LDAP: more then one mail entry per user - login fails

[eriCCsan]

Hi guys,

i just tried to implement a simple docker-compose with a generic test-ldap. It starts but not more. I cant login. I've tried a lot but nothing seems to work. The problem is always the same

For my test-ldap I use this: https://github.com/rroemhild/docker-test-openldap
The other containers a stright forward I guess (see my docker-compose below).

This is the Problem I face everytime I tried to login with a account

Session error. Please check you have cookies enabled. If the problem persists, try clearing your cache and cookies.

I follow the instruction with clearing enbaling and so on but it doesn't help.
I also set this ENV to true and false. Nothing helps. I googled a lot nothing helps. What is wrong? Anybody had the same problem?

SHARELATEX_SECURE_COOKIE=true

I always get a 403 on /login when i look at the chrome dev-tools.

What I assume?
I assume after starting a complete new docker-compose with the ldap and the overleaf-ldap to login with the [email protected] and the password professor. But this doesn't work for any reason.

Thank you very much for any help :)

P.S.
This is my docker-compose:

version: "3.9"

volumes:
  dev_overleaf_mongo_data: {}
  dev_overleaf_redis_data: {}
  dev_overleaf_data: {}


networks:
  dev_overleaf:
    driver: bridge
    name: dev_overleaf

services:

  mongo:
    image: mongo:5.0.5
    container_name: mongo
    networks:
      - dev_overleaf
    volumes:
      - dev_overleaf_mongo_data:/data/db

  redis:
    image: redis:6.2.6
    container_name: redis
    sysctls:
      - net.core.somaxconn=65535
    volumes:
      - dev_overleaf_redis_data:/data
    networks:
      - dev_overleaf

  mailhog:
    container_name: mailhog
    image: mailhog/mailhog:v1.0.1
    networks:
      - dev_overleaf
    ports:
      - 1025:1025 
      - 8025:8025 

  ldap-container:
    image: rroemhild/test-openldap
    container_name: ldap-container
    networks:
      - dev_overleaf
    ports:
      - 10389:10389

  overleaf:
    container_name: overleaf
    image: ldap-overleaf-sl:latest
    ports:
      - 80:80
    networks:
      - dev_overleaf
    volumes:
      - dev_overleaf_data:/var/lib/sharelatex
    environment:
      - SHARELATEX_APP_NAME=Overleaf
      - SHARELATEX_REDIS_HOST=redis
      - SHARELATEX_REDIS_PORT=6379
      - SHARELATEX_MONGO_HOST=mongo
      - SHARELATEX_MONGO_PORT=27017
      - SHARELATEX_MONGO_URL=mongodb://mongo/sharelatex
      - SHARELATEX_SITE_URL=http://localhost
      - SHARELATEX_NAV_TITLE=A-Title
      - [email protected]
      - [email protected]
      - SHARELATEX_EMAIL_SMTP_HOST=mailhog 
      - SHARELATEX_EMAIL_SMTP_PORT=1025
      - SHARELATEX_EMAIL_SMTP_SECURE=false
      - SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH=false
      - SHARELATEX_EMAIL_SMTP_IGNORE_TLS=true 
      - SHARELATEX_ALLOW_PUBLIC_ACCESS=true 
      - SHARELATEX_ALLOW_ANONYMOUS_READ_AND_WRITE_SHARING=true
      - SHARELATEX_SECURE_COOKIE=true
      - SHARELATEX_BEHIND_PROXY=false
      - LDAP_SERVER=ldap://ldap-container:10389
      - LDAP_BASE=dc=planetexpress,dc=com

      ### There are to ways get users from the ldap server 

      ## NO LDAP BIND USER:
      # Tries to bind with login-user (as uid) to LDAP_BINDDN
      - LDAP_BINDDN=uid=%u,ou=people,dc=planetexpress,dc=com

      ## Using a LDAP_BIND_USER/PW
      # LDAP_BIND_USER:
      # LDAP_BIND_PW:

      # Only allow users matching LDAP_USER_FILTER
      #LDAP_USER_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'

      # If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
      # Admin Users can invite external (non ldap) users. This feature makes only sense
      # when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send
      # system wide messages.
      #LDAP_ADMIN_GROUP_FILTER: '(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
      - ALLOW_EMAIL_LOGIN=false

      # All users in the LDAP_CONTACT_FILTER are loaded from the ldap server into contacts.
      #LDAP_CONTACT_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
      - LDAP_CONTACTS=false

      # Same property, unfortunately with different names in
      # different locations
      - ENABLED_LINKED_FILE_TYPES=url,project_file
      - ENABLE_CONVERSIONS=true 

[smhaller]

can you post also the content of your .env file?
And maybe have also a look at Issue #21

[eriCCsan]

yeah .env is pretty standard but for my test i haven't use it

MYDOMAIN=MYDOMAIN.TLD
[email protected]
MYDATA=/data
LOGIN_TEXT=username
COLLAB_TEXT=Direct share with collaborators is enabled only for activated users!
ADMIN_IS_SYSADMIN=true
VERSION=3.0.1

[smhaller]

A - i see: can you remove SHARELATEX_SECURE_COOKIE: 'true' and share the content of the web.log (from the sharelatex container) - mainly the part when you try to login ..

[eriCCsan]

I removed the SHARELATEX_SECURE_COOKIE ENV but nothing happens. The error message does not shown anymore.
Then i try to loggin it stick at Loggin in after 2min it timeout. No logs in the docker-container.

Where i find the web.log ?

[eriCCsan]

Both login with
email/password

[email protected]
professor

and uid/password

professor
professor

does not work.

[smhaller]

docker exec  -it NAMEofLdap-overleaf-sl /bin/bash
tail -f /var/log/sharelatex/web.log

How did you configure dap-overleaf-sl/nginx/sharelatex.conf

Are those accounts in the ldap? Please try accounts which are in the ldap directory server

[eriCCsan]

using the combination email/password

{"name":"web","hostname":"cc2825ab8f49","pid":155,"level":30,"rss":"138.02","heapTotal":"87.67","heapUsed":"71.83","external":"19.71","arrayBuffers":"18.12","msg":"process.memoryUsage()","time":"2022-03-26T13:23:00.937Z","v":0}
(node:155) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'replace' of undefined
    at Object.ldapAuth (/var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:287:52)
    at Object.authUserObj (/var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:108:29)
    at /var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:37:29
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4842:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4842:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/helpers/promiseOrCallback.js:24:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4865:21
    at /var/www/sharelatex/web/node_modules/mongoose/lib/query.js:4419:11
    at /var/www/sharelatex/web/node_modules/kareem/index.js:135:16
    at processTicksAndRejections (internal/process/task_queues.js:79:11)
    at runNextTicks (internal/process/task_queues.js:66:3)
    at processImmediate (internal/timers.js:434:9)
(node:155) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 4)

same for the uid/password combination

(node:155) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'replace' of undefined
    at Object.ldapAuth (/var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:287:52)
    at Object.authUserObj (/var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:108:29)
    at /var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:37:29
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4842:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4842:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/helpers/promiseOrCallback.js:24:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4865:21
    at /var/www/sharelatex/web/node_modules/mongoose/lib/query.js:4419:11
    at /var/www/sharelatex/web/node_modules/kareem/index.js:135:16
    at processTicksAndRejections (internal/process/task_queues.js:79:11)
    at runNextTicks (internal/process/task_queues.js:66:3)
    at processImmediate (internal/timers.js:434:9)
(node:155) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 5)

I tried something elase which does not exicts in the LDAP

(node:155) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'replace' of undefined
    at Object.ldapAuth (/var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:287:52)
    at Object.authUserObj (/var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:108:29)
    at /var/www/sharelatex/web/app/src/Features/Authentication/AuthenticationManager.js:37:29
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4842:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4842:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/helpers/promiseOrCallback.js:24:16
    at /var/www/sharelatex/web/node_modules/mongoose/lib/model.js:4865:21
    at /var/www/sharelatex/web/node_modules/mongoose/lib/query.js:4419:11
    at /var/www/sharelatex/web/node_modules/kareem/index.js:135:16
    at processTicksAndRejections (internal/process/task_queues.js:79:11)
    at runNextTicks (internal/process/task_queues.js:66:3)
    at processImmediate (internal/timers.js:434:9)
(node:155) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 6)

Every error looks the same it cant read property of replace from undefined. I didn't know of these logs they are greate. But how can i fix it whats missing?

[smhaller]

I see: can you set a LDAP_USER_FILTER...

[eriCCsan]

sure i can but whats the correct value?

I've tested: - LDAP_USER_FILTER='(&(ou=people,dc=planetexpress,dc=com)(uid=%u))'

It immediately teels me then i try different kombination that everything is wrong email/password or uid/password.

[eriCCsan]

In the logs i can see: Could not bind user: uid=professor,ou=people,dc=planetexpress,dc=com

[eriCCsan]

these are my current ENV's for the container in short:

      #- SHARELATEX_SECURE_COOKIE=true
      - SHARELATEX_BEHIND_PROXY=true
      - LDAP_SERVER=ldap://ldap-container:10389
      - LDAP_BASE=dc=planetexpress,dc=com

      ### There are to ways get users from the ldap server 

      ## NO LDAP BIND USER:
      # Tries to bind with login-user (as uid) to LDAP_BINDDN
      - LDAP_BINDDN=mail=%m,ou=people,dc=planetexpress,dc=com

      ## Using a LDAP_BIND_USER/PW
      # LDAP_BIND_USER:
      # LDAP_BIND_PW:

      # Only allow users matching LDAP_USER_FILTER
      #memberof=admin_staff,
      - LDAP_USER_FILTER='(&(memberof=cn=admin_staff,ou=people,dc=planetexpress,dc=com)(mail=%m))'
      - ALLOW_EMAIL_LOGIN=true

Do i need to set LDAP_BIND_USER and LDAP_BIND_PW ?
I've tried mail=%m and uid=%u but no difference in both places.

[eriCCsan]

after a while i've managed to set the correct ENVs

      #- SHARELATEX_SECURE_COOKIE=true
      - SHARELATEX_BEHIND_PROXY=true
      - ALLOW_EMAIL_LOGIN=true
      - LDAP_SERVER=ldap://ldap-container:10389
      - LDAP_BASE=dc=planetexpress,dc=com
      - LDAP_BIND_USER=cn=admin,dc=planetexpress,dc=com
      - LDAP_BIND_PW=GoodNewsEveryone
      - LDAP_USER_FILTER=(mail=%m)

I figured one bug which was if the user has more then one email the login fails you can see it in the professor account he has two mails. With one mail no problem.

You can close this. I solved it. Thanks for your support.

[smhaller]

I renamed the Issue to: LDAP: more then one mail entry per user - login fails. And l'll leave this open till its fixed.

Notes: This has to be fixed in ldap-overleaf-sl/sharelatex/AuthenticationManager.js (Line: 314).
As quick solution: I think we just can take the first mail address (because this is already after the Authentication process and only used for saving into the sharelatex db).

Additionally we could use this test ldap an the configuration from this issue to start solving issue #7.

[yzx9]

Posted by @Wurzelmann in #62:

We encountered a problem with users with multiple mail address entries, the LDAP server's response became a list instead of a string and did not work.

The following little patch to services/web/app/src/Features/Contacts/ContactController.js fixed this:

the line

entry['email'] = obj['mail']

should be:

entry['email'] = obj['uid'] + '@example.com'

This filters the results and works for us.

[smhaller]

this only holds if your uid is part of the email in a very specific way - for our ldap server this is really not true because we have users with mails addresses from different providers.

I think the following code-snippet would solve the multiple mail-adress issues:

// Check if 'mail' is an array with more than one entry
if (Array.isArray(obj['mail']) && obj['mail'].length > 1) {
  entry['email'] = obj['mail'][0]; // Use the first email if multiple are present
} else {
  entry['email'] = obj['mail']; // Use the single email directly
}