Closed lpar closed 6 years ago
Hi @lpar - nice to see you again ;) To get an orientation please run the ruby code as follows:
1.) Create a file called debug_ldap.rb
in your Zammad directory (usually /opt/zammad
)
2.) Run the file from your Zammad directory via zammad run rails r debug_ldap.rb
or rails r debug_ldap.rb
as zammad user, depending on your installation source (package/source)
3.) Post the output here. Make sure all sensitive data is anonymized! If you want you can drop it as an email to support@zammad.com. Please refer to this issue and me :)
4.) Delete the debug_ldap.rb
file
bind_dn = 'dn here'
bind_pw = 'password here'
filter = '(objectClass=person)'
host = 'bluepages.ibm.com'
port = 636
base_dn = 'ou=bluepages,o=ibm.com'
ssl = true
ssl_verify = true
require 'ldap'
params = {
host: host,
port: port,
ssl: ssl,
ssl_verify: ssl_verify,
base_dn: base_dn,
bind_user: bind_dn,
bind_pw: bind_pw,
}
ldap = ::Ldap.new(params)
group = ::Ldap::Group.new(params, ldap: ldap)
p group.filter
This reproduces the behavior of Zammad trying to find the filter for listing all available groups. There is a list of default group filters. If a filter returns some entries it will be used. I think none of the filters matches for you. If there is no output of the script: What would be the filter you would use to list all groups in your bluepages.ibm.com
setup?
It outputs nil
.
Our groups are under a different base DN, ou=memberlist,ou=ibmgroups,o=ibm.com
For example, if I do:
ldap.search(:base => "ou=memberlist,ou=ibmgroups,o=ibm.com",
:scope => Net::LDAP::SearchScope_SingleLevel,
:filter => nil) do |entry|
pp entry
break
end
I get
#<Net::LDAP::Entry:0x0055846991c830
@myhash=
{:dn=>["cn=admin,ou=memberlist,ou=ibmgroups,o=ibm.com"],
:objectclass=>["groupOfUniqueNames", "top"],
:o=>["ibm.com"],
:cn=>["admin"],
:ou=>["ibmgroups", "memberlist"],
:uniquemember=>
["uid=REDACTED,c=us,ou=bluepages,o=ibm.com",
"uid=REDACTED,c=us,ou=bluepages,o=ibm.com",
"uid=REDACTED,c=us,ou=bluepages,o=ibm.com",
"uid=REDACTED,c=us,ou=bluepages,o=ibm.com",
"uid=REDACTED,c=us,ou=bluepages,o=ibm.com",
"uid=REDACTED,c=us,ou=bluepages,o=ibm.com"]}>
where each uniquemember
value is a DN of a user.
Could you please replace lib/ldap/group.rb
with this file. Restart your Zammad services (Websocket, Scheduler and Application) afterwards. Then retry the import again via the admin interface. While doing so have a look at the log/production.log
file and provide the generated, anonymized content in case of an error. 🤞
I'm afraid I don't get anything useful in the production.log:
I, [2017-11-03T11:20:16.655036 #517] INFO -- : Started POST "/api/v1/integration/ldap/bind" for 9.80.198.211 at 2017-11-03 11:20:16 -0400
I, [2017-11-03T11:20:16.667944 #517] INFO -- : Processing by Integration::LdapController#bind as JSON
I, [2017-11-03T11:20:16.668207 #517] INFO -- : Parameters: {"base_dn"=>"ou=bluepages,o=ibm.com", "bind_user"=>"uid=L13490897,c=us,ou=bluepages,o=ibm.com", "bind_pw"=>"[FILTERED]", "host_url"=>"ldaps://bluepages.ibm.com/", "ssl_verify"=>true}
I, [2017-11-03T11:20:17.019961 #519] INFO -- : 2017-11-03T11:20:17-0400: [Worker(host:techelp.dfw.ibm.com pid:519)] Job Observer::UserDeviceLogJob (id=403) RUNNING
I, [2017-11-03T11:20:18.968583 #519] INFO -- : 2017-11-03T11:20:18-0400: [Worker(host:techelp.dfw.ibm.com pid:519)] Job Observer::UserDeviceLogJob (id=403) COMPLETED after 1.9482
I, [2017-11-03T11:20:20.876715 #519] INFO -- : Scheduler running...
What happened in the admin interface?
The same "Unable to retrive group information, please check your bind user permissions" error message.
Hi @lpar - we did some changes regarding the LDAP groups via issue #1664 which might affect your issue, too. Could you please check if your issue still persists in the latest version of the develop branch? Thanks!
No improvement. "Unable to retrive group information, please check your bind user permissions."
I had this issue before and I fix it by including the default OpenLDAP objectclass
.
After upgrading to 2.3 the group file was restored back and experienced the same issue.
So under /opt/zammad/lib/ldap/group.rb
on line 115
it should be something like this to get ride of this issue:
@filter ||= lookup_filter(['(objectClass= organizationalUnit)', '(objectClass=group)', '(objectClass=posixgroup)', '(objectClass=organization)', '(ou=memberlist,ou=ibmgroups,o=ibm.com)'])
That does indeed get me past the error!
Great @AchuM - thank you very much for your input! We will refactor the group filter detection very soon to chose the correct one. We will use the filter with the most entries found. That should work. Any feedback is appreciated.
So what is the next thing Zammad does? Because once I get past the error that it locks up performing some sort of processing. I think it might be trying to iterate through entries, which isn't going to work well because there are over 386,000 of them.
Could you post a screenshot of the dialog. I'm lost trace where we are currently.
I get a dialog asking for LDAP sync mappings, so I provide some:
At the bottom of that dialog I click Continue. It says analyzing structure briefly, then presents a dialog saying it's counting entries, which may take a while:
Since I haven't asked it to do any mapping between LDAP groups and Zammad roles, the only thing I can think of is that it's counting the users. If that's the case, it's not going to go well.
Hi @lpar - We have done some performance improvements in the LDAP sync which reduce the overall runtime by up to 30%. However, sorry to say but 386.000 entries is still not a use case we aim to cover. Just out of curiosity: Why do you need all these users in your Zammad?
I don't need all of those users. What I need is some way to have directory information populated for the ones who actually use Zammad, and to have them able to log in with their enterprise credentials. The OAuth2 authentication seems to be buggy and ignores some fields, so I was hoping the LDAP integration might fill out the missing information, or even allow for authentication via LDAP.
Which way do you prefer? For the LDAP sync I would recommend to have some distinguishing feature that can be used in a LDAP filter (in the expert block below). The size of the result set is responsible for the duration of the import. Which size would it be in your setup after applying such filter? We have multiple customers syncing round about 20.000 users into Zammad without any issues. The first sync takes some time but after that only diffs are applied which speeds up the process lot.
Would it be possible to sync from LDAP only for accounts which are created on the fly via (say) OAuth2 login or some other method? That would avoid the initial long sync and avoid having tens of thousands of unnecessary accounts in the database — which is a liability given GDPR.
There are two possible LDAP integrations in general: Bulk sync or on the fly. We already had experience with on the fly syncs before designing Zammads LDAP integration and decided against it because of the negative side effects it brings with it. To avoid unnecessary accounts in the database a proper LDAP filter should be used. So the OAuth2 way would be preferable for your use case I guess then. We will have a look at the issue 👍 I'm closing here now since we can't go further from here. Correct me if I'm wrong. Thanks for your great support getting this far.
Infos:
Actual behavior:
Followup to issue #1422 so all other info (bind DN, base DN etc) is as per that ticket.