Add unexpected exception log when bind user can authenticate, but doesn't exist in LDAP #9516
Comments
@MiniDigger Not sure I quite understand? The bind user needs to be bound to fetch user info on login/refresh, so we know their DN to be a kind of ground truth of a value that should exist. So on healthcheck, we do a search to find that ground truth, and handle the appropriate error if the connection has been lost. If the bind user DN doesn't exist, then there is a problem in your configuration?

talked to aidenfoxx on discord.

ok, my bind user is indeed not in my ldap (that would have been too easy). idk how exactly it works, but it's possible to transfer the bind user into ldap to solve that issue (it seems like the sysplex stuff accesses the underlying storage (ibm racf, ancient mainframe tech) directly), so this issue is not really an issue then I guess. would still be cool to have some kind of logging if end is called but searchEntry isn't, because while this totally should not happen, it clearly can happen if your setup is weird enough :D

We could just add a reject on "end" if with an But this feels like a real edge case so I'm not too worried right now.

yeah, error is fine, just should point to the health check so you can find out what went wrong yourself without digging too long.

@MiniDigger @rijkvanzanten I added #9527 to handle this, but I couldn't reproduce the issue on my side. For me when querying a record that doesn't exist I get a

It's a weird pseudo object I guess. Many thanks, hopefully this will save somebody else some headaches

Fixed in #9527
Preflight Checklist
Describe the Bug
If the ldap user you use to search in ldap is in a different subtree than the users you want to allow to login into directus, the ldap health check fails to find a user and thus login never works. (We separate between technical users and organisational/"real" users)
I think the health check should not fail if the bind user has not been found in the user dn.
If I add
my config works as expected (if you ignore the fact that my user has two cn attributes and only the second one is the one used for my dn.....).
If that's something that you would want to have upstream, I can polish it up and PR it.
To Reproduce
have an ldap bind user in a different group than ldap directus users
Errors Shown
No response
What version of Directus are you using?
9.0.0
What version of Node.js are you using?
14
What database are you using?
pg 13
What browser are you using?
chrome
What operating system are you using?
windows 10
How are you deploying Directus?
locally