
hubot won't authenticate against ldap #58

Closed
giray opened this issue Oct 9, 2015 · 28 comments

Comments

@giray

giray commented Oct 9, 2015

while the bot is able to login via the webinterface

```
[Fri Oct 09 2015 14:17:55 GMT+0200 (CEST)] WARNING No services ROCKETCHAT_URL provided to Hubot, using localhost:3000
[Fri Oct 09 2015 14:17:55 GMT+0200 (CEST)] INFO Connecting To: localhost:3000
[Fri Oct 09 2015 14:17:55 GMT+0200 (CEST)] INFO Successfully Connected!
[Fri Oct 09 2015 14:17:55 GMT+0200 (CEST)] INFO testbot
[Fri Oct 09 2015 14:17:55 GMT+0200 (CEST)] INFO Logging In
[Fri Oct 09 2015 14:17:55 GMT+0200 (CEST)] ERROR hubot-heroku-alive included, but missing HUBOT_HEROKU_KEEPALIVE_URL. `heroku config:set HUBOT_HEROKU_KEEPALIVE_URL=$(heroku apps:info -s  | grep web_url | cut -d= -f2)`
[Fri Oct 09 2015 14:17:56 GMT+0200 (CEST)] INFO hubot-redis-brain: Using default redis on localhost:6379
[Fri Oct 09 2015 14:17:56 GMT+0200 (CEST)] ERROR Unable to Login: [object Object] Reason: User has no password set
```

and this is what I capture via tcpdump

```
{"error":403,"reason":"User has no password set","message":"User has no password set [403]","errorType":"Meteor.Error"}}
```

@Sing-Li
Member

Sing-Li commented Oct 9, 2015

  1. Yes, hubot is a key part of our (scalable) integration and extension mechanism for the core 'chat' platform. As such, they typically do helpful work invisibly in the room where they serve; there is currently no need or use case for a 'bot disguised as regular user' scenario; essentially, a bot should always log in as a system user via controlled 'back-door' means.

  2. Which instructions are you following to get the bot running? Are you using docker? (I'm asking because most of our documented workflows would have excluded the HEROKU problem.)

@giray
Author

giray commented Oct 9, 2015

  1. So I do NOT need to create a user? Given that I needed to specify ROCKETCHAT_PASSWORD, and given that it did NOT connect, I created a user. Where do I set the user/password on the Rocket.Chat side?

  2. Followed instructions from https://github.com/RocketChat/hubot-rocketchat section "New install". This is not a docker instance, but a CentOS box.

@geekgonecrazy
Member

@giray The simplest way would be to create a local Rocket.Chat user instead of using an ldap user; it will likely work.

@giray
Author

giray commented Oct 14, 2015

@geekgonecrazy That doesn't quite work if you enable ldap authentication. I'm not sure how to create a 'system user' as @Sing-Li has described.

@geekgonecrazy
Member

@giray We need to allow for local user creation with ldap. I think the solution might be to disable ldap, add the user, then re-enable ldap.

I'll try and get one of the guys that worked on the ldap piece to take a look and see what we can do for bots.

@giray
Author

giray commented Oct 16, 2015

@geekgonecrazy Disabling ldap, creating a local user and re-enabling ldap seems to work.

@geekgonecrazy
Member

@giray I know that feels hacky. But glad you at least have it working.

@teon

teon commented Jan 3, 2016

+1 - I'm logging into the hubot/bot account with the browser/client - but when using hubot docker it just says:

```
ERROR Unable to Login: [object Object] Reason: User has no password set
```

@geekgonecrazy
Member

@RocketChat/core

Right now we're using the Asteroid login method:

```coffeescript
login: (username, password) =>
  @logger.info "Logging In"
  # promise returned
  return @asteroid.loginWithPassword username, password
```

From: https://github.com/RocketChat/hubot-rocketchat/blob/master/src/rocketchat_driver.coffee#L41

It looks like that method is calling the meteor method `login` with a payload like:

```js
{
  password: 'password',
  user: {
    username: 'username',
    email: undefined
  }
}
```

Call found here: https://github.com/mondora/asteroid/blob/master/src/core/login.js#L123

Do we know what the payload should look like for ldap authentication? Or is there another meteor method that needs to be called instead if it's an ldap authentication?

@sampaiodiego
Member

I think to log in with LDAP you should call the Meteor.loginWithLDAP function. Look here.

@geekgonecrazy
Member

@sampaiodiego Ah! So what kind of options would need to be passed as the 3rd parameter?

@teon / @giray: So, provided we can make this work, would you be ok with having to set an environment variable like LDAP=true to log in with ldap?

But the case still needs to be made....

Should hubot really login with ldap? Or should hubot only ever really log in as a user created specifically for the bot in rocket.chat? We can improve that process to make it easier and we plan to.

Can either of you make a case as to why use ldap vs rocket.chat specific user?

@teon

teon commented Jan 7, 2016

@geekgonecrazy - The problem with the LDAP auth provider is that when you are trying to change the password for a selected user, it tries to edit it in LDAP and not in Rocket.Chat as you would expect/are suggesting. Thus there is no possibility to have local and LDAP accounts in parallel...

@giray
Author

giray commented Jan 7, 2016

@geekgonecrazy Our problem was that once you switch over to ldap, you are not able to get back to the local accounts. I'm fine with not being able to change passwords. LDAP=true as an env var would be great.

@teon

teon commented Jan 7, 2016

@geekgonecrazy - Exactly as @giray wrote ;-) You need to know we have LDAP enabled ;-)

@geekgonecrazy
Member

@teon / @giray

So you would rather have the bot as a user on your ldap server instead of maybe being able to create a local user in, like, a bot section of the Rocket.Chat config?

Maybe as easy as clicking Create Bot and specifying a name, and it spitting out a username and password?

I just want to make sure LDAP is for sure something that is practical for the bot to be able to do. If it would be better in the long run to go the other route, then we can put more effort there.

@teon

teon commented Jan 7, 2016

@geekgonecrazy It would be much better if Rocket.Chat would enable LDAP + local accounts - I could have accounts for bots or other people that are not (and will not be) in our company LDAP.

@geekgonecrazy
Member

@teon This is kind of what I suspected. I used to do some sysadmin stuff and I don't think I would have ever wanted to create an ldap user for a bot.

Unless.... the bot needed to login to other systems on the network? Is this even feasible? Or would you expect to have to pass the credentials in another way to the bot to connect to that other system?

@giray
Author

giray commented Jan 8, 2016

@geekgonecrazy You want to have central control of all accounts; that does not mean that your bot "service" accounts are able to log in anywhere else. If you allow local accounts you may lose control/overview of accounts on large sites.

@engelgabriel
Member

Guys, please vote for this PR mondora/asteroid#87

@engelgabriel
Member

Can you guys try hubot-rocketchat@0.0.26?

Now you can set the environment variable `ROCKETCHAT_AUTH=ldap`.

@engelgabriel
Member

Only works with the develop branch of Rocket.Chat and will be merged in 0.15.0.

@teon

teon commented Jan 20, 2016

@engelgabriel Works! Thanks! Will hubot-gitsy also work?

@Sing-Li
Member

Sing-Li commented Jan 20, 2016

Yes. hubot-gitsy is independent of the adapter (hubot-rocketchat). Closing, verified by @teon.

@Sing-Li Sing-Li closed this as completed Jan 20, 2016
@gearlles

I need this fix, but I'm waiting for the release. What do I need to get it working? (please, update the docs)

  • Rocket.Chat 0.15.0 (not released yet)
  • hubot-rocketchat 0.0.26
  • Set ROCKETCHAT_AUTH=ldap

Am I missing something?

@engelgabriel
Member

Rocket.Chat 0.15.0 is released.

https://github.com/RocketChat/Rocket.Chat/releases/tag/0.15.0

@gearlles

I get the following error:

```
hubot@13457f30d4c6:~$ bin/hubot -a rocketchat
[Wed Jan 27 2016 14:09:02 GMT+0000 (UTC)] INFO Starting Rocketchat adapter...
[Wed Jan 27 2016 14:09:02 GMT+0000 (UTC)] INFO Once connected to rooms I will respond to the name: rocketbot
[Wed Jan 27 2016 14:09:02 GMT+0000 (UTC)] INFO Connecting To: <removed-ip>
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] ERROR Error: listen EADDRINUSE
  at exports._errnoException (util.js:746:11)
  at Server._listen2 (net.js:1156:14)
  at listen (net.js:1182:10)
  at net.js:1280:9
  at dns.js:85:18
  at process._tickCallback (node.js:355:11)

[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] INFO Successfully connected!
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] INFO general
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] INFO Logging In
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] ERROR Unable to Login: {"error":400,"reason":"Unrecognized options for login request","message":"Unrecognized options for login request [400]","errorType":"Meteor.Error"} Reason: Unrecognized options for login request
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] ERROR If joining GENERAL please make sure its using all caps.
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] ERROR If using LDAP, turn off LDAP, and turn on general user registration with email verification off.
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] ERROR {"error":400,"reason":"Unrecognized options for login request","message":"Unrecognized options for login request [400]","errorType":"Meteor.Error"}
[Wed Jan 27 2016 14:09:03 GMT+0000 (UTC)] ERROR Unable to complete setup. See https://github.com/RocketChat/hubot-rocketchat for more info.
```

LDAP is on and email verification is off. I tried running `bin/hubot -a rocketchat` with LDAP off and email verification off, but I get the same error. All environment variables are set:

```
hubot@13457f30d4c6:~$ echo $ROCKETCHAT_ROOM
GENERAL
hubot@13457f30d4c6:~$ echo $ROCKETCHAT_USER
bot
hubot@13457f30d4c6:~$ echo $ROCKETCHAT_PASSWORD
bot
hubot@13457f30d4c6:~$ echo $ROCKETCHAT_AUTH
ldap
```

The bot was created on LDAP and was able to authenticate.

@engelgabriel
Member

EADDRINUSE means that the port number which listen() tries to bind the server to is already in use.
So, in your case, there must be a server already running on the port you are trying to use for inbound connections to your hubot.

But that's unrelated to the "Unrecognized options for login request". You must be running an old version of Rocket.Chat.

Check your version on https://demo.rocket.chat/api/info to see the version.

@gearlles

@engelgabriel Ok, thank you. It's working!
