Hello all. I am attempting to create a config ... LLDAP #troubleshooting

Join Discord

Hello all. I am attempting to create a config ...

# troubleshooting

blisterpack

09/01/2023, 5:06 PM

Hello all. I am attempting to create a config file with the book management software jelu, but am struggling.

Needle

09/01/2023, 5:06 PM

Here's a brand new thread for you! Please keep the discussion for this problem in this thread.

blisterpack

09/01/2023, 5:07 PM

The documentation on github for ldap implementation is in two parts: the backend code -- https://github.com/bayang/jelu/blob/66b38c1bd66503037602b5e08f5317ad38d0a8ea/src/main/kotlin/io/github/bayang/jelu/config/JeluProperties.kt#L65-L73 and random snippets of implementation in a sample file -- https://github.com/bayang/jelu/blob/66b38c1bd66503037602b5e08f5317ad38d0a8ea/src/main/resources/application-dev.yml#L20-L27

nitnelave

09/01/2023, 5:07 PM

Hi! What do you have so far?

blisterpack

09/01/2023, 5:10 PM

Right now, my current config is

Copy code

ldap:
      enabled: true
      url: "ldap://LLDAP:3890/dc=home,dc=lab"
      userSearchFilter: "(memberof=cn=<existing_group_in_lldap>,ou=groups,dc=home,dc=lab)"
      userSearchBase: "ou=people,dc=home,dc=lab"
      userDN: "cn=admin,ou=people,dc=home,dc=lab"
      password: "<super secret password>"

blisterpack

09/01/2023, 5:11 PM

However, the error that keeps coming up is

Property 'userDn' not set - anonymous context will be used for read-write operations

blisterpack

09/01/2023, 5:11 PM

which means when attempting to login,

login error, backend seems down or unreachable

blisterpack

09/01/2023, 5:13 PM

Any ideas? (Thanks also for your SUPER fast response on git!)

blisterpack

09/01/2023, 5:18 PM

I'm currently combing the example configs on the LLDAP git to try and find anything like this one.

nitnelave

09/01/2023, 5:19 PM

Hmm, the error seems very Jelu-specific. Jelu is complaining that the userDN property is not set, and it won't try to log in properly until it is

nitnelave

09/01/2023, 5:21 PM

Looking at the code, I'm guessing it's simply a question of casing 😄 The error is complaining about

userDn

and you're specifying

userDN

. Spot the difference!

blisterpack

09/01/2023, 5:21 PM

Oh geez.

blisterpack

09/01/2023, 5:21 PM

lol. Let me fix that. haha

blisterpack

09/01/2023, 5:21 PM

I swear, doesn't matter how many times you look at something. 🙂

blisterpack

09/01/2023, 5:23 PM

Same error even with

userDn: cn=admin,ou=people,dc=home,dc=lab

changed.

nitnelave

09/01/2023, 5:25 PM

Still getting

Property userDn not set

nitnelave

09/01/2023, 5:26 PM

and in the context of the full yaml, it's

jelu.auth.ldap.userDn

blisterpack

09/01/2023, 5:26 PM

Yes, same error still.

blisterpack

09/01/2023, 5:27 PM

Yes ,that is correct. correct casing included. 🙂

blisterpack

09/01/2023, 5:29 PM

Copy code

jelu:
  auth:
    ldap:
      enabled: true
      url: "ldap://LLDAP:3890/dc=home,dc=lab"
      userSearchFilter: "(memberof=cn=requesters,ou=groups,dc=home,dc=lab)"
      userSearchBase: "ou=people,dc=home,dc=lab"
      userDn: "cn=admin,ou=people,dc=home,dc=lab"
      password: "password"

nitnelave

09/01/2023, 5:36 PM

Hmm, I tried to have a look at the code, but there are too many injections to be able to follow, too much annotation magic, and a lot of logic implemented in the Spring Framework that I don't know at all. Your best chance is to talk to the owner, I think

blisterpack

09/01/2023, 5:37 PM

Thanks again. I will do that. If all is successful, I will add this config to the repository here.

blisterpack

09/01/2023, 5:37 PM

Thank you!

blisterpack

09/02/2023, 3:40 AM

I'm still on the hunt to solve this. The developer wasn't super helpful, as he/she didn't seem to have a lot of knowledge about lldap.

blisterpack

09/02/2023, 3:40 AM

However, I think I have made progress.

blisterpack

09/02/2023, 5:07 AM

After more tinkering with the yaml, I can get a password to accept for a user and group listings to happen:

Copy code

jelu:
  auth:
    ldap:
      enabled: true
      url: "ldap://LLDAP:3890/dc=home,dc=lab"
      userSearchFilter: "(uid={0})"
      userSearchBase: "ou=people"
      userDn: "cn=admin,ou=people,dc=home,dc=lab"
      password: "sweet_password"

blisterpack

09/02/2023, 5:08 AM

The log (and subsequent errors) are here:

Copy code

INFO     LDAP session [ 26.2ms | 0.11% / 100.00% ]
INFO     ┝━ LDAP request [ 26.2ms | 0.12% / 99.88% ]
DEBUG    │  ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=my_user,ou=people,dc=home,dc=lab", cred: Simple("********") }), ctrl: [] }
DEBUG    │  ┝━ do_bind [ 26.2ms | 0.05% / 99.76% ]
DEBUG    │  │  ┝━ 🐛 [debug]: DN: uid=my_user,ou=people,dc=home,dc=lab
DEBUG    │  │  ┝━ bind [ 26.0ms | 0.01% / 99.07% ]
DEBUG    │  │  │  ┝━ get_password_file_for_user [ 28.8µs | 0.11% ]
DEBUG    │  │  │  ┕━ passwords_match [ 25.9ms | 98.94% ]
DEBUG    │  │  ┝━ get_user_groups [ 170µs | 0.65% ]
DEBUG    │  │  │  ┝━ 🐛 [debug]:  | user_id: UserId("my_user")
DEBUG    │  │  │  ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(2), display_name: "lldap_password_manager", creation_date: 2023-08-20T12:47:32, uuid: Uuid("e6b15fce-fd99-387e-bcd2-a24971e9bcc1") }, GroupDetails { group_id: GroupId(6), display_name: "requests", creation_date: 2023-08-29T11:35:55, uuid: Uuid("fb552d4b-6875-3b95-8d31-9a70d29b2951") }, GroupDetails { group_id: GroupId(4), display_name: "calibre_web", creation_date: 2023-08-28T15:39:55, uuid: Uuid("23ab1e77-fdf4-328c-93f8-d84d3df11d3d") }, GroupDetails { group_id: GroupId(5), display_name: "vaultwarden", creation_date: 2023-08-29T11:35:45, uuid: Uuid("5e892e73-98be-3ea7-987c-7d1eb618f74c") }}
DEBUG    │  │  ┕━ 🐛 [debug]: Success!
DEBUG    │  ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None })
ERROR    ┝━ 🚨 [error]: Unsupported control oid | o: 2.16.840.1.113730.3.4.2
ERROR    ┝━ 🚨 [error]: Failed to parse ldapcontrol
INFO     ┕━ LDAP request [ 2.10µs | 0.01% ]
DEBUG       ┕━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: UnbindRequest, ctrl: [] }

blisterpack

09/02/2023, 5:09 AM

I'll stop tinkering until I hear back, as I'm not sure I will be able to make much more progress on my own. Thanks!

nitnelave

09/02/2023, 8:31 AM

Ah yeah, you won't get much further with tinkering...

nitnelave

09/02/2023, 8:32 AM

There was a similar issue recently, our underlying ldap parsing library doesn't support many controls, and this client sends an unsupported one.

nitnelave

09/02/2023, 8:55 AM

It seems to be the same control as reported in https://github.com/kanidm/ldap3/issues/28

blisterpack

09/02/2023, 9:31 AM

Gotcha! Thanks. This would be something I would need to ask jelu to fix, then, correct?

nitnelave

09/02/2023, 9:31 AM

No, that's on us

nitnelave

09/02/2023, 9:31 AM

They're sending a perfectly valid message

nitnelave

09/02/2023, 9:32 AM

It's just that we don't support it (yet)

blisterpack

09/02/2023, 9:32 AM

No worries, then. Super appreciative of what you have already, as it is the foundation of user management in my UnRaid server.

blisterpack

09/02/2023, 9:32 AM

Thanks for all you are doing here!

nitnelave

09/02/2023, 9:32 AM

Glad to hear it! And if you like the project and you feel like it, you can support it!

nitnelave

09/04/2023, 1:22 PM

By the way, could I ask you to get a tcpdump pcap file from the login attempt? When you get the

Unsupported control oid | o: 2.16.840.1.113730.3.4.2

message. That way we can check all the controls that are requested and if there's more than one that we don't support, we can add them all at once.

nitnelave

09/10/2023, 8:31 PM

The fix was merged in the lday library, and LLDAP has updated to use it, so you can give it a try!

Previous Next