-
Notifications
You must be signed in to change notification settings - Fork 10
Object Error after LDAP login #51
Comments
Login for LDAP etc uses email address as username. |
Unfortunately that seems not to be the case. This is the input of the log with using email address attached to that account:
Again, this had been working for months. It's not like it has never worked...And as you can see from the log in the original post, the authentication itself is working. It is once it gets back to wekan that it is erroring out. Really, all I need is a way to see the contents of that |
For Docker, this setting in docker-compose.yml:
And after you try login:
Did you delete old docker container when you upgraded?
Are you using newest docker-compose.yml from https://github.com/wekan/wekan ? |
Is there errors at mongodb?
Did you do backup and upgrade with |
Activated
I am using docker-compose, so I made sure to completely remove containers and redo. I also removed the image and re-pulled it just to be safe. Mongo is not reporting any error whatsoever, only successfull connections as per this log:
I have not verified that I am using the newest docker-compose.yml, but I am going to do that next and check for major changes. |
Do you have time to look at this? |
I'm assuming there is not an easy way that I can bash into the wekan-app container, issue a command, and see the result of |
If that object is array etc, it should maybe be changed to string or something. It would be nice that some Wekan LDAP user/contributor could help looking at this. I have not done Wekan LDAP code. |
I am really not sure this is tied to LDAP though. I am in the process of doing a backup/restore for good measure. UPDATE: backup/restore done per instructions. Made no difference. |
@xet7, how do I go about changing the array to string? If there was any way to force more detailed debug info, that would help. |
Also, I tried this with a brand new install (to discount the possibility of a corrupted db). The result was the same, still getting the same error. |
In general, array has many items. So in code with Javascript you read each array item an in loop do same thing to all variables. At https://github.com/wekan/wekan repo is |
Array means some of your LDAP fields has multiple values, like many email addresses etc. I think the reason why others don't have this error is that they only have one value on that field. You can also try to login with some other user. It's also possible that some of your LDAP settings are not correct. |
I will post those later today. However, here is the kicker, they have been working for months until recent wekan updates. Nothing has changed in the LDAP config. |
Here are my LDAP settings: # The default authentication method used if a user does not exist to create and authenticate. Can be set as ldap.
- DEFAULT_AUTHENTICATION_METHOD=ldap
#
# Enable or not the connection by the LDAP
- LDAP_ENABLE=true
#
# The port of the LDAP server
- LDAP_PORT=389
#
# The host server for the LDAP server
- LDAP_HOST=dc.mydomain.com
#
# The base DN for the LDAP Tree
- LDAP_BASEDN=ou=myou2,ou=myou1,dc=mydomain,dc=com
#
# Fallback on the default authentication method
- LDAP_LOGIN_FALLBACK=false
#
# Reconnect to the server if the connection is lost
- LDAP_RECONNECT=true
#
# Overall timeout, in milliseconds
- LDAP_TIMEOUT=10000
#
# Specifies the timeout for idle LDAP connections in milliseconds
- LDAP_IDLE_TIMEOUT=10000
#
# Connection timeout, in milliseconds
- LDAP_CONNECT_TIMEOUT=10000
#
# If the LDAP needs a user account to search
- LDAP_AUTHENTIFICATION=true
#
# The search user DN
- LDAP_AUTHENTIFICATION_USERDN=cn=serviceaccount,ou=Administrators,dc=mydomain,dc=com
#
# The password for the search user
- LDAP_AUTHENTIFICATION_PASSWORD=MySuperSecretPassword
#
# Enable logs for the module
- LDAP_LOG_ENABLED=true
#
# If the sync of the users should be done in the background
- LDAP_BACKGROUND_SYNC=false
#
# At which interval does the background task sync in milliseconds
- LDAP_BACKGROUND_SYNC_INTERVAL=100
#
- LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=false
#
- LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=false
#
# If using LDAPS: LDAP_ENCRYPTION=ssl
- LDAP_ENCRYPTION=false
#
# The certification for the LDAPS server. Certificate needs to be included in this docker-compose.yml file.
- LDAP_CA_CERT=-----BEGIN CERTIFICATE-----MIIE+G2FIdAgIC...-----END CERTIFICATE-----
#
# Reject Unauthorized Certificate
- LDAP_REJECT_UNAUTHORIZED=false
#
# Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed
- LDAP_USER_SEARCH_FILTER=
#
# base (search only in the provided DN), one (search only in the provided DN and one level deep), or sub (search the whole subtree)
- LDAP_USER_SEARCH_SCOPE=sub
#
# Which field is used to find the user, like uid / sAMAccountName
- LDAP_USER_SEARCH_FIELD=sAMAccountName
#
# Used for pagination (0=unlimited)
- LDAP_SEARCH_PAGE_SIZE=0
#
# The limit number of entries (0=unlimited)
- LDAP_SEARCH_SIZE_LIMIT=0
#
# Enable group filtering
- LDAP_GROUP_FILTER_ENABLE=false
- P_FILTER_GROUP_ID_ATTRIBUTE=
#
- LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE=
#
- LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT=
#
- LDAP_GROUP_FILTER_GROUP_NAME=
#
#LDAP_UNIQUE_IDENTIFIER_FIELD : This field is sometimes class GUID (Globally Unique Identifier). Example: guid
- LDAP_UNIQUE_IDENTIFIER_FIELD=
#
# LDAP_UTF8_NAMES_SLUGIFY : Convert the username to utf8
- LDAP_UTF8_NAMES_SLUGIFY=true
#
# LDAP_USERNAME_FIELD : Which field contains the ldap username. username / sAMAccountName
- LDAP_USERNAME_FIELD=sAMAccountName
#
# LDAP_FULLNAME_FIELD : Which field contains the ldap fullname. fullname / sAMAccountName
- LDAP_FULLNAME_FIELD=displayName
#
- LDAP_MERGE_EXISTING_USERS=false
#
# Allow existing account matching by e-mail address when username does not match
- LDAP_EMAIL_MATCH_ENABLE=true
#
# LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match
- LDAP_EMAIL_MATCH_REQUIRE=true
#
# LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching
- LDAP_EMAIL_MATCH_VERIFIED=true
#
# LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address
- LDAP_EMAIL_FIELD=mail
#-----------------------------------------------------------------
- LDAP_SYNC_USER_DATA=false
#
- LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"}
#
- LDAP_SYNC_GROUP_ROLES=''
#
# The default domain of the ldap it is used to create email if the field is not map correctly with the LDAP_SYNC_USER_DATA_FIELDMAP
# example :
- LDAP_DEFAULT_DOMAIN=mydomain.com
#
# Enable/Disable syncing of admin status based on ldap groups:
- LDAP_SYNC_ADMIN_STATUS=true
#
# Comma separated list of admin group names to sync.
- LDAP_SYNC_ADMIN_GROUPS= I know I sound like a broken record, but this WORKED just fine since the very first time I implemented it, it was only after recent wekan updates that it stopped working. |
Please uncomment
|
Please uncomment this:
|
If you want to set some LDAP group as admin, you need to define what LDAP group is admin in 2nd settings, otherwise everyone is admin. Or alternatively, uncomment both.
|
I would recommend that you use newest docker-compose.yml from https://github.com/wekan/wekan and add to it your current settings. Many Wekan users also like to disable bigevents to get less email notifications: |
Just additional note about this, this is because now Wekan has LDAP user sync with synced cron, and that variable needs to be not set at all for default sync interval, and in text date format if different sync schedule is set, it can not be 100 because then Wekan does not work, see wekan/wekan#2555 |
For some other Wekan user, Wekan works with these settings:
|
Performed all steps as directed, including using the updated docker-compose.yml from github. The result is the same (asterisks for privacy):
As you can see from the log, once again, the user is being authenticated by LDAP just fine. It seems that once it gets back to wekan to apply the login method, it fails, which yields the object I can't seem to get more info on. I am attaching a full copy of the compose file so that you can see I am using the updated one, with all subsequent suggestions applied (minus sensitive info, and environment customizations, of course). version: '2'
# Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required.
#---------------------------------------------------------------------------------------------------------
# ==== CREATING USERS AND LOGGING IN TO WEKAN ====
# https://github.com/wekan/wekan/wiki/Adding-users
#---------------------------------------------------------------------------------------------------------
# ==== FORGOT PASSWORD ====
# https://github.com/wekan/wekan/wiki/Forgot-Password
#---------------------------------------------------------------------------------------------------------
# ==== Upgrading Wekan to new version =====
# NOTE: MongoDB has changed from 3.x to 4.x, in that case you need backup/restore with --noIndexRestore
# see https://github.com/wekan/wekan/wiki/Backup
# 1) Stop Wekan:
# docker-compose stop
# 2) Download new version:
# docker-compose pull wekan
# 3) If you have more networks for VPN etc as described at bottom of
# this config, download for them too:
# docker-compose pull wekan2
# 4) Start Wekan:
# docker-compose start
#----------------------------------------------------------------------------------
# ==== OPTIONAL: DEDICATED DOCKER USER ====
# 1) Optionally create a dedicated user for Wekan, for example:
# sudo useradd -d /home/wekan -m -s /bin/bash wekan
# 2) Add this user to the docker group, then logout+login or reboot:
# sudo usermod -aG docker wekan
# 3) Then login as user wekan.
# 4) Create this file /home/wekan/docker-compose.yml with your modifications.
#----------------------------------------------------------------------------------
# ==== RUN DOCKER AS SERVICE ====
# 1a) Running Docker as service, on Systemd like Debian 9, Ubuntu 16.04, CentOS 7:
# sudo systemctl enable docker
# sudo systemctl start docker
# 1b) Running Docker as service, on init.d like Debian 8, Ubuntu 14.04, CentOS 6:
# sudo update-rc.d docker defaults
# sudo service docker start
# ----------------------------------------------------------------------------------
# ==== USAGE OF THIS docker-compose.yml ====
# 1) For seeing does Wekan work, try this and check with your webbroser:
# docker-compose up
# 2) Stop Wekan and start Wekan in background:
# docker-compose stop
# docker-compose up -d
# 3) See running Docker containers:
# docker ps
# 4) Stop Docker containers:
# docker-compose stop
# ----------------------------------------------------------------------------------
# ===== INSIDE DOCKER CONTAINERS, AND BACKUP/RESTORE ====
# https://github.com/wekan/wekan/wiki/Backup
# If really necessary, repair MongoDB: https://github.com/wekan/wekan-mongodb/issues/6#issuecomment-424004116
# 1) Going inside containers:
# a) Wekan app, does not contain data
# docker exec -it wekan-app bash
# b) MongoDB, contains all data
# docker exec -it wekan-db bash
# 2) Copying database to outside of container:
# docker exec -it wekan-db bash
# cd /data
# mongodump
# exit
# docker cp wekan-db:/data/dump .
# 3) Restoring database
# # 1) Stop wekan
# docker stop wekan-app
# # 2) Go inside database container
# docker exec -it wekan-db bash
# # 3) and data directory
# cd /data
# # 4) Remove previos dump
# rm -rf dump
# # 5) Exit db container
# exit
# # 6) Copy dump to inside docker container
# docker cp dump wekan-db:/data/
# # 7) Go inside database container
# docker exec -it wekan-db bash
# # 8) and data directory
# cd /data
# # 9) Restore
# mongorestore --drop
# # 10) Exit db container
# exit
# # 11) Start wekan
# docker start wekan-app
#-------------------------------------------------------------------------
services:
wekandb:
#-------------------------------------------------------------------------------------
# ==== MONGODB AND METEOR VERSION ====
# a) For Wekan Meteor 1.8.x version at master branch, use mongo 4.x
image: mongo:4.0
# b) For Wekan Meteor 1.6.x version at devel branch.
# Only for Snap and Sandstorm while they are not upgraded yet to Meteor 1.8.x
#image: mongo:3.2.21
#-------------------------------------------------------------------------------------
container_name: wekan-db
restart: always
command: mongod --smallfiles --oplogSize 128
networks:
- default
expose:
- 27017
volumes:
- /root/docker-persist/wekan/db:/data/db
- /root/docker-persist/wekan/dump:/dump
wekan:
#-------------------------------------------------------------------------------------
# ==== MONGODB AND METEOR VERSION ====
# NOTE: Quay is currently not updated, use Docker Hub image below c)
# a) For Wekan Meteor 1.8.x version at master branch,
# using https://quay.io/wekan/wekan automatic builds
image: wekanteam/wekan
# b) Using specific Meteor 1.6.x version tag:
# image: quay.io/wekan/wekan:v1.95
# c) Using Docker Hub automatic builds https://hub.docker.com/r/wekanteam/wekan
#image: wekanteam/wekan
# image: wekanteam/wekan:v2.99
#-------------------------------------------------------------------------------------
container_name: wekan-app
restart: always
networks:
- default
- reverse-proxy
#-------------------------------------------------------------------------------------
# ==== BUILD wekan-app DOCKER CONTAINER FROM SOURCE, if you uncomment these ====
# ==== and use commands: docker-compose up -d --build
#build:
# context: .
# dockerfile: Dockerfile
# args:
# - NODE_VERSION=${NODE_VERSION}
# - METEOR_RELEASE=${METEOR_RELEASE}
# - NPM_VERSION=${NPM_VERSION}
# - ARCHITECTURE=${ARCHITECTURE}
# - SRC_PATH=${SRC_PATH}
# - METEOR_EDGE=${METEOR_EDGE}
# - USE_EDGE=${USE_EDGE}
#-------------------------------------------------------------------------------------
#ports:
# Docker outsideport:insideport. Do not add anything extra here.
# For example, if you want to have wekan on port 3001,
# use 3001:8080 . Do not add any extra address etc here, that way it does not work.
# remove port mapping if you use nginx reverse proxy, port 8080 is already exposed to wekan-tier network
#- 80:8080
environment:
# ---- begin jwilder/nginx-proxy vars ----
- VIRTUAL_HOST=dev-wekan.mydomain.com
- VIRTUAL_PORT=8080
# ---- end jwilder/nginx-proxy vars ----
- MONGO_URL=mongodb://wekandb:27017/wekan
#---------------------------------------------------------------
# ==== ROOT_URL SETTING ====
# Change ROOT_URL to your real Wekan URL, for example:
# If you have Caddy/Nginx/Apache providing SSL
# - https://example.com
# - https://boards.example.com
# This can be problematic with avatars https://github.com/wekan/wekan/issues/1776
# - https://example.com/wekan
# If without https, can be only wekan node, no need for Caddy/Nginx/Apache if you don't need them
# - http://example.com
# - http://boards.example.com
# - http://192.168.1.100 <=== using at local LAN
- ROOT_URL=https://dev-wekan.mydomain.com # <=== using only at same laptop/desktop where Wekan is installed
#---------------------------------------------------------------
# ==== EMAIL SETTINGS ====
# Email settings are required in both MAIL_URL and Admin Panel,
# see https://github.com/wekan/wekan/wiki/Troubleshooting-Mail
# For SSL in email, change smtp:// to smtps://
# NOTE: Special characters need to be url-encoded in MAIL_URL.
# You can encode those characters for example at: https://www.urlencoder.org
#- MAIL_URL=smtp://user:pass@mailserver.example.com:25/
- MAIL_URL='smtp://exchange.mydomain.com:25/?ignoreTLS=true'
- MAIL_FROM='Wekan Notifications <noreply.wekan@mydomain.com>'
#---------------------------------------------------------------
# ==== OPTIONAL: MONGO OPLOG SETTINGS =====
# https://github.com/wekan/wekan-mongodb/issues/2#issuecomment-378343587
# We've fixed our CPU usage problem today with an environment
# change around Wekan. I wasn't aware during implementation
# that if you're using more than 1 instance of Wekan
# (or any MeteorJS based tool) you're supposed to set
# MONGO_OPLOG_URL as an environment variable.
# Without setting it, Meteor will perform a pull-and-diff
# update of it's dataset. With it, Meteor will update from
# the OPLOG. See here
# https://blog.meteor.com/tuning-meteor-mongo-livedata-for-scalability-13fe9deb8908
# After setting
# MONGO_OPLOG_URL=mongodb://<username>:<password>@<mongoDbURL>/local?authSource=admin&replicaSet=rsWekan
# the CPU usage for all Wekan instances dropped to an average
# of less than 10% with only occasional spikes to high usage
# (I guess when someone is doing a lot of work)
# - MONGO_OPLOG_URL=mongodb://<username>:<password>@<mongoDbURL>/local?authSource=admin&replicaSet=rsWekan
#---------------------------------------------------------------
# ==== OPTIONAL: KADIRA PERFORMANCE MONITORING FOR METEOR ====
# https://github.com/edemaine/kadira-compose
# https://github.com/meteor/meteor-apm-agent
# https://blog.meteor.com/kadira-apm-is-now-open-source-490469ffc85f
#- APM_OPTIONS_ENDPOINT=http://<kadira-ip>:11011
#- APM_APP_ID=
#- APM_APP_SECRET=
#---------------------------------------------------------------
# ==== OPTIONAL: LOGS AND STATS ====
# https://github.com/wekan/wekan/wiki/Logs
#
# Daily export of Wekan changes as JSON to Logstash and ElasticSearch / Kibana (ELK)
# https://github.com/wekan/wekan-logstash
#
# Statistics Python script for Wekan Dashboard
# https://github.com/wekan/wekan-stats
#
# Console, file, and zulip logger on database changes https://github.com/wekan/wekan/pull/1010
# with fix to replace console.log by winston logger https://github.com/wekan/wekan/pull/1033
# but there could be bug https://github.com/wekan/wekan/issues/1094
#
# There is Feature Request: Logging date and time of all activity with summary reports,
# and requesting reason for changing card to other column https://github.com/wekan/wekan/issues/1598
#---------------------------------------------------------------
# ==== WEKAN API AND EXPORT BOARD ====
# Wekan Export Board works when WITH_API=true.
# https://github.com/wekan/wekan/wiki/REST-API
# https://github.com/wekan/wekan-gogs
# If you disable Wekan API with false, Export Board does not work.
- WITH_API=true
#---------------------------------------------------------------
# ==== PASSWORD BRUTE FORCE PROTECTION ====
#https://atmospherejs.com/lucasantoniassi/accounts-lockout
#Defaults below. Uncomment to change. wekan/server/accounts-lockout.js
#- ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE=3
#- ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD=60
#- ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW=15
#- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE=3
#- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD=60
#- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW=15
#---------------------------------------------------------------
# ==== STORE ATTACHMENT ON SERVER FILESYSTEM INSTEAD OF MONGODB ====
# https://github.com/wekan/wekan/pull/2603
#- ATTACHMENTS_STORE_PATH = <pathname> # pathname can be relative or fullpath
#---------------------------------------------------------------
# ==== RICH TEXT EDITOR IN CARD COMMENTS ====
# https://github.com/wekan/wekan/pull/2560
- RICHER_CARD_COMMENT_EDITOR=true
#---------------------------------------------------------------
# ==== CARD OPENED, SEND WEBHOOK MESSAGE ====
# https://github.com/wekan/wekan/issues/2518
- CARD_OPENED_WEBHOOK_ENABLED=false
#---------------------------------------------------------------
# ==== Allow to shrink attached/pasted image ====
# https://github.com/wekan/wekan/pull/2544
#-MAX_IMAGE_PIXEL=1024
#-IMAGE_COMPRESS_RATIO=80
#---------------------------------------------------------------
# ==== BIGEVENTS DUE ETC NOTIFICATIONS =====
# https://github.com/wekan/wekan/pull/2541
# Introduced a system env var BIGEVENTS_PATTERN default as "due",
# so any activityType matches the pattern, system will send out
# notifications to all board members no matter they are watching
# or tracking the board or not. Owner of the wekan server can
# disable the feature by setting this variable to "NONE" or
# change the pattern to any valid regex. i.e. '|' delimited
# activityType names.
# a) Default
#- BIGEVENTS_PATTERN=due
# b) All
#- BIGEVENTS_PATTERN=received|start|due|end
# c) Disabled
#- BIGEVENTS_PATTERN=NONE
#---------------------------------------------------------------
# ==== EMAIL DUE DATE NOTIFICATION =====
# https://github.com/wekan/wekan/pull/2536
# System timelines will be showing any user modification for
# dueat startat endat receivedat, also notification to
# the watchers and if any card is due, about due or past due.
#
# Notify due days, default 2 days before and after. 0 = due notifications disabled. Default: 2
#- NOTIFY_DUE_DAYS_BEFORE_AND_AFTER=2
#
# Notify due at hour of day. Default every morning at 8am. Can be 0-23.
# If env variable has parsing error, use default. Notification sent to watchers.
#- NOTIFY_DUE_AT_HOUR_OF_DAY=8
#-----------------------------------------------------------------
# ==== EMAIL NOTIFICATION TIMEOUT, ms =====
# Defaut: 30000 ms = 30s
#- EMAIL_NOTIFICATION_TIMEOUT=30000
#-----------------------------------------------------------------
# ==== CORS =====
# CORS: Set Access-Control-Allow-Origin header.
#- CORS=*
# CORS_ALLOW_HEADERS: Set Access-Control-Allow-Headers header. "Authorization,Content-Type" is required for cross-origin use of the API.
#- CORS_ALLOW_HEADERS=Authorization,Content-Type
# CORS_EXPOSE_HEADERS: Set Access-Control-Expose-Headers header. This is not needed for typical CORS situations
#- CORS_EXPOSE_HEADERS=*
#-----------------------------------------------------------------
# ==== MATOMO INTEGRATION ====
# Optional: Integration with Matomo https://matomo.org that is installed to your server
# The address of the server where Matomo is hosted.
#- MATOMO_ADDRESS=https://example.com/matomo
# The value of the site ID given in Matomo server for Wekan
#- MATOMO_SITE_ID=1
# The option do not track which enables users to not be tracked by matomo
#- MATOMO_DO_NOT_TRACK=true
# The option that allows matomo to retrieve the username:
#- MATOMO_WITH_USERNAME=true
#-----------------------------------------------------------------
# ==== BROWSER POLICY AND TRUSTED IFRAME URL ====
# Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside.
# Setting this to false is not recommended, it also disables all other browser policy protections
# and allows all iframing etc. See wekan/server/policy.js
- BROWSER_POLICY_ENABLED=true
# When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside.
#- TRUSTED_URL=https://intra.example.com
#-----------------------------------------------------------------
# ==== OUTGOING WEBHOOKS ====
# What to send to Outgoing Webhook, or leave out. Example, that includes all that are default: cardId,listId,oldListId,boardId,comment,user,card,commentId .
#- WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,commentId
#-----------------------------------------------------------------
# ==== Debug OIDC OAuth2 etc ====
- DEBUG=true
#-----------------------------------------------------------------
# ==== OAUTH2 AZURE ====
# https://github.com/wekan/wekan/wiki/Azure
# 1) Register the application with Azure. Make sure you capture
# the application ID as well as generate a secret key.
# 2) Configure the environment variables. This differs slightly
# by installation type, but make sure you have the following:
#- OAUTH2_ENABLED=true
# OAuth2 login style: popup or redirect.
#- OAUTH2_LOGIN_STYLE=redirect
# Application GUID captured during app registration:
#- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
# Secret key generated during app registration:
#- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#- OAUTH2_SERVER_URL=https://login.microsoftonline.com/
#- OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
#- OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
#- OAUTH2_TOKEN_ENDPOINT=/oauth2/v2.0/token
# The claim name you want to map to the unique ID field:
#- OAUTH2_ID_MAP=email
# The claim name you want to map to the username field:
#- OAUTH2_USERNAME_MAP=email
# The claim name you want to map to the full name field:
#- OAUTH2_FULLNAME_MAP=name
# Tthe claim name you want to map to the email field:
#- OAUTH2_EMAIL_MAP=email
#-----------------------------------------------------------------
# ==== OAUTH2 KEYCLOAK ====
# https://github.com/wekan/wekan/wiki/Keycloak <== MAPPING INFO, REQUIRED
#- OAUTH2_ENABLED=true
# OAuth2 login style: popup or redirect.
#- OAUTH2_LOGIN_STYLE=redirect
#- OAUTH2_CLIENT_ID=<Keycloak create Client ID>
#- OAUTH2_SERVER_URL=<Keycloak server name>/auth
#- OAUTH2_AUTH_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/auth
#- OAUTH2_USERINFO_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/userinfo
#- OAUTH2_TOKEN_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/token
#- OAUTH2_SECRET=<keycloak client secret>
#-----------------------------------------------------------------
# ==== OAUTH2 DOORKEEPER ====
# https://github.com/wekan/wekan/issues/1874
# https://github.com/wekan/wekan/wiki/OAuth2
# Enable the OAuth2 connection
#- OAUTH2_ENABLED=true
# OAuth2 docs: https://github.com/wekan/wekan/wiki/OAuth2
# OAuth2 login style: popup or redirect.
#- OAUTH2_LOGIN_STYLE=redirect
# OAuth2 Client ID.
#- OAUTH2_CLIENT_ID=abcde12345
# OAuth2 Secret.
#- OAUTH2_SECRET=54321abcde
# OAuth2 Server URL.
#- OAUTH2_SERVER_URL=https://chat.example.com
# OAuth2 Authorization Endpoint.
#- OAUTH2_AUTH_ENDPOINT=/oauth/authorize
# OAuth2 Userinfo Endpoint.
#- OAUTH2_USERINFO_ENDPOINT=/oauth/userinfo
# OAuth2 Token Endpoint.
#- OAUTH2_TOKEN_ENDPOINT=/oauth/token
# OAUTH2 ID Token Whitelist Fields.
#- OAUTH2_ID_TOKEN_WHITELIST_FIELDS=""
# OAUTH2 Request Permissions.
#- OAUTH2_REQUEST_PERMISSIONS=openid profile email
# OAuth2 ID Mapping
#- OAUTH2_ID_MAP=
# OAuth2 Username Mapping
#- OAUTH2_USERNAME_MAP=
# OAuth2 Fullname Mapping
#- OAUTH2_FULLNAME_MAP=
# OAuth2 Email Mapping
#- OAUTH2_EMAIL_MAP=
#-----------------------------------------------------------------
# ==== LDAP: UNCOMMENT ALL TO ENABLE LDAP ====
# https://github.com/wekan/wekan/wiki/LDAP
# For Snap settings see https://github.com/wekan/wekan-snap/wiki/Supported-settings-keys
# Most settings work both on Snap and Docker below.
# Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required.
#
# The default authentication method used if a user does not exist to create and authenticate. Can be set as ldap.
- DEFAULT_AUTHENTICATION_METHOD=ldap
#
# Enable or not the connection by the LDAP
- LDAP_ENABLE=true
#
# The port of the LDAP server
- LDAP_PORT=389
#
# The host server for the LDAP server
- LDAP_HOST=dc.mydomain.com
#
# The base DN for the LDAP Tree
- LDAP_BASEDN=ou=******,ou=******,dc=mydomain,dc=com
#
# Fallback on the default authentication method
#- LDAP_LOGIN_FALLBACK=false
#
# Reconnect to the server if the connection is lost
#- LDAP_RECONNECT=true
#
# Overall timeout, in milliseconds
#- LDAP_TIMEOUT=10000
#
# Specifies the timeout for idle LDAP connections in milliseconds
#- LDAP_IDLE_TIMEOUT=10000
#
# Connection timeout, in milliseconds
#- LDAP_CONNECT_TIMEOUT=10000
#
# If the LDAP needs a user account to search
- LDAP_AUTHENTIFICATION=true
#
# The search user DN
- LDAP_AUTHENTIFICATION_USERDN=CN=ldapserviceaccount,OU=*******,OU=*******,OU=******,DC=mydomain,DC=com
#
# The password for the search user
- LDAP_AUTHENTIFICATION_PASSWORD=ThisIsTheCorrectPassword
#
# Enable logs for the module
- LDAP_LOG_ENABLED=true
#
# If the sync of the users should be done in the background
#- LDAP_BACKGROUND_SYNC=false
#
# At which interval does the background task sync in milliseconds.
# Leave this unset, so it uses default, and does not crash.
# https://github.com/wekan/wekan/issues/2354#issuecomment-515305722
- LDAP_BACKGROUND_SYNC_INTERVAL=''
#
#- LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=false
#
#- LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=false
#
# If using LDAPS: LDAP_ENCRYPTION=ssl
#- LDAP_ENCRYPTION=false
#
# The certification for the LDAPS server. Certificate needs to be included in this docker-compose.yml file.
#- LDAP_CA_CERT=-----BEGIN CERTIFICATE-----MIIE+G2FIdAgIC...-----END CERTIFICATE-----
#
# Reject Unauthorized Certificate
#- LDAP_REJECT_UNAUTHORIZED=false
#
# Option to login to the LDAP server with the user's own username and password, instead of an administrator key. Default: false (use administrator key).
#- LDAP_USER_AUTHENTICATION="true"
#
# Which field is used to find the user for the user authentication. Default: uid.
#- LDAP_USER_AUTHENTICATION_FIELD="uid"
#
# Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed
#- LDAP_USER_SEARCH_FILTER=
#
# base (search only in the provided DN), one (search only in the provided DN and one level deep), or sub (search the whole subtree)
#- LDAP_USER_SEARCH_SCOPE=one
#
# Which field is used to find the user, like uid / sAMAccountName
- LDAP_USER_SEARCH_FIELD=sAMAccountName
#
# Used for pagination (0=unlimited)
#- LDAP_SEARCH_PAGE_SIZE=0
#
# The limit number of entries (0=unlimited)
#- LDAP_SEARCH_SIZE_LIMIT=0
#
# Enable group filtering
#- LDAP_GROUP_FILTER_ENABLE=false
#
# The object class for filtering. Example: group
#- LDAP_GROUP_FILTER_OBJECTCLASS=
#
#- LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=
#
#- LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE=
#
#- LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT=
#
#- LDAP_GROUP_FILTER_GROUP_NAME=
#
# LDAP_UNIQUE_IDENTIFIER_FIELD : This field is sometimes class GUID (Globally Unique Identifier). Example: guid
#- LDAP_UNIQUE_IDENTIFIER_FIELD=
#
# LDAP_UTF8_NAMES_SLUGIFY : Convert the username to utf8
#- LDAP_UTF8_NAMES_SLUGIFY=true
#
# LDAP_USERNAME_FIELD : Which field contains the ldap username. username / sAMAccountName
- LDAP_USERNAME_FIELD=sAMAccountName
#
# LDAP_FULLNAME_FIELD : Which field contains the ldap fullname. fullname / sAMAccountName
- LDAP_FULLNAME_FIELD=cn
#
#- LDAP_MERGE_EXISTING_USERS=false
#
# Allow existing account matching by e-mail address when username does not match
#- LDAP_EMAIL_MATCH_ENABLE=true
#
# LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match
#- LDAP_EMAIL_MATCH_REQUIRE=true
#
# LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching
#- LDAP_EMAIL_MATCH_VERIFIED=true
#
# LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address
#- LDAP_EMAIL_FIELD=mail
#-----------------------------------------------------------------
#- LDAP_SYNC_USER_DATA=false
#
#- LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"}
#
- LDAP_SYNC_GROUP_ROLES=''
#
# The default domain of the ldap it is used to create email if the field is not map correctly with the LDAP_SYNC_USER_DATA_FIELDMAP
# example :
#- LDAP_DEFAULT_DOMAIN=mydomain.com
#
# Enable/Disable syncing of admin status based on ldap groups:
- LDAP_SYNC_ADMIN_STATUS=true
#
# Comma separated list of admin group names to sync.
- LDAP_SYNC_ADMIN_GROUPS=*******
#---------------------------------------------------------------------
# Login to LDAP automatically with HTTP header.
# In below example for siteminder, at right side of = is header name.
#- HEADER_LOGIN_ID=HEADERUID
#- HEADER_LOGIN_FIRSTNAME=HEADERFIRSTNAME
#- HEADER_LOGIN_LASTNAME=HEADERLASTNAME
#- HEADER_LOGIN_EMAIL=HEADEREMAILADDRESS
#---------------------------------------------------------------------
# ==== LOGOUT TIMER, probably does not work yet ====
# LOGOUT_WITH_TIMER : Enables or not the option logout with timer
# example : LOGOUT_WITH_TIMER=true
#- LOGOUT_WITH_TIMER=
#
# LOGOUT_IN : The number of days
# example : LOGOUT_IN=1
#- LOGOUT_IN=
#
# LOGOUT_ON_HOURS : The number of hours
# example : LOGOUT_ON_HOURS=9
#- LOGOUT_ON_HOURS=
#
# LOGOUT_ON_MINUTES : The number of minutes
# example : LOGOUT_ON_MINUTES=55
#- LOGOUT_ON_MINUTES=
#-------------------------------------------------------------------
depends_on:
- wekandb
#---------------------------------------------------------------------------------
# ==== OPTIONAL: SHARE DATABASE TO OFFICE LAN AND REMOTE VPN ====
# When using Wekan both at office LAN and remote VPN:
# 1) Have above Wekan docker container config with LAN IP address
# 2) Copy all of above wekan container config below, look above of this part above and all config below it,
# before above depends_on: part:
#
# wekan:
# #-------------------------------------------------------------------------------------
# # ==== MONGODB AND METEOR VERSION ====
# # a) For Wekan Meteor 1.8.x version at meteor-1.8 branch, .....
#
#
# and change name to different name like wekan2 or wekanvpn, and change ROOT_URL to server VPN IP
# address.
# 3) This way both Wekan containers can use same MongoDB database
# and see the same Wekan boards.
# 4) You could also add 3rd Wekan container for 3rd network etc.
# EXAMPLE:
# wekan2:
# ....COPY CONFIG FROM ABOVE TO HERE...
# environment:
# - ROOT_URL='http://10.10.10.10'
# ...COPY CONFIG FROM ABOVE TO HERE...
#---------------------------------------------------------------------------------
# OPTIONAL NGINX CONFIG FOR REVERSE PROXY
# nginx:
# image: nginx
# container_name: nginx
# restart: always
# networks:
# - wekan-tier
# depends_on:
# - wekan
# ports:
# - 80:80
# - 443:443
# volumes:
# - ./nginx/ssl:/etc/nginx/ssl/:ro
# - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
## Alternative volume config:
## volumes:
## - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
## - ./nginx/ssl/ssl.conf:/etc/nginx/conf.d/ssl/ssl.conf:ro
## - ./nginx/ssl/testvm-ehu.crt:/etc/nginx/conf.d/ssl/certs/mycert.crt:ro
## - ./nginx/ssl/testvm-ehu.key:/etc/nginx/conf.d/ssl/certs/mykey.key:ro
## - ./nginx/ssl/pphrase:/etc/nginx/conf.d/ssl/pphrase:ro
networks:
reverse-proxy:
external:
name: reverse-proxy |
When using LDAP or OIDC, you login with your email address. For example: |
You can try commenting out
|
OK. So I commented the 4 vars you recommended, and I successfully logged in. Then, out of curiosity, I un-commented all but the
So it would be safe to assume that the process that syncs the LDAP admin status to the wekan user admin flag is not working correctly, as shown by the output:
|
I suppose that for the time being I can live without that feature, as what was of utmost importance to me was to not lose the existing wekan data for my domain users, which seems achieved now, but I am curious as to what is going on there. Thanks for your help so far. |
That What do you think? |
I added a couple of dummy groups to the list, such:
The result is the same. Not sure if I am missing any quotes or anything like that to account for the space in one of the groups. |
I am not well-versed in node.js, but a simple javascript split operation returns result of the split as:
|
If you can try in dev environment (clone repo and start with meteor), you could add a file debug.js in the server folder with this content. import { inspect } from "util";
Meteor.startup(() => {
if (Meteor.isServer) {
const originalMeteorDebug = Meteor._debug;
Meteor._debug = function (message, stack) {
console.log('===== message =====', message);
console.log('===== stack =====', stack);
console.log(inspect(stack, {
showHidden: true,
depth: null,
maxArrayLength: null,
}));
return originalMeteorDebug.apply(this, arguments);
};
}
}); If all works, you will see the content of the exception object. |
Well, that's the, issue, I would do that but I do not develop in meteor, therefore I have no idea how to set up a meteor dev-env, though I am trying. But I was hopeful there would be a logging option that would return this when using the wekan docker image, which is what I am using. |
I have got the exact same behaviour in the snap version of Wekan. LDAP login successful (and new users created in Wekan) but:
I would love to apply the workaround and comment out the offending variable but I'm not sure how/where to do so because I don't set the variables by editing a file but on the command line like so:
Is there some way I can get rid of this variable entirely? Thanks, |
Yes:
Or alternatively:
That way there is no Object error, and sync works. Yes, I should remove this setting sometime. |
Hi @xet7 , I want to bump this issue as I am still seeing it in the latest version 7.49. Same exact symptoms as above, except the error is as follows:
|
Issue
Server Setup Information:
Problem description:
LDAP login takes place, but there is an error, and the login screen continues to appear. The log shows that the LDAP authentication happened successfully but then there is an error on the login action.
There had been no issues with the LDAP part of it. It is only after the last few updates. Any help would be appreciated, as I don't want to have to rebuild without first finding out what the problem is.
Steps to reproduce
Docker stdout log (asterisks for privacy)
The interesting thing is that I can't copy any more lines after that line, as there are some special characters in the object...
I have tried to figure out how to get more information from that exception, but I am at a loss.
The text was updated successfully, but these errors were encountered: