
LDAP Group Filters not working in docker #86

Closed
ptoulouse opened this issue Oct 8, 2020 · 3 comments


ptoulouse commented Oct 8, 2020

Here is my config:

      LDAP_ENABLE: "true"
      LDAP_PORT: 636
      LDAP_HOST: openldap
      LDAP_BASEDN: dc=example,dc=org
      LDAP_LOGIN_FALLBACK: "false"
      LDAP_AUTHENTIFICATION: "true"
      LDAP_AUTHENTIFICATION_USERDN: cn=readonly,dc=example,dc=org
      LDAP_AUTHENTIFICATION_PASSWORD: not_the_real_password
      LDAP_LOG_ENABLED: "true"
      LDAP_ENCRYPTION: ssl
      LDAP_REJECT_UNAUTHORIZED: "false"
      LDAP_USER_AUTHENTICATION: "false"
      LDAP_USER_SEARCH_SCOPE: sub
      LDAP_USER_SEARCH_FIELD: uid
      LDAP_GROUP_FILTER_ENABLE: "true"
      LDAP_GROUP_FILTER_OBJECTCLASS: groupOfUniqueNames
      LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE: cn
      LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE: uniqueMember
      LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT: dn
      LDAP_GROUP_FILTER_GROUP_NAME: wekan_admins
      LDAP_UNIQUE_IDENTIFIER_FIELD: uid
      LDAP_USERNAME_FIELD: uid
      LDAP_FULLNAME_FIELD: cn
      LDAP_EMAIL_FIELD: mail
      LDAP_SYNC_USER_DATA: "true"
      LDAP_SYNC_USER_DATA_FIELDMAP: '{"cn":"name", "mail":"email"}'
      LDAP_SYNC_ADMIN_STATUS: "true"
      LDAP_SYNC_ADMIN_GROUPS: wekan_admins

Logs:

...
[INFO] Authenticating "uid=john,ou=users,dc=example,dc=org"
[INFO] Authenticated "uid=john,ou=users,dc=example,dc=org"
[DEBUG] Group list filter LDAP: "(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=john,ou=users,dc=example,dc=org))"
[ERROR] NoSuchObjectError: No Such Object 
[ERROR] NoSuchObjectError: No Such Object 
[INFO] Idle 
[INFO] Disconecting 
[INFO] Closed

From the OpenLDAP container, if I run ldapsearch it works:

root@openldap:/# ldapsearch -D "cn=readonly,dc=example,dc=org" -w "not_the_real_password" -b "dc=example,dc=org" -s sub '(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=john,ou=users,dc=example,dc=org))'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (&(objectclass=groupOfUniqueNames)(uniqueMember=uid=john,ou=users,dc=example,dc=org))
# requesting: ALL
#
...
# wekan_admins, groups, example.org
dn: cn=wekan_admins,ou=groups,dc=example,dc=org
objectClass: top
objectClass: groupOfUniqueNames
cn: wekan_admins
description: Wekan Administrators
uniqueMember: uid=john,ou=users,dc=example,dc=org
...
# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

Am I missing something obvious? The debug trace is not verbose enough to see if the scope or the Base DN is correctly set for the group query.


ptoulouse commented Oct 8, 2020

I can work around the group filter with a user filter using "memberOf" and removing all the LDAP_GROUP_FILTER variables.

LDAP_USER_SEARCH_FILTER: (ObjectClass=inetOrgPerson)(memberOf=cn=wekan_admins,ou=groups,dc=example,dc=org)

However, the group filter logic not working also means that the Sync Admin Status feature is not working. It looks like the first user to log in becomes Admin.


tromlet commented Nov 12, 2020

I'm having a similar issue - using FreeIPA 4.6.6, not OpenLDAP. I'd like to get mine working so that I could upload a sanitized version of my config for other FreeIPA users to this page.

EDIT: I should add, I'm not using the Docker image - I'm using the Snap on CentOS 8. I'm going to try some of your efforts but based on my Googling, the admin status thing doesn't seem to work all that well.

@Sancretor

Hi @ptoulouse

I just had the very same issue with the Wekan Docker container and the group filtering.
While having a look at my OpenLDAP Docker container logs, I understood that the two errors below in Wekan:

[ERROR] NoSuchObjectError: No Such Object
[ERROR] NoSuchObjectError: No Such Object

... are related to some errors in OpenLDAP.
It looks like on the login page, after checking the given user/password with OpenLDAP, Wekan binds the user you are trying to log in with its OpenLDAP session, and then searches for the group using this same user, not the LDAP_AUTHENTIFICATION_USERDN.
The problem in my case is that only the LDAP_AUTHENTIFICATION_USERDN is able to search through my ldap tree, so I'm getting issues saying that no objects were found... which is obvious because my authenticated user can't search.

My workaround was to modify some JS files in this project to avoid this behaviour.
The goal is to use the LDAP_AUTHENTIFICATION_USERDN in order to search for groups, instead of the user to authenticate.
Here is my quick&dirty fix, if it can help you... I could also open a PR if needed.

In server/loginHandler.js, I had to replace this piece of code:

if (ldap.authSync(users[0].dn, loginRequest.ldapPass) === true) {
      if (ldap.isUserInGroup(loginRequest.username, users[0])) {
        ldapUser = users[0];
      } else {
        throw new Error('User not in a valid group');
      }
    } else {
      log_info('Wrong password for', loginRequest.username);
    }
  } catch (error) {
    log_error(error);
  }

by this one :

if (ldap.isUserInGroup(loginRequest.username, users[0])) {
  ldapUser = users[0];
} else {
  throw new Error('User not in a valid group');
}

if (ldap.authSync(users[0].dn, loginRequest.ldapPass) !== true) {
  ldapUser = null;
  log_info('Wrong password for', loginRequest.username);
}
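As an added example (not Wekan's code and not the patch above), the snippet below reproduces the behaviour the comment describes, a group search issued while still bound as the end user, next to one way of reaching the same goal of searching as LDAP_AUTHENTIFICATION_USERDN while keeping the password check ahead of the group check, so a caller with a wrong password cannot tell "not in group" from "wrong password". The FakeLdap client, the login function and the directory contents are hypothetical stand-ins for the real ldap client and server; only the DNs and filter shape come from the issue.

```javascript
// Added example, not Wekan's code. The FakeLdap client and the directory
// contents are constructed for the demo; only the DNs and the filter shape
// come from the issue above.
const directory = {                                   // constructed data
  serviceDn: 'cn=readonly,dc=example,dc=org',         // LDAP_AUTHENTIFICATION_USERDN
  passwords: {
    'cn=readonly,dc=example,dc=org': 'not_the_real_password',
    'uid=john,ou=users,dc=example,dc=org': 'john-pw',
    'uid=jane,ou=users,dc=example,dc=org': 'jane-pw',
  },
  // groupOfUniqueNames entries keyed by DN; uniqueMember values are DNs.
  groups: {
    'cn=wekan_admins,ou=groups,dc=example,dc=org': ['uid=john,ou=users,dc=example,dc=org'],
  },
};

// Hypothetical minimal LDAP client: one connection, one bound identity at a time.
class FakeLdap {
  constructor(dir) { this.dir = dir; this.boundAs = null; }
  bind(dn, password) {           // simple bind; a failed bind leaves the session unbound
    this.boundAs = this.dir.passwords[dn] === password ? dn : null;
    return this.boundAs !== null;
  }
  groupsOf(memberDn) {           // (&(objectclass=groupOfUniqueNames)(uniqueMember=<memberDn>))
    if (this.boundAs !== this.dir.serviceDn) {
      // Only the service account may read the group subtree; anyone else gets
      // the same error the Wekan log shows.
      throw new Error('NoSuchObjectError: No Such Object');
    }
    return Object.keys(this.dir.groups).filter(g => this.dir.groups[g].includes(memberDn));
  }
}

// What the issue describes: group search issued while still bound as the end user.
function groupsSearchedAsUser(ldap, userDn, password) {
  if (!ldap.bind(userDn, password)) return null;
  return ldap.groupsOf(userDn);  // throws NoSuchObjectError for a non-service bind
}

// Alternative: verify the password with the user's bind, then re-bind as the
// service account for the group search. The search no longer depends on the
// end user's read rights, and both failure paths return one uniform reason.
function login(ldap, userDn, password, requiredGroup, serviceDn, servicePassword) {
  if (!ldap.bind(userDn, password)) return { ok: false, reason: 'invalid credentials' };
  if (!ldap.bind(serviceDn, servicePassword)) return { ok: false, reason: 'service bind failed' };
  const groups = ldap.groupsOf(userDn);
  if (!groups.includes(requiredGroup)) return { ok: false, reason: 'invalid credentials' };
  return { ok: true, groups };
}
```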
