
LDAP debugging not possible within LXC container? #105

Open
rholighaus opened this issue Sep 18, 2019 · 11 comments

Comments

@rholighaus

I'm running wekan as a snap app within an unprivileged LXC Ubuntu 19.04 disco container under Proxmox PVE 5.3. It's running well but I can't manage to get LDAP to work. Unfortunately, I cannot see what Wekan is actually sending / receiving to/from the Active Directory server, no matter what I put into my config.

Here is my config:

{
	"default-authentication-method": "ldap",
	"ldap-authentication": true,
	"ldap-authentication-password": "xxxxxx",
	"ldap-authentication-userdn": "CN=Administrator,CN=Users,DC=mydomain,DC=local",
	"ldap-background-sync": true,
	"ldap-basedn": "OU=SHK Benutzer,DC=mydomain,DC=local",
	"ldap-default-domain": "mydomain",
	"ldap-email-field": "mail",
	"ldap-enable": true,
	"ldap-fullname-field": "cn",
	"ldap-host": "192.168.1.6",
	"ldap-internal-log-level": "debug",
	"ldap-log-enable": true,
	"ldap-log-enabled": true,
	"ldap-port": 389,
	"ldap-reject-unauthorized": true,
	"ldap-search-field": "sAMAccountName",
	"ldap-sync-user-data-fieldmap": {
		"cn": "name",
		"mail": "email"
	},
	"ldap-user-authentication": true,
	"ldap-user-authentication-field": "userPrincipalName",
	"ldap-user-search-field": "sAMAccountName",
	"ldap-user-search-scope": "sub",
	"ldap-username-field": "sAMAccountName",
	"loglevel": 5,
	"port": 80,
	"root-url": "http://192.168.100.129"
}

In my syslog, all I can see is this when trying to log in:

Sep 18 14:51:24 snaptest wekan.wekan[42496]: [INFO] Init LDAP login "[email protected]"
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [WARN] Lookup for unset variable: LDAP_USER_ATTRIBUTES
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [INFO] Init setup
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [INFO] Connecting "ldap://192.168.1.6:389"
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [DEBUG] connectionOptions{ url: 'ldap://192.168.1.6:389',
Sep 18 14:51:24 snaptest wekan.wekan[42496]:   timeout: 10000,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:   connectTimeout: 10000,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:   idleTimeout: 10000,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:   reconnect: true,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:   log:
Sep 18 14:51:24 snaptest wekan.wekan[42496]:    Logger {
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      domain: null,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      _events: {},
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      _eventsCount: 0,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      _maxListeners: undefined,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      _level: 30,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      streams: [ [Object] ],
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      serializers: null,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      src: false,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      fields:
Sep 18 14:51:24 snaptest wekan.wekan[42496]:       { name: 'ldapjs',
Sep 18 14:51:24 snaptest wekan.wekan[42496]:         component: 'client',
Sep 18 14:51:24 snaptest wekan.wekan[42496]:         hostname: 'snaptest',
Sep 18 14:51:24 snaptest wekan.wekan[42496]:         pid: 43930 } } }
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [INFO] LDAP connected
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [ERROR] InvalidCredentialsError: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
Sep 18 14:51:24 snaptest wekan.wekan[42496]:  

I can take tcpdump logs and try to find out what Wekan sends to the directory server but that's kind of frustrating and there must be a better way. Any idea why I can't get decent log information?
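The syslog excerpt above already carries more diagnosis than it seems to: the client reached the server ("LDAP connected") and the server refused the bind, and Active Directory encodes the reason in the "data" sub-code of the AcceptSecurityContext error. The following is an added example, not Wekan's own code, that parses lines in the format shown above and decodes that sub-code; the sample lines are constructed after the ones in this issue, and the function names are ours.

```javascript
// Added example, not Wekan's own code: parse the syslog lines Wekan's ldapjs
// client writes and decode the Active Directory bind error they contain.

// Constructed sample input, modelled on the syslog lines quoted in this issue
// (the mongod line shows that lines without a [LEVEL] tag are skipped).
const SAMPLE_SYSLOG = [
  'Sep 18 14:51:24 snaptest mongod.27019[47713]: [conn5] received client metadata from 127.0.0.1:39932',
  'Sep 18 14:51:24 snaptest wekan.wekan[42496]: [INFO] Init LDAP login "username"',
  'Sep 18 14:51:24 snaptest wekan.wekan[42496]: [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL',
  'Sep 18 14:51:24 snaptest wekan.wekan[42496]: [INFO] Connecting "ldap://192.168.1.6:389"',
  'Sep 18 14:51:24 snaptest wekan.wekan[42496]: [INFO] LDAP connected',
  'Sep 18 14:51:24 snaptest wekan.wekan[42496]: [ERROR] InvalidCredentialsError: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580',
];

// One syslog line: "<timestamp> <host> <tag>[<pid>]: [<LEVEL>] <message>".
const SYSLOG_RE = /^(?<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?<host>\S+) (?<tag>[^\[ ]+)\[(?<pid>\d+)\]: \[(?<level>[A-Z]+)\] ?(?<msg>.*)$/;

// AD puts the real reason into the "data" sub-code of an
// AcceptSecurityContext error (sub-codes as documented by Microsoft).
const AD_BIND_DATA_CODES = {
  '525': 'user not found',
  '52e': 'invalid credentials (the DN or UPN exists, the password was rejected)',
  '530': 'logon not permitted at this time',
  '531': 'logon not permitted from this workstation',
  '532': 'password expired',
  '533': 'account disabled',
  '701': 'account expired',
  '773': 'user must reset password',
  '775': 'account locked out',
};

const AD_ERROR_RE = /(?<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?<dsid>[0-9A-Fa-f]+), comment: (?<comment>[^,]+), data (?<data>[0-9a-f]+), v(?<version>[0-9a-f]+)/;

function parseSyslogLine(line) {
  const m = SYSLOG_RE.exec(line);
  return m ? { ...m.groups } : null;
}

function parseAdBindError(message) {
  const m = AD_ERROR_RE.exec(message);
  if (!m) return null;
  const data = m.groups.data.toLowerCase();
  return {
    hresult: '0x' + m.groups.hresult.toUpperCase(), // 0x80090308 = SEC_E_LOGON_DENIED
    dsid: m.groups.dsid,
    comment: m.groups.comment,
    data,
    meaning: AD_BIND_DATA_CODES[data] || 'unknown sub-code',
  };
}

// Walk the Wekan lines of one login attempt and summarise how far it got.
function diagnoseLdapLogin(lines) {
  const result = { url: null, connected: false, bindError: null, verdict: 'no LDAP activity found' };
  for (const e of lines.map(parseSyslogLine).filter(Boolean)) {
    if (!e.tag.startsWith('wekan')) continue;
    if (e.level === 'INFO' && e.msg.startsWith('Connecting ')) {
      result.url = e.msg.slice('Connecting '.length).replace(/"/g, '');
    } else if (e.level === 'INFO' && e.msg === 'LDAP connected') {
      result.connected = true;
    } else if (e.level === 'ERROR') {
      result.bindError = parseAdBindError(e.msg);
    }
  }
  if (result.connected && result.bindError) {
    result.verdict = `TCP connection to ${result.url} worked; the bind was refused: ${result.bindError.meaning}`;
  } else if (result.connected) {
    result.verdict = `connected to ${result.url}, no bind error logged`;
  } else if (result.url) {
    result.verdict = `never reached "LDAP connected" for ${result.url}`;
  }
  return result;
}

console.log(JSON.stringify(diagnoseLdapLogin(SAMPLE_SYSLOG), null, 2));
```

For the lines in this issue the verdict is "data 52e": the DN/password pair presented in that bind was rejected. With the config above the pairs in play are the service account (ldap-authentication-userdn with ldap-authentication-password) and the logging-in user's own credentials, so those are what to verify against the directory first. Note also that the URL is ldap:// on port 389 with no encryption setting, so a simple bind sends the password in clear text; a tcpdump capture taken to debug this would contain it, and ldap-reject-unauthorized has no effect until TLS is in use.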

@xet7
Member

xet7 commented Sep 18, 2019

Config should also have:

"debug": true,

Snap logs to syslog. So to debug inside the LXC container, you should first go inside the LXC container:

lxc exec ContainerNameHere -- /bin/bash

And then check syslog.

@rholighaus
Author

rholighaus commented Sep 18, 2019

Thanks Lauri. I am debugging within the container and wekan does write to /var/log/syslog, which you can see above.

Alas, it does not write LDAP debugging information there.

I have set "debug": true but it makes no difference. This is what I'm running:

root@snaptest:~# snap list
Name   Version  Rev   Tracking  Publisher   Notes
core   16-2.41  7713  stable    canonical*  core
wekan  3.44     632   beta      xet7        -

Latest configuration:

root@snaptest:~# snap get -d wekan
{
	"debug": true,
	"default-authentication-method": "ldap",
	"ldap-authentication": true,
	"ldap-authentication-password": "xxxxx",
	"ldap-authentication-userdn": "CN=Administrator,CN=Users,DC=mydomain,DC=local",
	"ldap-background-sync": true,
	"ldap-basedn": "OU=SHK Benutzer,DC=mydomain,DC=local",
	"ldap-default-domain": "mydomain.com",
	"ldap-email-field": "mail",
	"ldap-enable": true,
	"ldap-fullname-field": "cn",
	"ldap-host": "192.168.1.6",
	"ldap-internal-log-level": "debug",
	"ldap-log-enable": true,
	"ldap-log-enabled": true,
	"ldap-port": 389,
	"ldap-reject-unauthorized": true,
	"ldap-search-field": "sAMAccountName",
	"ldap-sync-user-data-fieldmap": {
		"cn": "name",
		"mail": "email"
	},
	"ldap-user-authentication": true,
	"ldap-user-authentication-field": "userPrincipalName",
	"ldap-user-search-field": "sAMAccountName",
	"ldap-user-search-scope": "sub",
	"ldap-username-field": "sAMAccountName",
	"loglevel": 5,
	"port": 80,
	"root-url": "http://192.168.100.129"
}

Running out of ideas here.

Here's the syslog output (again):

Sep 18 16:05:43 snaptest mongod.27019[47713]: [conn5] received client metadata from 127.0.0.1:39932 conn5: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:43 snaptest mongod.27019[47713]: [conn6] received client metadata from 127.0.0.1:39934 conn6: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:48 snaptest mongod.27019[47713]: [conn5] received client metadata from 127.0.0.1:39932 conn5: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:48 snaptest mongod.27019[47713]: [conn6] received client metadata from 127.0.0.1:39934 conn6: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [INFO] Init LDAP login "username"
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [WARN] Lookup for unset variable: LDAP_USER_ATTRIBUTES
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [INFO] Init setup
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [INFO] Connecting "ldap://192.168.1.6:389"
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [DEBUG] connectionOptions{ url: 'ldap://192.168.1.6:389',
Sep 18 16:05:49 snaptest wekan.wekan[46289]:   timeout: 10000,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:   connectTimeout: 10000,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:   idleTimeout: 10000,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:   reconnect: true,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:   log:
Sep 18 16:05:49 snaptest wekan.wekan[46289]:    Logger {
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      domain: null,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      _events: {},
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      _eventsCount: 0,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      _maxListeners: undefined,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      _level: 30,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      streams: [ [Object] ],
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      serializers: null,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      src: false,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      fields:
Sep 18 16:05:49 snaptest wekan.wekan[46289]:       { name: 'ldapjs',
Sep 18 16:05:49 snaptest wekan.wekan[46289]:         component: 'client',
Sep 18 16:05:49 snaptest wekan.wekan[46289]:         hostname: 'snaptest',
Sep 18 16:05:49 snaptest wekan.wekan[46289]:         pid: 47728 } } }
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [INFO] LDAP connected
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [ERROR] InvalidCredentialsError: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
Sep 18 16:05:49 snaptest wekan.wekan[46289]:  
Sep 18 16:05:53 snaptest mongod.27019[47713]: [conn5] received client metadata from 127.0.0.1:39932 conn5: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:53 snaptest mongod.27019[47713]: [conn6] received client metadata from 127.0.0.1:39934 conn6: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:58 snaptest mongod.27019[47713]: [conn5] received client metadata from 127.0.0.1:39932 conn5: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:58 snaptest mongod.27019[47713]: [conn6] received client metadata from 127.0.0.1:39934 conn6: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:59 snaptest wekan.wekan[46289]: [INFO] Idle
Sep 18 16:05:59 snaptest wekan.wekan[46289]: [INFO] Disconecting
Sep 18 16:05:59 snaptest wekan.wekan[46289]: [INFO] Closed

@xet7
Member

xet7 commented Sep 18, 2019

It could be related to some settings. Please check current values at:
https://github.com/wekan/wekan/blob/master/docker-compose.yml

Also Univention appliance includes LDAP server and Wekan works with it:
https://github.com/wekan/wekan/wiki/Platforms

Wekan at Univention has this Docker template. I think the settings depend on the LDAP server.

version: '2'

services:

  wekandb:
    image: mongo:3.2.22
    container_name: wekan-db
    restart: always
    command: mongod --smallfiles --oplogSize 128
    expose:
      - 27017
    volumes:
      - /var/lib/univention-appcenter/apps/wekan/data/db:/data/db
      - /var/lib/univention-appcenter/apps/wekan/data/dump:/dump

  wekan:
    image: quay.io/wekan/wekan:v3.42
    container_name: wekan-app
    restart: always
    ports:
      - 8080:8080
    environment:
      - MONGO_URL=mongodb://wekandb:27017/wekan
      - ROOT_URL=@%@wekan/ROOT_URL@%@
      - ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE=@%@wekan/ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE@%@
      - MAIL_URL='smtp://@%@hostname@%@.@%@domainname@%@:25'
      - MAIL_FROM='Wekan Notifications <noreply.wekan@@%@domainname@%@>'
      - WITH_API=true
      - BROWSER_POLICY_ENABLED=true
      - DEFAULT_AUTHENTICATION_METHOD=ldap
      - LDAP_ENABLE=true
      - LDAP_PORT=@%@ldap/server/port@%@
      - LDAP_HOST=@%@ldap/server/name@%@
      - LDAP_BASEDN=@%@ldap/base@%@
      - LDAP_LOGIN_FALLBACK=false
      - LDAP_RECONNECT=true
      - LDAP_TIMEOUT=10000
      - LDAP_IDLE_TIMEOUT=10000
      - LDAP_CONNECT_TIMEOUT=10000
      - LDAP_AUTHENTIFICATION=true
      - LDAP_AUTHENTIFICATION_USERDN=@%@appcenter/apps/wekan/hostdn@%@
      - LDAP_LOG_ENABLED=true
      - LDAP_BACKGROUND_SYNC=false
      - LDAP_BACKGROUND_SYNC_INTERVAL=100
      - LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=false
      - LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=false
      - LDAP_ENCRYPTION=tls
      - LDAP_CA_CERT=@!@
import os
ca_file = '/etc/univention/ssl/ucsCA/CAcert.pem'
if os.path.isfile(ca_file):
	with open(ca_file, 'r') as fd:
		ca = fd.read().replace('\n', '')
		print(ca)@!@
      - LDAP_REJECT_UNAUTHORIZED=false
      - LDAP_USER_SEARCH_FILTER=(wekanActivated=TRUE)
      - LDAP_USER_SEARCH_SCOPE=sub
      - LDAP_USER_SEARCH_FIELD=uid
      - LDAP_SEARCH_PAGE_SIZE=0
      - LDAP_SEARCH_SIZE_LIMIT=0
      - LDAP_GROUP_FILTER_ENABLE=true
      - LDAP_GROUP_FILTER_OBJECTCLASS=univentionGroup
      - LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=
      - LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE=uniqueMember
      - LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT=dn
      - LDAP_GROUP_FILTER_GROUP_NAME=
      - LDAP_UNIQUE_IDENTIFIER_FIELD=uidNumber
      - LDAP_UTF8_NAMES_SLUGIFY=true
      - LDAP_USERNAME_FIELD=uid
      - LDAP_FULLNAME_FIELD=displayName
      - LDAP_MERGE_EXISTING_USERS=false
      - LDAP_EMAIL_FIELD=mailPrimaryAddress
      - LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mailPrimaryAddress":"email"}
      - LDAP_DEFAULT_DOMAIN=@%@domainname@%@
      - LDAP_SYNC_ADMIN_STATUS=true
      - LDAP_SYNC_ADMIN_GROUPS=@!@
from univention.lib.misc import custom_groupname
print(custom_groupname('Domain Admins'))@!@
      - LDAP_AUTHENTIFICATION_PASSWORD=@!@
import os
pw_file = '/var/lib/univention-appcenter/apps/wekan/machine.secret'
if os.path.isfile(pw_file):
	with open(pw_file, 'r') as fd:
		pw = fd.read()
		print(pw)@!@
@!@
PREFIX = 'appcenter/env/wekan'
for key, value in configRegistry.items():
	if key.startswith(PREFIX) and key != PREFIX:
		print("      - %s=%s" % (key.split('/')[-1], value))
@!@

    depends_on:
      - wekandb

@xet7
Member

xet7 commented Sep 18, 2019

In general, the same LDAP settings should work both with Snap and Docker.

@rholighaus
Author

Hi @xet7 I would prefer to get the logging to work instead of endless trial-and-error...
Any idea how to make it work?

@xet7
Member

xet7 commented Sep 20, 2019

@rholighaus

Do you mean this?

lxc exec ContainerNameHere -- /bin/bash

sudo snap logs wekan.caddy

sudo snap logs wekan.wekan

sudo snap logs wekan.mongodb

@rholighaus
Author

rholighaus commented Oct 4, 2019

Hi @xet7 I know how to read the logfiles. What I'm saying is that LDAP is not logging debugging info. See my logfile excerpts further up in the thread.

I cannot debug ldap. Full stop. I think this is a bug and I'm trying to help fix it.

@xet7
Member

xet7 commented Oct 4, 2019

Hmm? Well, LDAP code is here:
https://github.com/wekan/wekan/tree/master/packages/wekan-ldap

So I think you just add code there to show the variables:

console.log(variablename);

Or alternatively, check that the environment variable DEBUG=true is set.

Then you rebuild from source code:

git clone https://github.com/wekan/wekan
cd wekan
./rebuild-wekan.sh

Select 1 and Enter to install dependencies. Then:

./rebuild-wekan.sh

Select 2 to build Wekan. Then edit start-wekan.sh to have correct port.
If you use port 80, you need to add support for running at that port by running:

./releases/virtualbox/node-allow-port-80.sh

If you would like Meteor to notice changed code files and then rebuild, instead of start-wekan.sh you should use this kind of script:

cd wekan
WITH_API=true LDAPSETTING1=something ROOT_URL=something meteor --port 4000

To get lint / eslint to accept console.log, you may need to add some ignore rules, which you can find with the find.sh script; it ignores those directories that are generated by build scripts and installed npm modules:

cd wekan
./find.sh eslint
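A bare console.log of the LDAP variables, as suggested above, would put the service-account password into syslog. The following is an added example, not Wekan's own code, of the DEBUG-gated trace such a console.log should produce instead: the effective settings with secret-looking keys redacted, plus the URL, bind DN, search base and filter the login would use. The settings object is constructed after the snap config in this issue; the "ldap-encryption" key is assumed here to mirror LDAP_ENCRYPTION (plain/tls/ssl), the AND-ing of an extra user search filter is our choice, and the function names are ours.

```javascript
// Added example, not Wekan's own code: a DEBUG-gated trace of what an LDAP
// login would send, with the service-account password redacted, so the
// output can be pasted into an issue without leaking a secret.

// Constructed sample modelled on the snap config in this issue; the
// "ldap-encryption" key is assumed to mirror LDAP_ENCRYPTION (plain/tls/ssl).
const SAMPLE_SETTINGS = {
  'ldap-host': '192.168.1.6',
  'ldap-port': 389,
  'ldap-encryption': 'plain',
  'ldap-authentication': true,
  'ldap-authentication-userdn': 'CN=Administrator,CN=Users,DC=mydomain,DC=local',
  'ldap-authentication-password': 'xxxxxx',
  'ldap-basedn': 'OU=SHK Benutzer,DC=mydomain,DC=local',
  'ldap-user-search-scope': 'sub',
  'ldap-user-search-field': 'sAMAccountName',
  'ldap-user-search-filter': '',
};

// Escape a value placed inside a search filter (RFC 4515); without this a
// login name containing "*", "(" or ")" would rewrite the filter itself.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Keys whose values must never reach a log line.
const SECRET_KEY_RE = /password|secret|token/i;

function redactSettings(settings) {
  const out = {};
  for (const [key, value] of Object.entries(settings)) {
    out[key] = SECRET_KEY_RE.test(key) ? (value ? '<redacted>' : '<empty>') : value;
  }
  return out;
}

// The user-lookup filter: the search-field match, AND-ed with an optional
// extra filter such as "(wekanActivated=TRUE)" (our assumed composition).
function buildUserFilter(settings, username) {
  const match = `(${settings['ldap-user-search-field']}=${escapeFilterValue(username)})`;
  const extra = settings['ldap-user-search-filter'];
  return extra ? `(&${extra}${match})` : match;
}

function buildLoginTrace(settings, username) {
  const enc = settings['ldap-encryption'];
  return {
    url: `${enc === 'ssl' ? 'ldaps' : 'ldap'}://${settings['ldap-host']}:${settings['ldap-port']}`,
    transportSecurity: enc === 'ssl' ? 'LDAPS'
      : enc === 'tls' ? 'STARTTLS'
      : 'none: simple-bind passwords cross the network in clear text',
    serviceBindDn: settings['ldap-authentication'] ? settings['ldap-authentication-userdn'] : null,
    searchBase: settings['ldap-basedn'],
    searchScope: settings['ldap-user-search-scope'],
    filter: buildUserFilter(settings, username),
  };
}

// Returns the log line to emit, or null when DEBUG is not "true".
function ldapDebugLine(settings, username, env) {
  if (env.DEBUG !== 'true') return null;
  return '[LDAP DEBUG] ' + JSON.stringify({
    settings: redactSettings(settings),
    trace: buildLoginTrace(settings, username),
  });
}

const line = ldapDebugLine(SAMPLE_SETTINGS, 'username', { DEBUG: 'true' });
if (line) console.log(line);
```

In a real integration the env argument would be process.env; keeping it a parameter makes the gate testable. Redacting by key pattern rather than by a fixed list means a newly added secret setting is hidden by default, and the filter escaping is what keeps a login name from altering the search the server runs.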

@rholighaus
Author

Hi @xet7,

thank you for your recommendation but a) I'm running the snap version (hence https://github.com/wekan/wekan-snap/issues) and b) I just want the software to tell me what it does so I can see where my settings may be incorrect.

I do everything according to the documentation but the syslog just says

Sep 18 16:05:49 snaptest wekan.wekan[46289]: [INFO] LDAP connected
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [ERROR] InvalidCredentialsError: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
Sep 18 16:05:49 snaptest wekan.wekan[46289]:  

which is what I've posted above. According to some searching, other people seem to face the same issue. No debugging information.

@xet7
Member

xet7 commented Oct 4, 2019

Oops, sorry for my too technical answer. I re-read this issue and it seems Wekan does not show enough details.

Do you know what these settings are?

Sep 18 16:05:49 snaptest wekan.wekan[46289]: [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [WARN] Lookup for unset variable: LDAP_USER_ATTRIBUTES

@rholighaus
Author

rholighaus commented Oct 5, 2019 via email
