Unable to log in via basic CKAN authentication after installing LDAP extension #71
Comments
|
Hi @reedv - the extension definitely supports the functionality you quote ( If we assume the error message is correct then there wouldn't be anything in the logs as the error is a user error - Unfortunately, there's not much for me to go on here and it may not even be a problem in the LDAP extension at all! |
|
Yes, I can log in using the system CKAN credentials when I remove the I agree, it is odd (but again, the fact that it works after removing the Note that I've modified my search.py file for the extension to look as described here (#70 (comment)), but again I see nothing in the logs pointing to this piece of code (plus the fact that the plugin is removed in this case). |
|
Testing again (which failed and produced that same "Bad username or password" error message in the UI) and checking the logs around this timestamp in (did not notice these earlier because they are not error messages). These are the only things that seemed related, but really IDK how to interpret this. |
|
There are three places in the extension code where you might get a 'Bad username or password' error (all in login.py). If you temporarily change the error messages (e.g. to 'bad username 1', 'bad username 2', etc.), you can see where it's stopping and we might be able to help further. (Alternatively, if you have a debugger set up, stepping through the code in login.py would probably be very helpful). |
|
IC, interesting. I get what you're saying (the different |
|
Editing the login.py file to include more descriptive error messages like... .
.
.
elif ldap_user_dict:
# There is an LDAP user, but the auth is wrong. There could be a
# CKAN user of the same name if the LDAP user had been created
# later - in which case we have a conflict we can't solve.
if toolkit.config['ckanext.ldap.ckan_fallback']:
exists = _helpers.ckan_user_exists(login)
if exists['exists'] and not exists['is_ldap']:
return _helpers.login_failed(error=toolkit._(
'Username conflict. Please contact the site administrator.'))
return _helpers.login_failed(error=toolkit._('Bad username or password. LDAP, but auth is wrong'))
elif toolkit.config['ckanext.ldap.ckan_fallback']:
# No LDAP user match, see if we have a CKAN user match
try:
user_dict = _helpers.get_user_dict(login)
# We need the model to validate the password
user = User.by_name(user_dict['name'])
except toolkit.ObjectNotFound:
user = None
if user and user.validate_password(password):
return _helpers.login_success(user.name, came_from=came_from)
else:
return _helpers.login_failed(
error=toolkit._('Bad username or password. No LDAP match, checked CKAN'))
else:
return _helpers.login_failed(error=toolkit._('Bad username or password. Catchall'))
.
.
....and running sudo rm -rf /usr/lib/ckan/default/lib/python2.7/site-packages/ckanext_ldap*
sudo /usr/lib/ckan/default/bin/python install...I see that it is throwing the final "catchall" error (which is odd since I'd expect my system user to be caught in the "No LDAP user match, see if we have a CKAN user match" section of the code). Attempting to look at the Had thought the problem was that your extension's Note that the user's name is "admin" and they are a sysadmin user, IDK if that would be messing anything up with the _helpers.py file (I doubt it). I'd like to examine the |
|
You need to set |
|
Well, that worked, thanks. How did you figure that out / what was your chain of reasoning (ie. how could I have figured that out from the debugging into provided)? Also for future reference, how can I print things to the ckan logs? |
|
If it was set to true, you would've seen the behaviour you expected - i.e. it would follow the second You have to use the Example of using log messages: then: ckanext-ldap/ckanext/ldap/routes/_helpers.py Line 202 in afded53 There are several loggers in the Lines 28 to 30 in afded53 |
Description
A clear and concise description of what the bug is.
Docs say that extension...
...but when attempting to sign in as a user (a sysadmin) account that was created via...
...am given a "Bad username or password" error.
Expected Behaviour
What you expected to happen instead.
Expect to be able to log into CKAN web UI with non-ldap users that were created on the system via
ckanCLI.To Reproduce
Steps to reproduce the bug.
ckan -c /etc/ckan/default/ckan.ini sysadmin add admin email=myadmin@myorg.org name=adminckanext-ldapextensionError Log
Paste any relevant error logs below:
Could not see anything in the
/var/log/ckan/ckan-uwsgi.stderr.logor/var/log/ckan/ckan-worker.stderr.logfiles that seemed related to this or indicating any errors at all from around the timestamp that this testing was done, but can provide more logged info if there is anything specific to look for.Screenshots
Add screenshots to illustrate the bug if you want.
Your Setup
Anything Else?
...
The text was updated successfully, but these errors were encountered: