v2 testing with ldap - default peers #213

Closed
pasztorl opened this issue Feb 23, 2024 · 3 comments
Labels
invalid This doesn't seem right v2 Will be implemented in version 2

Comments

@pasztorl

Hi,

I continued testing the v2 version and I configured LDAP user sync.
I also configured it to create a default peer for new users.

I found out that if the user is not in the admin group, wg-portal can't create the default peer because of a permission problem.
Is this the expected behaviour? I hope not, because it would be great if I could sync new users from LDAP (without admin rights) and they could log in and download the pre-created client configuration.

In the second try I started to sync users from LDAP with the admin group. In this case I didn't get a permission problem, but the default peer config was not created.
Here is the log:

```text
TRAC[0010] starting to synchronize users for idm        
TRAC[0010] fetched 1 raw ldap users...                  
TRAC[0010] SELECT * FROM `users` WHERE `users`.`identifier` = 'lenard.pasztor@xxx.yy' ORDER BY `users`.`identifier` LIMIT 1  duration=1.270231ms rows=0 src="/home/circleci/repo/internal/adapters/database.go:662"
TRAC[0010] SELECT * FROM `users` WHERE `users`.`identifier` = 'lenard.pasztor@xxx.yy' ORDER BY `users`.`identifier` LIMIT 1  duration="705.113µs" rows=0 src="/home/circleci/repo/internal/adapters/database.go:756"
TRAC[0010] INSERT INTO `users` (`created_by`,`updated_by`,`created_at`,`updated_at`,`identifier`,`email`,`source`,`provider_name`,`is_admin`,`firstname`,`lastname`,`phone`,`department`,`notes`,`password`,`disabled`,`disabled_reason`,`locked`,`locked_reason`) VALUES ('_WG_SYS_UNKNOWN_','_WG_SYS_UNKNOWN_','2024-02-23 22:33:51.311','2024-02-23 22:33:51.311','lenard.pasztor@xxx.yy','','db','',false,'','','','','','',NULL,'',NULL,'')  duration=1.123412ms rows=1 src="/home/circleci/repo/internal/adapters/database.go:756"
TRAC[0010] UPDATE `users` SET `created_by`='_WG_SYS_UNKNOWN_',`updated_by`='_WG_SYS_UNKNOWN_',`created_at`='2024-02-23 22:33:51.311',`updated_at`='2024-02-23 22:33:51.313',`email`='lenard.pasztor@xxx.yy',`source`='ldap',`provider_name`='',`is_admin`=true,`firstname`='Lenard',`lastname`='Pasztor',`phone`='',`department`='',`notes`='',`password`='',`disabled`=NULL,`disabled_reason`='',`locked`=NULL,`locked_reason`='' WHERE `identifier` = 'lenard.pasztor@xxx.yy'  duration=7.244356ms rows=1 src="/home/circleci/repo/internal/adapters/database.go:768"
ERRO[0010] handling new user event for lenard.pasztor@xxx.yy 
TRAC[0010] SELECT * FROM `users`                         duration="708.902µs" rows=2 src="/home/circleci/repo/internal/adapters/database.go:677"
TRAC[0010] SELECT * FROM `interface_addresses` WHERE `interface_addresses`.`interface_identifier` = 'wg0'  duration="800.626µs" rows=1 src="/home/circleci/repo/internal/adapters/database.go:284"
TRAC[0010] SELECT * FROM `cidrs` WHERE `cidrs`.`cidr` = '10.15.17.254/24'  duration="593.817µs" rows=1 src="/home/circleci/repo/internal/adapters/database.go:284"
TRAC[0010] SELECT * FROM `interfaces`                    duration=3.809194ms rows=1 src="/home/circleci/repo/internal/adapters/database.go:284"
INFO[0010] created 0 default peers for user lenard.pasztor@xxx.yy
```

Unfortunately there is no info about the error.

@pasztorl

Update: when I set up the peer defaults on the interface before the LDAP sync starts, I get this:

```text
TRAC[0010] UPDATE `users` SET `created_by`='_WG_SYS_UNKNOWN_',`updated_by`='_WG_SYS_UNKNOWN_',`created_at`='2024-02-23 23:04:44.718',`updated_at`='2024-02-23 23:04:44.722',`email`='lenard.pasztor@xxx.yy',`source`='ldap',`provider_name`='',`is_admin`=true,`firstname`='Lenard',`lastname`='Pasztor',`phone`='',`department`='',`notes`='',`password`='',`disabled`=NULL,`disabled_reason`='',`locked`=NULL,`locked_reason`='' WHERE `identifier` = 'lenard.pasztor@xxx.yy'  duration=8.156765ms rows=1 src="/home/circleci/repo/internal/adapters/database.go:768"
...
ERRO[0010] failed to create default peer for lenard.pasztor@xxx.yy: failed to create default peer JvP7UY4bp2DZ5TQEUOy8oan1WkR3FMEeKAMHD8Nlxko= on interface wg0: creation not allowed: insufficient permissions 
```

So in this case the new user is an admin, but it ends with the same permission problem.

@Sarevok933219

@pasztorl please share your working config.yaml (without creds, of course) as an example. I can't configure it on the V2 alpha. I get this error:

```text
"msg": "failed to synchronize LDAP users for Ctrlops LDAP: failed to setup LDAP connection: failed to bind to LDAP: LDAP Result Code 34 "Invalid DN Syntax": invalid DN",
```

@h44z
Owner

h44z commented Apr 2, 2024

This issue cannot be reproduced; default peers are created for admin and non-admin users.

@Sarevok933219 a sample config could look like this:

```yaml
core:
  admin_user: admin@wgportal.local
  admin_password: secret
  create_default_peer: true

advanced:
  log_level: debug
  log_pretty: true
  log_json: false
  config_storage_path: /etc/wireguard
  expiry_check_interval: 15m

statistics:
  collect_peer_data: false
  collect_audit_data: false
  collect_interface_data: false

database:
  debug: true
  type: sqlite
  dsn: data/sqlite.db

auth:
  callback_url_prefix: https://vpn.yourcompany.com/api/v0
  ldap:
    - id: ldap
      provider_name: Active Directory
      display_name: Login with</br>AD
      url: ldap://ad01.your-company.local:389
      bind_user: ldap_wireguard@your-company.local
      bind_pass: a-super-S3CRET-password
      base_dn: DC=YOURCOMPANY,DC=LOCAL
      login_filter: (&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2))
      admin_group: CN=WireGuardAdmins,OU=_O_ASampleGroup,DC=YOURCOMPANY,DC=LOCAL
      synchronize: true
      sync_filter: (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))
      registration_enabled: true
```

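The `login_filter` in the sample config above substitutes whatever the user types at login into an LDAP search filter through the `{{login_identifier}}` placeholder. The Go snippet below is an added example, not wg-portal's own code, showing the RFC 4515 escaping a login handler needs before doing that substitution, next to a naive substitution that lets an identifier like `*` or `x)(objectClass=*` rewrite the filter. The function names, the placeholder handling and the sample identifiers are assumptions for illustration; whether wg-portal performs this escaping is not shown on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue applies RFC 4515 escaping to a value that is going to be
// substituted into an LDAP search filter: '*', '(', ')', '\' and NUL are
// replaced by "\2a", "\28", "\29", "\5c" and "\00". Everything else is copied
// through unchanged.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// renderLoginFilter substitutes {{login_identifier}} in a login_filter template
// (same placeholder as in the config on this page) with the escaped identifier,
// so the identifier is always treated as a literal attribute value.
func renderLoginFilter(template, loginIdentifier string) string {
	return strings.ReplaceAll(template, "{{login_identifier}}", escapeFilterValue(loginIdentifier))
}

// naiveRender is the unsafe variant for comparison: the raw identifier is
// pasted into the filter, so filter metacharacters change the query.
func naiveRender(template, loginIdentifier string) string {
	return strings.ReplaceAll(template, "{{login_identifier}}", loginIdentifier)
}

// loginFilterTemplate is the login_filter from the sample config above.
const loginFilterTemplate = "(&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2))"

func main() {
	// Constructed sample identifiers: a normal login and two hostile ones.
	for _, id := range []string{"alice@your-company.local", "*", "x)(objectClass=*"} {
		fmt.Printf("identifier %q\n  naive:   %s\n  escaped: %s\n", id,
			naiveRender(loginFilterTemplate, id), renderLoginFilter(loginFilterTemplate, id))
	}
}
```

With the naive variant, an identifier of `*` turns the mail clause into `(mail=*)`, which matches every enabled person with a mail attribute instead of one account; with escaping the same input becomes `(mail=\2a)`, a literal asterisk that matches nothing. The bind that follows still requires the user's password, but the search result decides which DN is bound and which user record is synced, so the filter must not be attacker-shaped.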
@h44z h44z closed this as completed Apr 2, 2024
@h44z h44z added invalid This doesn't seem right v2 Will be implemented in version 2 labels Apr 2, 2024