Comments (18)
Thanks. The LDAP_SYNC_FILTER actually fixed the problem.
from wg-portal.
It is currently only supported to use email addresses as unique user identifiers or login names.
from wg-portal.
So, even in case I directly set LDAP_ATTR_EMAIL to something different, it does not work? Shouldn't the LDAP lookup work independent of the type of data specified?
Or is any kind of application-side data validation performed?
from wg-portal.
I found the issue: wg-portal/internal/server/ldapsync.go, lines 37 to 40 in edfecd5.
In our setup, we pay lots of attention to privacy and do not collect information like name or email address. As we have no data for LDAP.EmailAttribute, LDAP.FirstNameAttribute or LDAP.LastNameAttribute, all users of our setup are skipped. It would be great to provide an option to allow users without these attributes or (even better) a direct configuration field to specify the requested LDAP lookup (e.g. (&(|(objectclass=inetOrgPerson)))) implying the provided email (or whatsoever) attribute from the config.
What do you think about this?
from wg-portal.
The problem is that email addresses are used to link peers to users, and thus an email address is required.
As a workaround, you could introduce a pseudo email address like [email protected].
I will possibly change the LDAP filter mechanism to support plain LDAP filter strings.
from wg-portal.
I see. Couldn't the peer user be linked by the UID too? Or is there a technical need for mail addresses?
But yes, then, we will need to create pseudo mail addresses. Where would you recommend performing this within the source code?
from wg-portal.
The field that is used to link peers and users is called email, and there are some validators (for example all UI requests) that require that field to be a valid email address.
The easiest way is to directly add a pseudo email to your LDAP entries. So you can use the LDAP_ATTR_EMAIL as intended.
If you want to change it in the code you would have to modify:
- https://github.com/h44z/wg-portal/blob/master/internal/authentication/providers/ldap/provider.go#L162 : use a pseudo email
- https://github.com/h44z/wg-portal/blob/master/internal/server/ldapsync.go#L36 : replace this filter and also store the pseudo email address in ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]
- https://github.com/h44z/wg-portal/blob/master/internal/server/handlers_auth.go#L47: you might also want to replace the username here with the pseudo email address
That should be it...
Also make sure that the pseudo email addresses belong to your server or are undeliverable, otherwise WireGuard configurations might get leaked if they are sent to some random email address...
from wg-portal.
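The warning above about pseudo addresses is worth enforcing in code rather than by convention: a generated address that happens to land at a real third-party mail provider would carry the peer's WireGuard configuration, private key included, to a stranger. The following is an added Go example, not wg-portal's own code; the MailPolicy type, its OwnedDomains value and the sample addresses are constructed for the demonstration. It allows delivery only to domains the operator lists, treats the reserved top-level domains of RFC 2606/6761 as undeliverable, and flags every other domain as a leak risk.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Verdict is what a mailer should do with the address stored for a user.
type Verdict int

const (
	SendToOwned   Verdict = iota // domain we operate: safe to deliver the config
	Undeliverable                // reserved TLD (RFC 2606/6761): never resolves, skip sending
	ForeignDomain                // someone else's mailbox: a config sent here would leak
)

// reservedTLDs are guaranteed never to exist in the public DNS, so a
// pseudo address such as alice@users.invalid cannot reach a third party.
var reservedTLDs = map[string]bool{"invalid": true, "example": true, "test": true, "localhost": true}

// MailPolicy lists the mail domains the operator controls (assumed values).
type MailPolicy struct {
	OwnedDomains []string
}

// Classify parses addr and decides whether a WireGuard configuration
// may be emailed to it. Only the domain part is inspected.
func (p MailPolicy) Classify(addr string) (Verdict, error) {
	parsed, err := mail.ParseAddress(addr)
	if err != nil {
		return ForeignDomain, fmt.Errorf("unparseable address %q: %w", addr, err)
	}
	domain := strings.ToLower(parsed.Address[strings.LastIndex(parsed.Address, "@")+1:])
	for _, d := range p.OwnedDomains {
		if domain == strings.ToLower(d) {
			return SendToOwned, nil
		}
	}
	labels := strings.Split(domain, ".")
	if reservedTLDs[labels[len(labels)-1]] {
		return Undeliverable, nil
	}
	return ForeignDomain, nil
}

func main() {
	// Constructed policy and sample addresses for the demonstration.
	policy := MailPolicy{OwnedDomains: []string{"vpn.example.org"}}
	for _, a := range []string{"alice@vpn.example.org", "bob@users.invalid", "carol@third-party.net"} {
		v, err := policy.Classify(a)
		fmt.Println(a, v, err)
	}
}
```

The mailer would send only on SendToOwned; Undeliverable addresses are skipped silently, and a ForeignDomain result should be logged as a configuration error, since it means an operator-generated address points at a mailbox outside the operator's control.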
I don't know whether it may be relevant for the upstream, but I performed the corresponding modifications in https://github.com/TheOneWithTheBraid/wg-portal.
from wg-portal.
I'm not sure why, but these modifications do not seem to work properly. Maybe I need to adjust it somewhere else too?
Do you see any mistake here? TheOneWithTheBraid@aac3bb9
from wg-portal.
It is now possible to use an LDAP filter string like for example (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))
for the LDAP authentication and user synchronization: LDAP_LOGIN_FILTER and LDAP_SYNC_FILTER.
This is now the only way to filter users from LDAP; there are no other hardcoded filters in the code. Just make sure that LDAP_ATTR_EMAIL is always filled, as this attribute is required by WireGuard Portal.
The configuration attributes LDAP_TYPE, LDAP_USER_CLASS and LDAP_ATTR_DISABLED are therefore no longer needed and supported.
from wg-portal.
I did not go through all the changes yet but does this great change include support for different identifiers than mail address too?
from wg-portal.
Partially, you can now use a different attribute for login. Internally, WireGuard Portal still requires a valid email address to link user profiles with WireGuard peers.
from wg-portal.
Is there any plan to update this? We still cannot use the portal because we don't collect email addresses for privacy reasons? Are there any other blocking mechanisms preventing from using a generally configurable parameter instead of email?
from wg-portal.
You can use any LDAP attribute for login. If you do not use email addresses, simply generate some random ones and use those. I will change this requirement in version 2 of wg-portal, but I have no release date yet.
from wg-portal.
Yeah, we already generate random mail addresses. Our problem is that they are random, so no one, not even the user themselves, knows them except the LDAP server and some other incompatible services requiring a mail attribute (e.g. Nextcloud Registration). But as of now I don't see a way of using another identifier than mail for login, right? I cannot use uid as identifier instead of mail, even if I set LDAP_LOGIN_FILTER=(&(objectClass=organizationalPerson)(uid={{login_identifier}})), right?
from wg-portal.
LDAP_LOGIN_FILTER=(&(objectClass=organizationalPerson)(uid={{login_identifier}})) should work fine.
from wg-portal.
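Because {{login_identifier}} in LDAP_LOGIN_FILTER is replaced with whatever the user types into the login form, the value has to be escaped per RFC 4515 before substitution; otherwise a login name containing `*` or parentheses is read as filter syntax rather than as a literal. The thread does not show how wg-portal performs the substitution, so the following is an added Go example rather than the project's code, and EscapeFilterValue and RenderLoginFilter are names chosen here.

```go
package main

import (
	"fmt"
	"strings"
)

// EscapeFilterValue encodes the RFC 4515 metacharacters of an assertion
// value as \xx hex escapes, so the value is matched literally instead of
// being parsed as filter syntax.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// RenderLoginFilter fills the {{login_identifier}} placeholder of an
// LDAP_LOGIN_FILTER template with the escaped identifier. Without the
// escaping, a typed "*" would turn "(uid=*)" into a presence filter that
// matches every user, and a typed ")" could change the filter's structure.
func RenderLoginFilter(tmpl, ident string) string {
	return strings.ReplaceAll(tmpl, "{{login_identifier}}", EscapeFilterValue(ident))
}

func main() {
	// The login filter from the thread, with constructed login names.
	tmpl := "(&(objectClass=organizationalPerson)(uid={{login_identifier}}))"
	for _, id := range []string{"alice", "ali*", "o'brien (vpn)"} {
		fmt.Println(RenderLoginFilter(tmpl, id))
	}
}
```

Checking the project's own substitution code against this behaviour is the practical follow-up: if the raw identifier is spliced into the template, the escaping must be added there.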
Okay, interesting, because we still get the known errors:
wg-portal_1 | ERRO[2021-09-10 11:51:39] failed to fetch users from ldap: failed to search in ldap: LDAP Result Code 32 "No Such Object":
Our whole LDAP config is:
# LDAP Settings
LDAP_ENABLED=true
LDAP_URL=ldap://ip:389
LDAP_STARTTLS=false
LDAP_CERT_VALIDATION=false
LDAP_BASEDN=cn=users,cn=accounts,dc=example,dc=com
LDAP_USER=uid=admin,cn=users,cn=accounts,dc=example,dc=com
LDAP_PASSWORD=secret
LDAP_ADMIN_GROUP=cn=admins,cn=users,cn=accounts,dc=example,dc=com
LDAP_LOGIN_FILTER=(&(objectClass=organizationalPerson)(uid={{login_identifier}}))
LDAP_SYNC_FILTER=(&(|(objectclass=inetOrgPerson)))
LDAP_TYPE=OpenLDAP
#LDAP_USER_CLASS=inetOrgPerson
LDAP_ATTR_EMAIL=UID
LDAP_ATTR_FIRSTNAME=displayName
LDAP_ATTR_LASTNAME=uid
ldapsearch works perfectly using these filters.
Do you see any misconfiguration there?
from wg-portal.
This error is not related to the authentication backend. It is thrown while synchronizing LDAP users to the database (LDAP_SYNC_FILTER is used here). The sync filter looks incorrect to me... there is an AND and an OR condition that do not make any sense. Replace that filter with LDAP_SYNC_FILTER=(objectclass=inetOrgPerson). You also specify the UID attribute inconsistently; use either all lowercase or all uppercase characters. I think the attribute name should be specified in lowercase characters.
from wg-portal.
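A small parser makes the maintainer's point about the sync filter checkable: (&(|(objectclass=inetOrgPerson))) is syntactically valid but wraps a single operand in an AND and an OR, and Simplify collapses it to exactly the (objectclass=inetOrgPerson) suggested above; ParseFilter also rejects unbalanced or empty filters before they are sent to the directory. This is an added Go example, not wg-portal code; the Filter, ParseFilter and Simplify names are chosen here, and as a leniency the parser accepts the unparenthesised (!attr=value) shorthand from the Active Directory filter earlier in the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// Filter is a parsed node: a composite ('&', '|', '!') with Children, or a
// leaf such as "objectclass=inetOrgPerson" when Op is 0.
type Filter struct {
	Op       byte
	Children []*Filter
	Leaf     string
}

// String renders the node back in canonical parenthesised form.
func (f *Filter) String() string {
	if f.Op == 0 {
		return "(" + f.Leaf + ")"
	}
	s := "(" + string(f.Op)
	for _, c := range f.Children {
		s += c.String()
	}
	return s + ")"
}

// Simplify drops AND/OR wrappers around a single operand, turning the
// thread's (&(|(objectclass=inetOrgPerson))) into (objectclass=inetOrgPerson).
func Simplify(f *Filter) *Filter {
	if f.Op == 0 {
		return f
	}
	var kids []*Filter
	for _, c := range f.Children {
		kids = append(kids, Simplify(c))
	}
	if (f.Op == '&' || f.Op == '|') && len(kids) == 1 {
		return kids[0]
	}
	return &Filter{Op: f.Op, Children: kids}
}

type parser struct{ s string; pos int }

// ParseFilter parses an RFC 4515 filter string, rejecting unbalanced
// parentheses, empty composites and raw '(' inside values.
func ParseFilter(s string) (*Filter, error) {
	p := &parser{s: s}
	f, err := p.parse()
	if err != nil {
		return nil, err
	}
	if p.pos != len(s) {
		return nil, fmt.Errorf("trailing data at offset %d", p.pos)
	}
	return f, nil
}

func (p *parser) parse() (*Filter, error) {
	if p.pos+1 >= len(p.s) || p.s[p.pos] != '(' {
		return nil, fmt.Errorf("expected '(' at offset %d", p.pos)
	}
	p.pos++
	op := p.s[p.pos]
	if op != '&' && op != '|' && op != '!' {
		leaf, err := p.leaf()
		return &Filter{Leaf: leaf}, err
	}
	p.pos++
	node := &Filter{Op: op}
	if op == '!' && p.pos < len(p.s) && p.s[p.pos] != '(' {
		// Lenient: accept the thread's "(!attr=value)" shorthand as NOT over one leaf.
		leaf, err := p.leaf()
		node.Children = []*Filter{{Leaf: leaf}}
		return node, err
	}
	for p.pos < len(p.s) && p.s[p.pos] == '(' {
		child, err := p.parse()
		if err != nil {
			return nil, err
		}
		node.Children = append(node.Children, child)
	}
	if p.pos >= len(p.s) || p.s[p.pos] != ')' {
		return nil, fmt.Errorf("expected ')' at offset %d", p.pos)
	}
	p.pos++
	if len(node.Children) == 0 || (op == '!' && len(node.Children) != 1) {
		return nil, fmt.Errorf("operator %q has the wrong number of operands", op)
	}
	return node, nil
}

// leaf reads "attr=value" up to and including the item's closing ')'.
func (p *parser) leaf() (string, error) {
	end := strings.IndexByte(p.s[p.pos:], ')')
	if end < 0 {
		return "", fmt.Errorf("unterminated filter item at offset %d", p.pos)
	}
	item := p.s[p.pos : p.pos+end]
	if strings.ContainsRune(item, '(') || !strings.ContainsAny(item, "=~<>") {
		return "", fmt.Errorf("malformed filter item %q", item)
	}
	p.pos += end + 1
	return item, nil
}

func main() {
	f, _ := ParseFilter("(&(|(objectclass=inetOrgPerson)))")
	fmt.Println(Simplify(f)) // (objectclass=inetOrgPerson)
}
```

Running a configured LDAP_SYNC_FILTER and LDAP_LOGIN_FILTER through ParseFilter at startup turns a malformed filter into a clear configuration error instead of a search failure that only shows up in the sync log.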