
LDAP: more than one mail entry per user - login fails #22

Open
eriCCsan opened this issue Mar 26, 2022 · 16 comments
Labels
enhancement New feature or request

Comments

@eriCCsan

Hi guys,

I just tried to implement a simple docker-compose with a generic test LDAP. It starts, but nothing more. I can't log in. I've tried a lot, but nothing seems to work. The problem is always the same.

For my test LDAP I use this: https://github.com/rroemhild/docker-test-openldap
The other containers are straightforward, I guess (see my docker-compose below).

This is the problem I face every time I try to log in with an account:

Session error. Please check you have cookies enabled. If the problem persists, try clearing your cache and cookies.

I followed the instructions about clearing, enabling and so on, but it doesn't help.
I also set this ENV to true and false. Nothing helps. I googled a lot; nothing helps. What is wrong? Has anybody had the same problem?

SHARELATEX_SECURE_COOKIE=true

I always get a 403 on /login when I look at the Chrome dev tools.

What do I expect?
I expect that, after starting a completely new docker-compose with the LDAP and the overleaf-ldap containers, I can log in with [email protected] and the password professor. But for whatever reason this doesn't work.

Thank you very much for any help :)

P.S.
This is my docker-compose:

version: "3.9"

volumes:
  dev_overleaf_mongo_data: {}
  dev_overleaf_redis_data: {}
  dev_overleaf_data: {}


networks:
  dev_overleaf:
    driver: bridge
    name: dev_overleaf

services:

  mongo:
    image: mongo:5.0.5
    container_name: mongo
    networks:
      - dev_overleaf
    volumes:
      - dev_overleaf_mongo_data:/data/db

  redis:
    image: redis:6.2.6
    container_name: redis
    sysctls:
      - net.core.somaxconn=65535
    volumes:
      - dev_overleaf_redis_data:/data
    networks:
      - dev_overleaf

  mailhog:
    container_name: mailhog
    image: mailhog/mailhog:v1.0.1
    networks:
      - dev_overleaf
    ports:
      - 1025:1025 
      - 8025:8025 

  ldap-container:
    image: rroemhild/test-openldap
    container_name: ldap-container
    networks:
      - dev_overleaf
    ports:
      - 10389:10389

  overleaf:
    container_name: overleaf
    image: ldap-overleaf-sl:latest
    ports:
      - 80:80
    networks:
      - dev_overleaf
    volumes:
      - dev_overleaf_data:/var/lib/sharelatex
    environment:
      - SHARELATEX_APP_NAME=Overleaf
      - SHARELATEX_REDIS_HOST=redis
      - SHARELATEX_REDIS_PORT=6379
      - SHARELATEX_MONGO_HOST=mongo
      - SHARELATEX_MONGO_PORT=27017
      - SHARELATEX_MONGO_URL=mongodb://mongo/sharelatex
      - SHARELATEX_SITE_URL=http://localhost
      - SHARELATEX_NAV_TITLE=A-Title
      - [email protected]
      - [email protected]
      - SHARELATEX_EMAIL_SMTP_HOST=mailhog 
      - SHARELATEX_EMAIL_SMTP_PORT=1025
      - SHARELATEX_EMAIL_SMTP_SECURE=false
      - SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH=false
      - SHARELATEX_EMAIL_SMTP_IGNORE_TLS=true 
      - SHARELATEX_ALLOW_PUBLIC_ACCESS=true 
      - SHARELATEX_ALLOW_ANONYMOUS_READ_AND_WRITE_SHARING=true
      - SHARELATEX_SECURE_COOKIE=true
      - SHARELATEX_BEHIND_PROXY=false
      - LDAP_SERVER=ldap://ldap-container:10389
      - LDAP_BASE=dc=planetexpress,dc=com

      ### There are two ways to get users from the LDAP server

      ## NO LDAP BIND USER:
      # Tries to bind with login-user (as uid) to LDAP_BINDDN
      - LDAP_BINDDN=uid=%u,ou=people,dc=planetexpress,dc=com

      ## Using a LDAP_BIND_USER/PW
      # LDAP_BIND_USER:
      # LDAP_BIND_PW:

      # Only allow users matching LDAP_USER_FILTER
      #LDAP_USER_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'

      # If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
      # Admin users can invite external (non-LDAP) users. This feature only makes sense
      # when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally, admins can send
      # system wide messages.
      #LDAP_ADMIN_GROUP_FILTER: '(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
      - ALLOW_EMAIL_LOGIN=false

      # All users in the LDAP_CONTACT_FILTER are loaded from the ldap server into contacts.
      #LDAP_CONTACT_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
      - LDAP_CONTACTS=false

      # Same property, unfortunately with different names in
      # different locations
      - ENABLED_LINKED_FILE_TYPES=url,project_file
      - ENABLE_CONVERSIONS=true 
@smhaller
Owner

smhaller commented Mar 26, 2022

Can you also post the content of your .env file?
And maybe also have a look at issue #21.

@eriCCsan
Author

Yeah, .env is pretty standard, but for my test I haven't used it.

MYDOMAIN=MYDOMAIN.TLD
[email protected]
MYDATA=/data
LOGIN_TEXT=username
COLLAB_TEXT=Direct share with collaborators is enabled only for activated users!
ADMIN_IS_SYSADMIN=true
VERSION=3.0.1

@smhaller
Owner

Ah, I see: can you remove SHARELATEX_SECURE_COOKIE: 'true' and share the content of the web.log (from the sharelatex container), mainly the part when you try to log in?

@eriCCsan
Author

eriCCsan commented Mar 26, 2022

I removed the SHARELATEX_SECURE_COOKIE ENV, but nothing happens. The error message is not shown anymore.
When I try to log in, it sticks at "Logging in"; after 2 min it times out. No logs in the Docker container.

Where do I find the web.log?

@eriCCsan
Author

Both logins, with
email/password

and with uid/password

professor
professor

do not work.

@smhaller
Owner

smhaller commented Mar 26, 2022

docker exec -it NAMEofLdap-overleaf-sl /bin/bash
tail -f /var/log/sharelatex/web.log

How did you configure ldap-overleaf-sl/nginx/sharelatex.conf?

Are those accounts in the LDAP? Please try accounts which are in the LDAP directory server.

@eriCCsan
Author

eriCCsan commented Mar 26, 2022

Using the combination email/password:

{"name":"web","hostname":"cc2825ab8f49","pid":155,"level":30,"rss":"138.02","heapTotal":"87.67","heapUsed":"71.83","external":"19.71","arrayBuffers":"18.12","msg":"process.memoryUsage()","time":"2022-03-26T13:23:00.937Z","v":0}
(node:155) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'replace' of undefined
    at Object.ldapAuth (/var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:287:52)
    at Object.authUserObj (/var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:108:29)
    at /var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:37:29
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4842:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4842:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/helpers/promiseOrCallback.js:24:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4865:21
    at /var/www/sharelatex/web/node_modules/mongoose/lib/query.js:4419:11
    at /var/www/sharelatex/web/node_modules/kareem/index.js:135:16
    at processTicksAndRejections (internal/process/task_queues.js:79:11)
    at runNextTicks (internal/process/task_queues.js:66:3)
    at processImmediate (internal/timers.js:434:9)
(node:155) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 4)

Same for the uid/password combination:

(node:155) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'replace' of undefined
    at Object.ldapAuth (/var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:287:52)
    at Object.authUserObj (/var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:108:29)
    at /var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:37:29
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4842:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4842:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/helpers/promiseOrCallback.js:24:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4865:21
    at /var/www/sharelatex/web/node_modules/mongoose/lib/query.js:4419:11
    at /var/www/sharelatex/web/node_modules/kareem/index.js:135:16
    at processTicksAndRejections (internal/process/task_queues.js:79:11)
    at runNextTicks (internal/process/task_queues.js:66:3)
    at processImmediate (internal/timers.js:434:9)
(node:155) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 5)

I tried something else which does not exist in the LDAP:

(node:155) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'replace' of undefined
    at Object.ldapAuth (/var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:287:52)
    at Object.authUserObj (/var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:108:29)
    at /var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:37:29
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4842:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4842:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/helpers/promiseOrCallback.js:24:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4865:21
    at /var/www/sharelatex/web/node_modules/mongoose/lib/query.js:4419:11
    at /var/www/sharelatex/web/node_modules/kareem/index.js:135:16
    at processTicksAndRejections (internal/process/task_queues.js:79:11)
    at runNextTicks (internal/process/task_queues.js:66:3)
    at processImmediate (internal/timers.js:434:9)
(node:155) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 6)

Every error looks the same: it can't read property 'replace' of undefined. I didn't know of these logs; they are great. But how can I fix it? What's missing?

@smhaller
Owner

I see: can you set an LDAP_USER_FILTER...

@eriCCsan
Author

Sure I can, but what's the correct value?

I've tested: - LDAP_USER_FILTER='(&(ou=people,dc=planetexpress,dc=com)(uid=%u))'

It immediately tells me, when I try different combinations, that everything is wrong: email/password or uid/password.

@eriCCsan
Author

In the logs I can see: Could not bind user: uid=professor,ou=people,dc=planetexpress,dc=com

@eriCCsan
Author

eriCCsan commented Mar 26, 2022

These are my current ENVs for the container, in short:

      #- SHARELATEX_SECURE_COOKIE=true
      - SHARELATEX_BEHIND_PROXY=true
      - LDAP_SERVER=ldap://ldap-container:10389
      - LDAP_BASE=dc=planetexpress,dc=com

      ### There are two ways to get users from the LDAP server

      ## NO LDAP BIND USER:
      # Tries to bind with login-user (as uid) to LDAP_BINDDN
      - LDAP_BINDDN=mail=%m,ou=people,dc=planetexpress,dc=com

      ## Using a LDAP_BIND_USER/PW
      # LDAP_BIND_USER:
      # LDAP_BIND_PW:

      # Only allow users matching LDAP_USER_FILTER
      #memberof=admin_staff,
      - LDAP_USER_FILTER='(&(memberof=cn=admin_staff,ou=people,dc=planetexpress,dc=com)(mail=%m))'
      - ALLOW_EMAIL_LOGIN=true

Do I need to set LDAP_BIND_USER and LDAP_BIND_PW?
I've tried mail=%m and uid=%u, but no difference in both places.

@eriCCsan
Author

After a while I've managed to set the correct ENVs:

      #- SHARELATEX_SECURE_COOKIE=true
      - SHARELATEX_BEHIND_PROXY=true
      - ALLOW_EMAIL_LOGIN=true
      - LDAP_SERVER=ldap://ldap-container:10389
      - LDAP_BASE=dc=planetexpress,dc=com
      - LDAP_BIND_USER=cn=admin,dc=planetexpress,dc=com
      - LDAP_BIND_PW=GoodNewsEveryone
      - LDAP_USER_FILTER=(mail=%m)

I figured out one bug: if the user has more than one email, the login fails. You can see it in the professor account; he has two mails. With one mail, no problem.

You can close this. I solved it. Thanks for your support.
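The working configuration above relies on the `%u` / `%m` placeholders in LDAP_USER_FILTER being replaced with whatever the user typed on the login form. As an added illustration (not the project's own substitution code, which the thread does not show), this is how that expansion looks when the login value is escaped per RFC 4515 before it is spliced into the filter, so that filter metacharacters in the input cannot change the search; the professor address is a constructed sample, since the issue redacts the real one.

```javascript
// Added example, not code from ldap-overleaf-sl: expand the %u / %m
// placeholders of LDAP_USER_FILTER with the login value, escaping the
// value per RFC 4515 so the filter structure cannot be altered by input.

// RFC 4515: backslash, '*', '(', ')' and NUL inside a filter value must
// be written as a backslash followed by two hex digits.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return '\\' + hex;
  });
}

// Expand the template the way the thread configures it:
//   LDAP_USER_FILTER=(mail=%m)   for email logins
//   LDAP_USER_FILTER=(... (uid=%u))   for uid logins
// `login` is the raw value from the login form. A function replacement
// is used so '$' sequences in the login are never treated as patterns.
function buildUserFilter(template, login) {
  const escaped = escapeFilterValue(login);
  return template.replace(/%u|%m/g, () => escaped);
}

// Constructed sample templates and logins (not real directory data).
const EMAIL_TEMPLATE = '(mail=%m)';
const UID_TEMPLATE =
  '(&(memberof=cn=admin_staff,ou=people,dc=planetexpress,dc=com)(uid=%u))';

function demo() {
  return {
    email: buildUserFilter(EMAIL_TEMPLATE, 'professor@planetexpress.com'),
    uid: buildUserFilter(UID_TEMPLATE, 'professor'),
    // A login containing filter metacharacters is escaped, not interpreted.
    odd: buildUserFilter(EMAIL_TEMPLATE, 'a*b)(c'),
  };
}
```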

@smhaller smhaller changed the title LDAP Auth does not work LDAP: more than one mail entry per user - login fails Mar 28, 2022
@smhaller
Owner

smhaller commented Mar 28, 2022

I renamed the issue to: LDAP: more than one mail entry per user - login fails. And I'll leave this open till it's fixed.

Notes: This has to be fixed in ldap-overleaf-sl/sharelatex/AuthenticationManager.js (Line: 314).
As a quick solution: I think we can just take the first mail address (because this is already after the authentication process and only used for saving into the sharelatex db).

Additionally, we could use this test LDAP and the configuration from this issue to start solving issue #7.

@yzx9
Collaborator

yzx9 commented Nov 9, 2024

Posted by @Wurzelmann in #62:

We encountered a problem with users with multiple mail address entries: the LDAP server's response became a list instead of a string and did not work.

The following little patch to services/web/app/src/Features/Contacts/ContactController.js fixed this:

the line

entry['email'] = obj['mail']

should be:

entry['email'] = obj['uid'] + '@example.com'

This filters the results and works for us.

@smhaller
Owner

smhaller commented Nov 12, 2024

This only holds if your uid is part of the email in a very specific way. For our LDAP server this is really not true, because we have users with mail addresses from different providers.

I think the following code snippet would solve the multiple mail-address issue:

// Check if 'mail' is a non-empty array (a single-element array also needs unwrapping)
if (Array.isArray(obj['mail']) && obj['mail'].length > 0) {
  entry['email'] = obj['mail'][0]; // Use the first email if multiple are present
} else {
  entry['email'] = obj['mail']; // Use the single email directly
}

@Wurzelmann
Contributor

Selecting a random address in case of multiple e-mail addresses is only the second best solution for us, but this indeed fixes the crash.

It would be just great to have the possibility to specify the LDAP field that holds the primary e-mail address, instead of forcibly using the mail attribute.
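Pulling the two proposals in this thread together (take the first address rather than crashing on an array, and let the deployment name the attribute that holds the primary address), here is an added example of how the contact/user email could be normalised before use. It is not the project's code; the env var LDAP_EMAIL_ATTRIBUTE and the sample entries are assumptions constructed for the example.

```javascript
// Added example, not code from ldap-overleaf-sl: normalise the LDAP mail
// attribute before it is used. LDAP client libraries return a single-valued
// attribute as a string, a multi-valued one as an array and a missing one
// as undefined; calling .replace() on the latter two is what crashed here.

// Hypothetical env var (not in the project): attribute holding the
// primary address. Falls back to 'mail', as the thread's code does.
const EMAIL_ATTRIBUTE = process.env.LDAP_EMAIL_ATTRIBUTE || 'mail';

// Return the attribute's values as a plain array of trimmed strings,
// whatever shape the client library handed back.
function attributeValues(obj, name) {
  const raw = obj[name];
  if (raw === undefined || raw === null) return [];
  const list = Array.isArray(raw) ? raw : [raw];
  return list.map((v) => String(v).trim()).filter((v) => v.length > 0);
}

// Pick the address to store for the user: first value of the configured
// primary attribute, else first 'mail' value, else null. Always returns a
// string or null, never an array, so callers can check it explicitly.
function pickPrimaryEmail(obj, primaryAttr = EMAIL_ATTRIBUTE) {
  const primary = attributeValues(obj, primaryAttr);
  if (primary.length > 0) return primary[0].toLowerCase();
  const fallback = attributeValues(obj, 'mail');
  return fallback.length > 0 ? fallback[0].toLowerCase() : null;
}

// Build the contact entry like ContactController does, but reject entries
// without a usable address instead of failing later on a bad type.
function toContactEntry(obj) {
  const email = pickPrimaryEmail(obj);
  if (email === null) return null;
  return { uid: obj['uid'], email };
}

// Constructed sample entries modelled on the thread's test LDAP.
const SAMPLE_ENTRIES = [
  { uid: 'professor', mail: ['Professor@planetexpress.com', 'professor-alt@planetexpress.com'] },
  { uid: 'single', mail: 'single@planetexpress.com' },
  { uid: 'nomail' },
  { uid: 'pref', mail: ['x@planetexpress.com'], preferredMail: 'Pref@planetexpress.com' },
];
```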
