XCP-ng
    XO Community Edition - Ldap Plugin not working ?

    Xen Orchestra | 55 Posts, 7 Posters, 2.9k Views
      kagbasi-ngc @olivierlambert

      @olivierlambert said in XO Community Edition - Ldap Plugin not working ?:

      If there's no issue in XOA but XO from the source, it's very likely an environment problem, because we don't have any specific LDAP code difference between source and XOA.

      What exactly do you mean by this?

      I'm not a developer, so in almost all cases I defer to you - @olivierlambert - and the other knowledgeable members of the Vates team. However, in this case, I'm struggling to accept your logic. If by environment you're referring to the Active Directory configuration, then - at least - in my environment, that is the common denominator (i.e., the variable that hasn't changed). The fact that XOA works against the same AD domain but XOCE doesn't (unless a user's security groups are limited to no more than 2), hints to me that something is different in how the LDAP plugin is being implemented in XOA. Now, I didn't compile it myself but relied on @ronivay's install script, so it's very possible that perhaps there's something in how he compiles that's causing the issue - but I feel it important to emphasize that the AD environment hasn't changed - at least in my environment.

      I have other systems that are authenticating against the same AD backend, that I'm not having any issues with. If you guys can dedicate some time to troubleshooting this issue, I'm available to assist in any way possible (even if it means burning the midnight oil - just let me know).

        olivierlambert (Vates 🪐 Co-Founder CEO)

        No, the environment is everything that differs between XOA and XO from the source:

        • the VM you run it on
        • its version and its dependencies
        • anything else that could make a diff

        We have 0 difference in the XO code itself, so it could be anything around it.

          kagbasi-ngc @olivierlambert

          @olivierlambert thank you sir. So what's the path forward?

          What do you need from the community to help you dedicate some developer resources to solving this problem, as it's clearly not impacting just one person.

            olivierlambert (Vates 🪐 Co-Founder CEO)

            It's not a problem on XO's side, so to me it's all about trying to understand your difference between XOA and the version you use. I would ask the provider of the 3rd party script, since that's where you are installing XO.

              kagbasi-ngc @olivierlambert

              @olivierlambert That's fair, I'll bring it up there. I'll also find some time and build XOCE myself (using the instructions you provide in your documentation) and see if the problem follows.

                kagbasi-ngc @kagbasi-ngc

                @olivierlambert So, as luck would have it, I left work early to get ahead of a snow storm. When I got home, I decided to spin up a Debian 12 VM and build XO from sources myself while the kids were doing homework (by following the instructions here - https://docs.xen-orchestra.com/installation#from-the-sources).

                In a nutshell, I was able to replicate the problem. My test user account could only authenticate successfully AFTER I reduced its group membership in Active Directory to two. Out of curiosity, I incremented the group membership by one and then tested, and kept doing that until I arrived at a max of six. The minute I added the seventh group, authentication failed. This is happening on both this new instance of XOCE and the existing instance I have in production on my church's small network.

                Both instances are up-to-date (git commit 8f877).

                Here's the console output of the VM while running the tests:

                2025-02-11T23:42:17.461Z xo:api WARN admin@admin.net | plugin.test(...) [34ms] =!> Error: could not authenticate user
                2025-02-11T23:44:14.072Z xo:api WARN admin@admin.net | plugin.test(...) [14ms] =!> Error: could not authenticate user
                2025-02-11T23:45:07.777Z xo:xo-server-auth-ldap INFO successfully bound as CN=yAgbasi\, Kismet,OU=Privileged Users,OU=Users,OU=WGSDAC,DC=wgsdac,DC=net => ykagbasi authenticated
                2025-02-11T23:45:07.783Z xo:xo-server-auth-ldap INFO syncing groups...
                2025-02-11T23:45:07.898Z xo:xo-server-auth-ldap INFO done syncing groups
                

                PLUGIN CLI (SUCCESSFUL)
                So I tried the plugin's test-cli and this is the output. I'm curious as to why the objectGUID value is mangled.

                root@XO2:~/xen-orchestra/packages/xo-server-auth-ldap/dist# node test-cli.js
                ? URI ldap://x.x.x.x:389
                ? fill optional Certificate Authorities? No
                ? fill optional Check certificate? No
                ? fill optional Use StartTLS? No
                ? Base OU=WGSDAC,DC=wgsdac,DC=net
                ? fill optional Credentials? Yes
                ? Credentials > dn CN=xxXenOrchestra Service Account,OU=Service Accounts,OU=Users,OU=WGSDAC,DC=wgsdac,DC=net
                ? Credentials > password SUPERSECRETPASSWORD
                ? fill optional User filter? Yes
                ? User filter (&(sAMAccountName={{name}})(memberOf=CN=IT_XenOrchestra_Admins,OU=Groups,OU=WGSDAC,DC=wgsdac,DC=net))
                ? ID attribute sAMAccountName
                ? fill optional Synchronize groups? Yes
                ? Synchronize groups > Base OU=Groups,OU=WGSDAC,DC=wgsdac,DC=net
                ? Synchronize groups > Filter (objectClass=group)
                ? Synchronize groups > ID attribute dn
                ? Synchronize groups > Display name attribute cn
                ? Synchronize groups > Members mapping > Group attribute member
                ? Synchronize groups > Members mapping > User attribute dn
                configuration saved in ./ldap.cache.conf
                ? Username ykagbasi
                ? Password [hidden]
                2025-02-12T00:06:49.730Z xo:xo-server-auth-ldap DEBUG attempting to bind with as CN=xxXenOrchestra Service Account,OU=Service Accounts,OU=Users,OU=WGSDAC,DC=wgsdac,DC=net...
                2025-02-12T00:06:49.741Z xo:xo-server-auth-ldap DEBUG successfully bound as CN=xxXenOrchestra Service Account,OU=Service Accounts,OU=Users,OU=WGSDAC,DC=wgsdac,DC=net
                2025-02-12T00:06:49.741Z xo:xo-server-auth-ldap DEBUG searching for entries...
                2025-02-12T00:06:49.746Z xo:xo-server-auth-ldap DEBUG 1 entries found
                2025-02-12T00:06:49.746Z xo:xo-server-auth-ldap DEBUG attempting to bind as CN=yAgbasi\, Kismet,OU=Privileged Users,OU=Users,OU=WGSDAC,DC=wgsdac,DC=net
                2025-02-12T00:06:49.748Z xo:xo-server-auth-ldap INFO successfully bound as CN=yAgbasi\, Kismet,OU=Privileged Users,OU=Users,OU=WGSDAC,DC=wgsdac,DC=net => ykagbasi authenticated
                2025-02-12T00:06:49.749Z xo:xo-server-auth-ldap DEBUG {
                  "dn": "CN=yAgbasi\\, Kismet,OU=Privileged Users,OU=Users,OU=WGSDAC,DC=wgsdac,DC=net",
                  "objectClass": [
                    "top",
                    "person",
                    "organizationalPerson",
                    "user"
                  ],
                  "cn": "yAgbasi, Kismet",
                  "sn": "yAgbasi",
                  "c": "US",
                  "l": "Severn",
                  "st": "MD",
                  "description": "For Testing Xen Orchestra LDAP Auth failures",
                  "postalCode": "21144",
                  "givenName": "Kismet",
                  "distinguishedName": "CN=yAgbasi\\, Kismet,OU=Privileged Users,OU=Users,OU=WGSDAC,DC=wgsdac,DC=net",
                  "instanceType": "4",
                  "whenCreated": "20230716100123.0Z",
                  "whenChanged": "20250211234414.0Z",
                  "displayName": "Kismet yAgbasi",
                  "uSNCreated": "1222253",
                  "memberOf": "CN=IT_XenOrchestra_Admins,OU=Groups,OU=WGSDAC,DC=wgsdac,DC=net",
                  "uSNChanged": "6046408",
                  "co": "United States",
                  "department": "Communications Department",
                  "company": "Washington-Ghanaian SDA Church",
                  "name": "yAgbasi, Kismet",
                  "objectGUID": "mX�_���F�.�i�lq�",
                  "userAccountControl": "512",
                  "badPwdCount": "0",
                  "codePage": "0",
                  "countryCode": "840",
                  "badPasswordTime": "0",
                  "lastLogoff": "0",
                  "lastLogon": "0",
                  "pwdLastSet": "133837909104346381",
                  "primaryGroupID": "513",
                  "objectSid": "\u0001\u0005\u0000\u0000\u0000\u0000\u0000\u0005\u0015\u0000\u0000\u0000�A�\u0015�d�G�:��q\u0006\u0000\u0000",
                  "adminCount": "1",
                  "accountExpires": "9223372036854775807",
                  "logonCount": "0",
                  "sAMAccountName": "ykagbasi",
                  "sAMAccountType": "805306368",
                  "userPrincipalName": "ykagbasi@wgsdac.org",
                  "lockoutTime": "0",
                  "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=wgsdac,DC=net",
                  "dSCorePropagationData": [
                    "20230716110107.0Z",
                    "16010101000000.0Z"
                  ],
                  "lastLogonTimestamp": "133837910540472258"
                }
                root@XO2:~/xen-orchestra/packages/xo-server-auth-ldap/dist#
                
                  olivierlambert (Vates 🪐 Co-Founder CEO)
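The objectGUID value in the dump above looks mangled (and objectSid prints as a run of \u0000 escapes) because both are binary attributes in Active Directory, and the dump renders their raw bytes as UTF-8 text. The following added example, which is not code from the xo-server-auth-ldap plugin or the xen-orchestra project, decodes such raw bytes into the canonical GUID and S-1-5-... forms; the byte values and the entry object are constructed for the example, not taken from the post.

```javascript
// Added example, not code from the xo-server-auth-ldap plugin or the
// xen-orchestra project: objectGUID and objectSid are binary attributes in
// Active Directory, so printing their bytes as UTF-8 text gives the mangled
// strings seen in the dump. These helpers turn the raw bytes into the usual
// GUID and S-1-5-... forms. The sample bytes are constructed, not the real
// values from the post.

// A 16-byte objectGUID uses mixed-endian GUID layout: the first three fields
// (4, 2 and 2 bytes) are little-endian, the remaining 8 bytes are in order.
function guidFromBuffer(buf) {
  if (buf.length !== 16) throw new Error('objectGUID must be 16 bytes');
  const hexReversed = (start, end) =>
    Buffer.from(buf.subarray(start, end)).reverse().toString('hex');
  return [
    hexReversed(0, 4),
    hexReversed(4, 6),
    hexReversed(6, 8),
    buf.subarray(8, 10).toString('hex'),
    buf.subarray(10, 16).toString('hex'),
  ].join('-');
}

// objectSid layout: revision (1 byte), sub-authority count (1 byte), 48-bit
// big-endian identifier authority, then count little-endian 32-bit values.
// The last sub-authority is the RID (e.g. 512 is Domain Admins).
function sidFromBuffer(buf) {
  const revision = buf[0];
  const count = buf[1];
  if (buf.length !== 8 + 4 * count) {
    throw new Error('objectSid length does not match sub-authority count');
  }
  const authority = buf.readUIntBE(2, 6);
  const parts = [`S-${revision}-${authority}`];
  for (let i = 0; i < count; i += 1) parts.push(String(buf.readUInt32LE(8 + 4 * i)));
  return parts.join('-');
}

// True when a binary attribute was decoded as text: invalid UTF-8 sequences
// become U+FFFD, which is what shows up as garbage in the dump.
function looksLikeMisdecodedBinary(text) {
  return text.includes('\uFFFD');
}

// Constructed sample entry carrying raw Buffers for the two binary attributes.
const SAMPLE_ENTRY = {
  sAMAccountName: 'ykagbasi',
  objectGUID: Buffer.from('78563412bc9af0de123456789abcdef0', 'hex'),
  objectSid: Buffer.from('010500000000000515000000e8030000d0070000b80b000050040000', 'hex'),
};

// Replace the binary attributes of an entry with their string renderings.
function decodeBinaryAttributes(entry) {
  return {
    ...entry,
    objectGUID: guidFromBuffer(entry.objectGUID),
    objectSid: sidFromBuffer(entry.objectSid),
  };
}

console.log(decodeBinaryAttributes(SAMPLE_ENTRY));
```

The decoded forms are the values worth keeping as a stable user identifier: sAMAccountName and the DN can both be renamed, while objectGUID and objectSid stay fixed for the lifetime of the account. The helpers assume the LDAP client hands back the attributes as raw Buffers rather than already-decoded strings; once the bytes have been run through a UTF-8 decoder the original value is lost, which is exactly what looksLikeMisdecodedBinary detects.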

                  And with a fresh XOA you do not have the problem, even on latest?

                    kagbasi-ngc @olivierlambert

                    @olivierlambert I have an XOA instance on the Stable channel (v5.102.1) which I'd pulled down earlier to troubleshoot another issue with you; however, my trial has ended so all the plugins have been unloaded.

                    I can test if you'll reactivate my trial (kagbasi at wgsdac.org). Let me know.

                      olivierlambert (Vates 🪐 Co-Founder CEO)

                      Trial extended 🙂

                        kagbasi-ngc @olivierlambert

                        @olivierlambert Thanks.

                        XOA Test results:

                        • On Stable v5.102.1 - issue persists. Auth failure occurs with AD group membership at 7.

                        • On Latest v5.103.1 - issue persists. Auth failure occurs with AD group membership at 7.

                        I can make a screen recording of my testing, if that helps lend more credibility? Just let me know, thanks.

                          olivierlambert (Vates 🪐 Co-Founder CEO)

                          Ah and now it's logical then 😉 I believe you, this is possibly a bug in XO if you have it both on sources and XOA.

                          Worth opening a Github issue!

                            kagbasi-ngc @olivierlambert

                            @olivierlambert Awesome, glad I could convince ya 😂. I will submit a Github issue shortly, thanks again.

                              kagbasi-ngc @kagbasi-ngc

                              @olivierlambert I have just submitted a Github issue for this - https://github.com/vatesfr/xen-orchestra/issues/8351

                              Thanks again for indulging me.

                              kismetgerald-ngc created this issue in vatesfr/xen-orchestra: #8351 (open) "LDAP/Active Directory Authentication Fails if User is Member of More than 6 Groups"

                                Chico008 @kagbasi-ngc

                                Hi, just made a test today after updating to commit 5a501.

                                In my filter I got this:
                                (&(sAMAccountName={{name}})(memberOf=CN="Admins du domaine"))
                                because I only want my domain admins to log in.

                                Test failed.

                                But, if I only use the filter (&(sAMAccountName={{name}}))
                                the test works,
                                even with my domain admin account who is a member of 4 groups.

                                Now how can I set my filter to only allow domain admins ('Admins du domaine') to be able to log in as XO admin?
                                Also tried with the full DN (CN=Admins du domaine,CN=Users,DC=company,DC=net) but that's not working either.

                                  kagbasi-ngc @Chico008

                                  @Chico008 Don't know if this might help you or not.

                                  I generally avoid having spaces inside my Group names. Not sure if somehow the double quotes aren't being handled properly. Anyway, this is what my user filter looks like:

                                  (&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUP-HERE>))
                                  

                                  Earlier today, I figured out how to filter against multiple groups (with help from Serverfault). This user filter checks if the user is a member of GROUPA or GROUPB:

                                  (|(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUPA-HERE>))(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUPB-HERE>)))
                                  

                                  In either case, for me at least, neither user can login if they are a member of more than 2 groups in AD.

                                    Chico008 @kagbasi-ngc

                                    @kagbasi-ngc
                                    Just tried with a group name having no space, still the same for me.
                                    My user only has 3 group memberships.

                                    The thing is, it only failed if I want to filter on memberOf.

                                    If in the filter I only put: (&(sAMAccountName={{name}}))
                                    anyone in my AD can log in to xcp, even those who are members of 6 groups, and that's not what I want.

                                    (&(sAMAccountName={{name}})(memberOf=SG-XCP_Admin))
                                    is not working, still getting the "could not authenticate user" error:

                                    Code: -32000
                                    
                                    Message: could not authenticate user
                                    
                                    {
                                      "message": "could not authenticate user",
                                      "name": "Error",
                                      "stack": "Error: could not authenticate user\n    at /opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:246:15\n    at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n    at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n    at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:175:22)\n    at Task.run (/opt/xen-orchestra/@vates/task/index.js:159:20)\n    at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
                                    }
                                    
                                      kagbasi-ngc @Chico008

                                      @Chico008 I suspect it's failing because memberOf must have the full Distinguished Name (DN) of the group, not just the group name.

                                        Chico008 @kagbasi-ngc

                                        @kagbasi-ngc

                                        Tried this a while ago, but my default groups are in an OU having , or () in their name (I know it's very bad, but it's been there since before my arrival).

                                        Tried with a security group in a simple OU;
                                        this time it worked using the full DN.

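Three points from the filter discussion above are worth seeing in code: the user filter that ORs several groups together (kagbasi-ngc's GROUPA-or-GROUPB form), the fact that memberOf only matches the group's full DN and never a bare group name, and the breakage when a group or OU name contains commas or parentheses. The following added example is not code from the xo-server-auth-ldap plugin or the xen-orchestra project; it builds a user filter with RFC 4515 escaping of the group DNs, parses the filter into a small tree and evaluates it against a constructed entry object shaped like the test-cli dump. It generalizes the post's two-branch filter to the equivalent shorter form (&(sAMAccountName={{name}})(|(memberOf=A)(memberOf=B))). The DNs, group names and entry are hypothetical, and the {{name}} placeholder is assumed to be substituted with the login name the way the plugin's own filter does.

```javascript
// Added example, not code from the xo-server-auth-ldap plugin or the
// xen-orchestra project: build an RFC 4515 user filter that limits logins to
// members of one or more AD groups, escape DN characters that would otherwise
// break the filter, parse the result into a small tree and evaluate it against
// an entry object shaped like the test-cli dump (single-valued attributes as
// strings, multi-valued ones such as memberOf as arrays).

// RFC 4515 section 3: '*', '(', ')', '\' and NUL inside an assertion value are
// written as a backslash followed by two hex digits.
function escapeFilterValue(value) {
  return value.replace(/[*()\\\0]/g,
    (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

function unescapeFilterValue(value) {
  return value.replace(/\\([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Produces (&(sAMAccountName={{name}})(|(memberOf=DN1)(memberOf=DN2)...)).
// {{name}} is the plugin's placeholder for the login name and is kept as-is.
function buildUserFilter(groupDNs, idAttribute = 'sAMAccountName') {
  const userClause = `(${idAttribute}={{name}})`;
  if (groupDNs.length === 0) return `(&${userClause})`;
  const clauses = groupDNs.map((dn) => `(memberOf=${escapeFilterValue(dn)})`).join('');
  const groupClause = groupDNs.length === 1 ? clauses : `(|${clauses})`;
  return `(&${userClause}${groupClause})`;
}

// Minimal filter parser: {op:'&'|'|', items}, {op:'!', item} or {attr, value}.
// Throws on unbalanced parentheses, e.g. a filter missing its leading '('.
function parseFilter(text) {
  let pos = 0;
  function node() {
    if (text[pos] !== '(') throw new Error(`expected '(' at offset ${pos}`);
    pos += 1;
    const c = text[pos];
    let result;
    if (c === '&' || c === '|') {
      pos += 1;
      const items = [];
      while (text[pos] === '(') items.push(node());
      result = { op: c, items };
    } else if (c === '!') {
      pos += 1;
      result = { op: '!', item: node() };
    } else {
      const eq = text.indexOf('=', pos);
      const end = eq === -1 ? -1 : text.indexOf(')', eq);
      if (eq === -1 || end === -1) throw new Error(`malformed item at offset ${pos}`);
      result = { attr: text.slice(pos, eq), value: unescapeFilterValue(text.slice(eq + 1, end)) };
      pos = end;
    }
    if (text[pos] !== ')') throw new Error(`expected ')' at offset ${pos}`);
    pos += 1;
    return result;
  }
  const tree = node();
  if (pos !== text.length) throw new Error(`trailing data at offset ${pos}`);
  return tree;
}

// Evaluate a parsed filter against an entry, substituting the login name after
// parsing so the name cannot alter the filter structure. AD matches
// sAMAccountName and DN values case-insensitively; mirror that here.
function matchesEntry(tree, entry, name) {
  if (tree.op === '&') return tree.items.every((t) => matchesEntry(t, entry, name));
  if (tree.op === '|') return tree.items.some((t) => matchesEntry(t, entry, name));
  if (tree.op === '!') return !matchesEntry(tree.item, entry, name);
  const wanted = tree.value.replace('{{name}}', name).toLowerCase();
  const raw = entry[tree.attr];
  const values = raw === undefined ? [] : Array.isArray(raw) ? raw : [raw];
  return values.some((v) => String(v).toLowerCase() === wanted);
}

// Constructed sample data (hypothetical DNs, not the thread's): a user in seven
// groups, the admin group sitting under OUs whose names hold parentheses and an
// escaped comma.
const ADMIN_GROUP_DN = 'CN=SG-XCP_Admin,OU=Groups (IT),OU=Dept\\, Ops,DC=example,DC=net';
const SAMPLE_USER = {
  sAMAccountName: 'ykagbasi',
  memberOf: [
    ADMIN_GROUP_DN,
    ...Array.from({ length: 6 }, (_, i) => `CN=Group${i + 1},OU=Groups,DC=example,DC=net`),
  ],
};

function demo() {
  const filter = buildUserFilter([ADMIN_GROUP_DN]);
  return {
    filter,
    adminMatches: matchesEntry(parseFilter(filter), SAMPLE_USER, 'ykagbasi'),
    // a bare group name instead of the group's DN never matches memberOf
    bareNameMatches: matchesEntry(
      parseFilter('(&(sAMAccountName={{name}})(memberOf=SG-XCP_Admin))'), SAMPLE_USER, 'ykagbasi'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The escaped filter for the sample group comes out as (memberOf=CN=SG-XCP_Admin,OU=Groups \28IT\29,OU=Dept\5c, Ops,DC=example,DC=net): the parentheses become \28 and \29, and the backslash that escapes the comma inside the DN becomes \5c, which is the form Active Directory expects when a DN containing such characters is used as a filter value. The parser rejects &(sAMAccountName={{name}})) because its leading parenthesis is missing, and matchesEntry treats memberOf as the multi-valued attribute it is, so a user in seven groups still matches when one of the values equals the admin group's DN.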