OCIS_LDAP_USER_SCHEMA_USER_TYPE not usable. #10474

Closed
blicknix opened this issue Nov 5, 2024 · 8 comments · Fixed by #10512
Labels
Priority:p2-high Escalation, on top of current planning, release blocker Type:Bug

Comments

@blicknix

blicknix commented Nov 5, 2024

Describe the bug

With OCIS_LDAP_USER_SCHEMA_USER_TYPE: "ownCloudUserType" set as a variable and the user given the Guest status, he is not able to log in anymore, with the error http: panic serving 172.19.0.1:33558: runtime error: index out of range [0] with length 0

Steps to reproduce

  1. Use Docker Compose with stable image owncloud/ocis:5.0.7
  2. Add the ownCloudUserType attribute to Marie with value "Guest"
  3. Login with Marie

Expected behavior

Marie should be able to log in without an error.

Actual behavior

Marie is not able to log in and gets an access denied.

ocis-1         | 2024/11/05 15:46:23 http: TLS handshake error from 172.19.0.1:33550: remote error: tls: unknown certificate
ocis-1         | {"level":"info","service":"auth-machine","pkg":"rgrpc","traceid":"15e1ee4d7b9c9483d6933c29969ea756","time":"2024-11-05T15:46:23Z","line":"github.com/cs3org/reva/v2@v2.19.7/internal/grpc/services/authprovider/authprovider.go:141","message":"user idp:\"https://localhost:9200\" opaque_id:\"f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c\" type:USER_TYPE_GUEST  authenticated"}
ocis-1         | {"level":"info","service":"storage-system","pkg":"rgrpc","traceid":"a4d0d2e65834d38107f24d96397f8804","time":"2024-11-05T15:46:23Z","line":"github.com/cs3org/reva/v2@v2.19.7/internal/grpc/services/authprovider/authprovider.go:141","message":"user idp:\"internal\" opaque_id:\"ef9e3c8f-233e-4673-9859-f49c61bedc57\" type:USER_TYPE_PRIMARY  authenticated"}
ocis-1         | 2024/11/05 15:46:23 http: panic serving 172.19.0.1:33558: runtime error: index out of range [0] with length 0
ocis-1         | goroutine 1561 [running]:
ocis-1         | net/http.(*conn).serve.func1()
ocis-1         |        net/http/server.go:1903 +0xbe
ocis-1         | panic({0x44bc8c0?, 0xc002828fa8?})
ocis-1         |        runtime/panic.go:770 +0x132
ocis-1         | github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.createHome.checkRoleQuotaLimit(...)
ocis-1         |        github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/create_home.go:109
ocis-1         | github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.createHome.ServeHTTP({{0x470f380, 0xc001a6fec0}, {{{0x471e2d0, 0xc000d8a440}, 0x1, {0x0, 0x0}, {0xc001426600, 0x12, 0x1f4}, ...}}, ...}, ...)
ocis-1         |        github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/create_home.go:63 +0x655
ocis-1         | github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.Policies.func1.1({0x78b6d45ec278?, 0xc0032590c0?}, 0x0?)
ocis-1         |        github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/policies.go:52 +0x277
ocis-1         | net/http.HandlerFunc.ServeHTTP(0xc001fac320?, {0x78b6d45ec278?, 0xc0032590c0?}, 0x4482080?)
ocis-1         |        net/http/server.go:2171 +0x29
ocis-1         | github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.selectorCookie.ServeHTTP({{0x470db38, 0xc0027941e0}, {{{0x471e2d0, 0xc000d8a440}, 0x1, {0x0, 0x0}, {0xc001426600, 0x12, 0x1f4}, ...}}, ...}, ...)
ocis-1         |        github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/selector_cookie.go:36 +0x266
ocis-1         | github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.accountResolver.ServeHTTP({{0x4711940, 0xc0025ec1e0}, {{{0x471e2d0, 0xc000d8a440}, 0x1, {0x0, 0x0}, {0xc001426600, 0x12, 0x1f4}, ...}}, ...}, ...)
ocis-1         |        github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:169 +0x8da
ocis-1         | github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.Authentication.func1.1({0x78b6d45ec278, 0xc0032590c0}, 0xc001d39200)
ocis-1         |        github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/authentication.go:77 +0x446
ocis-1         | net/http.HandlerFunc.ServeHTTP(0x4732fd0?, {0x78b6d45ec278?, 0xc0032590c0?}, 0x6540c80?)
ocis-1         |        net/http/server.go:2171 +0x29
ocis-1         | github.com/owncloud/ocis/v2/services/proxy/pkg/router.Middleware.func1.1({0x78b6d45ec278, 0xc0032590c0}, 0xc001d390e0)
ocis-1         |        github.com/owncloud/ocis/v2/services/proxy/pkg/router/router.go:32 +0x23f
ocis-1         | net/http.HandlerFunc.ServeHTTP(0x0?, {0x78b6d45ec278?, 0xc0032590c0?}, 0xc002800e48?)
ocis-1         |        net/http/server.go:2171 +0x29
ocis-1         | github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.OIDCWellKnownRewrite.func1.1({0x78b6d45ec278, 0xc0032590c0}, 0x11?)
ocis-1         |        github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_well-known.go:45 +0x2a3
ocis-1         | net/http.HandlerFunc.ServeHTTP(0xc00195c690?, {0x78b6d45ec278?, 0xc0032590c0?}, 0xc002800f01?)
ocis-1         |        net/http/server.go:2171 +0x29
ocis-1         | github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.HTTPSRedirect.func1({0x78b6d45ec278, 0xc0032590c0}, 0xc001d390e0)
ocis-1         |        github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/https_redirect.go:17 +0x136
ocis-1         | net/http.HandlerFunc.ServeHTTP(0x6248040?, {0x78b6d45ec278?, 0xc0032590c0?}, 0xc001478bd0?)
ocis-1         |        net/http/server.go:2171 +0x29
ocis-1         | github.com/owncloud/ocis/v2/services/proxy/pkg/command.loadMiddlewares.AccessLog.func37.1({0x78b6d45ec278, 0xc003259040}, 0xc001d390e0)
ocis-1         |        github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:21 +0x130
ocis-1         | net/http.HandlerFunc.ServeHTTP(0x4732fd0?, {0x78b6d45ec278?, 0xc003259040?}, 0x3daa6a8?)
ocis-1         |        net/http/server.go:2171 +0x29
ocis-1         | github.com/go-chi/chi/v5/middleware.RequestID.func1({0x78b6d45ec278, 0xc003259040}, 0xc001d38c60)
ocis-1         |        github.com/go-chi/chi/v5@v5.0.12/middleware/request_id.go:76 +0x20e
ocis-1         | net/http.HandlerFunc.ServeHTTP(0xc001d38c60?, {0x78b6d45ec278?, 0xc003259040?}, 0x30?)
ocis-1         |        net/http/server.go:2171 +0x29
ocis-1         | github.com/go-chi/chi/v5/middleware.RealIP.func1({0x78b6d45ec278, 0xc003259040}, 0xc001d38c60)
ocis-1         |        github.com/go-chi/chi/v5@v5.0.12/middleware/realip.go:36 +0x95
ocis-1         | net/http.HandlerFunc.ServeHTTP(0x41c50c0?, {0x78b6d45ec278?, 0xc003259040?}, 0x6?)
ocis-1         |        net/http/server.go:2171 +0x29
ocis-1         | github.com/owncloud/ocis/v2/services/proxy/pkg/command.loadMiddlewares.Instrumenter.func36.1({0x472da70, 0xc0023c09c0}, 0xc001d38c60)
ocis-1         |        github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/metrics.go:20 +0x17c
ocis-1         | net/http.HandlerFunc.ServeHTTP(0x28012f0?, {0x472da70?, 0xc0023c09c0?}, 0x472abe0?)
ocis-1         |        net/http/server.go:2171 +0x29
ocis-1         | github.com/owncloud/ocis/v2/ocis-pkg/middleware.TraceContext.func1({0x472da70, 0xc0023c09c0}, 0xc001d38b40)
ocis-1         |        github.com/owncloud/ocis/v2/ocis-pkg/middleware/tracing.go:19 +0x168
ocis-1         | net/http.HandlerFunc.ServeHTTP(0x4732fd0?, {0x472da70?, 0xc0023c09c0?}, 0x472abe0?)
ocis-1         |        net/http/server.go:2171 +0x29
ocis-1         | github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.tracer.ServeHTTP({{0x470db38?, 0xc0025df458?}, {0x471eaa0?, 0xc00067e900?}}, {0x472da70, 0xc0023c09c0}, 0xc001d38a20)
ocis-1         |        github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/tracing.go:50 +0x474
ocis-1         | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*middleware).serveHTTP(0xc001b70ea0, {0x4726778, 0xc0015e5340}, 0xc001d385a0, {0x470f420, 0xc00270ea80})
ocis-1         |        go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.49.0/handler.go:225 +0x1243
ocis-1         | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.NewMiddleware.func1.1({0x4726778?, 0xc0015e5340?}, 0x4e33af?)
ocis-1         |        go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.49.0/handler.go:83 +0x35
ocis-1         | net/http.HandlerFunc.ServeHTTP(0x4733b9?, {0x4726778?, 0xc0015e5340?}, 0xc002801b68?)
ocis-1         |        net/http/server.go:2171 +0x29
ocis-1         | net/http.serverHandler.ServeHTTP({0xc00195c630?}, {0x4726778?, 0xc0015e5340?}, 0x6?)
ocis-1         |        net/http/server.go:3142 +0x8e
ocis-1         | net/http.(*conn).serve(0xc0026f3830, {0x4732fd0, 0xc001a47aa0})
ocis-1         |        net/http/server.go:2044 +0x5e8
ocis-1         | created by net/http.(*Server).Serve in goroutine 643
ocis-1         |        net/http/server.go:3290 +0x4b4

Setup

Used the docker compose file provided by ocis. Removed Traefik for easier setup.

---
services:
  ldap-server:
    image: bitnami/openldap:2.6
    networks:
      ocis-net:
    entrypoint: ["/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
    environment:
      BITNAMI_DEBUG: true
      LDAP_TLS_VERIFY_CLIENT: never
      LDAP_ENABLE_TLS: "yes"
      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/share/openldap.crt
      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt
      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
      LDAP_ROOT: "dc=owncloud,dc=com"
      LDAP_ADMIN_PASSWORD: admin123
    ports:
      - "127.0.0.1:389:1389"
      - "127.0.0.1:636:1636"
    volumes:
      - ./config/ldap/ldif:/ldifs
      - ./config/ldap/schemas:/schemas
      - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
  ocis:
    image: owncloud/ocis:5.0.7
    networks:
      ocis-net:
    ports:
      - '9200:9200'
    depends_on:
      - ldap-server
    entrypoint:
      - /bin/sh
    # run ocis init to initialize a configuration file with random secrets
    # it will fail on subsequent runs, because the config file already exists
    # therefore we ignore the error and then start the ocis server
    command: [ "-c", "ocis init || true; ocis server" ]
    environment:
      # users/groups from ldap
      OCIS_LDAP_URI: ldaps://ldap-server:1636
      OCIS_LDAP_INSECURE: "true" # skips LDAPS certificate verification for the self-signed cert above; local testing only
      OCIS_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
      OCIS_LDAP_BIND_PASSWORD: admin123
      OCIS_LDAP_GROUP_BASE_DN: "ou=groups,dc=owncloud,dc=com"
      OCIS_LDAP_GROUP_FILTER: "(objectclass=owncloud)"
      OCIS_LDAP_GROUP_OBJECTCLASS: "groupOfNames"
      OCIS_LDAP_USER_BASE_DN: "ou=users,dc=owncloud,dc=com"
      OCIS_LDAP_USER_FILTER: "(objectclass=owncloud)"
      OCIS_LDAP_USER_OBJECTCLASS: "inetOrgPerson"
      OCIS_LDAP_USER_SCHEMA_USER_TYPE: "ownCloudUserType"
      LDAP_LOGIN_ATTRIBUTES: "uid"
      OCIS_ADMIN_USER_ID: "ddc2004c-0977-11eb-9d3f-a793888cd0f8"
      IDP_LDAP_LOGIN_ATTRIBUTE: "uid"
      IDP_LDAP_UUID_ATTRIBUTE: "ownclouduuid"
      IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary
      GRAPH_LDAP_SERVER_WRITE_ENABLED: "true" # assuming the external ldap is writable
      GRAPH_LDAP_REFINT_ENABLED: "true" # assumes the external ldap has the refint (referential integrity) overlay enabled
      # OCIS_EXCLUDE_RUN_SERVICES skips the built-in idm service; it is replaced by the external LDAP server above
      OCIS_EXCLUDE_RUN_SERVICES: idm
      # General oCIS config
      OCIS_URL: https://localhost:9200
      OCIS_LOG_LEVEL: info
      OCIS_LOG_COLOR: "false"
      OCIS_INSECURE: "true" # allows unverified TLS connections to the oCIS server; local testing only
      # basic auth (not recommended, but needed for e.g., WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "false"
      # password policies
      OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
    volumes:
      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
      - ocis-config:/etc/ocis
      - ocis-data:/var/lib/ocis
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
networks:
  ocis-net:
volumes:
  ocis-config:
  ocis-data:

User Marie:

dn: uid=marie,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloudUser
objectClass: person
objectClass: posixAccount
objectClass: top
uid: marie
givenName: Marie
sn: Curie
cn: marie
displayName: Marie Skłodowska Curie
description: A Polish and naturalized-French physicist and chemist who conducted pioneering research on radioactivity.
mail: marie@example.org
uidNumber: 20001
gidNumber: 30000
homeDirectory: /home/marie
ownCloudUserType: Guest
ownCloudUUID: f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c
userPassword:: e1NTSEF9UmFvQWs3TU9jRHBIUWY3bXN3MGhHNnVraFZQWnRIRlhOSUNNZEE9PQ==

Additional context

We also have the problem on another server in production. That setup also uses docker compose, but without a changed schema and with an external LB, LDAP and Keycloak. We used another, not yet used, default attribute (room).

Any other string in the attribute is ignored and the user is a Member of the ocis server.

@blicknix
Author

blicknix commented Nov 5, 2024

@dj4oC as discussed today, this is the issue we are facing right now.

@dj4oC
Contributor

dj4oC commented Nov 5, 2024

May I ask you @blicknix to quickly try it with 6.6.1?
Thank you

@blicknix
Author

blicknix commented Nov 5, 2024

Same issue with image: owncloud/ocis-rolling:6.6.1

@dj4oC dj4oC added the Priority:p2-high Escalation, on top of current planning, release blocker label Nov 6, 2024
@2403905 2403905 self-assigned this Nov 6, 2024
@2403905 2403905 moved this from Qualification to In progress in Infinite Scale Team Board Nov 6, 2024
@2403905
Contributor

2403905 commented Nov 7, 2024

@blicknix Could you please describe for what purpose you want to use the Guest type?
Why do you expect that "Marie is not able to login and is getting an access denied"?

@2403905
Contributor

2403905 commented Nov 7, 2024

@dj4oC If the Guest is equivalent to User Light we can map them.
The User Light is a user that doesn't have a personal space

@micbar
Contributor

micbar commented Nov 7, 2024

@2403905 @blicknix @dj4oC

let me clarify some things:

  1. The user type only tells us how this user has been created. Guest is normally an external user who was not created by an admin.
  2. Guest users can be assigned to any possible role.
  3. The default role assignment of a guest user should be „User Light“
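
The trace in the report points at checkRoleQuotaLimit in the proxy's create_home middleware indexing element 0 of an empty slice, and the comment above spells out the intended semantics: the user type only records how the user was created, and a guest with no explicit assignment should get the User Light role, which has no personal space. The Go program below is an added illustration, not the oCIS project's code; the role IDs, quota values, `RoleAssignment` type and `ShouldCreateHome` function are assumptions. It places the unchecked `assignments[0]` pattern, which reproduces the exact runtime error from the log, next to a lookup that falls back to User Light for guests, skips home creation for that role, and returns an error rather than panicking for a non-guest without any assignment.

```go
package main

import (
	"errors"
	"fmt"
)

// UserType mirrors the two CS3 user types visible in the issue's log lines
// (USER_TYPE_PRIMARY and USER_TYPE_GUEST). Assumed for this example.
type UserType int

const (
	UserTypePrimary UserType = iota
	UserTypeGuest
)

// Role is a hypothetical role definition. Quota is in bytes; a role without a
// personal space has no quota to check at all.
type Role struct {
	Name             string
	Quota            uint64
	HasPersonalSpace bool
}

// Assumed role catalogue: a regular user with a 10 GiB quota and User Light,
// which (as the thread states) has no personal space.
var (
	RoleUser      = Role{Name: "User", Quota: 10 << 30, HasPersonalSpace: true}
	RoleUserLight = Role{Name: "User Light", Quota: 0, HasPersonalSpace: false}
	rolesByID     = map[string]Role{"user": RoleUser, "user-light": RoleUserLight}
)

// RoleAssignment is a hypothetical stand-in for whatever the role service
// returns for a user; the slice is empty for a user that was never assigned one.
type RoleAssignment struct {
	RoleID string
}

// ErrNoRole is returned when a non-guest user has no assignment at all.
var ErrNoRole = errors.New("user has no role assignment")

// unsafeFirstRole reproduces the failure pattern: indexing the first assignment
// without a length check. The deferred recover turns the runtime panic into an
// error so the message can be inspected instead of killing the request.
func unsafeFirstRole(assignments []RoleAssignment) (role Role, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	return rolesByID[assignments[0].RoleID], nil
}

// EffectiveRole resolves the role to act on. An empty assignment list is a
// legitimate state for an LDAP-provisioned guest, so guests fall back to
// User Light; anyone else without an assignment is an error, not a panic.
func EffectiveRole(t UserType, assignments []RoleAssignment) (Role, error) {
	if len(assignments) == 0 {
		if t == UserTypeGuest {
			return RoleUserLight, nil
		}
		return Role{}, ErrNoRole
	}
	role, ok := rolesByID[assignments[0].RoleID]
	if !ok {
		return Role{}, fmt.Errorf("unknown role id %q", assignments[0].RoleID)
	}
	return role, nil
}

// ShouldCreateHome decides whether a personal space is created at login and,
// if so, which quota limit applies. Roles without a personal space short-circuit
// the quota check entirely.
func ShouldCreateHome(t UserType, assignments []RoleAssignment) (create bool, quota uint64, err error) {
	role, err := EffectiveRole(t, assignments)
	if err != nil {
		return false, 0, err
	}
	return role.HasPersonalSpace, role.Quota, nil
}

func main() {
	// Constructed input: a freshly provisioned LDAP guest with no assignment yet.
	var guest []RoleAssignment

	if _, err := unsafeFirstRole(guest); err != nil {
		fmt.Println("unchecked lookup:", err)
	}
	create, quota, err := ShouldCreateHome(UserTypeGuest, guest)
	fmt.Printf("guest: createHome=%v quota=%d err=%v\n", create, quota, err)
	create, quota, err = ShouldCreateHome(UserTypePrimary, guest)
	fmt.Printf("primary without role: createHome=%v quota=%d err=%v\n", create, quota, err)
	create, quota, err = ShouldCreateHome(UserTypePrimary, []RoleAssignment{{RoleID: "user"}})
	fmt.Printf("primary user: createHome=%v quota=%d err=%v\n", create, quota, err)
}
```

The fallback is keyed on the user type rather than on the absence of an assignment alone, which matches point 1 of the comment: a primary user with no role is a provisioning error worth surfacing, while a guest without one is the expected starting state that should map to User Light. A guest with an explicit assignment still gets that role, in line with point 2.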

@blicknix
Author

blicknix commented Nov 8, 2024

@2403905
Marie should be able to log in and be a user-light, in my opinion, with the configuration we did. Sorry if this was not clear.

@micbar
In my understanding, as the terms guest and user-light were used in the documentation quite often as synonyms, Marie should have been a user-light when she logged in for the first time.

Our goal was to auto-provision these user-lights directly from the LDAP. Or is this not how this parameter was intended?

@2403905
Contributor

2403905 commented Nov 8, 2024

@blicknix Thank you for the clarification. I already prepared the fix.

@github-project-automation github-project-automation bot moved this from In progress to Done in Infinite Scale Team Board Nov 8, 2024
This was referenced Dec 17, 2024