView" : "board-view-swimlanes",
    "templatesBoardId" : "eaf4eBTSxEWGarK8z",
    "cardTemplatesSwimlaneId" : "39bmFd8dWN6DpNaLm",
    "listTemplatesSwimlaneId" : "vMMFCSuSXCp3ipuvh",
    "boardTemplatesSwimlaneId" : "G5eSYund4zM2hNoiT",
    "language" : "fr",
    "starredBoards" : [ "2pQeCYkSmNG4fqMf3" ],
    "invitedBoards" : [ ]
}

apages2 commented 5 years ago

Re,

The PR (Add support for admin status sync #40): is it included in the snap package of version 2.38 of Wekan?

That would correct my problem: the admin role is also not applied to the new user.

xet7 commented 5 years ago

@apages2

Yes it's included in snap: https://github.com/wekan/wekan/blob/devel/CHANGELOG.md#v238-2019-03-06-wekan-release

I don't currently have an LDAP server, so I'm unable to test it.

Actually snap is already at v2.40.

apages2 commented 5 years ago

Hello,

For the different points:

xet7 commented 5 years ago

@apages2

Well, it depends on what custom fields you need.

Profile is just a table that is visible at Admin Panel / People. Currently there is Full Name, Email Address, etc. Those are mapped in LDAP and OIDC OAuth2 mapping like any other field currently. So adding new ones would just mean adding a new column to that table for telephone number, location, services etc. For example, I will add a new column for HTTP header to implement https://github.com/wekan/wekan/issues/2019. I have not yet added initials and verified as editable columns.

Can you write a list of what fields you need?

xet7 commented 5 years ago

@apages2

What fields do you need visible somewhere else than at the Admin Panel? For example, do you need them in a viewable or editable user profile, or visible when clicking a board member avatar?

Daniel-H76 commented 5 years ago

I can confirm that ldap-sync-admin-groups (https://github.com/wekan/wekan-ldap/pull/40) is NOT working in 2.48 too.

xet7 commented 5 years ago

@Daniel-H76

Has it worked in any Wekan version? For any Wekan user?

xet7 commented 5 years ago

In general, if it's known in what Wekan version some feature works and in what Wekan version it does not work, it's easier to fix.

Daniel-H76 commented 5 years ago

Never tried before.

xet7 commented 5 years ago

@JulianJacobi

Can you fix this?

JulianJacobi commented 5 years ago

I can't reproduce the problem. None of my running Wekan systems (dev and productive) run under snap or docker, nor are they based on fixed releases. My systems run on git master with a default Meteor installation. I had no problem at all. Especially because I'm not able to reproduce the problem in my development system, I can't fix anything.

Daniel-H76 commented 5 years ago

@JulianJacobi Maybe it's just about poor documentation of the feature. Can you share the ldap-sync configuration of your working environment?

I'm using the following config:

snap set wekan ldap-sync-admin-status='true'
snap set wekan ldap-sync-admin-groups='DL_IT'

The LDAP is Microsoft Active Directory. "DL_IT" is the cn attribute of the group. Groups are nested according to MS best practice, that means the user that needs to get admin rights is NOT a member of the "DL_IT" domain local group but a member of the "G_IT" global group, which is a member of DL_IT.

Questions: Are nested groups supported? Which LDAP attribute is used to match the group? Is it "memberof"? Does ldap-sync-admin-groups expect cn format? "memberof" lists the group in distinguished name format. Does this feature only assign admin rights during account creation, or will it also assign admin rights if group membership was added after the first Wekan login?

Daniel-H76 commented 5 years ago

Is it possible to add the fields (invitedBoards, language, initials and starredBoards) to the whitelist?

I also vote for having the possibility to sync "initials" from LDAP. They are often used in enterprises to identify employees, and currently this is the only field of a Wekan user profile that can't be synced.

JulianJacobi commented 5 years ago

Now I understand your problems, I think. The admin status sync is based on the groups found by the group search of the group filter. So you need to configure the group filter options too.

UPDATE:

I'm not sure if you need to enable the group filter, but I think so.

Daniel-H76 commented 5 years ago

Hm, I thought the group filter is used to limit the people that are allowed to log in within the given basedn?

I did not find any useful documentation or examples (?) regarding group filters, therefore I tried the following:

snap set wekan ldap-group-filter-objectclass=group
snap set wekan ldap-group-filter-group-id-attribute=cn
snap set wekan ldap-group-filter-group-member-attribute=memberof
snap set wekan ldap-group-filter-group-member-format=dn

When I set "snap set wekan ldap-group-filter-enable=true", I can no longer log in via LDAP. I tried it together with "snap set wekan ldap-group-filter-group-name=DL_IT" but was still not able to log in. Therefore I've set it to false.

But: even after adding the group filter, still no luck with assigning admin rights!

It would really be very helpful if someone could share a working configuration for LDAP with MS AD including assignment of admin rights, and maybe also answer the questions above (nested groups, member vs. memberof, group format).

This is my current setup:

default-authentication-method=ldap
ldap-authentication=true
ldap-authentication-password=password
ldap-authentication-userdn=CN=Device,OU=Service Accounts,OU=Accounts,DC=intern,DC=domain,DC=de
ldap-basedn=OU=Users,OU=Accounts,DC=intern,DC=domain,DC=de
ldap-enable=true
ldap-fullname-field=cn
ldap-group-filter-group-id-attribute=cn
ldap-group-filter-group-member-attribute=memberof
ldap-group-filter-group-member-format=dn
ldap-group-filter-objectclass=group
ldap-host=dc1.intern.domain.de
ldap-login-fallback=true
ldap-reconnect=true
ldap-sync-admin-groups=DL_IT
ldap-sync-admin-status=true
ldap-unique-identifier-field=objectguid
ldap-user-search-field=UserPrincipalName
ldap-user-search-scope=sub
ldap-username-field=givenname
ldap-group-filter-enable=false

Thanks!

n-st commented 5 years ago

It looks like https://github.com/wekan/wekan-ldap/pull/40 (which adds the admin sync feature) was closed instead of merged, so the code never made it into the repository. Is this intentional?

chirrut2 commented 5 years ago

Hi, I've the same problem, that both issues occur.

Config:

ldap-sync-user-data='true' \
ldap-sync-user-data-fieldmap='{"cn":"name", "mail":"email", "initials":"initials"}' \
ldap-sync-admin-status='true' \
ldap-sync-admin-groups='grp.app.admin.wekan' \
ldap-group-filter-enable='true' \
ldap-group-filter-objectclass='group' \
ldap-group-filter-id-attribute='cn' \
ldap-group-filter-member-attribute='member' \
ldap-group-filter-member-name='grp.app.wekan'

br, Daniel

xet7 commented 5 years ago

Just for additional info, if all users are admin now, see this new setting: LDAP_USER_AUTHENTICATION=true https://github.com/wekan/wekan/blob/devel/CHANGELOG.md#v268-2019-05-10-wekan-release

xet7 commented 5 years ago

Doh, I think I'll need to make that default setting in next Wekan release.

chirrut2 commented 5 years ago

Hi, LDAP_USER_AUTHENTICATION will enable the user to directly search the LDAP instead of a special account using ldap-authentication-userdn and ldap-authentication-password.

The current configuration:

ldap-authentication true
ldap-authentication-password <my Admin User DN pwd>
ldap-authentication-userdn CN=<my Admin User DN>,DC=at
ldap-basedn OU=<my base DN>,DC=at
ldap-enable true
ldap-fullname-field cn
ldap-group-filter-enable true
ldap-group-filter-group-id-attribute cn
ldap-group-filter-group-member-attribute memberof
ldap-group-filter-group-member-format dn
ldap-group-filter-id-attribute cn
ldap-group-filter-member-attribute sAMAccountName
ldap-group-filter-member-name grp.app.wekan
ldap-group-filter-objectclass group
ldap-host ad.example.at
ldap-log-enabled true
ldap-sync-admin-groups grp.app.admin.wekan
ldap-sync-admin-status true
ldap-sync-user-data true
ldap-sync-user-data-fieldmap '{"cn":"name", "mail":"email", "initials":"initials"}'
ldap-user-search-field sAMAccountName
ldap-username-field sAMAccountName

This config works so far, in that all found AD users are able to log in. The problem is that all users are getting ADMIN privileges because of ldap-sync-admin-groups='grp.app.admin.wekan', even if they are not part of the group in the LDAP. What I can see in the logfiles is that all users will be queried, then all groups will also be queried, but it seems that they do not get put together to see at login which user has which role assigned. For example, in JasperReports it is a similar case; I've combined it by the group search filter: <property name="groupSearchFilter" value="(&amp;(member={0})(objectClass=group))"/>

br, Daniel

xet7 commented 5 years ago

@Akuket

Can you look at this?

xet7 commented 5 years ago

@chirrut2

According to one Wekan user, if you set LDAP_SYNC_ADMIN_STATUS to "true" then you also need to specify LDAP_SYNC_ADMIN_GROUPS for which groups are admin. That way it should work as expected, also the mapping of mail/fullname/username etc.

Please test. Thanks!

chirrut2 commented 5 years ago

Hi xet7! My current configuration is as follows:

The behavior is that the function ldap-sync-admin-groups will work well. So on login the user will get the admin rights. This has also been reduced by "ldap-sync-admin-groups". If I read the debug logs correctly, the login will check that the groups are available under the basedn. That's ok for me so far. The problem seems to be that ALL groups will also be passed to the admin filter, without checking whether the login user is part of the group.

Logsnip:

May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [DEBUG] BaseDN "DC=vie,DC=example,DC=com"
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [INFO] Search result count 1
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [INFO] Authenticating "CN=Daniel DH. Hafner,OU=PowerUsers,OU=Benutzer,OU=office,DC=vie,DC=example,DC=com"
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [INFO] Authenticated "CN=Daniel DH. Hafner,OU=PowerUsers,OU=Benutzer,OU=office,DC=vie,DC=example,DC=com"
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [DEBUG] Group list filter LDAP: "(&(objectclass=group))"
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [INFO] Search result count 246
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [DEBUG] Groups: many other roles,grp.app.admin.wekan, grp.app.wekan
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [DEBUG] Group filter LDAP: "(&(objectclass=group)(cn=dbc.app.wekan))"
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [INFO] Search result count 1
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [DEBUG] Identifying user with: sAMAccountName
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [INFO] Querying user
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [DEBUG] userQuery {
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]:   "services.ldap.id": "61646d2e646861666e"
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: }
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [INFO] Logging user
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [DEBUG] Updating admin status   <<-- starting admin check
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [DEBUG] Group list filter LDAP: "(&(objectclass=group))"
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [INFO] Search result count 246
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [DEBUG] Groups: many other roles,grp.app.admin.wekan, grp.app.wekan
May 25 10:45:24 vsvwekan01 wekan.wekan[13731]: [INFO] Syncing user data

In the LDAP the user IS NOT part of the grp.app.admin.wekan group... I don't know how to match the groups which the user is memberof against the admin group. This results in: all users get admin, because in the matching all users have all groups ...

br Daniel
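Added example, not wekan-ldap code, illustrating the failure mode reported in this thread: an admin check that looks only at which groups exist in the directory grants admin to everyone, while a check against the user's own memberOf values does not. The user entry, DNs and group names are constructed; the nested-membership filter uses Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible match, which bears on the nested-group question raised earlier.

```javascript
// Added example, not wekan-ldap code: admin status decided from the user's own
// memberOf values instead of from every group the directory search returned.
// Constructed sample: the admin setting holds group CNs, memberOf holds DNs.
const ADMIN_GROUPS = ['grp.app.admin.wekan']; // like ldap-sync-admin-groups
const userEntry = {
  dn: 'CN=Daniel DH. Hafner,OU=PowerUsers,OU=office,DC=vie,DC=example,DC=com',
  memberOf: [
    'CN=grp.app.wekan,OU=Groups,DC=vie,DC=example,DC=com',
    'CN=Sales\\, EMEA,OU=Groups,DC=vie,DC=example,DC=com', // escaped comma in RDN
  ],
};
// Constructed: what the unrestricted "(&(objectclass=group))" search returns.
const allDirectoryGroups = ['grp.app.wekan', 'grp.app.admin.wekan', 'Sales, EMEA'];

// CN value of an LDAP DN (RFC 4514): split on unescaped commas, take the first
// RDN whose type is "cn" (case-insensitive), remove backslash escapes.
function cnFromDn(dn) {
  for (const rdn of dn.split(/(?<!\\),/)) {
    const eq = rdn.indexOf('=');
    if (eq !== -1 && rdn.slice(0, eq).trim().toLowerCase() === 'cn') {
      return rdn.slice(eq + 1).replace(/\\(.)/g, '$1');
    }
  }
  return null;
}

// The behaviour reported above: the admin group merely has to exist in the
// directory listing, so every user who can log in becomes admin.
function isAdminBroken(groupsFoundInDirectory, adminGroups) {
  return groupsFoundInDirectory.some((g) => adminGroups.includes(g));
}

// Membership check: intersect the *user's* memberOf CNs with the admin groups.
// Case-insensitive, as AD group names are. memberOf is not transitive, so a
// nested membership (user in G_IT, G_IT in DL_IT) is NOT found this way.
function isAdminFixed(entry, adminGroups) {
  const wanted = new Set(adminGroups.map((g) => g.toLowerCase()));
  return (entry.memberOf || []).map(cnFromDn).filter(Boolean)
    .some((cn) => wanted.has(cn.toLowerCase()));
}

// RFC 4515 escaping for any value interpolated into a search filter.
function escapeFilterValue(v) {
  return v.replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Active Directory only: LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
// lets the server resolve nested membership, so one search answers the question.
function nestedAdminFilter(userDn, groupCn) {
  return `(&(objectClass=group)(cn=${escapeFilterValue(groupCn)})` +
    `(member:1.2.840.113556.1.4.1941:=${escapeFilterValue(userDn)}))`;
}

console.log('existence check grants admin :', isAdminBroken(allDirectoryGroups, ADMIN_GROUPS)); // true
console.log('membership check grants admin:', isAdminFixed(userEntry, ADMIN_GROUPS)); // false
```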

chirrut2 commented 5 years ago

I've also checked that the group filter will also not work. The group is totally empty.

May 25 11:12:04 vsvwekan01 wekan.wekan[19357]: [DEBUG] Group filter LDAP: "(&(objectclass=group)(cn=dbc.app.wekan))"

But I don't think that the group is matched to the user in any way.

chirrut2 commented 5 years ago

Hi, any suggestions what I can do?

Kind Rgds, Daniel

xet7 commented 5 years ago

@chirrut2

Group filter issue is at wekan/wekan#2356

Please someone add to the Wekan GitHub wiki docs how I could install some LDAP server on some cloud or bare metal server, so that I could test Wekan with it. Problem is, I have never figured out how to install an LDAP server, what all the options are, where the docs are, how they work, etc. LDAP has been developed by other Wekan contributors, not me. So I'm at the mercy of those Wekan LDAP contributors.

1kidvidiot commented 4 years ago

Wekan Version 3.42.0

Running on Univention Server ucs-bdc.belldesign.com UCS Version 4.4-1 errata305 (Blumenthal) UMC Version 11.0.4-36A~4.4.0.201909050927

LDAP no longer works; I can only log in with the password option. Just when I got a dept to start using it, they can't log in. Can you fix this? It was working, now it isn't. No new LDAP members can log in even though they are authorized in USERS in Univention. Nothing changed. New users are showing in Univention USERS and Active Directory but they still can't use this program. Even when listed in the admin panel under People with LDAP as authentication method, they can only log in with the password option.

xet7 commented 4 years ago

@1kidvidiot

At Wekan Admin Panel / Setting / Layout / Default Authentication Method, is LDAP selected?

In Wekan v3.56 for Univention, which will be released in the near future, I have made all Wekan LDAP etc. settings configurable in Univention App settings, so that it is possible to change those if something is not configured correctly.

tekmans commented 4 years ago

Does it mean that email will never be updated with this whitelist?

For the whitelist problem: the error is certainly from the sync.js file:

if (syncUserData && syncUserDataFieldMap) {
  const whitelistedUserFields = ['email', 'name', 'customFields'];

Is it possible to add the fields (invitedBoards, language, initials and starredBoards) to the whitelist?

In my case I've entered a wrong email, and it's impossible to update it.

And even after deleting the user from LDAP, Wekan re-imports the user, because it is still in the collection in Mongo, so the email is wrong.

I had to set up the Mongo socket to be available in the host to delete the collection, but it's not simple, and recovering a fully functional Wekan took me time...

xet7 commented 4 years ago

@tekmans

What steps did you take to recover Wekan fully? I'll think about how to make it easier.

xet7 commented 4 years ago

I have added some tasks from this issue to first comment of Teams/Organizations feature. If there is something missing, please comment at Teams/Organizations issue.