
Login via LDAP with LLDAP server (convos issue, closed, 10 comments)

poVoq commented on May 28, 2024
Login via LDAP with LLDAP server

from convos.

Comments (10)

poVoq commented on May 28, 2024

Looks like the error is actually something else.

After adding CONVOS_PLUGINS=Convos::Plugin::Auth::LDAP as an environmental variable I now get the following error on login: Can't locate object method "email" via package "Mojo::Promise"

The debug log says this:

Net::LDAP=HASH(some number) sending:

*Retracted as it contains secrets in clear text*

Net::LDAP=HASH(some number) received:
[2023-01-09 21:35:52.12058] [1] [error] {"message":"Can't locate object method \"email\" via package \"Mojo::Promise\" at \/app\/lib\/Convos\/Controller\/User.pm line 90.\n","status":400}
Unhandled rejected promise: Invalid email or password. at /app/local/lib/perl5/Mojo/Reactor/Poll.pm line 129.


jhthorsen commented on May 28, 2024

Edit: Seems like the above is nonsense and after loading the LDAP auth plugin via the environment variable another bug is happening, see second message.

What do you mean by "above"?

there doesn't seem to be a way to pass a Simple Bind with DN and password

The Convos documentation is lacking there, but you can use this environment variable:

CONVOS_AUTH_LDAP_URL=ldap://localhost:389?password=MyS3cret

Is it possible that the LDAP plugin is not enabled on that

It's present, but not enabled. You have to enable it yourself with the environment variable that you added in your second comment.


poVoq commented on May 28, 2024

Sorry, I meant the below.

Maybe I am missing something, but only a password? What username will be used?
Edit: ah, I guess some shared secret function? Seems like that is not my problem here.

And anyway, see the second message. After loading the plugin it still fails. Do you think that might be a bug, or am I still configuring something wrong?

Edit: I am pretty sure the User/pass combination I use to try and log in via LDAP is correct. How can I force it to use the LDAP back end? Because it still accepts non-ldap logins.

Thanks for the help.


jberger commented on May 28, 2024

The query parameters are transformed into a hash, and the URL and hash are passed to the Net::LDAP constructor.


poVoq commented on May 28, 2024

Well that doesn't clarify anything though.

Looking at the ldap login debug log posted above and going by the bugfix @jhthorsen did, the problem seems to be that my user and password are not accepted as correct.

My current guess is that the LDAP auth silently fails somewhere and the fallback to the non-LDAP auth (that is working for existing users) returns a wrong email or password error as the user I am trying to log in with only exists in the LDAP backend.


poVoq commented on May 28, 2024

Ah, looks like with LLDAP verbose logging I am getting a hint (actual user replaced with [email protected]):

2023-01-10T18:13:39.267121011+00:00 INFO     LDAP session [ 110µs | 39.39% / 100.00% ]
2023-01-10T18:13:39.267339254+00:00 INFO     ┕━ LDAP request [ 66.8µs | 52.07% / 60.61% ]
2023-01-10T18:13:39.267349334+00:00 DEBUG       ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 8, op: BindRequest(LdapBindRequest { dn: "uid=user,dc=example,dc=com", cred: Simple("********") }), ctrl: [] }
2023-01-10T18:13:39.267352398+00:00 DEBUG       ┝━ do_bind [ 9.41µs | 8.54% ]
2023-01-10T18:13:39.267355679+00:00 DEBUG       │  ┕━ 🐛 [debug]: DN: uid=user,dc=example,dc=com
2023-01-10T18:13:39.267372701+00:00 DEBUG       ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: NamingViolation, matcheddn: "", message: "Unexpected DN format. Got \"uid=user,dc=example,dc=com\", expected: \"uid=id,ou=people,dc=example,dc=com\"", referral: [] }, saslcreds: None })

So it seems like the request from Convos is missing a ou=people?


poVoq commented on May 28, 2024

Passing it via CONVOS_AUTH_LDAP_URL="ldap://localhost:3890?ou=people" doesn't seem to work either (same error), so I think this is a bug in the LDAP auth plugin, as the ou=people seems to be required by the LDAP specs?


poVoq commented on May 28, 2024

Got it to work via CONVOS_AUTH_LDAP_DN="uid=%uid,ou=people,dc=%domain,dc=%tld"

But it still fails on first login attempt with the same error. I think it needs to create the user Convos side first. On a retry it works with LLDAP.


jhthorsen commented on May 28, 2024

You can also activate verbose logging on the Convos side using CONVOS_LOG_LEVEL=debug (or even trace).

But it still fails on first login attempt with the same error. I think it needs to create the user Convos side first. On a retry it works with LLDAP.

That's strange, since it should create the user on the Convos side on registration. Maybe you can provide the debug output after setting the environment variable mentioned above. The debug output should contain something like:

[LDAP/[email protected]] code=X, exists=yes


poVoq commented on May 28, 2024

I'll try that tomorrow and comment on the new specific bug-report.

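The three technical points of the thread (the connection URL's query string becoming a hash of options handed to Net::LDAP, LLDAP rejecting a bind DN that lacks ou=people, and the CONVOS_AUTH_LDAP_DN template that fixed it), pulled together in one added Python example. This is illustrative code written for this page, not Convos's, LLDAP's or Net::LDAP's own. The expansion rules for %uid, %domain and %tld (local part, second-level label and top-level label of the login e-mail) are an assumption, only two-label domains are handled, the "default" template is inferred from the DN in the LLDAP log rather than read from Convos, and the RFC 4514 escaping of substituted values is a hardening step the thread does not discuss, there so that a login name containing a comma cannot add an RDN to the bind DN.

```python
"""Added example (not Convos, LLDAP or Net::LDAP code): build a bind DN from a
login e-mail and a template, check it against the DN shape LLDAP demands, and
parse the connection URL's query string into an options hash."""
import re
from urllib.parse import parse_qsl, urlsplit

# RFC 4514 section 2.4: characters that must always be escaped inside a DN
# attribute value. Leading ' ' or '#', trailing ' ' and NUL are handled below.
_ALWAYS_ESCAPE = set('"+,;<>\\')

# Template variables as used in the thread's CONVOS_AUTH_LDAP_DN value; their
# exact semantics in Convos are an assumption made for this example.
_TEMPLATE_VAR = re.compile(r'%(uid|domain|tld)')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot add or alter RDNs in a DN string."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in _ALWAYS_ESCAPE or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def email_to_dn(email: str, template: str) -> str:
    """Expand %uid, %domain and %tld in `template` from `email`.

    Assumed mapping: user@example.com -> uid=user, domain=example, tld=com.
    Domains with other than two labels are rejected rather than guessed at.
    """
    local, sep, domain = email.partition('@')
    labels = domain.split('.')
    if not sep or not local or len(labels) != 2 or not all(labels):
        raise ValueError(f'unsupported login name: {email!r}')
    fields = {'uid': local, 'domain': labels[0], 'tld': labels[1]}
    # Single pass, so a value that itself contains '%tld' is never re-expanded.
    return _TEMPLATE_VAR.sub(lambda m: escape_dn_value(fields[m.group(1)]), template)


def matches_lldap_shape(dn: str, base: str) -> bool:
    """True if `dn` is exactly uid=<id>,ou=people,<base>, the format named in
    the LLDAP NamingViolation message quoted in the thread."""
    suffix = ',ou=people,' + base
    low = dn.lower()
    if not low.startswith('uid=') or not low.endswith(suffix.lower()):
        return False
    middle = dn[len('uid='):len(dn) - len(suffix)]
    # Non-empty id and no unescaped comma, i.e. no extra RDN smuggled in.
    return bool(middle) and re.search(r'(?<!\\),', middle) is None


def parse_ldap_url(url: str) -> dict:
    """Split a connection URL into scheme/host/port plus its query parameters as
    a dict, the way the thread describes the URL being handed to Net::LDAP."""
    u = urlsplit(url)
    if u.scheme not in ('ldap', 'ldaps'):
        raise ValueError(f'unsupported scheme: {u.scheme!r}')
    return {
        'scheme': u.scheme,
        'host': u.hostname,
        'port': u.port if u.port is not None else (636 if u.scheme == 'ldaps' else 389),
        'options': dict(parse_qsl(u.query, keep_blank_values=True)),
    }


def redact(parsed: dict) -> dict:
    """Copy of parse_ldap_url() output with credential options masked for logging."""
    options = {k: '********' if k.lower() in ('password', 'bindpw') else v
               for k, v in parsed['options'].items()}
    return {**parsed, 'options': options}


if __name__ == '__main__':
    # Constructed sample input, based on the values visible in the thread.
    template_default = 'uid=%uid,dc=%domain,dc=%tld'            # inferred from the LLDAP log
    template_fixed = 'uid=%uid,ou=people,dc=%domain,dc=%tld'    # CONVOS_AUTH_LDAP_DN from the thread
    base = 'dc=example,dc=com'
    for tpl in (template_default, template_fixed):
        dn = email_to_dn('user@example.com', tpl)
        print(f'{dn:45} accepted by LLDAP shape check: {matches_lldap_shape(dn, base)}')
    print(redact(parse_ldap_url('ldap://localhost:389?password=MyS3cret')))
```

Running the script shows the default-shaped DN failing the shape check and the ou=people one passing, which is the difference between the NamingViolation in the thread and the working login. One practical caveat: a password carried in the URL query (ldap://localhost:389?password=...) is readable from the process environment and is printed by the Net::LDAP debug trace that had to be retracted earlier in the thread, which is why anything logged here goes through redact() first.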
