rc.1 external OIDC+LDAP setup, error on new user first login #5045
Comments
|
Another problem which may be related. When I logined as the {"error":{"code":"generalException","innererror":{"date":"2022-11-13T14:03:52Z","request-id":"78fac6ae-09f0-4ef4-824f-30aba4a7442b"},"message":"notSupported"}}
|
|
I can confirm this happening on https://ocis.ocis-ldap.latest.owncloud.works. If I add an user via the LDAP UI (not oC Web), the user can't log in because it doesn't get a default role. If I login as the admin users, I can list all users in the oC Web accounts management UI but can't change any user roles. |
|
probably introduce in #4890 |
micbar
added
the
Priority:p2-high
should be After starting ocis_ldap with |
|
But admin user cannot see users from external LDAP, cannot assign their roles either. Without a default role, they cannot login. |
If you're using graph to provision users they will immediately have a role assigned. So you must do it via the external ldap (so that the user is just there) |
How to assign roles to users in the external LDAP? What's the role attribute read by OCIS? Is there any docs about the OCIS LDAP schema? I thought OCIS will insert user data into its own database after checking external LDAP, and I can assign roles to users in OCIS after that. And I got the impression from: #4150 (comment) , that external users will get the default |
When using an external user management we need to allow users to self-assign the default role. This adds an explicit check for that to the settings service. This also means we no longer need to fiddle with the account id in the proxy upon first login. Fixes: owncloud#5045
When using an external user management we need to allow users to self-assign the default role. This adds an explicit check for that to the settings service. This also means we no longer need to fiddle with the account id in the proxy upon first login. Fixes: owncloud#5045
When using an external user management we need to allow users to self-assign the default role. This adds an explicit check for that to the settings service. This also means we no longer need to fiddle with the account id in the proxy upon first login. Fixes: owncloud#5045
Actually exactly that should be possible. The user with the id matching
When using an external LDAP server we don't require a specific schema. The roles and the role assignments are never, regardless for external or internal LDAP) stored in LDAP. We use a dedicated service for that which stores the data in the metadata storage.
OCIS does currently not maintain it's own database when an external LDAP server is used. If correctly setup you should be able to assign roles even before the first login (see above).
You are right. But there was a bug in rc1 that prevented that from working. It should be fixed once #5065 is merged. hth |
Wait, how does OCIS list the existing users from the external LDAP before they login for the first time? Will OCIS search with LDAP filter and get all the matching users from external LDAP?
My user management is empty, I though it's normal because they had not logged in yet, but they cannot login without the default role, causing circular dependencies. #5065 should solve this situation. |
Exactly. If you don't see them it might be a configuration issue. (That's why I asked for your helm config) |
|
My # -- Domain where oCIS is reachable for the outside world
externalDomain: owncloud.example.com
# Feature options.
# Enable or disable features of oCIS.
features:
# -- Enable basic authentication.
# Not recommended for production installations.
# basicAuthentication: false
# -- Create demo users on the first startup.
# Not recommended for production installations.
# demoUsers: false
# External user management
externalUserManagement:
# -- Enables external user management (and disables internal user management).
# Needs an external OpenID Connect Identity Provider and an external LDAP server.
# Need to set it to `false` temporarily so I can login as the initial admin account for the first time
# See: https://github.com/owncloud/ocis/issues/4150
# Also `PROXY_AUTOPROVISION_ACCOUNTS` must be set to `true` to automatically provision users that do not yet exist in the users service on-demand upon first sign-in.
enabled: true #false
# -- UUID of the initial admin user.
# If the given value matches a user's value from `features.externalUserManagement.oidc.userIDClaim`, the admin role will be assigned.
adminUUID: admin
# OpenID Connect Identity provider related settings.
oidc:
# -- Issuer URI of the OpenID Connect Identity Provider.
# If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option.
issuerURI: https://auth.example.com
# -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server.
userIDClaim: "preferred_username" # "sub"
# -- Attribute mapping of for the userIDClaim.
# Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`.
# Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.mail`.
# Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`.
userIDClaimAttributeMapping: userid
# LDAP related settings.
ldap:
# -- URI to connect to the LDAP secure server.
uri: ldaps://ldap.example.com
# -- Set only to false, if the certificate of your LDAP secure service is not trusted.
# If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef"
# certTrusted: true
# -- Disables SSL certificate checking for connections to the LDAP server.
# -- For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef"
# Not recommended for production installations.
# insecure: false
# -- DN of the user to use to bind to the LDAP server.
# The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`.
# The user needs to have permission to list users and groups.
bindDN: uid=owncloud,ou=people,dc=example,dc=com
user:
schema:
# -- LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID.
id: uid
# -- Set this to true if the defined `id` attribute for users is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the user ID`s.
idIsOctetString: false
# -- LDAP Attribute to use for the email address of users.
mail: mail
# -- LDAP Attribute to use for the displayname of users.
displayName: cn
# -- LDAP Attribute to use for username of users.
userName: uid
# -- Search base DN for looking up LDAP users.
baseDN: ou=people,dc=example,dc=com
# -- LDAP search scope to use when looking up users. Supported values are `base`, `one` and `sub`.
scope: sub
# -- Type of substring search filter to use for substring searches for users. Possible values: `initial` for doing prefix only searches, `final` for doing suffix only searches or `any` for doing full substring searches
substringFilterType: any
# -- LDAP filter to add to the default filters for user search like `(objectclass=ownCloud)`.
# filter:
# -- The object class to use for users in the default user search filter like `inetOrgPerson`.
objectClass: inetOrgPerson
group:
schema:
# -- LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID.
id: cn
# -- Set this to true if the defined `id` attribute for groups is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the group ID`s.
idIsOctetString: false
# -- LDAP Attribute to use for the email address of groups (can be empty).
mail: mail
# -- LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).
displayName: description
# -- LDAP Attribute to use for the name of groups.
groupName: cn
# -- LDAP Attribute that is used for group members.
member: member
# -- Search base DN for looking up LDAP groups.
baseDN: ou=groups,dc=example,dc=com
# -- LDAP search scope to use when looking up groups. Supported values are `base`, `one` and `sub`.
scope: sub
# -- LDAP filter to add to the default filters for group searches.
filter:
# -- The object class to use for groups in the default group search filter like `groupOfNames`.
objectClass: groupOfNames
# per-service configuration.
services:
# STORAGE-SYSTEM service.
storageSystem:
persistence:
# -- Enables persistence.
# Needs to be enabled on production installations.
# If not enabled, pod restarts will lead to data loss.
# Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
enabled: true
# -- Enables a initContainer to chown the volume.
# The initContainer is run as root.
# This is not needed if the driver applies the fsGroup from the securityContext.
chownInitContainer: true #false
# -- Storage class to use.
# Uses the default storage class if not set.
# Aliyun CNFS NAS doesn't support `xattrs` which is required
# See: https://github.com/owncloud/ocis/issues/4961#issuecomment-1301994318
# storageClassName: alibabacloud-cnfs-nas
storageClassName: alicloud-disk-topology
# -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
accessModes:
- ReadWriteMany
# -- Size of the persistent volume.
size: 20Gi # Require at least 20Gi
# -- Persistent volume annotations.
annotations: {
"helm.sh/resource-policy": keep
}
# # -- Persistent volume finalizers.
# finalizers:
# - kubernetes.io/pvc-protection
# # -- Persistent volume selector labels.
# selectorLabels: {}
# # -- Use an existing PersistentVolumeClaim for persistence.
# existingClaim:
# STORAGE-USERS service.
storageUsers:
storageBackend:
# -- Configures the storage driver. Possible values are "ocis" and "s3ng".
# The oCIS driver stores all data in the persistent volume if persistence is enabled.
# The S3NG driver stores all metadata in the persistent volume and uploads blobs to s3 if persistence is enabled.
driver: s3ng
driverConfig:
s3ng:
# https://blog.csdn.net/wwwwwwgame/article/details/120896339
# https://developer.aliyun.com/ask/321872?spm=a2c6h.13706215.ask-content.15.46086d124SyO7e
# -- S3 endpoint to use for the S3NG driver. Only used if driver is set to "s3ng".
# Use "https" to workaround Aliyun incompatibility error: Aws MultiChunkedEncoding is not supported, see:
endpoint: https://oss-cn-zhangjiakou-internal.aliyuncs.com
# -- S3 region to use for the S3NG driver. Only used if driver is set to "s3ng".
region: oss-cn-zhangjiakou
# -- S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng".
bucket: fusiongalaxy-owncloud
# -- S3 access key to use for the S3NG driver. Only used if driver is set to "s3ng".
# accessKey: lorem-ipsum # From .secret-values.yml
# -- S3 secret key to use for the S3NG driver. Only used if driver is set to "s3ng".
# secretKey: lorem-ipsum # From .secret-values.yml
maintenance:
# Expired uploads can be cleaned up automatically by enabling the clean up job.
cleanUpExpiredUploads:
# -- Enables a job, that cleans up expired uploads. Requires persistence to be enabled and RWX storage.
enabled: true
# -- Cron pattern for the job to be run. Defaults to every minute.
# schedule: "* * * * *"
persistence:
# -- Enables persistence.
# Needs to be enabled on production installations.
# If not enabled, pod restarts will lead to data loss.
# Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
enabled: true
# # -- Enables a initContainer to chown the volume.
# # The initContainer is run as root.
# # This is not needed if the driver applies the fsGroup from the securityContext.
chownInitContainer: true #false
# # -- Storage class to use.
# # Uses the default storage class if not set.
# storageClassName: alibabacloud-cnfs-nas
storageClassName: alicloud-disk-topology
# # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
# accessModes:
# - ReadWriteMany
# # -- Size of the persistent volume.
size: 100Gi
# -- Persistent volume annotations.
annotations: {
"helm.sh/resource-policy": keep
}
# # -- Persistent volume finalizers.
# finalizers:
# - kubernetes.io/pvc-protection
# # -- Persistent volume selector labels.
# selectorLabels: {}
# # -- Use an existing PersistentVolumeClaim for persistence.
# existingClaim:
# store service.
store:
persistence:
# -- Enables persistence.
# Needs to be enabled on production installations.
# If not enabled, pod restarts will lead to data loss.
# Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
enabled: true
# -- Enables a initContainer to chown the volume.
# The initContainer is run as root.
# This is not needed if the driver applies the fsGroup from the securityContext.
chownInitContainer: true #false
# -- Storage class to use.
# Uses the default storage class if not set.
# storageClassName: alibabacloud-cnfs-nas
storageClassName: alicloud-disk-topology # Require at least 20Gi
# -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
# accessModes:
# - ReadWriteMany
# -- Size of the persistent volume.
size: 20Gi
# -- Persistent volume annotations.
annotations: {
"helm.sh/resource-policy": keep
}
# # -- Persistent volume finalizers.
# finalizers:
# - kubernetes.io/pvc-protection
# # -- Persistent volume selector labels.
# selectorLabels: {}
# # -- Use an existing PersistentVolumeClaim for persistence.
# existingClaim:
# IDM service.
idm:
persistence:
# -- Enables persistence.
# Needs to be enabled on production installations.
# If not enabled, pod restarts will lead to data loss.
# Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
enabled: true
# -- Enables a initContainer to chown the volume.
# The initContainer is run as root.
# This is not needed if the driver applies the fsGroup from the securityContext.
chownInitContainer: true #false
# -- Storage class to use.
# Uses the default storage class if not set.
# storageClassName: alibabacloud-cnfs-nas
storageClassName: alicloud-disk-topology
# -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
# accessModes:
# - ReadWriteMany
# -- Size of the persistent volume.
size: 20Gi
# -- Persistent volume annotations.
annotations: {
"helm.sh/resource-policy": keep
}
# # -- Persistent volume finalizers.
# finalizers:
# - kubernetes.io/pvc-protection
# # -- Persistent volume selector labels.
# selectorLabels: {}
# # -- Use an existing PersistentVolumeClaim for persistence.
# existingClaim:
commonEnvOverride:
ACCOUNTS_DEMO_USERS_AND_GROUPS: false
# TODO: remove OCIS_URL in favor of NOTIFICATIONS_WEB_UI_URL
# after https://github.com/owncloud/ocis/pull/4998 was released
OCIS_URL: https://owncloud.example.com
NOTIFICATIONS_WEB_UI_URL: https://owncloud.example.com
# OIDC
## PROXY_OIDC_ISSUER: https://auth.example.com
## WEB_OIDC_AUTHORITY: https://auth.example.com
WEB_OIDC_CLIENT_ID: owncloud
# WEB_OIDC_METADATA_URL: https://auth.example.com/.well-known/openid-configuration
## STORAGE_OIDC_ISSUER: https://auth.example.com
# Need this because Authelia doesn't issue JWT based access tokens
# See: https://github.com/owncloud/ocis/issues/4895#issuecomment-1293136653
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none
# Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in.
# Need for external LDAP to work?
# PROXY_AUTOPROVISION_ACCOUNTS: true
# GRAPH_LDAP_SERVER_WRITE_ENABLED: true
# STORAGE_LDAP_IDP: https://ldap.example.com
# Defaults to `OCIS_URL`, causing problem when oCIS pod request itself
# because of `externalTrafficPolicy`=`Local`
STORAGE_FRONTEND_PUBLIC_URL: http://proxy:9200
# STORAGE_FRONTEND_PUBLIC_URL: http://localhost:9200
STORAGE_HOME_DRIVER: s3ng # This doesn't seems useful: https://github.com/search?q=org%3Aowncloud+%22storage_home_driver%22&type=code
# STORAGE_METADATA_DRIVER: ocis # keep metadata on ocis storage since this are only small files atm
# App registry
# STORAGE_APP_REGISTRY_MIMETYPES_JSON: /config/mimetypes.json
# Theme
# WEB_UI_THEME_SERVER: https://public.example.com
# WEB_UI_THEME_PATH: /internal/ocis-theme.json
|
|
maybe related to #5085 & owncloud/web#7986 |
|
OpenLDAP logs printed when I clicked User management: These two queries seems to be problematic and are finding 0 result: |
|
Should be, yes. Needs re testing in the next qa cycle. |
|
re-tested.
|
|
Thanks. Should I create a new issue or re-open this one? |
Hmm, this is on a different level. IdK where this error message comes from. Needs investigation. I only see this error in the LDAP code, but assigning a role to a user is not an LDAP operation. |
|
@ScharfViktor Which request shows this error message? |
|
Found it: This is weird. Why do we use the GraphAPI for Role Assignments? @kulmann @janackermann I thought we need to use the settings API for that purpose |
Role assignment works. Sorry for the confusion. the PATCH request remains to be solved |
@micbar User management failing to list any external LDAP users is not solved yet. |
Works on ocis.ocis-ldap.latest.owncloud.works where this patch is already deployed |
|
Now I'm confused again... #5065 is deployed on This doesn't match
If it works through the API, that's fine, but this has worked through the UI in the past and should work again. |
That is weird to me too. Needs some frontend changes. @kulmann Extra ticket in web? |
Yes please, thank you |
|
Web Ticket owncloud/web#8011 |
This is indeed weird. Looks a bit like a mis-configuration, but it might also be an issue with the helm charts. I need to take a deeper look. |
@NexZhu I was able to reproduce the problem. It seems to be caused by a bug in the user provider, which constructs a broken LDAP filter under certain circumstances. I'll open a new issue for this with some background and a possible workaround. |
Describe the bug
I'm testing
rc.1with external OIDC+LDAP setup, when a new user try to login,/ocs/v1.php/cloud/userreturned 500 error.proxyservice error log:Seems like a bug, user shouldn't need a role management permission to be assigned the
defaultrole.(The one user set in the helm chart
adminUUIDoption can login as the admin role)The text was updated successfully, but these errors were encountered: