LDAP configuration acts like it saves, but then reverts after refresh #3028

Closed
vaskokj opened this issue Sep 1, 2023 · 7 comments · Fixed by #3047
vaskokj commented Sep 1, 2023

I think I could debug this if I could find the logs but can't seem to find where Minio keeps LDAP logging.

No matter, when I configure the settings and hit Save, the configuration saves, shows the settings, but when I click refresh it shows "LDAP Enabled No".

Click on Identity --> LDAP

I configure Minio LDAP to my LDAP server:
Server Insecure: Enabled
Server Address: freeipa.example.com:389
Lookup Bind DN: uid=miniobind,cn=users,cn=accounts,dc=example,dc=com
Lookup Bind Password:
User DN Search Base: cn=users,cn=accounts,dc=example,dc=com
User DN Search Filter: (uid=%s)

I click "Save" and get forwarded to a page that shows the configuration with all the same settings, and the banner up top "The server is restarting."

"LDAP Enabled"
Yes
Server Address
freeipa.example.com:389
Lookup Bind Password:

etc...

I hit refresh button and then it shows
"LDAP Enabled"
No

Expected Behavior

When I click Save I would expect that the settings would be saved and the LDAP authentication would work, but something seems to be silently erroring.

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

Enable Minio in TrueNAS
Login
Configure LDAP per instructions above.

Context

Regression

Your Environment

  • Version used (minio --version):
    minio version RELEASE.2023-07-21T21-12-44Z (commit-id=d004c4538643eb05ea69b919557d5cf7cc332fae)
    Runtime: go1.19.11 linux/amd64
    License: GNU AGPLv3 https://www.gnu.org/licenses/agpl-3.0.html
    Copyright: 2015-2023 MinIO, Inc.
  • Server setup and configuration: FreeNAS Scale 22.12.3.3
  • Operating System and version (uname -a): Linux minio-84488457df-6x2sp 5.15.107+truenas #1 SMP Tue Jul 25 00:05:02 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
@harshavardhana harshavardhana transferred this issue from minio/minio Sep 1, 2023
@prakashsvmx
Member

I checked this.
There is no functional impact and it is just a cosmetic issue.
Looks like we need a better/logic way to decide if LDAP is enabled or not.

If LDAP is disabled explicitly, then it is possible to identify in UI with enable=off, but when it is default or enabled explicitly, this flag is not set to true. So the flag is not available and not returned.

e.g:

➜ mc idp ldap disable local22              
Successfully applied new settings.
Please restart your server 'mc admin service restart local22'.


➜ mc admin config get local22 identity_ldap
identity_ldap enable=off server_addr=localhost:1389 srv_record_name= user_dn_search_base_dn=dc=min,dc=io user_dn_search_filter=(uid=%s) group_search_filter=(&(objectclass=groupOfNames)(member=%d)) group_search_base_dn=ou=swengg,dc=min,dc=io tls_skip_verify=off server_insecure=on server_starttls=off lookup_bind_dn=cn=admin,dc=min,dc=io 

 ➜ mc idp ldap enable local22               
Successfully applied new settings.
Please restart your server 'mc admin service restart local22'.

 ➜ mc admin service restart local22         
Restart command successfully sent to `local22`. Type Ctrl-C to quit or wait to follow the status of the restart process.
Restarted `local22` successfully in 1 seconds

 ➜ mc admin config get local22 identity_ldap
identity_ldap server_addr=localhost:1389 srv_record_name= user_dn_search_base_dn=dc=min,dc=io user_dn_search_filter=(uid=%s) group_search_filter=(&(objectclass=groupOfNames)(member=%d)) group_search_base_dn=ou=swengg,dc=min,dc=io tls_skip_verify=off server_insecure=on server_starttls=off lookup_bind_dn=cn=admin,dc=min,dc=io 
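
The behaviour described in the comment above (the `enable` key only appears when LDAP was explicitly disabled) can be checked from the CLI output rather than the UI. The following is an added example, not code from this thread or from MinIO Console: it derives the effective state from one `identity_ldap` line and flags the transport settings visible in that output. The `EvalLDAP` name, the "non-empty `server_addr` means configured" rule and the shortened sample lines are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// LDAPState is the effective state derived from one identity_ldap line.
type LDAPState struct {
	Enabled  bool
	Warnings []string
}

// EvalLDAP parses one line of `mc admin config get ALIAS identity_ldap`.
// Tokens are split on spaces and cut at the first '=', so values such as
// dc=min,dc=io survive intact; values containing spaces are not handled.
func EvalLDAP(line string) LDAPState {
	kv := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			kv[k] = v
		}
	}
	// Assumption: a missing "enable" key means "not explicitly disabled",
	// and a non-empty server_addr means the subsystem is configured.
	enable, present := kv["enable"]
	st := LDAPState{Enabled: kv["server_addr"] != "" && (!present || enable == "on")}
	if kv["server_insecure"] == "on" {
		st.Warnings = append(st.Warnings, "server_insecure=on: plain-text LDAP connection allowed")
	}
	if kv["tls_skip_verify"] == "on" {
		st.Warnings = append(st.Warnings, "tls_skip_verify=on: server certificate not verified")
	}
	return st
}

// Constructed samples, shortened from the two outputs quoted above.
const (
	sampleDisabled = "identity_ldap enable=off server_addr=localhost:1389 user_dn_search_base_dn=dc=min,dc=io user_dn_search_filter=(uid=%s) tls_skip_verify=off server_insecure=on"
	sampleEnabled  = "identity_ldap server_addr=localhost:1389 user_dn_search_base_dn=dc=min,dc=io user_dn_search_filter=(uid=%s) tls_skip_verify=off server_insecure=on"
)

func main() {
	for _, l := range []string{sampleDisabled, sampleEnabled} {
		fmt.Printf("%+v\n", EvalLDAP(l))
	}
}
```

Both samples carry `server_insecure=on`, so the bind password for the lookup DN would cross the network unencrypted; the warning is reported regardless of the enabled state.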

@bexsoft
Collaborator

bexsoft commented Sep 4, 2023

Hi @vaskokj!

We implemented a change in Console v0.36.0 for this (#2985), this change is released in MinIO RELEASE.2023-08-16T20-17-30Z.

Can you please help us to test in the latest version and check if issue is still reproducible on your side?

Thank you in advance

@vaskokj
Author

vaskokj commented Sep 5, 2023

> I checked this. There is no functional impact and it is just a cosmetic issue. Looks like we need a better/logic way to decide if LDAP is enabled or not.
>
> If LDAP is disabled explicitly, then it is possible to identify in UI with enable=off, but when it is default or enabled explicitly, this flag is not set to true. So the flag is not available and not returned.
>
> e.g:
>
> ➜ mc idp ldap disable local22
> Successfully applied new settings.
> Please restart your server 'mc admin service restart local22'.
>
> ➜ mc admin config get local22 identity_ldap
> identity_ldap enable=off server_addr=localhost:1389 srv_record_name= user_dn_search_base_dn=dc=min,dc=io user_dn_search_filter=(uid=%s) group_search_filter=(&(objectclass=groupOfNames)(member=%d)) group_search_base_dn=ou=swengg,dc=min,dc=io tls_skip_verify=off server_insecure=on server_starttls=off lookup_bind_dn=cn=admin,dc=min,dc=io
>
> ➜ mc idp ldap enable local22
> Successfully applied new settings.
> Please restart your server 'mc admin service restart local22'.
>
> ➜ mc admin service restart local22
> Restart command successfully sent to `local22`. Type Ctrl-C to quit or wait to follow the status of the restart process.
> Restarted `local22` successfully in 1 seconds
>
> ➜ mc admin config get local22 identity_ldap
> identity_ldap server_addr=localhost:1389 srv_record_name= user_dn_search_base_dn=dc=min,dc=io user_dn_search_filter=(uid=%s) group_search_filter=(&(objectclass=groupOfNames)(member=%d)) group_search_base_dn=ou=swengg,dc=min,dc=io tls_skip_verify=off server_insecure=on server_starttls=off lookup_bind_dn=cn=admin,dc=min,dc=io

@bexsoft

The cosmetic issue might be a component but I don't think this is just cosmetic.

Once I click "Save" after entering the LDAP information, it forwards me to a page that shows LDAP is enabled and all of the settings I just entered.

If I click "Refresh" it sends me back to the "Configuration" page where the "Password" field is empty and is making me fill it in.
If I click "Entities" tab I can type in the "Users", "Groups" fields, but no results are returned.
It is impossible to go back to the Entities tab if you navigate away from it, without entering in the Bind Password again.

I'm unsure on where the logs would be for this to determine what errors are being thrown on my LDAP settings.

I'm more concerned with why LDAP isn't functioning. It doesn't seem that the ticket you linked is related.

@bexsoft
Collaborator

bexsoft commented Sep 5, 2023

@vaskokj OK, will review the behavior that you are describing.

@bexsoft bexsoft self-assigned this Sep 5, 2023
@vaskokj
Author

vaskokj commented Sep 5, 2023

@bexsoft can you point me to where the logs that would be relevant for the LDAP settings to know if something is failing?

@vaskokj
Author

vaskokj commented Sep 12, 2023

@bexsoft @prakashsvmx

I tried it under the below version on a standalone machine in docker and certainly the interaction of the LDAP interface in the web GUI is different than the version included with TrueNAS, but as I mentioned the LDAP system is still certainly non-functional. Either I have some small nuance wrong with my LDAP settings that I'm putting into the field(s) in Minio OR there is some bug with the way Minio LDAP is operating.

The following version gives the interaction of the following:

Login to webGUI with ROOTUSER --> click on Identity --> LDAP --> fill in fields, get sent to table that shows LDAP Enabled, Server Address, Lookup Bind Password, etc. Click on "Entities" tab and can "search" for a user, but no user is returned. I navigate away from the screen by clicking "Buckets", click on "LDAP" under Identity and it shows "LDAP Enabled: No". Click "Enable LDAP", server reboots, and then same issue again, navigate away, navigate back to LDAP section, and then again "LDAP Enabled: No".

I do not feel this is just a UI glitch either as nothing else is functioning related to LDAP either. I can't query for the users, and according to my LDAP server, it doesn't seem the Minio server is ever querying the LDAP server.

Where are the logs related to this inside of Minio? Any thoughts/recommendation on how to debug this?

                "io.buildah.version": "1.29.0",
                "version": "RELEASE.2023-09-04T19-57-37Z"

@bexsoft
Collaborator

bexsoft commented Sep 12, 2023

Hi @vaskokj!

We were able to reproduce your issue in the UI of the latest version of MinIO, we are debugging and will send a fix for this soon.

Can you please try to add this configuration using the mc idp ldap add command in a terminal? You can find more information on LDAP at https://min.io/docs/minio/windows/operations/external-iam/configure-ad-ldap-external-identity-management.html.

Please remember that in case this issue is urgent, you can subscribe to Subnet so that our 24/7 support team may help you faster.

@bexsoft bexsoft added bug this needs to be fixed and removed triage labels Sep 13, 2023