Can't start setup or login behind nginx v1.7 (v1.6 works, but without subfolder) #109

Open
jonathanmmm opened this issue Jul 30, 2021 · 13 comments · May be fixed by #122

@jonathanmmm commented Jul 30, 2021

Hi,

I am trying to use this project to get groups with memberof, but I can't start the setup: when I put in the admin password I am still on the same page and ?unauthorised is added to the URL.

The whole setup works with phpldapadmin and even with Keycloak, but I would like the memberof state without writing an .ldif file for every group.
But I can't log in via setup with this project. Hope somebody can help.

docker-compose.yml
version: '3.9'

services:
  openldap:
    container_name: openldap
    image: osixia/openldap-backup:stable
    restart: unless-stopped
    volumes:
      - ./backup-data:/data/backup
      - ./ldap-data:/var/lib/ldap
      - ./configs:/etc/ldap/slapd.d
      - ./ldif-files:/container/service/slapd/assets/config/bootstrap/ldif/custom
    environment:
      - LDAP_LOG_LEVEL=256
      - LDAP_ORGANISATION=my domain
      - LDAP_DOMAIN=my-domain.com
      - LDAP_BASE_DN=dc=my-domain,dc=com
      - LDAP_READONLY_USER=true
      - LDAP_READONLY_USER_USERNAME=readonlyuser
      - LDAP_READONLY_USER_PASSWORD=verlongreadonlypassword
      - LDAP_ADMIN_PASSWORD=verylongadminpassword
      - LDAP_CONFIG_PASSWORD=verylongconfigpassword
      - KEEP_EXISTING_CONFIG=false
      - LDAP_TLS=false
      - LDAP_REMOVE_CONFIG_AFTER_SETUP=false
      - LDAP_RFC2307BIS_SCHEMA=true
      - LDAP_TLS_VERIFY_CLIENT=never
    command: "--copy-service"
    networks:
      - openldap

  ldap-manager:
    container_name: ldap-manager
    image: wheelybird/ldap-user-manager
    restart: unless-stopped
    environment:
      - SERVER_HOSTNAME=10.8.0.1
      - SERVER_PATH=/ldapmanager
      - LDAP_URI=ldap://openldap
      - LDAP_BASE_DN=dc=my-domain,dc=com
      - LDAP_ADMINS_GROUP=Admins
      - LDAP_ADMIN_BIND_DN=cn=admin,dc=my-domain,dc=com
      - LDAP_ADMIN_BIND_PWD=verylongadminpassword
      - NO_HTTPS=TRUE
      - ORGANISATION_NAME=my-domain.com
#      - LDAP_USER_OU=Nutzer
#      - LDAP_GROUP_OU=Gruppen
      - LDAP_REQUIRE_STARTTLS=false
#      - FORCE_RFC2307BIS=true
#      - DEFAULT_USER_GROUP=deaktiviert
      - LDAP_VERBOSE_CONNECTION_LOGS=true
      - LDAP_DEBUG=true
    networks:
      - openldap
      - manager->nginx


networks:
 openldap:
  name: openldap
  internal: true
 manager->nginx:
  external: true

As you can see, I commented some things out to try whether it works without them.

Also I am using the following .ldif file (tried without it, didn't work either).

argon.ldif
#disable anonymous login
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon


#enable argon2

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {0}pw-argon2

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {ARGON2}

to enable Argon2 encryption. I want to use this tool to easily create and manage groups while getting memberof (I don't know how to make this work with phpldapadmin).

The whole thing is behind an nginx proxy:

nginx proxy config
set $upstream_ldapmanager ldap-manager:80;
location /ldapmanager {
  proxy_pass http://$upstream_ldapmanager;
  proxy_set_header X-Real-IP  $remote_addr;
  proxy_set_header X-Forwarded-For $remote_addr;
  proxy_set_header Host $host;
  client_max_body_size 100M;
}

Hopefully this output log can give some idea as to why it doesn't work:

docker-compose up output
Attaching to ldap-user-manager
ldap-user-manager    |
ldap-user-manager    | <VirtualHost *:80>
ldap-user-manager    |
ldap-user-manager    |  ServerName 10.8.0.1
ldap-user-manager    |  DocumentRoot /opt/ldap_user_manager
ldap-user-manager    |  Alias /ldapmanager /opt/ldap_user_manager
ldap-user-manager    |  DirectoryIndex index.php index.html
ldap-user-manager    |
ldap-user-manager    |  <Directory /opt/ldap_user_manager>
ldap-user-manager    |    Require all granted
ldap-user-manager    |  </Directory>
ldap-user-manager    |
ldap-user-manager    | </VirtualHost>
ldap-user-manager    | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.39.0.4. Set the 'ServerName' directive globally to suppress this message
ldap-user-manager    | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.39.0.4. Set the 'ServerName' directive globally to suppress this message
ldap-user-manager    | [Fri Jul 30 12:25:43.727088 2021] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.38 (Debian) PHP/8.0.8 OpenSSL/1.1.1d configured -- resuming normal operations
ldap-user-manager    | [Fri Jul 30 12:25:43.727130 2021] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
ldap-user-manager    | 10.8.0.1:80 172.39.0.2 - - [30/Jul/2021:12:25:45 +0000] "GET /ldapmanager/ HTTP/1.0" 200 624 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"
ldap-user-manager    | 10.8.0.1:80 172.39.0.2 - - [30/Jul/2021:12:25:47 +0000] "GET /ldapmanager/setup/ HTTP/1.0" 200 814 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"
ldap-user-manager    | ldap_extended_operation_s
ldap-user-manager    | ldap_extended_operation
ldap-user-manager    | ldap_send_initial_request
ldap-user-manager    | ldap_new_connection 1 1 0
ldap-user-manager    | ldap_int_open_connection
ldap-user-manager    | ldap_connect_to_host: TCP openldap:389
ldap-user-manager    | ldap_new_socket: 10
ldap-user-manager    | ldap_prepare_socket: 10
ldap-user-manager    | ldap_connect_to_host: Trying 192.168.224.5:389
ldap-user-manager    | ldap_pvt_connect: fd: 10 tm: -1 async: 0
ldap-user-manager    | attempting to connect:
ldap-user-manager    | connect success
ldap-user-manager    | ldap_open_defconn: successful
ldap-user-manager    | ldap_send_server_request
ldap-user-manager    | ldap_result ld 0x55e0f08b7940 msgid 1
ldap-user-manager    | wait4msg ld 0x55e0f08b7940 msgid 1 (infinite timeout)
ldap-user-manager    | wait4msg continue ld 0x55e0f08b7940 msgid 1 all 1
ldap-user-manager    | ** ld 0x55e0f08b7940 Connections:
ldap-user-manager    | * host: openldap  port: 389  (default)
ldap-user-manager    |   refcnt: 2  status: Connected
ldap-user-manager    |   last used: Fri Jul 30 12:25:57 2021
ldap-user-manager    |
ldap-user-manager    |
ldap-user-manager    | ** ld 0x55e0f08b7940 Outstanding Requests:
ldap-user-manager    |  * msgid 1,  origid 1, status InProgress
ldap-user-manager    |    outstanding referrals 0, parent count 0
ldap-user-manager    |   ld 0x55e0f08b7940 request count 1 (abandoned 0)
ldap-user-manager    | ** ld 0x55e0f08b7940 Response Queue:
ldap-user-manager    |    Empty
ldap-user-manager    |   ld 0x55e0f08b7940 response count 0
ldap-user-manager    | ldap_chkResponseList ld 0x55e0f08b7940 msgid 1 all 1
ldap-user-manager    | ldap_chkResponseList returns ld 0x55e0f08b7940 NULL
ldap-user-manager    | ldap_int_select
ldap-user-manager    | read1msg: ld 0x55e0f08b7940 msgid 1 all 1
ldap-user-manager    | read1msg: ld 0x55e0f08b7940 msgid 1 message type extended-result
ldap-user-manager    | ldap_chase_referrals
ldap-user-manager    | read1msg:  V2 referral chased, mark request completed, id = 1
ldap-user-manager    | read1msg: ld 0x55e0f08b7940 0 new referrals
ldap-user-manager    | read1msg:  mark request completed, ld 0x55e0f08b7940 msgid 1
ldap-user-manager    | request done: ld 0x55e0f08b7940 msgid 1
ldap-user-manager    | res_errno: 2, res_error: <unsupported extended operation>, res_matched: <>
ldap-user-manager    | ldap_free_request (origid 1, msgid 1)
ldap-user-manager    | ldap_parse_extended_result
ldap-user-manager    | ldap_parse_result
ldap-user-manager    | ldap_msgfree
ldap-user-manager    | ldap_err2string
ldap-user-manager    | ldap_err2string
ldap-user-manager    | [Fri Jul 30 12:25:57.463847 2021] [php:notice] [pid 21] [client 172.39.0.2:54198]  Failed to start STARTTLS connection to ldap://openldap: Protocol error, referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | ldap_free_connection 1 1
ldap-user-manager    | ldap_send_unbind
ldap-user-manager    | ldap_free_connection: actually freed
ldap-user-manager    | ldap_create
ldap-user-manager    | ldap_url_parse_ext(ldap://openldap)
ldap-user-manager    | [Fri Jul 30 12:25:57.463988 2021] [php:notice] [pid 21] [client 172.39.0.2:54198]  Attempting to bind to ldap://openldap as cn=admin,dc=my-domain,dc=com, referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | ldap_sasl_bind_s
ldap-user-manager    | ldap_sasl_bind
ldap-user-manager    | ldap_send_initial_request
ldap-user-manager    | ldap_new_connection 1 1 0
ldap-user-manager    | ldap_int_open_connection
ldap-user-manager    | ldap_connect_to_host: TCP openldap:389
ldap-user-manager    | ldap_new_socket: 10
ldap-user-manager    | ldap_prepare_socket: 10
ldap-user-manager    | ldap_connect_to_host: Trying 192.168.224.5:389
ldap-user-manager    | ldap_pvt_connect: fd: 10 tm: -1 async: 0
ldap-user-manager    | attempting to connect:
ldap-user-manager    | connect success
ldap-user-manager    | ldap_open_defconn: successful
ldap-user-manager    | ldap_send_server_request
ldap-user-manager    | ldap_result ld 0x55e0f08b8ae0 msgid 1
ldap-user-manager    | wait4msg ld 0x55e0f08b8ae0 msgid 1 (infinite timeout)
ldap-user-manager    | wait4msg continue ld 0x55e0f08b8ae0 msgid 1 all 1
ldap-user-manager    | ** ld 0x55e0f08b8ae0 Connections:
ldap-user-manager    | * host: openldap  port: 389  (default)
ldap-user-manager    |   refcnt: 2  status: Connected
ldap-user-manager    |   last used: Fri Jul 30 12:25:57 2021
ldap-user-manager    |
ldap-user-manager    |
ldap-user-manager    | ** ld 0x55e0f08b8ae0 Outstanding Requests:
ldap-user-manager    |  * msgid 1,  origid 1, status InProgress
ldap-user-manager    |    outstanding referrals 0, parent count 0
ldap-user-manager    |   ld 0x55e0f08b8ae0 request count 1 (abandoned 0)
ldap-user-manager    | ** ld 0x55e0f08b8ae0 Response Queue:
ldap-user-manager    |    Empty
ldap-user-manager    |   ld 0x55e0f08b8ae0 response count 0
ldap-user-manager    | ldap_chkResponseList ld 0x55e0f08b8ae0 msgid 1 all 1
ldap-user-manager    | ldap_chkResponseList returns ld 0x55e0f08b8ae0 NULL
ldap-user-manager    | ldap_int_select
ldap-user-manager    | read1msg: ld 0x55e0f08b8ae0 msgid 1 all 1
ldap-user-manager    | read1msg: ld 0x55e0f08b8ae0 msgid 1 message type bind
ldap-user-manager    | read1msg: ld 0x55e0f08b8ae0 0 new referrals
ldap-user-manager    | read1msg:  mark request completed, ld 0x55e0f08b8ae0 msgid 1
ldap-user-manager    | request done: ld 0x55e0f08b8ae0 msgid 1
ldap-user-manager    | res_errno: 0, res_error: <>, res_matched: <>
ldap-user-manager    | ldap_free_request (origid 1, msgid 1)
ldap-user-manager    | ldap_parse_result
ldap-user-manager    | ldap_msgfree
ldap-user-manager    | [Fri Jul 30 12:25:57.467506 2021] [php:notice] [pid 21] [client 172.39.0.2:54198]  Bound successfully as cn=admin,dc=my-domain,dc=com, referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | [Fri Jul 30 12:25:57.467534 2021] [php:notice] [pid 21] [client 172.39.0.2:54198]  Initial setup: opening another LDAP connection to test authentication as cn=admin,dc=my-domain,dc=com., referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | ldap_create
ldap-user-manager    | ldap_url_parse_ext(ldap://openldap)
ldap-user-manager    | ldap_extended_operation_s
ldap-user-manager    | ldap_extended_operation
ldap-user-manager    | ldap_send_initial_request
ldap-user-manager    | ldap_new_connection 1 1 0
ldap-user-manager    | ldap_int_open_connection
ldap-user-manager    | ldap_connect_to_host: TCP openldap:389
ldap-user-manager    | ldap_new_socket: 11
ldap-user-manager    | ldap_prepare_socket: 11
ldap-user-manager    | ldap_connect_to_host: Trying 192.168.224.5:389
ldap-user-manager    | ldap_pvt_connect: fd: 11 tm: -1 async: 0
ldap-user-manager    | attempting to connect:
ldap-user-manager    | connect success
ldap-user-manager    | ldap_open_defconn: successful
ldap-user-manager    | ldap_send_server_request
ldap-user-manager    | ldap_result ld 0x55e0f08b9130 msgid 1
ldap-user-manager    | wait4msg ld 0x55e0f08b9130 msgid 1 (infinite timeout)
ldap-user-manager    | wait4msg continue ld 0x55e0f08b9130 msgid 1 all 1
ldap-user-manager    | ** ld 0x55e0f08b9130 Connections:
ldap-user-manager    | * host: openldap  port: 389  (default)
ldap-user-manager    |   refcnt: 2  status: Connected
ldap-user-manager    |   last used: Fri Jul 30 12:25:57 2021
ldap-user-manager    |
ldap-user-manager    |
ldap-user-manager    | ** ld 0x55e0f08b9130 Outstanding Requests:
ldap-user-manager    |  * msgid 1,  origid 1, status InProgress
ldap-user-manager    |    outstanding referrals 0, parent count 0
ldap-user-manager    |   ld 0x55e0f08b9130 request count 1 (abandoned 0)
ldap-user-manager    | ** ld 0x55e0f08b9130 Response Queue:
ldap-user-manager    |    Empty
ldap-user-manager    |   ld 0x55e0f08b9130 response count 0
ldap-user-manager    | ldap_chkResponseList ld 0x55e0f08b9130 msgid 1 all 1
ldap-user-manager    | ldap_chkResponseList returns ld 0x55e0f08b9130 NULL
ldap-user-manager    | ldap_int_select
ldap-user-manager    | read1msg: ld 0x55e0f08b9130 msgid 1 all 1
ldap-user-manager    | read1msg: ld 0x55e0f08b9130 msgid 1 message type extended-result
ldap-user-manager    | ldap_chase_referrals
ldap-user-manager    | read1msg:  V2 referral chased, mark request completed, id = 1
ldap-user-manager    | read1msg: ld 0x55e0f08b9130 0 new referrals
ldap-user-manager    | read1msg:  mark request completed, ld 0x55e0f08b9130 msgid 1
ldap-user-manager    | request done: ld 0x55e0f08b9130 msgid 1
ldap-user-manager    | res_errno: 2, res_error: <unsupported extended operation>, res_matched: <>
ldap-user-manager    | ldap_free_request (origid 1, msgid 1)
ldap-user-manager    | ldap_parse_extended_result
ldap-user-manager    | ldap_parse_result
ldap-user-manager    | ldap_msgfree
ldap-user-manager    | ldap_err2string
ldap-user-manager    | ldap_err2string
ldap-user-manager    | [Fri Jul 30 12:25:57.468259 2021] [php:notice] [pid 21] [client 172.39.0.2:54198]  Failed to start STARTTLS connection to ldap://openldap: Protocol error, referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | ldap_free_connection 1 1
ldap-user-manager    | ldap_send_unbind
ldap-user-manager    | ldap_free_connection: actually freed
ldap-user-manager    | ldap_create
ldap-user-manager    | ldap_url_parse_ext(ldap://openldap)
ldap-user-manager    | [Fri Jul 30 12:25:57.468321 2021] [php:notice] [pid 21] [client 172.39.0.2:54198]  Attempting to bind to ldap://openldap as cn=admin,dc=my-domain,dc=com, referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | ldap_sasl_bind_s
ldap-user-manager    | ldap_sasl_bind
ldap-user-manager    | ldap_send_initial_request
ldap-user-manager    | ldap_new_connection 1 1 0
ldap-user-manager    | ldap_int_open_connection
ldap-user-manager    | ldap_connect_to_host: TCP openldap:389
ldap-user-manager    | ldap_new_socket: 11
ldap-user-manager    | ldap_prepare_socket: 11
ldap-user-manager    | ldap_connect_to_host: Trying 192.168.224.5:389
ldap-user-manager    | ldap_pvt_connect: fd: 11 tm: -1 async: 0
ldap-user-manager    | attempting to connect:
ldap-user-manager    | connect success
ldap-user-manager    | ldap_open_defconn: successful
ldap-user-manager    | ldap_send_server_request
ldap-user-manager    | ldap_result ld 0x55e0f08b8ed0 msgid 1
ldap-user-manager    | wait4msg ld 0x55e0f08b8ed0 msgid 1 (infinite timeout)
ldap-user-manager    | wait4msg continue ld 0x55e0f08b8ed0 msgid 1 all 1
ldap-user-manager    | ** ld 0x55e0f08b8ed0 Connections:
ldap-user-manager    | * host: openldap  port: 389  (default)
ldap-user-manager    |   refcnt: 2  status: Connected
ldap-user-manager    |   last used: Fri Jul 30 12:25:57 2021
ldap-user-manager    |
ldap-user-manager    |
ldap-user-manager    | ** ld 0x55e0f08b8ed0 Outstanding Requests:
ldap-user-manager    |  * msgid 1,  origid 1, status InProgress
ldap-user-manager    |    outstanding referrals 0, parent count 0
ldap-user-manager    |   ld 0x55e0f08b8ed0 request count 1 (abandoned 0)
ldap-user-manager    | ** ld 0x55e0f08b8ed0 Response Queue:
ldap-user-manager    |    Empty
ldap-user-manager    |   ld 0x55e0f08b8ed0 response count 0
ldap-user-manager    | ldap_chkResponseList ld 0x55e0f08b8ed0 msgid 1 all 1
ldap-user-manager    | ldap_chkResponseList returns ld 0x55e0f08b8ed0 NULL
ldap-user-manager    | ldap_int_select
ldap-user-manager    | read1msg: ld 0x55e0f08b8ed0 msgid 1 all 1
ldap-user-manager    | read1msg: ld 0x55e0f08b8ed0 msgid 1 message type bind
ldap-user-manager    | read1msg: ld 0x55e0f08b8ed0 0 new referrals
ldap-user-manager    | read1msg:  mark request completed, ld 0x55e0f08b8ed0 msgid 1
ldap-user-manager    | request done: ld 0x55e0f08b8ed0 msgid 1
ldap-user-manager    | res_errno: 0, res_error: <>, res_matched: <>
ldap-user-manager    | ldap_free_request (origid 1, msgid 1)
ldap-user-manager    | ldap_parse_result
ldap-user-manager    | ldap_msgfree
ldap-user-manager    | [Fri Jul 30 12:25:57.470697 2021] [php:notice] [pid 21] [client 172.39.0.2:54198]  Bound successfully as cn=admin,dc=my-domain,dc=com, referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | ldap_sasl_bind_s
ldap-user-manager    | ldap_sasl_bind
ldap-user-manager    | ldap_send_initial_request
ldap-user-manager    | ldap_send_server_request
ldap-user-manager    | ldap_result ld 0x55e0f08b8ed0 msgid 2
ldap-user-manager    | wait4msg ld 0x55e0f08b8ed0 msgid 2 (infinite timeout)
ldap-user-manager    | wait4msg continue ld 0x55e0f08b8ed0 msgid 2 all 1
ldap-user-manager    | ** ld 0x55e0f08b8ed0 Connections:
ldap-user-manager    | * host: openldap  port: 389  (default)
ldap-user-manager    |   refcnt: 2  status: Connected
ldap-user-manager    |   last used: Fri Jul 30 12:25:57 2021
ldap-user-manager    |
ldap-user-manager    |
ldap-user-manager    | ** ld 0x55e0f08b8ed0 Outstanding Requests:
ldap-user-manager    |  * msgid 2,  origid 2, status InProgress
ldap-user-manager    |    outstanding referrals 0, parent count 0
ldap-user-manager    |   ld 0x55e0f08b8ed0 request count 1 (abandoned 0)
ldap-user-manager    | ** ld 0x55e0f08b8ed0 Response Queue:
ldap-user-manager    |    Empty
ldap-user-manager    |   ld 0x55e0f08b8ed0 response count 0
ldap-user-manager    | ldap_chkResponseList ld 0x55e0f08b8ed0 msgid 2 all 1
ldap-user-manager    | ldap_chkResponseList returns ld 0x55e0f08b8ed0 NULL
ldap-user-manager    | ldap_int_select
ldap-user-manager    | read1msg: ld 0x55e0f08b8ed0 msgid 2 all 1
ldap-user-manager    | read1msg: ld 0x55e0f08b8ed0 msgid 2 message type bind
ldap-user-manager    | read1msg: ld 0x55e0f08b8ed0 0 new referrals
ldap-user-manager    | read1msg:  mark request completed, ld 0x55e0f08b8ed0 msgid 2
ldap-user-manager    | request done: ld 0x55e0f08b8ed0 msgid 2
ldap-user-manager    | res_errno: 0, res_error: <>, res_matched: <>
ldap-user-manager    | ldap_free_request (origid 2, msgid 2)
ldap-user-manager    | ldap_parse_result
ldap-user-manager    | ldap_msgfree
ldap-user-manager    | ldap_free_connection 1 1
ldap-user-manager    | ldap_send_unbind
ldap-user-manager    | ldap_free_connection: actually freed
ldap-user-manager    | [Fri Jul 30 12:25:57.471164 2021] [php:notice] [pid 21] [client 172.39.0.2:54198]  Initial setup: able to authenticate as cn=admin,dc=my-domain,dc=com., referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | ldap_free_connection 1 1
ldap-user-manager    | ldap_send_unbind
ldap-user-manager    | ldap_free_connection: actually freed
ldap-user-manager    | 10.8.0.1:80 172.39.0.2 - - [30/Jul/2021:12:25:57 +0000] "POST /ldapmanager/setup/ HTTP/1.0" 302 418 "http://10.8.0.1/ldapmanager/setup/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"
ldap-user-manager    | 10.8.0.1:80 172.39.0.2 - - [30/Jul/2021:12:25:57 +0000] "GET /ldapmanager/setup/run_checks.php HTTP/1.0" 302 257 "http://10.8.0.1/ldapmanager/setup/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"
ldap-user-manager    | 10.8.0.1:80 172.39.0.2 - - [30/Jul/2021:12:25:57 +0000] "GET /ldapmanager/setup/index.php?unauthorised HTTP/1.0" 200 814 "http://10.8.0.1/ldapmanager/setup/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"


Thanks in advance 👍🏼

@ikaruswill commented Aug 1, 2021

+1 I'm upgrading from an existing setup with v1.6 and I'm seeing the same issue.

Steps to reproduce:

On clicking Log in after entering the credentials, I'm greeted with the following:

Please log in to continue

URL in the address bar changes to: log_in/index.php?unauthorised&redirect_to=<some_token>

Steps to fix:

Revert to v1.6, and login works as expected.

Notes

I did not change any configuration or environment variables since v1.6.

Were there any breaking changes that we should have taken note of? I did check the release notes but did not see any upgrade steps necessary.

@wheelybird (Owner)

Hi. There were some small changes to cookies with this version, so perhaps that's the issue. Which browser are you using?

@wheelybird (Owner)

It would be helpful if you could also post the logs from when you're trying to log in, but with SESSION_DEBUG set to true. Please also remove LDAP_DEBUG and LDAP_VERBOSE_CONNECTION_LOGS settings as this is a web session issue and they'll just make the logs very verbose.

@jonathanmmm (Author) commented Aug 2, 2021

I am using Brave Browser (Chromium Based).

I will post logs later.

@ikaruswill

I'm using Chrome. Unfortunately I won't be able to access my machine in the next few days, so I can't help for now.

@jonathanmmm (Author)

docker-compose logs
Attaching to ldap-user-manager
ldap-user-manager    |
ldap-user-manager    | <VirtualHost *:80>
ldap-user-manager    |
ldap-user-manager    |  ServerName 10.8.0.1
ldap-user-manager    |  DocumentRoot /opt/ldap_user_manager
ldap-user-manager    |  Alias /ldapmanager /opt/ldap_user_manager
ldap-user-manager    |  DirectoryIndex index.php index.html
ldap-user-manager    |
ldap-user-manager    |  <Directory /opt/ldap_user_manager>
ldap-user-manager    |    Require all granted
ldap-user-manager    |  </Directory>
ldap-user-manager    |
ldap-user-manager    | </VirtualHost>
ldap-user-manager    | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.224.5. Set the 'ServerName' directive globally to suppress this message
ldap-user-manager    | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.224.5. Set the 'ServerName' directive globally to suppress this message
ldap-user-manager    | [Mon Aug 02 12:10:06.657139 2021] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.38 (Debian) PHP/8.0.8 OpenSSL/1.1.1d configured -- resuming normal operations
ldap-user-manager    | [Mon Aug 02 12:10:06.657391 2021] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
ldap-user-manager    | 10.8.0.1:80 172.28.0.4 - - [02/Aug/2021:12:10:14 +0000] "GET /ldapmanager/setup HTTP/1.0" 301 550 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"
ldap-user-manager    | [Mon Aug 02 12:10:14.960184 2021] [php:notice] [pid 21] [client 172.28.0.4:38116]  Session: orf_cookie wasn't sent by the client.
ldap-user-manager    | 10.8.0.1:80 172.28.0.4 - - [02/Aug/2021:12:10:14 +0000] "GET /ldapmanager/setup/ HTTP/1.0" 200 815 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"
ldap-user-manager    | [Mon Aug 02 12:10:26.016767 2021] [php:notice] [pid 22] [client 172.28.0.4:38156]  Session: orf_cookie wasn't sent by the client., referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | [Mon Aug 02 12:10:26.022658 2021] [php:notice] [pid 22] [client 172.28.0.4:38156]  Failed to start STARTTLS connection to ldap://openldap: Protocol error, referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | [Mon Aug 02 12:10:26.024516 2021] [php:notice] [pid 22] [client 172.28.0.4:38156]  Failed to start STARTTLS connection to ldap://openldap: Protocol error, referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | [Mon Aug 02 12:10:26.026049 2021] [php:notice] [pid 22] [client 172.28.0.4:38156]  Setup session: sent setup_cookie to the client., referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | 10.8.0.1:80 172.28.0.4 - - [02/Aug/2021:12:10:26 +0000] "POST /ldapmanager/setup/ HTTP/1.0" 302 419 "http://10.8.0.1/ldapmanager/setup/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"
ldap-user-manager    | [Mon Aug 02 12:10:26.053218 2021] [php:notice] [pid 24] [client 172.28.0.4:38166]  Session: orf_cookie wasn't sent by the client., referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | [Mon Aug 02 12:10:26.054535 2021] [php:notice] [pid 24] [client 172.28.0.4:38166]  Session: setup_cookie wasn't sent by the client., referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | [Mon Aug 02 12:10:26.054557 2021] [php:notice] [pid 24] [client 172.28.0.4:38166]  Session: UNAUTHORISED: page security level is 'setup' but IS_SETUP_ADMIN isn't TRUE, referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | 10.8.0.1:80 172.28.0.4 - - [02/Aug/2021:12:10:26 +0000] "GET /ldapmanager/setup/run_checks.php HTTP/1.0" 302 257 "http://10.8.0.1/ldapmanager/setup/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"
ldap-user-manager    | [Mon Aug 02 12:10:26.081574 2021] [php:notice] [pid 23] [client 172.28.0.4:38168]  Session: orf_cookie wasn't sent by the client., referer: http://10.8.0.1/ldapmanager/setup/
ldap-user-manager    | 10.8.0.1:80 172.28.0.4 - - [02/Aug/2021:12:10:26 +0000] "GET /ldapmanager/setup/index.php?unauthorised HTTP/1.0" 200 815 "http://10.8.0.1/ldapmanager/setup/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"

It seems there is an environment variable IS_SETUP_ADMIN; I couldn't find it in the README.md.

docker-compose logs after trying to log in with a user in the admin group (hopefully, I don't know exactly)
ldap-user-manager    | [Mon Aug 02 12:13:31.500080 2021] [php:notice] [pid 20] [client 172.28.0.4:39056]  Session: orf_cookie wasn't sent by the client., referer: http://10.8.0.1/ldapmanager/setup/index.php?unauthorised
ldap-user-manager    | 10.8.0.1:80 172.28.0.4 - - [02/Aug/2021:12:13:31 +0000] "GET /ldapmanager/log_in/ HTTP/1.0" 200 889 "http://10.8.0.1/ldapmanager/setup/index.php?unauthorised" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"
ldap-user-manager    | [Mon Aug 02 12:13:37.303362 2021] [php:notice] [pid 21] [client 172.28.0.4:39080]  Session: orf_cookie wasn't sent by the client., referer: http://10.8.0.1/ldapmanager/log_in/
ldap-user-manager    | [Mon Aug 02 12:13:37.308719 2021] [php:notice] [pid 21] [client 172.28.0.4:39080]  Failed to start STARTTLS connection to ldap://openldap: Protocol error, referer: http://10.8.0.1/ldapmanager/log_in/
ldap-user-manager    | [Mon Aug 02 12:13:37.310630 2021] [php:notice] [pid 21] [client 172.28.0.4:39080]  Failed to start STARTTLS connection to ldap://openldap: Protocol error, referer: http://10.8.0.1/ldapmanager/log_in/
ldap-user-manager    | [Mon Aug 02 12:13:37.326812 2021] [php:notice] [pid 21] [client 172.28.0.4:39080]  Session: user user_in_admin_group validated (IS_ADMIN=1), sent orf_cookie to the browser., referer: http://10.8.0.1/ldapmanager/log_in/
ldap-user-manager    | 10.8.0.1:80 172.28.0.4 - - [02/Aug/2021:12:13:37 +0000] "POST /ldapmanager/log_in/ HTTP/1.0" 302 573 "http://10.8.0.1/ldapmanager/log_in/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"
ldap-user-manager    | 10.8.0.1:80 172.28.0.4 - - [02/Aug/2021:12:13:37 +0000] "GET /ldapmanager/account_manager?logged_in HTTP/1.0" 301 590 "http://10.8.0.1/ldapmanager/log_in/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"
ldap-user-manager    | [Mon Aug 02 12:13:37.380550 2021] [php:notice] [pid 24] [client 172.28.0.4:39092]  Session: orf_cookie wasn't sent by the client., referer: http://10.8.0.1/ldapmanager/log_in/
ldap-user-manager    | [Mon Aug 02 12:13:37.382110 2021] [php:notice] [pid 24] [client 172.28.0.4:39092]  Session: no access to page (unauthorised): page security level is 'admin' but IS_ADMIN = '' and VALIDATED = '' (user) , referer: http://10.8.0.1/ldapmanager/log_in/
ldap-user-manager    | 10.8.0.1:80 172.28.0.4 - - [02/Aug/2021:12:13:37 +0000] "GET /ldapmanager/account_manager/?logged_in HTTP/1.0" 302 323 "http://10.8.0.1/ldapmanager/log_in/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"
ldap-user-manager    | [Mon Aug 02 12:13:37.408900 2021] [php:notice] [pid 23] [client 172.28.0.4:39094]  Session: orf_cookie wasn't sent by the client., referer: http://10.8.0.1/ldapmanager/log_in/
ldap-user-manager    | 10.8.0.1:80 172.28.0.4 - - [02/Aug/2021:12:13:37 +0000] "GET /ldapmanager/log_in/index.php?unauthorised&redirect_to=L2xkYXBtYW5hZ2VyL2FjY291bnRfbWFuYWdlci8/bG9nZ2VkX2lu HTTP/1.0" 200 994 "http://10.8.0.1/ldapmanager/log_in/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36"

@wheelybird (Owner)

IS_SETUP_ADMIN is an internal variable - you can't set it via environment variables. The issue is that the cookies aren't being set. I'll look into this - I think it's because the cookie code was updated to use SameSite and there might be an issue with that when using HTTP.
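A diagnostic for the cookie hypothesis raised above, added here as example code (not part of ldap-user-manager): it applies the RFC 6265 storage and path-matching rules to Set-Cookie headers and reports why a browser would drop a cookie, or leave it out of the next request, on a plain-HTTP deployment under a sub-path such as /ldapmanager. The sample headers, URLs and cookie value are constructed for this example; the orf_cookie name and the /ldapmanager paths are taken from the logs in this thread.

```python
"""Set-Cookie attribute checker for a web app served over plain HTTP behind a
reverse proxy under a sub-path. Added example, not code from ldap-user-manager.

Given a Set-Cookie header, the URL of the response that carried it, and the URL
the browser requests next, report every reason a browser following RFC 6265
would refuse to store the cookie or omit it from the next request.
SAMPLE_HEADERS below are constructed for this example.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict[str, str] = field(default_factory=dict)  # lower-cased attribute names


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name, value and attributes (RFC 6265 section 5.2)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def default_path(request_path: str) -> str:
    """Cookie path used when no Path attribute is sent (RFC 6265 section 5.1.4):
    the request path up to, but not including, its right-most '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """Path-match per RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def domain_matches(cookie_domain: str, host: str) -> bool:
    """Domain-match per RFC 6265 section 5.1.3, after stripping a leading dot."""
    d = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == d or host.endswith("." + d)


def cookie_problems(header: str, set_url: str, next_url: str) -> list[str]:
    """Return human-readable reasons the cookie would not reach next_url."""
    c = parse_set_cookie(header)
    src, nxt = urlsplit(set_url), urlsplit(next_url)
    problems = []
    if "secure" in c.attrs and src.scheme != "https":
        problems.append(f"{c.name}: Secure flag on a plain-HTTP response; browser will not store it")
    if c.attrs.get("samesite", "").lower() == "none" and "secure" not in c.attrs:
        problems.append(f"{c.name}: SameSite=None without Secure is rejected by current browsers")
    if c.attrs.get("domain") and not domain_matches(c.attrs["domain"], src.hostname or ""):
        problems.append(f"{c.name}: Domain={c.attrs['domain']} does not cover {src.hostname}; rejected")
    max_age = c.attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit() and int(max_age) <= 0:
        problems.append(f"{c.name}: Max-Age={max_age} expires the cookie immediately")
    cookie_path = c.attrs.get("path") or default_path(src.path)
    if not path_matches(cookie_path, nxt.path):
        problems.append(f"{c.name}: Path={cookie_path} does not cover {nxt.path}; cookie not sent there")
    return problems


# Constructed sample mirroring the flow in the logs above: a POST to the login
# page followed by a redirect into another directory of the same sub-path.
LOGIN_URL = "http://10.8.0.1/ldapmanager/log_in/"
NEXT_URL = "http://10.8.0.1/ldapmanager/account_manager/?logged_in"
SAMPLE_HEADERS = {
    "scoped to the app prefix": "orf_cookie=tok; HttpOnly; SameSite=Lax; Path=/ldapmanager",
    "no Path attribute": "orf_cookie=tok; HttpOnly; SameSite=Lax",
    "Secure over HTTP": "orf_cookie=tok; Secure; HttpOnly; SameSite=Lax; Path=/ldapmanager",
    "SameSite=None, no Secure": "orf_cookie=tok; HttpOnly; SameSite=None; Path=/ldapmanager",
}


def audit(headers: dict[str, str], set_url: str, next_url: str) -> dict[str, list[str]]:
    """Run cookie_problems over each labelled header; an empty list means the cookie round-trips."""
    return {label: cookie_problems(h, set_url, next_url) for label, h in headers.items()}


if __name__ == "__main__":
    for label, problems in audit(SAMPLE_HEADERS, LOGIN_URL, NEXT_URL).items():
        print(f"{label:26} -> {'OK' if not problems else '; '.join(problems)}")
```

To check a live deployment, paste the Set-Cookie lines from `curl -si` against the proxy into SAMPLE_HEADERS together with the URLs the browser actually visited.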

@jonathanmmm (Author)

Brave blocks third-party cookies; maybe it generates another cookie not for 10.8.0.1 (where it sits behind the nginx proxy).

@wheelybird (Owner)

I looked into this yesterday evening and was unable to replicate the issue. I tried with recent versions of Chrome and Chromium with various Same-Site cookie flags enabled and disabled, so I don't think the issue lies there. Could you try bypassing Nginx and connecting to the user manager directly?

@jonathanmmm (Author) commented Aug 3, 2021

I can now confirm that it didn't work without nginx either, even on port 80 (with 10.8.0.1 as the IP).

But v1.6 works without the proxy (login and setup) and with the proxy, but not in a subfolder (SERVER_PATH not working).

The request reaches the container (I can see it with docker-compose logs, under the SERVER_PATH given in the first message in this issue), but I get a not-found message from nginx, so it doesn't return the correct response.

So something changed between v1.6 and v1.7 that enables correct path proxying but breaks cookies.

jonathanmmm changed the title from "Can't start setup" to "Can't start setup or login behind nginx v1.7 (v1.6 works, but without subfolder)" on Aug 20, 2021

@wheelybird (Owner)

Could you try this Docker image: wheelybird/ldap-user-manager:oldcookies (amd64 only)?
It uses the cookie code from an older release.

@jonathanmmm (Author) commented Sep 4, 2021

Could you try this Docker image: wheelybird/ldap-user-manager:oldcookies (amd64 only)?
It uses the cookie code from an older release.

@wheelybird I tried it; it works (oldcookies) in a subfolder with the nginx proxy. It doesn't work with latest.

@giggls giggls linked a pull request Sep 30, 2021 that will close this issue
@rockmenjack commented Mar 3, 2022

Here is the debug log:

[Thu Mar 03 01:12:52.926300 2022] [php:notice] [pid 21] [client *****:47102]  Session: user ****** validated (IS_ADMIN=1), sent orf_cookie to the browser., referer: http://*****:8088/log_in/index.php?unauthorised&redirect_to=L2FjY291bnRfbWFuYWdlci8/bG9nZ2VkX2lu
*****:8088 ***** - - [03/Mar/2022:01:12:52 +0000] "POST /log_in/index.php?unauthorised&redirect_to=L2FjY291bnRfbWFuYWdlci8/bG9nZ2VkX2lu HTTP/1.1" 302 594 "http://*****:8088/log_in/index.php?unauthorised&redirect_to=L2FjY291bnRfbWFuYWdlci8/bG9nZ2VkX2lu" "Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0"
[Thu Mar 03 01:12:52.980428 2022] [php:notice] [pid 21] [client *****:47102]  Session: orf_cookie wasn't sent by the client., referer: http://*****:8088/log_in/index.php?unauthorised&redirect_to=L2FjY291bnRfbWFuYWdlci8/bG9nZ2VkX2lu

Using the v1.7 image from Docker Hub, tried both Chromium and Firefox; it seems the orf_cookie was sent by nginx?

Below is the error from the setup page:

Fatal error: Uncaught TypeError: Unsupported operand types: string + string in /opt/ldap_user_manager/includes/web_functions.inc.php:190 Stack trace: #0 /opt/ldap_user_manager/setup/run_checks.php(9): validate_setup_cookie() #1 {main} thrown in /opt/ldap_user_manager/includes/web_functions.inc.php on line 190
