[BUG] LDAP Fails to create user account files #141

@adamretter

Description

I am duplicating the eXist-db issue eXist-db/exist#5942 reported by @clemchst here as it is related to security, and so I consider it to be of high priority for Elemental too.


Description of the bug

We are trying to configure eXistDB to use our Active Directory server as main auth source.
To do that we tried both the Active Directory and LDAP extension.
The Active Directory one does not seem to work at all (it is looking for the LDAP configuration instead of its own ID).
The LDAP one looks more promising and I think we are very, very close to getting it working, but it still fails at creating the user account XML file (that is my understanding; I might be wrong of course).

The working part at the moment:

  • the group list is updated (confirmed in the configuration UI and in the db)
  • when selecting Owner in eXide, the users are there (all of them)

But when I go to the main configuration user list, it tries to get them from the server and loops infinitely on the first one; then an Error 500 is received in the GUI. The logs seem to show that it is looping forever on creating the user db file.

Expected behavior

We should see the full user list without errors.

Logs (anonymized)

[At the first attempt, groups are created properly. Verified in the log and in the db itself]
(LdapContextFactory.java [getLdapContext]:148) - Initializing LDAP context using URL [ldaps://fr.mycompany.priv:636] and username [[email protected]] with pooling [enabled]
(LDAPRealm.java [getAccount]:482) - Get request for account '[email protected]'.
(LDAPRealm.java [getAccount]:501) - LDAP search return '< !! FULL LDAP RESPONSE, seems ok !!>'.
(LDAPRealm.java [getAccount]:512) - LDAP search for primary group by SID '<...GROUP_ID...>', found 'Domain [email protected]'.
(LDAPRealm.java [lamycompany$createAccountInDatabase$1]:334) - Saving account '[email protected]'.
(MutableCollection.java [getDocument]:676) - Document foo@fr.mycompany.priv.xml not found!
(Configurator.java [save]:1292) - Storing configuration /db/system/security/LDAP/accounts/foo@fr.mycompany.priv.xml
(WebAppClassLoader.java [getResource]:460) - getResource META-INF/services/org.apache.xerces.xni.parser.XMLParserConfiguration null
(MutableCollection.java [validateXMLResourceInternal]:1570) - Scanning document /db/system/security/LDAP/accounts/foo@fr.mycompany.priv.xml
[Loop! Restarts from step one forever (actually stops because of a timeout)]

Context

  • Java: [16.0.2]
  • OS: [Ubuntu Focal]

Additional context

  • LDAP query works on the machine using ldapsearch
  • AD certificates have been added to java cert store

LDAP configuration file (anonymized)

  • axschema is commented out because it fails to get the schema (this existdb server is offline).
  • I tried several variations of ssl / ldaps; this configuration works (in the logs I do get answers from the AD with all the expected data).
  • I tried to simplify the search-filter, but I really don't think that is the issue because I do get the answer.
  • The documentation is of poor help here: the sample configuration file is not explained, doesn't match the sample in the source folder, and also doesn't match the source code.
  • I tried with only one user, filtering using search-filter-prefix or whitelist, same behavior.
  • I tried to search for person instead of user, same issue.
<security-manager xmlns="http://exist-db.org/Configuration" version="2.1">
    <authentication-entry-point>/authentication/login</authentication-entry-point>
<!--<events></events>-->
	<realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
	  <context>
		<authentication>simple</authentication>
		<use-ssl>true</use-ssl>
		<!--<principal-pattern></principal-pattern>-->
		<url>ldaps://fr.mycompany.priv:636</url>
		<domain>fr.mycompany.priv</domain>
		<search>
		  <base>dc=fr,dc=mycompany,dc=priv</base>
		  <default-username>[email protected]</default-username>
		  <default-password>SOMEPASSWORD</default-password>
		  <account>
			<search-filter-prefix>(&amp;(objectClass=user)(memberof=CN=SOMEGROUP,OU=Groupes,DC=fr,DC=mycompany,DC=priv))</search-filter-prefix>
			<search-attribute key="objectSid">objectSid</search-attribute>
			<search-attribute key="primaryGroupID">primaryGroupID</search-attribute>
			<search-attribute key="name">sAMAccountName</search-attribute>
			<!--<search-attribute key="name">userPrincipalName</search-attribute>-->
			
			<search-attribute key="dn">distinguishedName</search-attribute>
			<search-attribute key="memberOf">memberOf</search-attribute>
			<!--
			<metadata-search-attribute key="http://axschema.org/contact/email">mail</metadata-search-attribute>
			<metadata-search-attribute key="http://axschema.org/namePerson/first">givenName</metadata-search-attribute>
			<metadata-search-attribute key="http://axschema.org/namePerson/last">sn</metadata-search-attribute>
			<metadata-search-attribute key="http://axschema.org/namePerson">name</metadata-search-attribute>
			-->
                        <!--
			<whitelist>
				<principal>SOMEUSER_FOR_TEST</principal>
			</whitelist>
			-->
			<!--
			<blacklist>
			    <principal></principal>
			</blacklist>
			-->
		  </account>
		  <group>
			<search-filter-prefix>objectClass=group</search-filter-prefix>
			<search-attribute key="member">member</search-attribute>
			<search-attribute key="primaryGroupToken">primaryGroupToken</search-attribute>
			<search-attribute key="objectSid">objectSid</search-attribute>
			<search-attribute key="name">sAMAccountName</search-attribute>
			<search-attribute key="dn">distinguishedName</search-attribute>
			<whitelist>
			    <principal>Domain Users</principal>
			    <principal>SOMEGROUP</principal>
			</whitelist>
			<!--<blacklist></blacklist>-->
		  </group>
		</search>

		<transformation>
		  <add-group>group.users</add-group>
		</transformation>
		
	  </context>
	</realm>
</security-manager>
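The realm configuration above is where the security-relevant settings of this setup live: the bind method, the transport, the stored bind credentials, and which principals get imported. The script below is an added example, not code from this issue nor from eXist-db or Elemental. It parses a security-manager config with the standard library and flags the combinations a reviewer would check before pointing an XML database at a domain controller: a simple bind over plain ldap://, a mismatch between the URL scheme and use-ssl, a bind password kept in clear text, and filters or whitelists that deserve a second look. The embedded config is a constructed, trimmed copy of the one posted above with a made-up bind account name; the reading that the whitelist restricts which matched objects the realm imports is an assumption taken from the element name, not confirmed against the realm source.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"c": "http://exist-db.org/Configuration"}

# Constructed sample: a trimmed copy of the realm config from this issue.
# The bind account name is made up; the settings the checks look at are kept.
SAMPLE_CONFIG = """<security-manager xmlns="http://exist-db.org/Configuration" version="2.1">
  <realm id="LDAP" version="1.0" principals-are-case-insensitive="true">
    <context>
      <authentication>simple</authentication>
      <use-ssl>true</use-ssl>
      <url>ldaps://fr.mycompany.priv:636</url>
      <domain>fr.mycompany.priv</domain>
      <search>
        <base>dc=fr,dc=mycompany,dc=priv</base>
        <default-username>svc-bind@fr.mycompany.priv</default-username>
        <default-password>SOMEPASSWORD</default-password>
        <account>
          <search-filter-prefix>(&amp;(objectClass=user)(memberof=CN=SOMEGROUP,OU=Groupes,DC=fr,DC=mycompany,DC=priv))</search-filter-prefix>
          <search-attribute key="name">sAMAccountName</search-attribute>
        </account>
        <group>
          <search-filter-prefix>objectClass=group</search-filter-prefix>
          <search-attribute key="name">sAMAccountName</search-attribute>
          <whitelist>
            <principal>Domain Users</principal>
            <principal>SOMEGROUP</principal>
          </whitelist>
        </group>
      </search>
    </context>
  </realm>
</security-manager>"""


def check_ldap_realm(xml_text):
    """Return (severity, realm_id, code, message) findings for every <realm> in the config."""
    root = ET.fromstring(xml_text)
    findings = []
    for realm in root.findall("c:realm", NS):
        rid = realm.get("id", "?")
        ctx = realm.find("c:context", NS)
        if ctx is None:
            findings.append(("error", rid, "no-context", "realm has no <context> element"))
            continue

        def text(path, default=""):
            return (ctx.findtext(path, default, NS) or "").strip()

        url = text("c:url")
        parts = urlsplit(url)
        use_ssl = text("c:use-ssl", "false").lower() == "true"
        auth = text("c:authentication").lower()

        # A simple bind sends the bind DN and password in the clear unless the
        # transport is TLS; plain ldap:// with a simple bind is the classic mistake.
        if parts.scheme == "ldap" and auth == "simple":
            findings.append(("error", rid, "plaintext-bind",
                             f"simple bind over {url}: the bind password crosses the network unencrypted"))
        if parts.scheme == "ldaps" and not use_ssl:
            findings.append(("warn", rid, "ssl-mismatch", "url is ldaps:// but <use-ssl> is not true"))
        if parts.scheme == "ldap" and use_ssl:
            findings.append(("warn", rid, "ssl-mismatch", "<use-ssl> is true but url is plain ldap://"))
        if parts.scheme == "ldaps" and parts.port not in (None, 636):
            findings.append(("info", rid, "nonstandard-port", f"ldaps on port {parts.port}"))

        # The bind credential lives in the config file; whoever can read the file can bind as it.
        if text("c:search/c:default-password"):
            findings.append(("warn", rid, "stored-bind-password",
                             "bind password stored in clear text in the config; restrict read access to the file"))

        for kind in ("account", "group"):
            node = ctx.find(f"c:search/c:{kind}", NS)
            if node is None:
                continue
            prefix = (node.findtext("c:search-filter-prefix", "", NS) or "").strip()
            # Report the filter's form only; whether the realm wraps an unparenthesized
            # prefix itself is not established here.
            if prefix and not (prefix.startswith("(") and prefix.endswith(")")):
                findings.append(("info", rid, f"{kind}-filter-unparenthesized",
                                 f"{kind} search-filter-prefix {prefix!r} is not a parenthesized LDAP filter"))
            # Assumption: <whitelist> is the allow-list of principals the realm imports.
            if node.find("c:whitelist", NS) is None:
                findings.append(("info", rid, f"{kind}-no-whitelist",
                                 f"no <whitelist> on {kind}: nothing restricts which matching objects are imported"))
    return findings


def weakened(xml_text):
    """Constructed 'before' variant: same config over plain LDAP with SSL off."""
    return (xml_text.replace("ldaps://fr.mycompany.priv:636", "ldap://fr.mycompany.priv:389")
                    .replace("<use-ssl>true</use-ssl>", "<use-ssl>false</use-ssl>"))


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("plain-ldap variant", weakened(SAMPLE_CONFIG))):
        print(f"== {label}")
        for sev, rid, code, msg in check_ldap_realm(cfg):
            print(f"[{sev}] realm {rid}: {code}: {msg}")
```

Run against the posted settings the script raises no transport finding (ldaps on 636 with use-ssl true is consistent), but it does point at the clear-text bind password, at the group filter prefix being written without the enclosing parentheses the account prefix has, and at the account search having no whitelist; the weakened variant shows what the same checker reports when the URL is downgraded to ldap://.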
