Login with Active Directory User / LDAP Configuration

[DrEvilInFlames]

Hello everyone,

for the past days I've tried to hook up 4minitz to our Active Directory via LDAP configuration.
For the moment and after reading #348 up and downwards I'm totally lost.

After testing on the stable release I'm currenty using this docker :

Version: {
    "tag": "v1.1.0-develop",
    "branch": "develop",
    "commitlong": "8bb7c937b9e8bdb536ec918db67b287fc269cf62",
    "commitshort": "8bb7c937",
    "date": "2018-01-07"
}

And my configuration for LDAP looks like this :

"ldap": {
        "enabled": true,
        "propertyMap": {
            "username": "sAMAccountName",
            "longname": "cn",
            "email": "mail"
        },
        "//1": "Optional, will perform bind with these credentials before searching for users",
        "authentication": {
            "userDn": "cn=Global LDAP Helper, ou=ServiceUser, ou=DE-User, dc=ourdomain, dc=de",
            "password": "supersecretpassword"
        },
        "searchFilter": "(objectClass=user)",
        "serverDn": "DC=ourdomain,DC=de",
        "serverUrl": "ldap://dc1.ourdomain.de:389",
        "allowSelfSignedTLS": true,
        "whiteListedFields": [ "sAMAccountName", "cn", "department", "employeeNumber", "mail", "mailEnabled" ],
        "inactiveUsers": {"strategy": "userAccountControl"},
        "autopublishFields": [ "cn" ],
        "importCronTab": false
    },

From the 4minitz logfile I'm getting this :

LDAP bind failed with error
{"dn":"","code":49,"name":"InvalidCredentialsError","message":"80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\u0000"}

I'm confused cause the bind with the configured "userDn" setup within "authentication" never took place. Wireshark told me that only the username of my testuser that tried to login on the webinterface was submitted :

171	24.876221144	172.17.0.72	192.168.1.18	LDAP	134	bindRequest(1) "sAMAccountName=testuser,DC=ourdomain,DC=de" simple 
172	24.876638474	192.168.1.18	172.17.0.72	LDAP	176	bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580) 

I've also played with "bindWith": "dn", but that just led to "dn=testuser,DC=ourdomain,DC=de" simple which will never work cause the users dn is "dn=testuser,OU=Testing,OU=DE-Users,DC=ourdomain,DC=de"

What was also tested :

        "authentication": {
            "userDn": "globalldaphelper@ourdomain.de",
            "password": "supersecretpassword"
        },

        "authentication": {
            "userDn": "NETBIOS\globalldaphelper,
            "password": "supersecretpassword"
        },

        "authentication": {
            "userDn": "NETBIOS\\globalldaphelper,
            "password": "supersecretpassword"
        },

I've also tested "importOnLaunch": true, but that didn't seem to have any effects. Shouldn't there be any entries in the log if the import starts oder fails on some point? Wireshark didn't show any action either.

What am I missing?

Appreciate any help on this.

[migerh]

The docker image you are using is slightly out of date, importOnLaunch is not implemented there, at least according to this comparison:

8bb7c...develop

The authentication user is only used for importing users from LDAP into our own database be it with the import npm task (I guess that's not available in a docker container), importOnLaunch or the importCronTab. Could you please try the latter? If you set it to a string formatted in the known crontab syntax it will import it at the specified points in time. Choose one that is close to your current time, e.g. if it's 8:30, try "32 08 * * *". That import should use the user defined under authentication. After the import was run you should see an entry in your server log stating that some users were imported and none were updated.

[DrEvilInFlames]

Thank you migerh!

For testing I just used an every 5 minutes cron "importCronTab": "*/5 * * * *"

The settings for authentication worked this way :

        "authentication": {
            "userDn": "ldapreader@ourdomain.de",
            "password": "supersecretpassword"
        },

and I used this filter to just retrieve a set of users and not all the hundrets of users available :

"searchFilter": "(&(objectCategory=user)(objectClass=user)(memberOf=CN=4Minitz_Users,OU=4Minitz,OU=Groupsecurity,OU=DE-User,DC=ourdomain,DC=de))",

I monitored the request to LDAP with wireshark and the results matched perfectly. Bind was okay, each member of the group defined in the filter got returned with its attributes and at the end the unbind.

But no users were added to 4minitz ... instead the following was logged :
An error occurred: TypeError: db.collection is not a function

any suggestions on this?

[migerh]

Yes, the docker image is outdated. This issue is already fixed on develop, see #406.

Paging @derwok: We need a new docker image of develop or a new release.

[derwok]

Hi @DrEvilInFlames ,
sorry that you are struggeling with LDAP.
Meteor needs some userdata in its local (meteor) database to work correctly: username, mail address, access roles). So we must mirror this data from LDAP into our own DB. For this we created the importUsers.js server side helper tool. From then on we rely upon the LDAP cron import to keep this data up-to-date.

We had to overlapping issues here:

1. We did not consider the docker deployment usecase. Here you can't fire up the importUsers.js helper. It is simply not compiled into the docker image. STUPID US! One solution to initially populate the user DB is a short ldap-cron interval (like you did). But we also fixed this with the new setting "importOnLaunch": true,of the ldapsection. This setting is currently only available on the develop branch.

2. While the above fix is on its way from develop-branch to master/release-branch the mongoDB/JS developers decided to change their database API. We had to fix this with LDAP importCronTab creates "TypeError: db.collection is not a function" errors in serverside log #406

We just pushed a current docker image of the develop branch to docker hub. If you have time, please try a:

docker run -it --rm -v $(pwd)/4minitz_storage:/4minitz_storage -p 3100:3333 4minitz/4minitz:develop

When you do a docker images you should see something like:

REPOSITORY          TAG                  IMAGE ID            CREATED             SIZE
4minitz/4minitz     develop              9efab2c0d642        26 minutes ago      969MB

=> Please report, if your LDAP issue is solved with the current develop docker image.

On top we are planning to release a new stable/master version in the next couple of days...
So, stay tuned. And thanks for your patience. ;-)

[DrEvilInFlames]

Hi @derwok ,

thx for the new docker develop image
had some time today for testing.

I'm sorry to say that the problem seems not to be solved.
The following error showed up :
An error occurred: MongoError: database name must be a string

I've tried it with

        "importOnLaunch": true,
        "importCronTab": "*/5 * * * *"

and also only with

        "importOnLaunch": true

Both with a new and also with an "in use" mongodb with some local users.
Same error message.

Here's a longer output from the logfile :

*** Admin IDs:
    verylondidHere1234: admin
Version: {
    "tag": "v1.1.0-develop",
    "branch": "develop",
    "commitlong": "542e44c45b72461bf7ce8ecf289d5ee836f6aaa9",
    "commitshort": "542e44c4",
    "date": "2018-03-31"
}
*** ROOT_URL: https://4minitz.ourdomain.de
WebApp current working directory:/4minitz_bin/bundle/programs/server
Importing LDAP users on launch. Disable via settings.json ldap.importOnLaunch.
An error occurred: MongoError: database name must be a string

An another thing I discovered in the older an also in the current developer image :

If you are using SMTP to deliver your mails and your mailserver uses an selfsigned certificate mails can not be send. You will see the following in the logs :
Error: Error: unable to get local issuer certificate

I tested a bit with adding the certificate chain to /etc/ssl/certs on the host running the docker image and then map this to 4minitz but that didn't solve it. Looking around a while I found out that there is an parameter for SMTP in meteor framework to bypass this problem. It is ?tls.rejectUnauthorized=false that has to be added to the mailUrl

Full working SMTP config looks like this :

    "smtp": {
        "mailUrl": "smtp://mx01.ourdomain.de:25?tls.rejectUnauthorized=false"
    },

Maybe you want to add this information to the docs. If its already there and I missed it ... ignore it ;-)

[derwok]

Hi @DrEvilInFlames,
OK - This is new...

1.) in the host console, where you launch your docker container, there should be some output like this:

forked process: 15
child process started successfully, parent exiting
Waiting for mongodb to be ready...
Mongodb is ready.
** Setting MONGO_URL to default
MONGO_URL=mongodb://localhost:27017/

Could you copy&paste how your output looks like?

2.) Could you copy&paste your docker run command? Just to check if you make use of "-e MONGO_URL"?

3.) I have pushed a new develop/unstable image to docker hub. To make sure you get the right one, it has also tis tag: 4minitz/4minitz:gitcommit-7654d404. If you launch this with your current settings, in your 4Minitz log here: ./4minitz_storage/log/4minitz.log there yould now be a line stating the MONGO_URL that is used for the LDAP import like - MONGO_URL:. Could you check what 4Minitz tries to use?

Thanks for your patience.

[DrEvilInFlames]

Hey @derwok ,

just had a go with the new image and here are the results :

Inside container basedir: /4minitz_storage - OK
4minitz_settings.json found on your local host directory.
You may edit the settings file locally on your host.
Then restart this docker container.
about to fork child process, waiting until server is ready for connections.
forked process: 16
child process started successfully, parent exiting
Waiting for mongodb to be ready...
Mongodb is ready.
** Setting MONGO_URL to default
MONGO_URL=mongodb://localhost:27017/

***********************************
*-- Welcome to 4Minitz in Docker--*
*                                 *
* IF                              *
*   you launched the container    *
*   with the -p 3100:3333 option  *
* THEN                            *
*   You can open 4Minitz on your  *
*   host browser via:             *
*   http://localhost:3100         *
***********************************

******
Logging to /4minitz_storage/log/4minitz.log

******
To log in to your 4minitz server container:
    docker exec -it docker-13935 /bin/bash

******
You can stop this service by:
Ctrl+c or 'docker stop docker-13935'

2. my run commands :

docker run -it --rm -v $(pwd)/4minitz_storage:/4minitz_storage -p 3100:3333 4minitz/4minitz:develop
and with the new image i used :
docker run -it --rm -v $(pwd)/4minitz_storage:/4minitz_storage -p 3100:3333 4minitz/4minitz:gitcommit-7654d404

3. the logfile data :

------------------------------- New 4Minitz!
Note: you are using a pure-JavaScript implementation of bcrypt.
While this implementation will work correctly, it is known to be
approximately three times slower than the native implementation.
In order to use the native implementation instead, run

  meteor npm install --save bcrypt

in the root directory of your application.
Attachments upload feature: ENABLED
attachmentsStoragePath:/4minitz_storage/attachments
Document generation feature: ENABLED
Document Storage Path: /4minitz_storage/protocols
OK, has write access to attachmentsStoragePath
OK, has write access to Document Storage Path
*** Admin IDs:
    gC5pnEmEP2jpksAYt: admin
Version: {
    "tag": "v1.1.0-develop",
    "branch": "develop",
    "commitlong": "7654d404b3275bd9396c1b5a793f4f333ddcd961",
    "commitshort": "7654d404",
    "date": "2018-04-03"
}
*** ROOT_URL: http://4minitz.ourdomain.de
WebApp current working directory:/4minitz_bin/bundle/programs/server
MONGO_URL: mongodb://localhost:27017/
Importing LDAP users on launch. Disable via settings.json ldap.importOnLaunch.
An error occurred: MongoError: database name must be a string
------------------------------- STOP 4Minitz!

[derwok]

Hey @DrEvilInFlames,
I think we found the reason for the issue...
As @migerh already thought the root cause was (once again) the breaking API of the mongodb driver we use (see issue #406). But for the docker image we need some additional handling of setting a proper default MONGO_URL.

Could you please - once more - check the new test docker image (issue424) and report if LDAP import now works for you (or at least the MongoError: database name must be a string should be gone now):

docker run -it -v $(pwd)/4minitz_storage:/4minitz_storage -p 3100:3333 4minitz/4minitz:issue424

Thanks again for your patience.

[derwok]

P.S. We are on "the last mile" of building a new stable/master release v1.5 from the current develop over the weekend.

So if you could quickly report that LDAP eventually works for you with the above docker image, this fix would also make it in the release. That said: if the fix image works for you please wait for 1.5 release before using 4Minitz in production.

[DrEvilInFlames]

Thx for your work @derwok

I can confirm it works now.
Users are imported and LDAP users can login with their credentials.

I'll recheck the final v1.5 after release.
Again thanks for sorting this out.