XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Existing AD Users Cannot Login to XOCE but New Users Can

    Scheduled Pinned Locked Moved Xen Orchestra
    18 Posts 3 Posters 1.4k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • olivierlambertO Offline
      olivierlambert Vates πŸͺ Co-Founder CEO
      last edited by olivierlambert

      Hi,

      As stated in the doc, always start by using the latest commit on master: https://xen-orchestra.com/docs/community.html#report-a-bug

      K 1 Reply Last reply Reply Quote 0
      • K Offline
        kagbasi-wgsdac @olivierlambert
        last edited by kagbasi-wgsdac

        @olivierlambert My apologies. I've updated and retested, the issue persists.

        MY ENVIRONMENT:
        xo-server 5.114.1 / Xen Orchestra, commit 01ba1 / xo-web 5.117.1

        I think I may have found the problem, if someone can confirm that would be awesome. Turns out if the number of groups the user belongs to exceeds seven (7), LDAP authentication fails. I arrived at this conclusion by creating a new user (by copying the failing user) and removing the groups, one by one (testing in between each removal) until I was successful.

        Unfortunately, I was not able to successfully reproduce the problem in the reverse (i.e., by adding the same user to eight (8) security groups). I even added it to more groups, and authentication still succeeds. Which seems to suggest that something is cached on the Linux side. I performed some additional tests as follows:

        TEST #1:

        • Created new user and added them to seven (7) security groups - LDAP Auth Successful
        • Added an eight security group to the same user and retested - LDAP Auth Successful

        TEST #2:

        • Created a new user and added them to eight (8) security groups - LDAP Auth Successful

        TEST #3:

        • Created a new user and added them to nine (9) security groups - LDAP Auth Successful

        I repeated the above tests until I got to TEST #9 (where the user was added to fifteen security groups), and still couldn't reproduce the problem.

        I attempted to read through the plugin's code on GitHub, but couldn't make sense of it (due to my limited understanding of JavaScript).

        So, a couple of questions:

        • Is there a limit to how many security groups a user can belong to?
        • Is the initial successful query being cached and re-used, somehow? If so, where can I find and clear it?
        1 Reply Last reply Reply Quote 0
        • olivierlambertO Offline
          olivierlambert Vates πŸͺ Co-Founder CEO
          last edited by

          On "Linux side", it's not Linux but a NodeJS library that handles the LDAP protocol. @julien-f do you think it worth opening a bug report on the passport Github project?

          K 1 Reply Last reply Reply Quote 0
          • K Offline
            kagbasi-wgsdac @olivierlambert
            last edited by

            @olivierlambert Aah, good to know. That explains why I couldn't find any instances of winbind or SSSD...lol.

            Anyway, I'm willing to help in any capacity to help further this along. So please let me know if you need me to pull any logs or screenshots, and I'll gladly do it.

            1 Reply Last reply Reply Quote 0
            • K Offline
              kagbasi-wgsdac
              last edited by kagbasi-wgsdac

              @olivierlambert This issue still persists. I've updated my XOCE instance; I am currently at the following versions:

              • xo-server: v5.118.0
              • xo-web: v5.121.0
              • Commit: 996ab
              • auth-ldap: v0.10.7

              Should I file a bug report? (I found a similar issue: https://github.com/vatesfr/xen-orchestra/issues/3846)

              lravelo created this issue in vatesfr/xen-orchestra

              closed LDAP plugin AcceptSecurityContext error #3846

              1 Reply Last reply Reply Quote 0
              • olivierlambertO Offline
                olivierlambert Vates πŸͺ Co-Founder CEO
                last edited by

                Did you read the issue you posted? Maybe you have the same problem πŸ™‚

                K 1 Reply Last reply Reply Quote 0
                • K Offline
                  kagbasi-wgsdac @olivierlambert
                  last edited by

                  @olivierlambert LOL, of course I did.

                  I considered the possibility of account lockouts but I've carefully checked each time the test failed and neither the bind account nor the test account were locked.

                  1 Reply Last reply Reply Quote 0
                  • olivierlambertO Offline
                    olivierlambert Vates πŸͺ Co-Founder CEO
                    last edited by

                    So next step is to try with XOA. It's weird because we don't have other reports, and usually with LDAP, the context is almost everything (configuration, accounts, groups…)

                    K 1 Reply Last reply Reply Quote 0
                    • K Offline
                      kagbasi-wgsdac @olivierlambert
                      last edited by

                      @olivierlambert

                      As instructed, I deployed XOA, grabbed a trial license, and updated it to the latest version then tried again; same results. Getting the following error for my admin account (same one I use to log into every other workstation on the network😞

                      Code: -32000
                      Message: could not authenticate user
                      {
                        "message": "could not authenticate user",
                        "name": "Error",
                        "stack": "Error: could not authenticate user\n    at /usr/local/lib/node_modules/xo-server-auth-ldap/src/index.js:254:15\n    at default.testPlugin (file:///usr/local/lib/node_modules/xo-server/src/xo-mixins/plugins.mjs:280:5)\n    at Xo.test (file:///usr/local/lib/node_modules/xo-server/src/api/plugin.mjs:109:3)\n    at Api.#callApiMethod (file:///usr/local/lib/node_modules/xo-server/src/xo-mixins/api.mjs:417:20)"
                      }
                      

                      If I then use one of the test accounts I had created AFTER I started noticing the failed attempts (i.e., after 05/15/2023), it works.

                      Plugin test
                      The test appears to be working.
                      

                      Prior to testing, I logged into the Domain Controller and verified that the service account I'm using to bind to AD was not locked. I'm willing to send whatever screenshots or outputs you need if it helps to get to the bottom of this.

                      1 Reply Last reply Reply Quote 0
                      • olivierlambertO Offline
                        olivierlambert Vates πŸͺ Co-Founder CEO
                        last edited by

                        @julien-f can you remind me the name of the CLI tool to debug wrong LDAP config?

                        julien-fJ K 2 Replies Last reply Reply Quote 0
                        • julien-fJ Offline
                          julien-f Vates πŸͺ Co-Founder XO Team @olivierlambert
                          last edited by

                          @olivierlambert xo-server-auth-ldap.

                          1 Reply Last reply Reply Quote 1
                          • K Offline
                            kagbasi-wgsdac @olivierlambert
                            last edited by

                            @olivierlambert

                            I had already posted the output of the test-cli.js utility at the beginning of this thread, however, if you want I can do it again just to re-confirm things. Just let me know, thanks.

                            1 Reply Last reply Reply Quote 0
                            • olivierlambertO Offline
                              olivierlambert Vates πŸͺ Co-Founder CEO
                              last edited by

                              Okay so to me it's either a weird configuration thing or a library problem in your context.

                              I don't know what else to do form a community point of view. You might ask on Passport library if the problem rings a bell.

                              @julien-f is there anything else you think we can do as far it is community support?

                              K 1 Reply Last reply Reply Quote 0
                              • K Offline
                                kagbasi-wgsdac @olivierlambert
                                last edited by

                                @olivierlambert I am very grateful for the assistance thus far. I definitely understand that your time is money, and I'm willing to approach my Church Leadership with a request to purchase the Enterprise License. However, do you offer any discounts off the annual subscription for Non-Profits Organizations? I'd be happy to take this discussion offline if you prefer (kagbasi at wgsdac.org).

                                Secondly, is this the correct GitHub project for the passport library you mentioned: https://github.com/vesse/passport-ldapauth/issues ? If so, I'll try posting a question there as well, as you've suggested.

                                julien-fJ 1 Reply Last reply Reply Quote 0
                                • olivierlambertO Offline
                                  olivierlambert Vates πŸͺ Co-Founder CEO
                                  last edited by

                                  Checking with @julien-f

                                  1 Reply Last reply Reply Quote 0
                                  • julien-fJ Offline
                                    julien-f Vates πŸͺ Co-Founder XO Team @kagbasi-wgsdac
                                    last edited by

                                    @kagbasi-wgsdac From what I understand, there is no issue in the XO plugin itself (because it's working in many cases), it appears to be related to your LDAP/AD configuration, and unfortunately we cannot help regarding this as each LDAP/AD can be configured differently 😬

                                    The library we are using to connect to LDAP is https://github.com/ldapts/ldapts but I don't think that will help because it's more likely something on your server's side.

                                    K 1 Reply Last reply Reply Quote 0
                                    • K Offline
                                      kagbasi-wgsdac @julien-f
                                      last edited by

                                      @julien-f Hmm, that's a bit disappointing that there isn't much you guys can do to help. No worries, I'll keep testing. My AD environment works fine, since the accounts in question are not locked and are being used daily. The only place they're failing is in XOCE or XOA.

                                      It's gotta be something with how the library is handling characters in either the username or the password. I'll keep testing until I can find a repeatable pattern.

                                      Thanks to both you and @olivierlambert for the help thus far.

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post