Create Ldap user directly at Teampass DB and restrict login to Group Ldap don't work #1539

Closed
andresguisado opened this issue Oct 7, 2016 · 5 comments

Comments

andresguisado commented Oct 7, 2016

Steps to reproduce

  1. Posix / OpenLDAP (RFC2307) Search Based LDAP configuration:
  • LDAP server type: Posix / OpenLDAP (RFC2307) Search Based
  • Class to search: inetOrgPerson
  • User attribute to search: uid
  • LDAP group to search: cn=Teampass,ou=Apps,dc=example,dc=com
  • LDAP bind DN: cn=Manager,dc=example,dc=com
  • LDAP bind password: XXXX
  • LDAP search base: ou=People,dc=example,dc=com
  • LDAP domain controller(s): server01
  • Use LDAP through SSL (LDAPS): NO
  • Use LDAP through TLS: NO
  • Teampass local users only: NO
  2. Try to log in; it doesn't work.

Expected behaviour

LDAP login should work.
1. Teampass should create the LDAP user in the database at the first LDAP login attempt.
2. The LDAP group filter should work too. If the LDAP user exists in the People OU but does not exist in the Teampass LDAP group, the LDAP login should not succeed; if the user exists in both, it should succeed.

Actual behaviour

If the LDAP user doesn't exist in the Teampass DB in advance, LDAP login doesn't work.

If the LDAP user exists in the Teampass DB in advance, LDAP login works but the LDAP group filter doesn't work.
Regarding the group filter: if the LDAP user exists in the People OU but doesn't exist in the Teampass LDAP group, the LDAP login is successful too; the user should have to exist in both for the login to succeed.

Server configuration

Operating system:Centos7

Web server: Apache 2.4

Database: mysql 5.7

PHP version: PHP 5.6

Teampass version: v.2.1.26 (final release)

Updated from an older Teampass or fresh install: Fresh Install

Client configuration

Browser: Chrome Version 53.0.2785.143 (64-bit)

Operating system: Mac

Logs

LDAP log

* LDAP log if the user doesn't exist in Teampass in advance: the login never succeeds and never gets past the login page:

Oct  9 15:58:25 server01 slapd[18870]: conn=1708 fd=30 ACCEPT from IP=X.X.X.X:44194 (IP=0.0.0.0:389)
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=0 RESULT tag=97 err=0 text=
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(&(uid=test.ldap)(objectClass=inetOrgPerson))"
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=1 SRCH attr=dn
Oct  9 15:58:25 server01 slapd[18870]: <= bdb_equality_candidates: (uid) not indexed
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=2 SRCH base="cn=Teampass,ou=Apps,dc=example,dc=com" scope=2 deref=0 filter="(memberUid=test.ldap)"
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=2 SRCH attr=dn
Oct  9 15:58:25 server01 slapd[18870]: <= bdb_equality_candidates: (memberUid) not indexed
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=3 BIND anonymous mech=implicit ssf=0
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=3 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" method=128
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=3 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=3 RESULT tag=97 err=0 text=
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=4 UNBIND
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 fd=30 closed


* LDAP log if the user exists in Teampass in advance and exists in both People and the Teampass group: the login succeeds:

Oct  9 15:48:41 server01 slapd[18870]: conn=1702 fd=30 ACCEPT from IP=X.X.X.X:44142 (IP=0.0.0.0:389)
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=0 RESULT tag=97 err=0 text=
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(&(uid=test.ldap)(objectClass=inetOrgPerson))"
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=1 SRCH attr=dn
Oct  9 15:48:41 server01 slapd[18870]: <= bdb_equality_candidates: (uid) not indexed
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=2 SRCH base="cn=Teampass,ou=Apps,dc=example,dc=com" scope=2 deref=0 filter="(memberUid=test.ldap)"
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=2 SRCH attr=dn
Oct  9 15:48:41 server01 slapd[18870]: <= bdb_equality_candidates: (memberUid) not indexed
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=3 BIND anonymous mech=implicit ssf=0
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=3 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" method=128
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=3 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=3 RESULT tag=97 err=0 text=
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=4 UNBIND
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 fd=30 closed

* LDAP log if the user exists in Teampass in advance and exists in People but does not exist in the Teampass group: the login still succeeds:

Oct  9 15:53:24 server01 slapd[18870]: conn=1706 fd=30 ACCEPT from IP=X.X.X.X:44168 (IP=0.0.0.0:389)
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=0 RESULT tag=97 err=0 text=
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(&(uid=test.ldap)(objectClass=inetOrgPerson))"
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=1 SRCH attr=dn
Oct  9 15:53:24 server01 slapd[18870]: <= bdb_equality_candidates: (uid) not indexed
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=2 SRCH base="cn=Teampass,ou=Apps,dc=example,dc=com" scope=2 deref=0 filter="(memberUid=test.ldap)"
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=2 SRCH attr=dn
Oct  9 15:53:24 server01 slapd[18870]: <= bdb_equality_candidates: (memberUid) not indexed
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=3 BIND anonymous mech=implicit ssf=0
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=3 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" method=128
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=3 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=3 RESULT tag=97 err=0 text=
Oct  9 15:53:25 server01 slapd[18870]: conn=1706 op=4 UNBIND
Oct  9 15:53:25 server01 slapd[18870]: conn=1706 fd=30 closed

Webserver log

No errors.
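The three slapd traces above show the same four-step sequence every time (service-account bind, user search under ou=People, group search under cn=Teampass, then a simple bind as the user), and the only difference between the "should be denied" case and the "should be allowed" case is nentries=0 versus nentries=1 on the group search. That makes the problem visible from the directory side even when the application logs nothing. The following detector is an added example, not Teampass code and not part of the original issue: it groups slapd log lines by connection and flags any connection where a search under the configured group DN returned zero entries but a subsequent simple bind as a non-service DN still succeeded (err=0). The sample log lines are constructed for this example, trimmed from the traces above, with a third connection whose user bind fails (err=49) to show that a wrong-password attempt is not flagged.

```python
"""Flag LDAP logins whose group check returned nothing, from slapd logs.

Added example (not Teampass code). Groups slapd lines by conn=N, then reports
connections where a SRCH under the group DN returned nentries=0 but a later
simple BIND as a user DN (anything other than the service account) succeeded.
"""
import re
from collections import defaultdict

# Constructed sample, trimmed from the issue's traces. conn=1702 is a member
# (nentries=1), conn=1706 is a non-member whose bind still succeeds (the bug
# pattern), conn=1708 is a non-member whose bind fails with err=49.
SAMPLE_LOG = """\
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=0 RESULT tag=97 err=0 text=
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(&(uid=test.ldap)(objectClass=inetOrgPerson))"
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=2 SRCH base="cn=Teampass,ou=Apps,dc=example,dc=com" scope=2 deref=0 filter="(memberUid=test.ldap)"
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=3 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" method=128
Oct  9 15:48:41 server01 slapd[18870]: conn=1702 op=3 RESULT tag=97 err=0 text=
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=0 RESULT tag=97 err=0 text=
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(&(uid=test.ldap)(objectClass=inetOrgPerson))"
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=2 SRCH base="cn=Teampass,ou=Apps,dc=example,dc=com" scope=2 deref=0 filter="(memberUid=test.ldap)"
Oct  9 15:53:24 server01 slapd[18870]: <= bdb_equality_candidates: (memberUid) not indexed
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=3 BIND anonymous mech=implicit ssf=0
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=3 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" method=128
Oct  9 15:53:24 server01 slapd[18870]: conn=1706 op=3 RESULT tag=97 err=0 text=
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=0 RESULT tag=97 err=0 text=
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=2 SRCH base="cn=Teampass,ou=Apps,dc=example,dc=com" scope=2 deref=0 filter="(memberUid=test.ldap)"
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=3 BIND dn="uid=test.ldap,ou=People,dc=example,dc=com" method=128
Oct  9 15:58:25 server01 slapd[18870]: conn=1708 op=3 RESULT tag=97 err=49 text=
"""

# Only lines carrying conn=/op= are operations; "<= bdb_..." lines are skipped.
LINE_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<body>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]+)"')          # skips "BIND anonymous"
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]+)"')
SEARCH_RESULT_RE = re.compile(r'^SEARCH RESULT .*nentries=(?P<n>\d+)')
BIND_RESULT_RE = re.compile(r'^RESULT tag=97 err=(?P<err>\d+)')  # tag 97 = BindResponse


def find_group_bypass(log_text, group_base, service_dn):
    """Return [(conn, user_dn)] for connections where the group search under
    group_base matched no entry but a later user bind still succeeded."""
    by_conn = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            by_conn[m['conn']].append((int(m['op']), m['body']))

    findings = []
    for conn, ops in by_conn.items():
        ops.sort(key=lambda t: t[0])  # op ids are sequential per connection
        group_search_ops = set()      # op ids of searches under the group DN
        empty_group_result = False    # did one of them return nentries=0?
        pending_bind = {}             # op id -> DN for non-service binds
        for op, body in ops:
            m = SRCH_RE.match(body)
            if m and m['base'].lower() == group_base.lower():
                group_search_ops.add(op)
                continue
            m = SEARCH_RESULT_RE.match(body)
            if m and op in group_search_ops and int(m['n']) == 0:
                empty_group_result = True
                continue
            m = BIND_RE.match(body)
            if m and m['dn'].lower() != service_dn.lower():
                pending_bind[op] = m['dn']
                continue
            m = BIND_RESULT_RE.match(body)
            if m and op in pending_bind and m['err'] == '0' and empty_group_result:
                findings.append((conn, pending_bind[op]))
    return findings


if __name__ == "__main__":
    for conn, dn in find_group_bypass(SAMPLE_LOG,
                                      "cn=Teampass,ou=Apps,dc=example,dc=com",
                                      "cn=Manager,dc=example,dc=com"):
        print(f"conn={conn}: group check empty but bind as {dn} succeeded")
```

A hit from this detector does not prove the application granted access (the directory cannot see that decision), but in the search-then-bind pattern used here the user bind is only ever attempted after the application has already decided to proceed, so an empty group result followed by a user bind is the signal worth alerting on. Run it against `/var/log/slapd.log` with loglevel stats enabled, as in the traces above, rather than the constructed sample.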

@andresguisado andresguisado changed the title V2.1.26 Final Release - Posix / OpenLDAP (RFC2307) Search Based Ldap login doesn't work - Posix / OpenLDAP (RFC2307) Search Based Oct 9, 2016
@andresguisado andresguisado changed the title Ldap login doesn't work - Posix / OpenLDAP (RFC2307) Search Based Ldap login and Filter Group doesn't work - Posix / OpenLDAP (RFC2307) Search Based Oct 9, 2016
@andresguisado andresguisado changed the title Ldap login and Filter Group doesn't work - Posix / OpenLDAP (RFC2307) Search Based Ldap login and Group Ldap Filter doesn't work - Posix / OpenLDAP (RFC2307) Search Based Oct 9, 2016
@andresguisado andresguisado changed the title Ldap login and Group Ldap Filter doesn't work - Posix / OpenLDAP (RFC2307) Search Based Ldap login and Group Ldap Filter don't work - Posix / OpenLDAP (RFC2307) Search Based Oct 9, 2016
@andresguisado (Author)

Any help?

Issues:

  • The LDAP user doesn't exist in advance in the Teampass DB.
  • Restricting by LDAP group doesn't work.

Is there any configuration to tell Teampass to create the LDAP user at the first login if it doesn't exist in the DB?

Did anybody manage to restrict by LDAP group?

Thanks.

@andresguisado (Author)

I have read this issue:

#1153

In v2.1.25 a feature was implemented to create a user in the Teampass DB directly when the user who tries to log in doesn't exist in the DB.

It seems that in v2.1.26 it is not implemented?

Thanks.

@andresguisado andresguisado changed the title Ldap login and Group Ldap Filter don't work - Posix / OpenLDAP (RFC2307) Search Based Create Ldap user directly at Teampass DB and restrict login to Group Ldap don't work Nov 1, 2016
@andresguisado (Author)

I have set "Teampass local users only" off in "LDAP settings", and when I try to log in with an LDAP user which doesn't exist in the Teampass DB it gets an infinite loading loop; Firebug says 500 Internal Server Error but no errors.

In the server logs:

[Tue Nov 01 11:51:10.122572 2016] [:error] [pid 29913] [client X.X.X.X:22602] PHP Fatal error: Call to a member function user() on null in /var/www/html/teampass/sources/identify.php on line 395, referer: https://xxxxxxx/index.php?page=items

Thanks.

@peewster
peewster commented Jan 11, 2017

I have this exact same issue with the latest Teampass version (actually I don't know if this worked in previous versions).

I use OpenLDAP and it doesn't matter if the user belongs to a group or not. As long as the bind user is able to browse the root, it will just create the user in the local TP DB, and after that LDAP is no longer used for authentication; TP will use the local DB for authentication.

filo891 added a commit to filo891/TeamPass that referenced this issue Apr 27, 2017
The user was able to log in using LDAP even if he was not in the required group.
@filo891
filo891 commented Apr 27, 2017

See this pull request for a solution: #1742
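The commit message above states the defect in one line: the group search ran, came back empty, and the login proceeded anyway. The model below is an added example, not Teampass code and not the content of the pull request: it replays the four steps visible in the slapd traces (service bind, user search with the issue's `(&(uid=...)(objectClass=inetOrgPerson))` filter, `(memberUid=...)` search under the group DN, simple bind as the user) against a constructed in-memory directory, and puts the flow that discards the group result next to the flow that matches the issue's expected behaviour. The directory entries, passwords and the `CONFIG` dictionary are all constructed to mirror the settings listed in the issue; the function and variable names are this example's own.

```python
"""Model of the Posix/OpenLDAP search-based login flow from this thread.

Added example, not Teampass code. The directory below is constructed: a
service account, two inetOrgPerson users under ou=People, and one RFC2307
posixGroup whose memberUid lists only test.ldap.
"""

DIRECTORY = {
    "cn=Manager,dc=example,dc=com": {"userPassword": "manager-secret"},
    "uid=test.ldap,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": "test.ldap",
        "userPassword": "ldap-pass-1"},
    "uid=other,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": "other",
        "userPassword": "ldap-pass-2"},
    "cn=Teampass,ou=Apps,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": "Teampass",
        "memberUid": ["test.ldap"]},
}

# Mirrors the LDAP settings listed in the issue (password is constructed).
CONFIG = {
    "bind_dn": "cn=Manager,dc=example,dc=com",
    "bind_pw": "manager-secret",
    "search_base": "ou=People,dc=example,dc=com",
    "user_attr": "uid",
    "object_class": "inetOrgPerson",
    "group_dn": "cn=Teampass,ou=Apps,dc=example,dc=com",
}


def ldap_bind(dn, password):
    """Simple bind: succeeds only if the entry exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def ldap_search(base, predicate):
    """Subtree search (scope=2): DNs at or under `base` whose attributes match."""
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and predicate(attrs)]


def find_user_dn(login):
    """op=1 in the traces: (&(uid=<login>)(objectClass=inetOrgPerson))."""
    hits = ldap_search(CONFIG["search_base"], lambda a:
                       a.get(CONFIG["user_attr"]) == login
                       and CONFIG["object_class"] in a.get("objectClass", []))
    return hits[0] if len(hits) == 1 else None  # exactly one entry, or refuse


def in_group(login):
    """op=2 in the traces: (memberUid=<login>) under the group DN."""
    return bool(ldap_search(CONFIG["group_dn"],
                            lambda a: login in a.get("memberUid", [])))


def login_ignoring_group(login, password):
    """Flow matching the issue's third trace: the group search is issued
    (nentries=0) but its result never gates the decision."""
    if not ldap_bind(CONFIG["bind_dn"], CONFIG["bind_pw"]):
        return False
    user_dn = find_user_dn(login)
    if user_dn is None:
        return False
    in_group(login)  # result discarded: this is the bug
    return ldap_bind(user_dn, password)


def login_requiring_group(login, password):
    """Expected behaviour from the issue: the user must exist under the
    search base AND appear in the group, and the password bind must succeed."""
    if not ldap_bind(CONFIG["bind_dn"], CONFIG["bind_pw"]):
        return False
    user_dn = find_user_dn(login)
    if user_dn is None or not in_group(login):
        return False  # deny before the user bind is ever attempted
    return ldap_bind(user_dn, password)


if __name__ == "__main__":
    for fn in (login_ignoring_group, login_requiring_group):
        print(fn.__name__, "other:", fn("other", "ldap-pass-2"),
              "test.ldap:", fn("test.ldap", "ldap-pass-1"))
```

The hardened flow denies a user who is under ou=People but absent from the group before the user bind is attempted, so a correct password for an out-of-group account never reaches the directory; in the flawed flow the bind is the last step and its success is the only thing the decision depends on, which is exactly what the traces show.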
