Failed to load groups with LDAP auth

[muzzol]

I can login with my LDAP user but groups are not fetched. I get this line when I log in:

2019-05-17 13:48:31,667 [script_server.LdapAuthorizer.INFO] Logging in user u100001
2019-05-17 13:48:31,673 [script_server.LdapAuthorizer.ERROR] Failed to load groups for the user u100001
Traceback (most recent call last):
  File "src/auth/auth_ldap.py", line 114, in authenticate
    user_dn, user_uid = self._get_user_ids(full_username, connection)
  File "src/auth/auth_ldap.py", line 206, in _get_user_ids
    return entry.entry_dn, entry.uid.value
  File "/usr/lib/python3/dist-packages/ldap3/abstract/entry.py", line 88, in __getattr__
    raise LDAPAttributeError('attribute not found')
ldap3.core.exceptions.LDAPAttributeError: attribute not found
2019-05-17 13:48:31,675 [script_server.tornado_auth.INFO] Authenticated user u100001

this is my conf

  "auth": {
    "type": "ldap",
    "url": "ldap://cabot.cilma.net",
    "username_pattern": "uid=$username,ou=persones,ou=users,dc=consorci,dc=global",
    "base_dn": "dc=consorci,dc=global",
    "version": 3

and I can login so LDAP connection is working.

It could be related my LDAP tree because I got some nested OUs.

Users are in this OU:

uid=u100001,ou=persones,ou=users,dc=consorci,dc=global

and groups are here:

cn=rol-app3,ou=rols,ou=groups,dc=consorci,dc=global

maybe an additional setting like group_base_dn could be useful (some apps do it that way to avoid any confusion with other parts of tree).

I'm testing it with 1.14

[muzzol]

I can give more info about this issue, I think is related to LDAP tree structure.

I got two productions installations and in one I can get all groups without any problem, but in the other one i get the error described above.

both installations are pretty similar but tree structure is different.

what info do you need to debug this issue?

[bugy]

Hi @muzzol, could you check please, if user entry contains uid field? Not in the DN, but as a separate field

[muzzol]

yes, the field is there.

ldapsearch -x -LLL "(uid=u100001)" uid
dn: uid=u100001,ou=persones,ou=users,dc=xxxx,dc=global
uid: u100001

[bugy]

Then I have no idea to be honest... let me play with it at home

[muzzol]

are you sure that the missing attribute is UID?

I have different setups with groups and members, so if you can tell me exactly which attribute is giving problems I can debug it.

[bugy]

According to the code, the error happens when I get entry dn and uid.value
Could it be, that multiple records correspond to this username?

Also, could it be ldap3 version issue? I mean if ldap3 package versions are different

[bugy]

Hi @muzzol,

Could you add a log statement to src/auth/auth_ldap.py, line 205:
LOGGER.info('Found entries: ' + repr(entries))

And could you tell me your ldap3 version, please?

My current assumptions are different ldap3 versions OR users do not have rights to read their own ldap attributes (sounds weird)

[bugy]

Hi @muzzol, could you check my last message, please?

[muzzol]

sorry @bugy for taking so long but I was busy with other projects.

where exactly do you want me to put this line?

here are lines 200-210 of my auth_ldap.py:

        if len(entries) > 1:
            LOGGER.warning('More than one user found by filter: ' + search_filter)
            return full_username, None

        entry = entries[0]
        return entry.entry_dn, entry.uid.value

    def _load_groups(self, groups_file):
        if not os.path.exists(groups_file):
            return {}

[muzzol]

ok, I think I got it:

2019-10-25 15:16:16,609 [script_server.tornado_auth.INFO] Trying to authenticate user
2019-10-25 15:16:16,609 [script_server.LdapAuthorizer.INFO] Logging in user b1
2019-10-25 15:16:16,621 [script_server.LdapAuthorizer.INFO] Found entries: [DN: uid=b1,ou=users,ou=proves,dc=global
    uid: b1
]
2019-10-25 15:16:16,622 [script_server.LdapAuthorizer.ERROR] Failed to load groups for the user b1
Traceback (most recent call last):
  File "src/auth/auth_ldap.py", line 114, in authenticate
    user_dn, user_uid = self._get_user_ids(full_username, connection)
  File "src/auth/auth_ldap.py", line 207, in _get_user_ids
    return entry.entry_dn, entry.uid.value
  File "/usr/lib/python3/dist-packages/ldap3/abstract/entry.py", line 88, in __getattr__
    raise LDAPAttributeError('attribute not found')
ldap3.core.exceptions.LDAPAttributeError: attribute not found
2019-10-25 15:16:16,631 [script_server.tornado_auth.INFO] Authenticated user b1
2019-10-25 15:16:16,632 [tornado.access.INFO] 200 POST /login (172.19.2.95) 24.00ms
2019-10-25 15:16:16,677 [tornado.access.INFO] 200 GET /index.html (172.19.2.95) 1.63ms

[bugy]

Hi @muzzol, thanks a lot! I'll have a look next week probably

[bugy]

Hi @muzzol,
I found that there was a breaking change in ldap3 module API (between 2.5 and 2.6), may be that's the reason

Could you try one more thing on your code. In the same place, where you did changes already, replace existing code:

        entry = entries[0]
        return entry.entry_dn, entry.uid.value

with the following:

        entry = entries[0]
        entry_dn = entry.entry_dn if hasattr(entry, 'entry_dn') else entry._dn
        return entry_dn, entry.uid.value

It can be entry._dn or entry._dn(), I'm not sure

For future reference: related commit in ldap3 module: cannatag/ldap3@1130221#diff-99157569b3f8968a3735cfad9e041ee3

[muzzol]

it worked!

grups are loaded now:
2019-11-06 10:02:30,372 [script_server.LdapAuthorizer.INFO] Loaded groups for b1: ['group2', 'test-admin']

[bugy]

Thanks for checking! Then I'll add this fix to the repository And sorry for taking so long... mussol <notifications@github.com> schrieb am Mi., 6. Nov. 2019, 10:03:

…

it worked! grups are loaded now: 2019-11-06 10:02:30,372 [script_server.LdapAuthorizer.INFO] Loaded groups for b1: ['group2', 'test-admin'] — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#216?email_source=notifications&email_token=AAJXPJIVYKXKH2JUYTCH6UDQSKB6FA5CNFSM4HNUVCLKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEDFZR6I#issuecomment-550213881>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAJXPJLPCEQKPTZM3TOGVK3QSKB6FANCNFSM4HNUVCLA> .