In an email i received: Hi Toby, than

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Docker-compose: <div class="highlight highlight-source-yaml notranslate position-r

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

KimaiV2 as Docker container with LDAP,about tobybatch/kimai2

Comments (46)

bkraul commented on July 30, 2024 1

@kevinpapst you were right. Had the LAMP env (using webdevops/apache) going in no time. Set my app env to dev, worked immediately. Added local.yaml (as posted here), cleared cache and did warmup, changes immediately picked up. Getting tons of debugging information on dev.log:

[2019-07-05 11:59:10] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"secured_area","authenticators":1} []
[2019-07-05 11:59:10] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2019-07-05 11:59:10] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2019-07-05 11:59:11] doctrine.DEBUG: SELECT t0.username AS username_1, t0.username_canonical AS username_canonical_2, t0.email AS email_3, t0.email_canonical AS email_canonical_4, t0.enabled AS enabled_5, t0.salt AS salt_6, t0.password AS password_7, t0.last_login AS last_login_8, t0.confirmation_token AS confirmation_token_9, t0.password_requested_at AS password_requested_at_10, t0.roles AS roles_11, t0.id AS id_12, t0.alias AS alias_13, t0.registration_date AS registration_date_14, t0.title AS title_15, t0.avatar AS avatar_16, t0.api_token AS api_token_17 FROM kimai2_users t0 WHERE t0.username_canonical = ? LIMIT 1 ["bkraul"] []
[2019-07-05 11:59:12] app.DEBUG: ldap_search(ou=Users,dc=mydomain,dc=com, (&(samaccountname=bkraul)), [array]) {"action":"ldap_search","base_dn":"ou=Users,dc=mydomain,dc=com","filter":"(&(samaccountname=bkraul))","attributes":["+","*"]} []
[2019-07-05 11:59:12] app.DEBUG: Zend\Ldap\Exception\LdapException: 0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580): cn=serviceaccount,dc=mydomain,dc=com in /app/vendor/zendframework/zend-ldap/src/Ldap.php:991 Stack trace: #0 /app/src/Ldap/LdapDriver.php(64): Zend\Ldap\Ldap->bind() #1 /app/src/Ldap/LdapManager.php(66): App\Ldap\LdapDriver->search('ou=Users,dc=...', '(&(samaccountna...') #2 /app/src/Ldap/LdapManager.php(55): App\Ldap\LdapManager->findUserBy(Array) #3 /app/src/Ldap/LdapUserProvider.php(47): App\Ldap\LdapManager->findUserByUsername('bkraul') #4 /app/vendor/symfony/security/Core/User/ChainUserProvider.php(56): App\Ldap\LdapUserProvider->loadUserByUsername('bkraul') #5 /app/src/Ldap/LdapAuthenticationProvider.php(62): Symfony\Component\Security\Core\User\ChainUserProvider->loadUserByUsername('bkraul') #6 /app/vendor/symfony/security/Core/Authentication/Provider/UserAuthenticationProvider.php(64): App\Ldap\LdapAuthenticationProvider->retrieveUser('bkraul', Object(Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken)) #7 /app/vendor/symfony/security/Core/Authentication/AuthenticationProviderManager.php(76): Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvider->authenticate(Object(Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken)) #8 /app/vendor/symfony/security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php(100): Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager->authenticate(Object(Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken)) #9 /app/vendor/symfony/security/Http/Firewall/AbstractAuthenticationListener.php(128): Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener->attemptAuthentication(Object(Symfony\Component\HttpFoundation\Request)) #10 /app/vendor/symfony/security-bundle/Debug/WrappedListener.php(46): Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener->handle(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #11 /app/vendor/symfony/security-bundle/Debug/TraceableFirewallListener.php(35): Symfony\Bundle\SecurityBundle\Debug\WrappedListener->handle(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #12 /app/vendor/symfony/security/Http/Firewall.php(90): Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener->handleRequest(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), Object(Generator)) #13 /app/vendor/symfony/security-bundle/EventListener/FirewallListener.php(48): Symfony\Component\Security\Http\Firewall->onKernelRequest(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #14 /app/vendor/symfony/event-dispatcher/Debug/WrappedListener.php(115): Symfony\Bundle\SecurityBundle\EventListener\FirewallListener->onKernelRequest(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), 'kernel.request', Object(Symfony\Component\HttpKernel\Debug\TraceableEventDispatcher)) #15 /app/vendor/symfony/event-dispatcher/EventDispatcher.php(212): Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), 'kernel.request', Object(Symfony\Component\HttpKernel\Debug\TraceableEventDispatcher)) #16 /app/vendor/symfony/event-dispatcher/EventDispatcher.php(44): Symfony\Component\EventDispatcher\EventDispatcher->doDispatch(Array, 'kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #17 /app/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php(145): Symfony\Component\EventDispatcher\EventDispatcher->dispatch('kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #18 /app/vendor/symfony/http-kernel/HttpKernel.php(126): Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch('kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #19 /app/vendor/symfony/http-kernel/HttpKernel.php(67): Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object(Symfony\Component\HttpFoundation\Request), 1) #20 /app/vendor/symfony/http-kernel/Kernel.php(198): Symfony\Component\HttpKernel\HttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true) #21 /app/public/index.php(37): Symfony\Component\HttpKernel\Kernel->handle(Object(Symfony\Component\HttpFoundation\Request)) #22 {main} {"exception":"[object] (Zend\\Ldap\\Exception\\LdapException(code: 49): 0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580): cn=serviceaccount,dc=mydomain,dc=com at /app/vendor/zendframework/zend-ldap/src/Ldap.php:991)"} []
[2019-07-05 11:59:12] doctrine.DEBUG: SELECT t0.username AS username_1, t0.username_canonical AS username_canonical_2, t0.email AS email_3, t0.email_canonical AS email_canonical_4, t0.enabled AS enabled_5, t0.salt AS salt_6, t0.password AS password_7, t0.last_login AS last_login_8, t0.confirmation_token AS confirmation_token_9, t0.password_requested_at AS password_requested_at_10, t0.roles AS roles_11, t0.id AS id_12, t0.alias AS alias_13, t0.registration_date AS registration_date_14, t0.title AS title_15, t0.avatar AS avatar_16, t0.api_token AS api_token_17 FROM kimai2_users t0 WHERE t0.username_canonical = ? LIMIT 1 ["bkraul"] []
[2019-07-05 11:59:12] app.DEBUG: ldap_search(ou=Users,dc=mydomain,dc=com, (&(samaccountname=bkraul)), [array]) {"action":"ldap_search","base_dn":"ou=Users,dc=mydomain,dc=com","filter":"(&(samaccountname=bkraul))","attributes":["+","*"]} []
[2019-07-05 11:59:14] app.DEBUG: Zend\Ldap\Exception\LdapException: 0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580): cn=serviceaccount,dc=mydomain,dc=com in /app/vendor/zendframework/zend-ldap/src/Ldap.php:991 Stack trace: #0 /app/src/Ldap/LdapDriver.php(64): Zend\Ldap\Ldap->bind() #1 /app/src/Ldap/LdapManager.php(66): App\Ldap\LdapDriver->search('ou=Users,dc=...', '(&(samaccountna...') #2 /app/src/Ldap/LdapManager.php(55): App\Ldap\LdapManager->findUserBy(Array) #3 /app/src/Ldap/LdapUserProvider.php(47): App\Ldap\LdapManager->findUserByUsername('bkraul') #4 /app/vendor/symfony/security/Core/User/ChainUserProvider.php(56): App\Ldap\LdapUserProvider->loadUserByUsername('bkraul') #5 /app/vendor/symfony/security/Core/Authentication/Provider/DaoAuthenticationProvider.php(74): Symfony\Component\Security\Core\User\ChainUserProvider->loadUserByUsername('bkraul') #6 /app/vendor/symfony/security/Core/Authentication/Provider/UserAuthenticationProvider.php(64): Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider->retrieveUser('bkraul', Object(Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken)) #7 /app/vendor/symfony/security/Core/Authentication/AuthenticationProviderManager.php(76): Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvider->authenticate(Object(Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken)) #8 /app/vendor/symfony/security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php(100): Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager->authenticate(Object(Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken)) #9 /app/vendor/symfony/security/Http/Firewall/AbstractAuthenticationListener.php(128): Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener->attemptAuthentication(Object(Symfony\Component\HttpFoundation\Request)) #10 /app/vendor/symfony/security-bundle/Debug/WrappedListener.php(46): Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener->handle(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #11 /app/vendor/symfony/security-bundle/Debug/TraceableFirewallListener.php(35): Symfony\Bundle\SecurityBundle\Debug\WrappedListener->handle(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #12 /app/vendor/symfony/security/Http/Firewall.php(90): Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener->handleRequest(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), Object(Generator)) #13 /app/vendor/symfony/security-bundle/EventListener/FirewallListener.php(48): Symfony\Component\Security\Http\Firewall->onKernelRequest(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #14 /app/vendor/symfony/event-dispatcher/Debug/WrappedListener.php(115): Symfony\Bundle\SecurityBundle\EventListener\FirewallListener->onKernelRequest(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), 'kernel.request', Object(Symfony\Component\HttpKernel\Debug\TraceableEventDispatcher)) #15 /app/vendor/symfony/event-dispatcher/EventDispatcher.php(212): Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), 'kernel.request', Object(Symfony\Component\HttpKernel\Debug\TraceableEventDispatcher)) #16 /app/vendor/symfony/event-dispatcher/EventDispatcher.php(44): Symfony\Component\EventDispatcher\EventDispatcher->doDispatch(Array, 'kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #17 /app/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php(145): Symfony\Component\EventDispatcher\EventDispatcher->dispatch('kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #18 /app/vendor/symfony/http-kernel/HttpKernel.php(126): Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch('kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #19 /app/vendor/symfony/http-kernel/HttpKernel.php(67): Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object(Symfony\Component\HttpFoundation\Request), 1) #20 /app/vendor/symfony/http-kernel/Kernel.php(198): Symfony\Component\HttpKernel\HttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true) #21 /app/public/index.php(37): Symfony\Component\HttpKernel\Kernel->handle(Object(Symfony\Component\HttpFoundation\Request)) #22 {main} {"exception":"[object] (Zend\\Ldap\\Exception\\LdapException(code: 49): 0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580): cn=serviceaccount,dc=mydomain,dc=com at /app/vendor/zendframework/zend-ldap/src/Ldap.php:991)"} []
[2019-07-05 11:59:14] security.INFO: Authentication request failed. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException(code: 0): An error occurred with the search operation. at /app/vendor/symfony/security/Core/Authentication/Provider/DaoAuthenticationProvider.php:85, App\\Ldap\\LdapDriverException(code: 0): An error occurred with the search operation. at /app/src/Ldap/LdapDriver.php:72)"} []
[2019-07-05 11:59:14] security.DEBUG: Authentication failure, redirect triggered. {"failure_path":"fos_user_security_login"} []
[2019-07-05 11:59:20] request.INFO: Matched route "fos_user_security_login". {"route":"fos_user_security_login","route_parameters":{"_route":"fos_user_security_login","_controller":"fos_user.security.controller:loginAction","_locale":"en"},"request_uri":"http://dev-kimai.mydomain.com/en/login","method":"GET"} []
[2019-07-05 11:59:20] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"secured_area","authenticators":1} []
[2019-07-05 11:59:20] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2019-07-05 11:59:20] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2019-07-05 11:59:20] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2019-07-05 11:59:24] doctrine.DEBUG: SELECT k0_.id AS id_0, k0_.name AS name_1, k0_.value AS value_2 FROM kimai2_configuration k0_ WHERE k0_.name LIKE ? ["theme.%"] []
[2019-07-05 11:59:29] request.INFO: Matched route "_wdt". {"route":"_wdt","route_parameters":{"_route":"_wdt","_controller":"web_profiler.controller.profiler::toolbarAction","token":"32d37d"},"request_uri":"http://dev-kimai.mydomain.com/_wdt/32d37d","method":"GET"} []

from kimai2.

tobybatch commented on July 30, 2024

I'm waiting for a stable release from Kevin of Kimai before I build the new Docker. If you really need it then you can use the dev docker image as that builds against master.

If you have problems then let me know.

from kimai2.

bkraul commented on July 30, 2024

I too am interested on this. I am not sure exactly how I would use the docker image to add this functionality. I am guessing I would add the ldap component through composer, then include the yaml data, and add a few env variables?

from kimai2.

tobybatch commented on July 30, 2024

@bkraul It's available, https://cloud.docker.com/u/kimai/repository/docker/kimai/kimai2

Just mount the local.yml into the container something like this:

docker run -v $(pwd)/local.yml:/opt/docker/config/package/local.yml kimai/kimai2:1.0

I'll write this up better for the readme.

from kimai2.

bkraul commented on July 30, 2024

Added the mount as specified with local.yml containing AD information for my organization, however, I do not see it being called, and LDAP authentication is not working, as described in the Kimai LDAP referenced (accounts get synced on first login). Is the /opt/docker/config path correct? I have tried with tag 1.0 and with tag latest, to no avail. I am also unable to see any log information pointing me to any configuration issues.

Would I need to drop the database and recreate from scratch?

from kimai2.

kevinpapst commented on July 30, 2024

Not sure about the docker container, but if you run in prod, you normally have to clear the cache in order for new configs to take effect.

from kimai2.

tobybatch commented on July 30, 2024

Can you please include your local.yml and docker command or docker-compose file please?

from kimai2.

bkraul commented on July 30, 2024

Docker-compose:

version: '3.7'
services:
  kimai:
    image: kimai/kimai2:latest
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /root/docker-persist/kimai/local.yml:/opt/docker/config/package/local.yml
    environment:
      - VIRTUAL_HOST=kimai.mydomain.com
      - VIRTUAL_PORT=8001
      - APP_ENV=prod
      - DATABASE_URL=mysql://kimai:mypass@mydbserver/kimai
      - [email protected]
      - MAILER_URL=smtp://myemailserver:25/?encryption=null&auth_mode=null
      - APP_SECRET=myappsecret
    networks:
      - reverse-proxy

networks:
  reverse-proxy:
    external:
      name: reverse-proxy

local.yml:

kimai:
    ldap:
        connection:
            host: dc.mydomain.com
            username: [email protected]
            password: mypass
            accountDomainName: mydomain.com
            accountDomainNameShort: MYDOMAIN
            accountFilterFormat: (&(objectClass=Person)(sAMAccountName=%s))
        user:
            baseDn: ou=Users,dc=mydomain,dc=com
            filter: (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=person))
            usernameAttribute: samaccountname
            attributesFilter: (objectClass=Person)
            attributes:
                - { ldap_attr: mail, user_method: setEmail }
                - { ldap_attr: displayname, user_method: setAlias }
                - { ldap_attr: samaccountname,  user_method: setUsername }
        role:
            baseDn: dc=ad,dc=example,dc=com
            filter: (&(objectClass=group))
            groups:
                - { ldap_value: Leads, role: ROLE_TEAMLEAD }
                - { ldap_value: Sysadmins, role: ROLE_SUPER_ADMIN }
                - { ldap_value: Domain Admins, role: ROLE_SUPER_ADMIN }
                - { ldap_value: Users, role: ROLE_USER }

What I am confused about is, why does the file need to be mounted to /opt/docker/config, when the kimai folder for the docker image has /opt/kimai/config as the folder for the configurations? @kevinpapst, I also tried clearing the prod cache.

from kimai2.

tobybatch commented on July 30, 2024

@bkraul You're right thta's a type in the docs. it should be mounted as per these instructions: https://github.com/tobybatch/kimai2#docker-compose

I only updated those docs this morning.

As per @kevinpapst instruction clearing the cache will need a docker exec command:

docker-compose exec kimai /opt/kimai/bin/console cache:clear --env=prod

from kimai2.

bkraul commented on July 30, 2024

Followed everything to no avail. Documentation says an LDAP user will be imported on first login. However, as I try to do this with a user I know exists on the directory, I only get an Invaid credentials message.

Is there any way I can turn on logging to see any kind of errors that may be happening? Right now, my docker container's STDOUT only shows the container's initialization messages and HTTP requests, but nothing else.

from kimai2.

bkraul commented on July 30, 2024

Update: It seems that in addition to the cache clear, I have to restart the container itself. I was noticing that some of the other options I was setting in local.yaml were not taking place.

I was able to get those with a docker-compose down && docker-compose up -d. There is a configuration problem likely with my LDAP setup, so I still wish I could see more debugging information.

from kimai2.

bkraul commented on July 30, 2024

At a loss. This is what I am getting:

But no errors or any feedback on container logs.

from kimai2.

kevinpapst commented on July 30, 2024

Hm, that looks more like a misconfiguration.
We are currently trying to figure out how to stream the Kimai logs to the container output.
Right now, Kimai logs into var/log/prod.log, so I guess it should be /opt/kimai/var/log/prod.log.
Please have a look there.
If you can't find helpful logs, you should change your APP_ENV to dev to activate more logs.

from kimai2.

bkraul commented on July 30, 2024

Set APP_ENV=dev on my docker-compose. Container startup still shows this:

 // Clearing the cache for the prod environment with debug                      
 // false                                                                       
 [OK] Cache for the "prod" environment (debug=false) was successfully cleared.  
 // Warming up the cache for the prod environment with debug                    
 // false                                                                       
 [OK] Cache for the "prod" environment (debug=false) was successfully warmed.

Checked /opt/kimai/var/log/dev.log, and the only log output gets logged on startup. Among the things to note:

[2019-07-04 23:22:25] php.INFO: User Deprecated: The "FOS\UserBundle\Model\UserInterface" interface extends "Symfony\Component\Security\Core\User\AdvancedUserInterface" that is deprecated since Symfony 4.1. {"exception":"[object] (ErrorException(code: 0): User Deprecated: The \"FOS\\UserBundle\\Model\\UserInterface\" interface extends \"Symfony\\Component\\Security\\Core\\User\\AdvancedUserInterface\" that is deprecated since Symfony 4.1. at /opt/kimai/vendor/symfony/debug/DebugClassLoader.php:199)"} []

I am tailing the log, and when I try log in with an ActiveDirectory user (both user and password are correct), there is no output logged.

from kimai2.

kevinpapst commented on July 30, 2024

First thing to do: create a local user (either via command line or login/registration form) and see if you can login with that one. It must work, if not something else is broken.

Then check https://xxxxx/en/about/debug and verify that is says: Environment: APP_ENV / dev

And please tail var/log/*.log (just in case you are still running in prod)

from kimai2.

kevinpapst commented on July 30, 2024

Oh and btw: do you have this in your local.yaml? Its not mentioned in your post above.

from kimai2.

bkraul commented on July 30, 2024

I have a local user called master. Per the docker-compose instructions, I set my APP_ENV=dev under environment. Destroyed the container. Started it again. Cleared and warmed up cache as per instructions.

Signed in as the local user.

This is the debug page:

And yes, I added that section after @tobybatch updated the readme.

from kimai2.

kevinpapst commented on July 30, 2024

Okay, that must be answered by @tobybatch as I am not fmailiar with the docker setup.

But in this case, are there no logs in var/log/prod.log? The LDAP component logs explicit search and bind commands. If they are logged in prod (which I am not sure about) you will see them...

Edit: do you have the security settings in local.yaml?

from kimai2.

bkraul commented on July 30, 2024

It is weird. The only log I see is dev.log (and again there is no information logged when attempting to log in) but you saw, my app says it is in prod mode.

This is my current local.yaml (sensitive info edited). This is for connecting to a Microsoft ActiveDirectory base.

kimai:
    ldap:
        connection:
            host: dc.mydomain.com
            username: cn=serviceaccount,dc=mydomain,dc=com
            password: MySuperSecurePass
            accountDomainName: mydomain.com
            accountDomainNameShort: MYDOMAIN
            accountFilterFormat: (&(objectClass=Person)(sAMAccountName=%s))
        user:
            baseDn: ou=Users,dc=mydomain,dc=com
            filter: (&(objectClass=person))
            usernameAttribute: samaccountname
            attributesFilter: (&(objectClass=Person))
            attributes:
                - { ldap_attr: mail, user_method: setEmail }
                - { ldap_attr: displayname, user_method: setAlias }
                - { ldap_attr: samaccountname,  user_method: setUsername }
        role:
            baseDn: dc=mydomain,dc=com
            filter: (&(objectClass=group))
            groups:
                - { ldap_value: Leads, role: ROLE_TEAMLEAD }
                - { ldap_value: Sysadmins, role: ROLE_SUPER_ADMIN }
                - { ldap_value: Users, role: ROLE_USER }

    user:
        registration: false
        password_reset: false

security:
    providers:
        chain_provider:
            chain:
                providers: [kimai_ldap]
    firewalls:
        secured_area:
            kimai_ldap: ~

from kimai2.

bkraul commented on July 30, 2024

If I can't get the docker one to work I guess I'll have to set me up a LAMP container and try the composer install. Hopefully I can get more debug info then.

from kimai2.

kevinpapst commented on July 30, 2024

Maybe thats faster, setting up Kimai locally on Mac or Linux is a matter of 5 minutes.
Then find the working LDAP/AD config and afterwards @tobybatch might jump in and help with the docker setup.

from kimai2.

tobybatch commented on July 30, 2024

@bkraul Can you connect to the docker using docker-compose exec NAME bash and check the contents of the /etc/apache2/sites-available/000-default file.

The prod docker uses the settings from their when running in apache.

You shouldn't need to restart the container to load the new settings but if you want to be super sure use:

```docker-compose up --build -d && docker-compose logs -f```

from kimai2.

bkraul commented on July 30, 2024

I am pretty sure I need to restart. local.yaml did not get picked up until then, in spite of cache clearing and warmup. Here is the contents of the conf file:

<VirtualHost *:8001>
        ServerAdmin webmaster@localhost
        DocumentRoot /opt/kimai/public

        SetEnv DATABASE_PREFIX
        SetEnv MAILER_FROM [email protected]
        SetEnv APP_ENV prod
        SetEnv APP_SECRET Superdupersecret
        SetEnv DATABASE_URL mysql://validmysqlurl
        SetEnv MAILER_URL smtp://validsmtpurl

        <Directory "/opt/kimai/public">
            Require all granted
                DirectoryIndex index.php
                AllowOverride All
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

As you can see, from my previous posts, my docker env var clearly states dev. But the container initialization always says prod.

from kimai2.

tobybatch commented on July 30, 2024

Updates in the container, I guess you are using vim. moby/moby#15793 (comment)

If you look at the inode number of the file you are editing:

ls -i local.yaml

then edit it and repeat the ls then the inode will be different. So to the OS the file is different.

It bugs the hell out of me too. If you find a fix (other than mounting the folder) please let me know.

from kimai2.

tobybatch commented on July 30, 2024

Your env is really weird. It's effectively the same as mine but you seem to run in dev. Can we check the hash on your docker image please?

tobias@dockerhost:kimai_00 $ docker images kimai/kimai2:1.0 --no-trunc
REPOSITORY          TAG                 IMAGE ID                                                                  CREATED             SIZE
kimai/kimai2        1.0                 sha256:fcaef567f2a56dd02679f553ad8077066f327ccb3bb5f66fed12bb5ef8bc50f5   47 hours ago        1.09GB

from kimai2.

bkraul commented on July 30, 2024

REPOSITORY          TAG                 IMAGE ID                                                                  CREATED             SIZE
kimai/kimai2        1.0                 sha256:6d3faa6a5d2db2938e5278fa1d5966e80e6db97f1765d565ff1d7e9582be93bd   23 hours ago        1.09GB

from kimai2.

tobybatch commented on July 30, 2024

Ha, yours is newer than my prod env. I'll pull and update mine, hang on a sec.

from kimai2.

tobybatch commented on July 30, 2024

OK, mine is still running in prod.

Can you check the contents of the //opt/kimai/.env file please. @kevinpapst Other then apache conf and .env is there anywhere else symfony can get the env from?

from kimai2.

kevinpapst commented on July 30, 2024

Well, it takes it from the environment if found (Apache or regular bash env for bin/console).
Fallback is the .env file.

But isn't the problem, that it is still running in prod?
@bkraul switched the docker APP_ENV to dev but the apache config still has APP_ENV=prod, so the changed config is not taken into account. Is the Apache config regenerated?

Besides: maybe its a bad idea in the first place, to use the docker-prod image to switch to dev mode?

from kimai2.

bkraul commented on July 30, 2024

I have used both 1.0 and latest from that image (not sure if they are different). To the best of my knowledge, there should be no need to put the env on the apache conf, because the docker container picks up the vars from the environment and sets them as env vars in the container.

@tobybatch my .env file has:

DATABASE_PREFIX=
[email protected]
APP_SECRET=MySuperDuperSecret
DATABASE_URL=mysql://validmyslurl
MAILER_URL=smtp://validsmtpurl

There seems to be no mention of the APP_ENV var.

from kimai2.

tobybatch commented on July 30, 2024

The apache env gets re-written when the startup.sh is called, so on a re-build I guess.

https://github.com/tobybatch/kimai2/blob/master/tags/1.0/startup.sh#L47

The console commands will pick up the env from OS.

@bkraul Do we currently have several issues?

Switch environments
LDAP not working
No log files

Is this right?

from kimai2.

bkraul commented on July 30, 2024

@tobybatch that is correct, but only with the docker image. LAMP install from official Kimai through composer works as intended. (Minus the LDAP auth which I am still trying to iron out, of course)

from kimai2.

bkraul commented on July 30, 2024

@kevinpapst what does this mean?

[2019-07-05 13:14:45] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"secured_area","authenticators":1} []
[2019-07-05 13:14:45] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []
[2019-07-05 13:14:45] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"secured_area","authenticator":"App\\Security\\TokenAuthenticator"} []

from kimai2.

kevinpapst commented on July 30, 2024

Nothing relevant to your issue. The guard authenticator kicks in when calling the Json-API.

from kimai2.

bkraul commented on July 30, 2024

For some reason, the bind security context is not getting created, even though I am positive the login information for the bind account is correct:

[2019-07-05 14:26:42] app.DEBUG: Zend\Ldap\Exception\LdapException: 0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580): cn=ldapserviceaccount,dc=mydomain,dc=com...

    ldap:
        connection:
            host: dc.mydomain.com
            username: cn=ldapserviceaccount,dc=mydomain,dc=com
            password: correctPassword
            accountDomainName: mydomain.com
            accountDomainNameShort: MYDOMAIN
            accountFilterFormat: (&(objectClass=Person)(sAMAccountName=%s))

What am I missing here? By the way, I believe the Kimai documentation on LDAP for AD is incorrect. You cannot use a [email protected] notation, you get an error saying it must use the cn=user,dn=domain,dn=tld notation.

from kimai2.

kevinpapst commented on July 30, 2024

I will update the example about the username, after you found a working config.

This here https://www.infrasightlabs.com/common-error-codes-for-active-directory-authentication says :

data 52e = Invalid credentials = Returned when a valid username is supplied but an invalid password/credential is supplied. If this error is received, it will prevent most other errors from being displayed.

from kimai2.

bkraul commented on July 30, 2024

Yeah, I ended up in that post as well. I can't understand how the credentials are being interpreted as incorrect when I know for sure it is the right username and password. Question, would the APP_SECRET value have any bearing on how passwords are encoded before sending an LDAP request?

from kimai2.

kevinpapst commented on July 30, 2024

No, Kimai does not encrypt LDAP passwords.
You can add some debug infos here and see what is passed:
https://github.com/kevinpapst/kimai2/blob/master/src/Ldap/LdapDriver.php#L87

from kimai2.

bkraul commented on July 30, 2024

@kevinpapst, Has anyone ever reported a successful connection to Microsoft ActiveDirectory using Kimai2?

from kimai2.

kevinpapst commented on July 30, 2024

Yes, search the closed issues in the Kimai repo.

from kimai2.

bkraul commented on July 30, 2024

So I was looking at the function you suggested I track:

    public function bind(UserInterface $user, string $password): bool
    {
        $bindDn = $user->getUsername();
        try {
            $this->logDebug('{action}({bindDn}, ****)', [
                'action' => 'ldap_bind',
                'bindDn' => $bindDn,
            ]);
            $bind = $this->driver->bind($bindDn, $password);
            return $bind instanceof Ldap;
        } catch (LdapException $exception) {
            $this->ldapExceptionHandler($exception, $password);
        }
        return false;
    }

From this, when debugging is turned on, I should see an app.DEBUG message on the log showing a ldap_bind action. However, the only message I see before the error is a ldap_search debug event, never the bind. But the errors are clearly telling me there is a security context error. I'm so confused. I have been checking the issues on the kimai2 repo. Will keep trying.

from kimai2.

kevinpapst commented on July 30, 2024

Maybe I am wrong and it is not the "user bind", but the service-account bind:
https://github.com/kevinpapst/kimai2/blob/master/src/Ldap/LdapDriver.php#L64

from kimai2.

bkraul commented on July 30, 2024

The mystery has now been solved. The full DN string I was using for my ldap service account user apparently was incomplete AND incorrect (because of my sysadmin's OU requirements). When I put the full DN in, authentication and search worked, my user was imported and everything is operating.

@kevinpapst thank you for pointing me to the right debugging spots. I was able to add $this->driver->getOptions() to the debug output in the search function in order to see all that was being sent to the server.

I am torn between using the LAMP stack or using the docker container because of the APP_ENV situation, (which probably could use a separate issue) and because I am currenly using a php-nginx setup, which I prefer. I might create me a Dockerfile to suit my specific needs. @tobybatch , thank you for your prompt responses in spite of this VERY long thread.

This particular LDAP issue can now be closed if desired.

from kimai2.

tobybatch commented on July 30, 2024

@bkraul I'm really happy to work with you to produce an nginx solution. my original version of the docker used nginx but i had some issues with setting up the php.

I'd love to offer apache and nginx versions.

from kimai2.

bkraul commented on July 30, 2024

@tobybatch ok, so this is what I have got. This yields a fully operational Kimai2 set up on nginx. I have talked to @kevinpapst about some ways of making the initialization more graceful, but until then, this seems to work great for me. As mentioned, I prefer to use the webdevops/php-nginx image as my base, as it is well-updated, has extensive documentation and is well-organized (includes everything that is needed).

I have 2 versions, one based on ubuntu and based on alpine. I have not put this on a GitHub repo, this is my self-hosted one. Feel free to check it out. This implementation does require that the database be created beforehand (through like phpMyAdmin and such).

Attached is a usual docker-compose (using jwilder/nginx-proxy):

version: '3.7'
services:
  kimai:
    image: bkraul/kimai2:nginx-alpine
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./local.yaml:/app/config/packages/local.yaml
    environment:
      # nginx-proxy
      - VIRTUAL_HOST=kimai.mydomain.com
      - PHP_DATE_TIMEZONE=America/Chicago
      # kimai2
      - APP_ENV=prod
      - DATABASE_URL=mysql://validsqlurl
      - [email protected]
      - MAILER_URL=smtp://validsmtpurl
      - APP_SECRET=Superdupersecret
      # initial admin user
      - APP_ADMIN_USER=master
      - [email protected]
      - APP_ADMIN_PASS=masterPassword
    networks:
      - reverse-proxy

networks:
  reverse-proxy:
    external:
      name: reverse-proxy

from kimai2.

tobybatch commented on July 30, 2024

@bkraul Thanks, I'll take a look at those. I will try and offer an nginx version soon.

from kimai2.

KimaiV2 as Docker container with LDAP about kimai2 HOT 46 CLOSED

Comments (46)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent