
Baremetal installation, problem with LDAP #2226

Open
Michal-Zacek opened this issue Mar 23, 2020 · 16 comments

Comments

@Michal-Zacek

Hello,
I have done a baremetal installation and MISO works perfectly with -Dsecurity.jdbc in setenv.sh, but if I change it to -Dsecurity.ldap and set security.method:ldap in "/storage/miso/security.properties", there is an error in the catalina.out log and MISO will not start.
Error:
Cannot convert value of type 'uk.ac.bbsrc.tgac.miso.core.security.LdapMappedAuthoritiesPopulator' to required type 'org.springframework.security.authentication.AuthenticationProvider': no matching editors or conversion strategy found.

Did I miss some steps in the configuration? I double-checked the whole baremetal guide, but I cannot find any more configuration related to LDAP.
Thanks a lot for any help.
Best regards,
Michal

miso_ldap.log

@djcooke
Contributor

djcooke commented Mar 23, 2020

Hello. It looks like there may be an error in MISO's internal LDAP config. I'm looking into it today

djcooke added a commit that referenced this issue Mar 23, 2020
@djcooke
Contributor

djcooke commented Mar 23, 2020

The fix is in #2227, which will be included in the next release. Once it gets merged, I'll post instructions that you can use to try it out before the release if you'd like.

@Michal-Zacek
Author

Hello,
thanks a lot, that was very fast. So all I have to do to fix it is change one line in the miso-web/src/main/webapp/WEB-INF/ldap-security-config.xml file, ldapAuthPopulator --> ldapAuthProvider, then build ROOT.war and install it to Tomcat?
Best regards,
Michal

@djcooke
Contributor

djcooke commented Mar 23, 2020

Yes, you can try out the fix that way if you'd like. It is probably the simpler immediately-available option.

The other option would be to build and deploy the current develop branch now that the patch is merged. The problem with this is that you'd have to apply the new database migrations that are in develop, and that would put your database in a state where you wouldn't be able to simply migrate to the next release version.

The third option is to wait until Thursday when we prepare the next release.

Let us know when you try it out and whether there are any other problems. Thanks for reporting the problem too.

@Michal-Zacek
Author

Hello,
MISO with LDAP is running, but I can't log in with an LDAP user. If I try to log in with the LDAP user (mza), I get a blank page and some errors in the log. I tried to summarize all relevant information in the attached file.
Thanks.
Best regards,
Michal

miso_ldap_login_error.txt

@apmasell
Contributor

In the properties file, I think you want to do security.ldap.groupSearchFilter:member={0} which should achieve the same as what you have.

What objectClasses are associated with a user record, say uid=mza,cn=users,cn=accounts,dc=img,dc=local? MISO is expecting objectClass: inetOrgPerson.

@Michal-Zacek
Author

ldapsearch -h fido2.img.local -x -D uid=l_ldap_ro,cn=users,cn=accounts,dc=img,dc=local -w xxxxxxxxx -b cn=accounts,dc=img,dc=local uid=mza | grep objectClass

objectClass: CiscoPerson
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: sambaSAMAccount
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
objectClass: pilotObject
objectClass: printingPerson

@avarsava
Contributor

Hi Michal,

That's very interesting that your user has inetorgperson yet is not being seen as one by MISO.

I've merged a feature into the develop branch that should clear the error you were seeing. If you could pull the latest code from develop, rebuild and deploy MISO, and try logging in again, that would be a great help for us to debug this issue.

Please let us know if you have any further questions or issues!

Regards,
Alexis

@Michal-Zacek
Author

Hello all,

With the develop version, LDAP login works ;-). Thank you so much. I have one last question, I hope. What LDAP attributes are mapped to Full name and Email address? For my test user (mza), the Full name is "mza" rather than "MichalZ Test_User" and the email is empty.
Thanks.
Best regards,
Michal

mza_ldap.txt
miso_userdetail

@djcooke
Contributor

djcooke commented Mar 25, 2020

Can you try modifying miso-web/src/main/webapp/WEB-INF/ldap-security-config.xml and edit the ldapAuthProvider bean to look like this:

<bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <constructor-arg ref="contextSource" />
      <property name="userSearch" ref="ldapUserSearch" />
    </bean>
  </constructor-arg>
  <constructor-arg ref="ldapAuthPopulator" />
  <property name="userDetailsContextMapper" ref="ldapInetOrgPersonMapper" />
</bean>

(add the userDetailsContextMapper property)

I think with this change, you'll get the correct full name and email. Try rebuilding and deploying with that change and let us know if that does it. If so, we'll make sure this change gets into the next release.

@Michal-Zacek
Author

Hello,

With this modification, full name and email are correctly loaded from LDAP. Everything seems to work just fine, thanks again. I have only one small issue. Our users have more than one email address (mail is a multivalued attribute) and the order in which LDAP returns the mail attribute values is completely random. That's why we have the "primary mail" (firstname.lastname@domain) stored in another LDAP attribute, "l", so would it be possible to change "mail" to "l" as the source of the email in the MISO user details?
Best regards,
Michal

@djcooke
Contributor

djcooke commented Mar 26, 2020

I think I have a fix that will allow you to specify a custom attribute for email. In security.properties, add this line:

security.ldap.emailAttribute:l

Then checkout, build, and deploy from the branch GH-2226_ldapFix. Let me know if that works for you.
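Two points in this thread can be checked offline against an ldapsearch dump: whether a user entry carries inetOrgPerson (objectClass values match case-insensitively in LDAP, which is why the lowercase inetorgperson above should count) and whether a configured email attribute yields exactly one value when mail is multivalued. The following is an added example, not MISO's own code; the LDIF record is constructed to resemble the output posted above and the function names are illustrative.

```python
"""Added example (not MISO code): parse one LDIF entry from ldapsearch and
apply the checks discussed in the thread."""
from collections import defaultdict

# Constructed sample, modelled on the ldapsearch output in the thread.
# Values are illustrative and do not come from a real directory.
SAMPLE_LDIF = """\
dn: uid=mza,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
objectClass: top
objectClass: inetorgperson
objectClass: posixaccount
uid: mza
cn: MichalZ Test_User
mail: mza@example.test
mail: michalz.test_user@example.test
l: michalz.test_user@example.test
"""


def parse_ldif_entry(text):
    """Return {attribute_name_lowercased: [values]} for one LDIF entry.
    Attribute names are case-insensitive in LDAP, so they are normalised.
    Folded lines (leading space) are joined; base64 ('::') is not handled."""
    attrs = defaultdict(list)
    last = None
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:  # folded continuation
            attrs[last][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        last = name.strip().lower()
        attrs[last].append(value.strip())
    return dict(attrs)


def has_object_class(attrs, wanted):
    """objectClass uses a case-ignoring matching rule, so 'inetorgperson'
    from the server must satisfy a check for 'inetOrgPerson'."""
    return wanted.lower() in {v.lower() for v in attrs.get("objectclass", [])}


def pick_email(attrs, email_attribute="mail"):
    """Select the email from a configurable attribute (the thread's
    security.ldap.emailAttribute idea). Returns the value only when it is
    unambiguous; None if the attribute is missing or multivalued, since the
    server does not guarantee the order of multiple values."""
    values = attrs.get(email_attribute.lower(), [])
    return values[0] if len(values) == 1 else None
```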

@Michal-Zacek
Author

No change, still using mail attribute.
What I did:
systemctl stop tomcat.service
rm -fr /usr/share/tomcat/webapps/ROOT*
git clone --branch GH-2226_ldapFix https://github.com/miso-lims/miso-lims.git
cd miso-lims/
mvn clean package
cp miso-web/target/ROOT.war /usr/share/tomcat/webapps/
systemctl restart tomcat

Best regards,
Michal

@djcooke
Contributor

djcooke commented Mar 26, 2020

Did you add the line to your security.properties?

@Michal-Zacek
Author

Yes, to the /storage/miso/security.properties.

@djcooke
Contributor

djcooke commented Apr 6, 2020

For now, I have a PR in to fix full name and email retrieval using the regular mail attribute (#2238). I'll keep this issue open as a request to allow specifying a custom email attribute.
