Groups don't appear to be coming through over LDAP, cannot set admins via LDAP

[tromlet]

Issue: I am unable to set users in my LDAP "admins" group to be automatically imported into WeKan AS administrators. Also, it kind of looks generally like there is no group functionality at all. For the most part, my LDAP settings ARE working - I can login using my LDAP credentials - I just don't have admin powers when I do (despite snap set wekan ldap-sync-admin-status='true' and snap set wekan ldap-sync-admin-groups='<ADMIN LDAP GROUP>'). I get some errors in my log, which I've highlighted below:

Admin Panel > Version: It should be noted that while I AM using "Linux x64", I am specifically using CentOS 8 x64. Runs lickety split, except for the groups thing not working.	Software	Detail
Wekan Version	4.50.0
Meteor version	2.0-beta.4
Node version	12.19.0
MongoDB version	3.2.22
MongoDB storage engine	wiredTiger
MongoDB Oplog enabled
OS Type	Linux
OS Platform	linux
OS Arch	x64
OS Release	4.18.0-193.28.1.el8_2.x86_64
OS Uptime	23 hours, 3 minutes, 32 seconds
OS Load Average	0.00, 0.05, 0.09
OS Total Memory	4 GB
OS Free Memory	2 GB
OS CPU Count	2

Output of snap get wekan:

caddy-enabled                                     false
default-authentication-method                     ldap
default-domain                                    example.com
ldap-authentication                               true
ldap-authentication-password                      <PASSWORD>
ldap-authentication-userdn                        uid=<USERNAME>,cn=users,dc=exampl,dc=com
ldap-background-sync                              true
ldap-background-sync-import-new-users             true
ldap-background-sync-interval                     Every 1 minute
ldap-background-sync-keep-existant-users-updated  true
ldap-basedn                                       dc=example,dc=com
ldap-connect-timeout                              10000
ldap-email-field                                  mail
ldap-enable                                       true
ldap-encryption                                   ssl
ldap-fullname-field                               displayName
ldap-group-filter-enable                          true
ldap-group-filter-id-attribute                    cn
ldap-group-filter-member-attribute                member
ldap-group-filter-objectclass                     groupofnames
ldap-host                                         freeipa.example.com
ldap-idle-timeout                                 10000
ldap-log-enabled                                  true
ldap-login-fallback                               true
ldap-merge-existing-users                         true
ldap-port                                         636
ldap-sync-admin-groups                            superusers
ldap-sync-admin-status                            true
ldap-timeout                                      10000
ldap-user-search-field                            uid
ldap-user-search-filter                           (&(objectclass=person))
ldap-user-search-scope                            sub
ldap-username-field                               uid
port                                              80
root-url                                          https://wekan.example.com

Log output via journalctl -fu snap.wekan.wekan:

Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]: [DEBUG] Identifying user with: uid
Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]: [ERROR] Error: LDAP Authentication succeded, there is no email to create an account. Have you tried setting your Default Domain in LDAP Settings? [LDAP-login-error]
Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]: Exception in callback of async function: errorClass [Error]: LDAP Authentication succeded, there is no email to create an account. Have you tried setting your Default Domain in LDAP Settings? [LDAP-login-error]
Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]:     at addLdapUser (packages/wekan-ldap/server/sync.js:291:19)
Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]:     at packages/wekan-ldap/server/sync.js:376:9
Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]:     at Array.forEach (<anonymous>)
Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]:     at packages/wekan-ldap/server/sync.js:343:15
Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]:     at runWithEnvironment (packages/meteor.js:1286:24) {
Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]:   isClientSafe: true,
Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]:   error: 'LDAP-login-error',
Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]:   reason: 'LDAP Authentication succeded, there is no email to create an account. Have you tried setting your Default Domain in LDAP Settings?',
Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]:   details: undefined,
Nov 11 19:20:00 wekan.example.com wekan.wekan[157138]:   errorType: 'Meteor.Error'
~~~
Nov 11 19:20:03 wekan.example.com wekan.wekan[157138]: [DEBUG] Group filter LDAP: "(&(objectclass=groupofnames)(cn=))"
Nov 11 19:20:03 wekan.example.com wekan.wekan[157138]: [ERROR] Error: cn= is invalid
Nov 11 19:20:03 wekan.example.com wekan.wekan[157138]: [INFO] Fallback to default account system:  {

[NoxInmortus]

Hello, I was about to open an issue for this problem as well, here is my log :

[INFO] TLS connected 
[INFO] Binding UserDN "cn=readonly,dc=mydom"
[INFO] Searching user "myuser"
[DEBUG] searchOptions {
  "filter": "(&(&(|(objectclass=inetOrgPerson))(|(memberof=cn=wekan,ou=groups,dc=mydom)))(uid=myuser))",
  "scope": "sub",
  "sizeLimit": 0
}
[DEBUG] BaseDN "ou=users,dc=mydom"
[INFO] Search result count 1
[INFO] Authenticating "cn=myuser,ou=users,dc=mydom"
[INFO] Authenticated "cn=myuser,ou=users,dc=mydom"
[DEBUG] Identifying user with: uid 
[INFO] Querying user 
[DEBUG] userQuery {
  "services.ldap.id": "616c62616e2e65737069656775696c6c6f6e"
}
[INFO] Logging user 
[DEBUG] Updating admin status 
Exception while invoking method 'login' TypeError: ldap.getUserGroups(...).filter is not a function
    at MethodInvocation.<anonymous> (packages/wekan-ldap/server/loginHandler.js:185:61)
    at packages/accounts-base/accounts_server.js:487:31
    at tryLoginMethod (packages/accounts-base/accounts_server.js:1329:14)
    at AccountsServer._runLoginHandlers (packages/accounts-base/accounts_server.js:485:22)
    at MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:545:31)
    at packages/check/match.js:118:15
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
    at Object._failIfArgumentsAreNotAllChecked (packages/check/match.js:116:43)
    at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1768:18)
    at packages/ddp-server/livedata_server.js:719:19
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
    at packages/ddp-server/livedata_server.js:717:46
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
    at packages/ddp-server/livedata_server.js:715:46
    at new Promise (<anonymous>)
    at Session.method (packages/ddp-server/livedata_server.js:689:23)
    at packages/ddp-server/livedata_server.js:559:43
[INFO] Idle 
[INFO] Disconecting 
[INFO] Closed 
(node:1) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.

And related LDAP variables :

LDAP_LOG_ENABLED: 'true'
LDAP_ENABLE: 'true'
LDAP_PORT: '389'
LDAP_HOST: 'ldap.mydom.com'
LDAP_ENCRYPTION: 'tls'
LDAP_BASEDN: 'ou=users,dc=mydom'
LDAP_LOGIN_FALLBACK: 'false'
LDAP_RECONNECT: 'true'
LDAP_AUTHENTIFICATION: 'true'
LDAP_AUTHENTIFICATION_USERDN: 'cn=readonly,dc=mydom'
LDAP_AUTHENTIFICATION_PASSWORD: 'pwd'
LDAP_BACKGROUND_SYNC: 'true'
LDAP_BACKGROUND_SYNC_INTERVAL: 'every 4 hour'
LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED: 'false'
LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS: 'true'
LDAP_USER_SEARCH_FILTER: '(&(|(objectclass=inetOrgPerson))(|(memberof=cn=wekan,ou=groups,dc=mydom)))'
LDAP_USER_SEARCH_SCOPE: 'sub'
LDAP_USER_SEARCH_FIELD: 'uid'
LDAP_SEARCH_PAGE_SIZE: '0'
LDAP_SEARCH_SIZE_LIMIT: '0'
LDAP_UTF8_NAMES_SLUGIFY: 'true'
LDAP_USERNAME_FIELD: 'uid'
LDAP_FULLNAME_FIELD: 'cn'
LDAP_EMAIL_MATCH_ENABLE: 'true'
LDAP_EMAIL_FIELD: 'mail'
LDAP_EMAIL_MATCH_VERIFIED: 'false'
LDAP_SYNC_USER_DATA: 'true'
LDAP_SYNC_USER_DATA_FIELDMAP: '{"cn":"name", "mail":"email"}'
LDAP_DEFAULT_DOMAIN: 'mydom.com'
LDAP_SYNC_ADMIN_STATUS: 'true'
LDAP_SYNC_ADMIN_GROUPS: 'sysadmins'

There is some LDAP_GROUP_FILTER* variables that I was not sure about, the documentation is unclear about thoses and I did not used them

The logs are not the same as @tromlet tho

[NoxInmortus]

I'm not sure, but looking at openldap logs it seems wekan try to bind with the user I wish to log in wekan with

Idk why... @xet7 ?

5fe1efec conn=2067 op=1 BIND dn="cn=readonly,dc=mydom" method=128
5fe1efec conn=2067 op=1 BIND dn="cn=readonly,dc=mydom" mech=SIMPLE ssf=0
5fe1efec conn=2067 op=1 RESULT tag=97 err=0 text=
5fe1efec conn=2067 op=2 SRCH base="ou=users,dc=mydom" scope=1 deref=0 filter="(&(&(|(objectClass=inetOrgPerson))(|(memberOf=cn=wekan,ou=groups,dc=mydom)))(uid=myuser))"
5fe1efec conn=2067 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
5fe1efec conn=2067 op=3 BIND anonymous mech=implicit ssf=0
5fe1efec conn=2067 op=3 BIND dn="cn=myuser,ou=users,dc=mydom" method=128
5fe1efec conn=2067 op=3 BIND dn="cn=myuser,ou=users,dc=mydom" mech=SIMPLE ssf=0
5fe1efec conn=2067 op=3 RESULT tag=97 err=0 text=

[veloprofz]

how to turn on the option so that ldap authentication appears in the admin panel?

[xet7]

@veloprofz

https://github.com/wekan/wekan/wiki/LDAP

Snap

sudo snap set wekan ldap-enable='true'

Docker

https://github.com/wekan/wekan/blob/master/docker-compose.yml#L488