Closed ptoulouse closed 3 years ago
I can work around the group filter with a user filter using "memberOf" and removing all the LDAP_GROUP_FILTER variables.
LDAP_USER_SEARCH_FILTER: (ObjectClass=inetOrgPerson)(memberOf=cn=wekan_admins,ou=groups,dc=example,dc=org)
However, the group filter logic not working also means that the Sync Admin Status feature is not working. It looks like the first user to log in becomes Admin.
I'm having a similar issue - using FreeIPA 4.6.6, not OpenLDAP. I'd like to get mine working so that I could upload a sanitized version of my config for other FreeIPA users to this page.
EDIT: I should add, I'm not using the Docker image - I'm using the Snap on CentOS 8. I'm going to try some of your efforts but based on my Googling, the admin status thing doesn't seem to work all that well.
Hi @ptoulouse
I just had the very same issue with the Wekan Docker container and the group filtering. While having a look at my OpenLDAP Docker container logs, I understood that the two errors below in Wekan:
[ERROR] NoSuchObjectError: No Such Object [ERROR] NoSuchObjectError: No Such Object
... are related to some errors in OpenLDAP. It looks like on the login page, after checking the given user/password with OpenLDAP, Wekan binds the user you are trying to log in with its OpenLDAP session, and then searches for the group using this same user, not the LDAP_AUTHENTIFICATION_USERDN. The problem in my case is that only the LDAP_AUTHENTIFICATION_USERDN is able to search through my LDAP tree, so I'm getting errors saying that no objects were found... which is obvious because my authenticated user can't search.
My workaround was to modify some JS files in this project to avoid this behaviour. The goal is to use the LDAP_AUTHENTIFICATION_USERDN in order to search for groups, instead of the user being authenticated. Here is my quick & dirty fix, if it can help you... I could also open a PR if needed.
In server/loginHandler.js, I had to replace this piece of code:
```javascript
// Original excerpt: the user's password bind happens first, then the group
// lookup runs (the enclosing `try` is opened earlier in the file).
if (ldap.authSync(users[0].dn, loginRequest.ldapPass) === true) {
  if (ldap.isUserInGroup(loginRequest.username, users[0])) {
    ldapUser = users[0];
  } else {
    throw new Error('User not in a valid group');
  }
} else {
  log_info('Wrong password for', loginRequest.username);
}
} catch (error) {
  log_error(error);
}
```
by this one:
```javascript
// Workaround: run the group lookup before the user's password bind, so it is
// issued under the LDAP_AUTHENTIFICATION_USERDN session; then verify the password.
if (ldap.isUserInGroup(loginRequest.username, users[0])) {
  ldapUser = users[0];
} else {
  throw new Error('User not in a valid group');
}
if (ldap.authSync(users[0].dn, loginRequest.ldapPass) !== true) {
  ldapUser = null;
  log_info('Wrong password for', loginRequest.username);
}
```
Here is my config:
Logs:
From the OpenLDAP container, if I run ldapsearch it works:
Am I missing something obvious? The debug trace is not verbose enough to see if the scope or the Base DN is correctly set for the group query.
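An added example (not Wekan's code and not from any commenter) modelling the flow described in the comment above: an in-memory directory where only the service DN may search, a `login` that verifies the user's password with the user's own bind but runs the user and group lookups under the service bind, and a flag that reproduces the NoSuchObject failure when the group query is issued under the user's session instead. All DNs, passwords and entry names are constructed.

```javascript
const SVC_DN = 'cn=svc,dc=example,dc=org';
const ADMIN_GROUP = 'cn=wekan_admins,ou=groups,dc=example,dc=org';
// Constructed in-memory directory: dn -> { password, attrs }
const directory = {
  [SVC_DN]: { password: 'svc-pw', attrs: {} },
  'uid=alice,ou=users,dc=example,dc=org': { password: 'alice-pw', attrs: { uid: 'alice' } },
  'uid=bob,ou=users,dc=example,dc=org': { password: 'bob-pw', attrs: { uid: 'bob' } },
  [ADMIN_GROUP]: { password: null, attrs: { member: ['uid=alice,ou=users,dc=example,dc=org'] } },
};
// ACL model from the comment above: only the service DN may search the tree.
const searchAllowed = new Set([SVC_DN]);

class Session {
  constructor(dn, password) {            // simple bind
    const e = directory[dn];
    if (!e || e.password === null || e.password !== password) {
      throw new Error('InvalidCredentialsError');
    }
    this.dn = dn;
  }
  search(filter) {                       // throws the error seen in the Wekan logs
    if (!searchAllowed.has(this.dn)) throw new Error('NoSuchObjectError: No Such Object');
    return Object.entries(directory).filter(([dn, e]) => filter(dn, e)).map(([dn]) => dn);
  }
}

function isUserInGroup(session, userDn, groupDn) {
  return session.search((dn, e) => dn === groupDn && (e.attrs.member || []).includes(userDn)).length === 1;
}

// searchWithUserBind=true reproduces the broken flow (group query under the
// user's own session); false is the flow the workaround aims for.
function login(username, password, searchWithUserBind = false) {
  const svc = new Session(SVC_DN, 'svc-pw');
  const users = svc.search((dn, e) => e.attrs.uid === username);
  if (users.length !== 1) return { ok: false, reason: 'unknown user' };
  const userDn = users[0];
  let userSession;
  try { userSession = new Session(userDn, password); }   // verifies the password only
  catch (e) { return { ok: false, reason: 'wrong password' }; }
  const groupSession = searchWithUserBind ? userSession : svc;
  try {
    if (!isUserInGroup(groupSession, userDn, ADMIN_GROUP)) return { ok: false, reason: 'not in group' };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  return { ok: true, dn: userDn };
}
```

With a real server the same split applies: keep the service bind for every search and use the user's bind only to check the password, which is also what the ldapsearch test from the OpenLDAP container exercises.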