
[v1.0.0b] - LDAP Not functional with AD on current nightly (3/23/2023) #2279

Closed
5 tasks done
LargoUsagi opened this issue Mar 23, 2023 · 9 comments · Fixed by #2288

Comments

@LargoUsagi

First Check

  • This is not a feature request
  • I added a very descriptive title to this issue.
  • I used the GitHub search to find a similar issue and didn't find it.
  • I searched the Mealie documentation, with the integrated search.
  • I already read the docs and didn't find an answer.

What is the issue you are experiencing?

As of the latest nightly, with the changes to the LDAP_USER_FILTER, I am seeing the new error that there are multiple users coming back.

ERROR: 23-Mar-23 15:33:54 [LDAP] Multiple users found with the provided user filter

When using the same filters via Get-ADUser -LDAPFilter 'expression' in PowerShell I am only seeing a single result.

I would expect that if there were multiple responses it would at least take the first response in the set and attempt a bind to that.

It is also unclear whether this was a breaking change to how this field worked before merging #2199, based on the discussion here: #2228

Deployment

Other

Deployment Details

Kubernetes using containerd on linux.

Application works flawlessly outside of raised issue and worked for a few weeks before pulling latest nightly.

@cmintey
Contributor

cmintey commented Mar 23, 2023

Can you please share your LDAP_USER_FILTER?

@LargoUsagi
Author

apiVersion: v1
kind: ConfigMap
metadata:
  name: mealie-config
data:
  PUID: "1000"
  PGID: "1000"
  ALLOW_SIGNUP: 'false'
  MAX_WORKERS: "1"
  WEB_CONCURRENCY: "1"
  BASE_URL: "https://foodlibrary.****"
  LDAP_AUTH_ENABLED: "true"
  LDAP_SERVER_URL: "ldap://****:389"
  LDAP_TLS_INSECURE: "true"
  LDAP_BASE_DN: "dc=****,dc=****,dc=****"
  LDAP_QUERY_BIND: "****"
  LDAP_QUERY_PASSWORD: "****"
  LDAP_ID_ATTRIBUTE: "sAMAccountName"
  LDAP_USER_FILTER: "(&(|({id_attribute}={input})({mail_attribute}={input}))(objectClass=user))"
  LDAP_ADMIN_FILTER: "(memberOf=cn=MealieAdmin,OU=Domain Groups,dc=****,dc=****,dc=****)"

I have also removed it and tried the default, or used the objectClass of person.

This only returns one result:

 Get-ADUser -LDAPFilter '(|(sAMAccountName=largousagi)(mail=largousagi))(objectClass=user)'

I also tested setting the user filter to match the admin filter of:

(memberOf=cn=MealieAdmin,OU=Domain Groups,dc=****,dc=****,dc=****)

@cmintey
Contributor

cmintey commented Mar 24, 2023

It looks like your filter is fine. The latest changes made it so that (|({id_attribute}={input})({mail_attribute}={input})) is not required anymore, but it shouldn't have been a breaking change. Can you please try the following filter in LDAP_USER_FILTER?

(&(objectCategory=person)(objectClass=user))

It seems like with Active Directory, you may need to specify both of these to get only user objects.

@LargoUsagi
Author


Same results.

@cmintey
Contributor

cmintey commented Mar 24, 2023

Can you try a standard ldapsearch with the full query? I don't really know why Get-ADUser is showing 1 result, but python-ldap is returning multiple...

ldapsearch -H ldap://<host>:389 -b <base_dn> -D <bind_user> -w <bind_password> "(&(|(sAMAccountName=largousagi)(mail=largousagi))(&(objectCategory=person)(objectClass=user)))"

@LargoUsagi
Author


There is only a single user/person object in the result (I am assuming that is the numEntries field). Removing the filter on the sAMAccountName/mail produces 60+ objects in the same search, as seen in the attached screenshot.

@LargoUsagi
Author

I just set up Python and a test environment to debug the LDAP snippets used in this project, as well as the same library.

I will provide a more detailed debug in a few minutes.

@LargoUsagi
Author

It appears that Active Directory is also returning the list of forests with this query:

LDAP_USER_FILTER = "(&(|({id_attribute}={input})({mail_attribute}={input}))(objectClass=user))"


It also appears that the first result is in fact the user result. A more robust solution would be to iterate through the objects and check whether the LDAP_ID_ATTRIBUTE has non-unique members; then, if the sort order changes, it will not matter, and you could throw the same error.

The other solution that could work is matching on the first object that returns containing the LDAP_ID_ATTRIBUTE and attempt a bind to that.
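One way to implement the iteration proposed in the comment above, as an added example that is not Mealie's own code. It assumes the result shape that python-ldap's search_s() returns against Active Directory: real entries as (dn, attrs) tuples and the continuation references (the "list of forests") as (None, [url, ...]); the result list is constructed, not captured from a real directory.

```python
# Added example (not Mealie's code): pick the single user entry out of an
# AD search result that also contains referrals, and only raise the
# "multiple users" error when two real entries carry the ID attribute.
from typing import Dict, List, Optional, Tuple

LDAP_ID_ATTRIBUTE = "sAMAccountName"

# Assumed python-ldap shape: (dn, attrs) for entries, (None, [urls]) for referrals.
Entry = Tuple[Optional[str], object]

# Constructed sample result, mimicking what AD returns for the user filter above.
CONSTRUCTED_RESULT: List[Entry] = [
    ("CN=largousagi,OU=Users,DC=example,DC=test",
     {"sAMAccountName": [b"largousagi"], "mail": [b"largousagi@example.test"]}),
    (None, ["ldap://ForestDnsZones.example.test/DC=ForestDnsZones,DC=example,DC=test"]),
    (None, ["ldap://DomainDnsZones.example.test/DC=DomainDnsZones,DC=example,DC=test"]),
    (None, ["ldap://example.test/CN=Configuration,DC=example,DC=test"]),
]


class MultipleUsersFound(Exception):
    """Raised when more than one real entry carries the ID attribute."""


def select_user_entry(result: List[Entry], id_attribute: str = LDAP_ID_ATTRIBUTE):
    """Return the (dn, attrs) of the single user in a search result, or None.

    Referrals (dn is None) and entries lacking the ID attribute are skipped,
    so the outcome does not depend on the order the server returned them in;
    genuinely duplicate users still raise MultipleUsersFound.
    """
    candidates = [
        (dn, attrs) for dn, attrs in result
        if dn is not None and isinstance(attrs, dict) and id_attribute in attrs
    ]
    if not candidates:
        return None
    if len(candidates) > 1:
        raise MultipleUsersFound(
            f"{len(candidates)} entries carry {id_attribute}: "
            + ", ".join(dn for dn, _ in candidates)
        )
    return candidates[0]


def count_referrals(result: List[Entry]) -> int:
    """Number of continuation references (dn is None) in the result."""
    return sum(1 for dn, _ in result if dn is None)


if __name__ == "__main__":
    dn, _attrs = select_user_entry(CONSTRUCTED_RESULT)
    print(f"bind candidate: {dn} ({count_referrals(CONSTRUCTED_RESULT)} referrals skipped)")
```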

@cmintey
Contributor

cmintey commented Mar 24, 2023

Okay, that's good to know. Is this the result you get using the updated code in my draft PR? Specifically, line 64.
