Updated by John Doe over 9 years ago
<ins>**Bug description**</ins>
I failed to configure OpenProject with our company's OpenLDAP server.
Using the internal LDAP Auth option (https://www.openproject.org/help/user-guides/administration/manage-ldap-authentication/) always results in the error “Unable to connect (LDAP-Error: Could not authenticate at the LDAP-Server.)” if tested with the “test” function. The logins always fail using that auth method.
This problem was tested with OpenProject 6/stable and the latest 6.1.4 running bare-metal on CentOS 7.3, with Ruby 2.1.6 and 2.3.3 (https://www.openproject.org/open-source/download/manual-installation-guide/) and using the Docker image (https://www.openproject.org/open-source/download/docker/) on a different VM.
The connection to the LDAP server can be established from the machine using ldapsearch.
The configuration I tested is also in use by other software (like Redmine, OTRS, …) without any problems.
Running tcpdump confirmed that there is <ins>no</ins> traffic between the LDAP server and the OpenProject server.
SELinux is disabled on the OpenProject server.
There is also nothing to see in the production.log (on loglevel: debug):
I, [2017-01-24T09:33:50.978364 #22259] INFO -- : Started GET "/admin/ldap_auth_sources/4/test_connection" for 10.0.0.2 at 2017-01-24 09:33:50 +0100
I, [2017-01-24T09:33:50.980274 #22259] INFO -- : Processing by LdapAuthSourcesController#test_connection as HTML
I, [2017-01-24T09:33:50.980451 #22259] INFO -- : Parameters: {"id"=>"4"}
D, [2017-01-24T09:33:50.982828 #22259] DEBUG -- : ESC[1mESC[35mUser Load (0.5ms)ESC[0m SELECT `users`.* FROM `users` WHERE `users`.`type` IN ('User', 'AnonymousUser', 'DeletedUser', 'SystemUser') AND `users`.
`status` = 1 AND `users`.`id` = 1 LIMIT 1
D, [2017-01-24T09:33:50.987672 #22259] DEBUG -- : ESC[1mESC[36mSQL (1.2ms)ESC[0m ESC[1mSELECT `members`.*, `members`.`id` AS t0_r0, `members`.`user_id` AS t0_r1, `members`.`project_id` AS t0_r2, `members`.`cre
ated_on` AS t0_r3, `members`.`mail_notification` AS t0_r4, `projects`.`id` AS t1_r0, `projects`.`name` AS t1_r1, `projects`.`description` AS t1_r2, `projects`.`is_public` AS t1_r3, `projects`.`parent_id` AS t1_r4
, `projects`.`created_on` AS t1_r5, `projects`.`updated_on` AS t1_r6, `projects`.`identifier` AS t1_r7, `projects`.`status` AS t1_r8, `projects`.`lft` AS t1_r9, `projects`.`rgt` AS t1_r10, `projects`.`project_typ
e_id` AS t1_r11, `projects`.`responsible_id` AS t1_r12, `projects`.`work_packages_responsible_id` AS t1_r13, `roles`.`id` AS t2_r0, `roles`.`name` AS t2_r1, `roles`.`position` AS t2_r2, `roles`.`assignable` AS t2
_r3, `roles`.`builtin` AS t2_r4, `roles`.`permissions` AS t2_r5, `roles`.`type` AS t2_r6 FROM `members` LEFT OUTER JOIN `projects` ON `projects`.`id` = `members`.`project_id` LEFT OUTER JOIN `member_roles` ON `me
mber_roles`.`member_id` = `members`.`id` LEFT OUTER JOIN `roles` ON `roles`.`id` = `member_roles`.`role_id` WHERE `projects`.`status` = 1 AND `members`.`user_id` IN (1) ORDER BY projects.name ASCESC[0m
D, [2017-01-24T09:33:50.989405 #22259] DEBUG -- : ESC[1mESC[35m (0.3ms)ESC[0m SELECT MAX(`settings`.`updated_on`) FROM `settings`
D, [2017-01-24T09:33:50.994148 #22259] DEBUG -- : ESC[1mESC[36mAuthSource Load (0.3ms)ESC[0m ESC[1mSELECT `auth_sources`.* FROM `auth_sources` WHERE `auth_sources`.`id` = 4 LIMIT 1ESC[0m
I, [2017-01-24T09:33:50.995276 #22259] INFO -- : Redirected to http://openproject-test.localdomain/admin/ldap_auth_sources
I, [2017-01-24T09:33:50.995470 #22259] INFO -- : Completed 302 Found in 15ms (ActiveRecord: 2.2ms)
I, [2017-01-24T09:33:51.001287 #22259] INFO -- : Started GET "/admin/ldap_auth_sources" for 10.0.0.2 at 2017-01-24 09:33:51 +0100
I, [2017-01-24T09:33:51.002760 #22259] INFO -- : Processing by LdapAuthSourcesController#index as HTML
D, [2017-01-24T09:33:51.004642 #22259] DEBUG -- : ESC[1mESC[35mUser Load (0.3ms)ESC[0m SELECT `users`.* FROM `users` WHERE `users`.`type` IN ('User', 'AnonymousUser', 'DeletedUser', 'SystemUser') AND `users`.
`status` = 1 AND `users`.`id` = 1 LIMIT 1
D, [2017-01-24T09:33:51.008811 #22259] DEBUG -- : ESC[1mESC[36mSQL (1.0ms)ESC[0m ESC[1mSELECT `members`.*, `members`.`id` AS t0_r0, `members`.`user_id` AS t0_r1, `members`.`project_id` AS t0_r2, `members`.`cre
ated_on` AS t0_r3, `members`.`mail_notification` AS t0_r4, `projects`.`id` AS t1_r0, `projects`.`name` AS t1_r1, `projects`.`description` AS t1_r2, `projects`.`is_public` AS t1_r3, `projects`.`parent_id` AS t1_r4
, `projects`.`created_on` AS t1_r5, `projects`.`updated_on` AS t1_r6, `projects`.`identifier` AS t1_r7, `projects`.`status` AS t1_r8, `projects`.`lft` AS t1_r9, `projects`.`rgt` AS t1_r10, `projects`.`project_typ
e_id` AS t1_r11, `projects`.`responsible_id` AS t1_r12, `projects`.`work_packages_responsible_id` AS t1_r13, `roles`.`id` AS t2_r0, `roles`.`name` AS t2_r1, `roles`.`position` AS t2_r2, `roles`.`assignable` AS t2
_r3, `roles`.`builtin` AS t2_r4, `roles`.`permissions` AS t2_r5, `roles`.`type` AS t2_r6 FROM `members` LEFT OUTER JOIN `projects` ON `projects`.`id` = `members`.`project_id` LEFT OUTER JOIN `member_roles` ON `me
mber_roles`.`member_id` = `members`.`id` LEFT OUTER JOIN `roles` ON `roles`.`id` = `member_roles`.`role_id` WHERE `projects`.`status` = 1 AND `members`.`user_id` IN (1) ORDER BY projects.name ASCESC[0m
D, [2017-01-24T09:33:51.010295 #22259] DEBUG -- : ESC[1mESC[35m (0.2ms)ESC[0m SELECT MAX(`settings`.`updated_on`) FROM `settings`
D, [2017-01-24T09:33:51.016211 #22259] DEBUG -- : ESC[1mESC[36m (0.2ms)ESC[0m ESC[1mSELECT COUNT(*) FROM `auth_sources`ESC[0m
D, [2017-01-24T09:33:51.017367 #22259] DEBUG -- : ESC[1mESC[35mAuthSource Load (0.2ms)ESC[0m SELECT `auth_sources`.* FROM `auth_sources` LIMIT 20 OFFSET 0
D, [2017-01-24T09:33:51.019868 #22259] DEBUG -- : ESC[1mESC[36m (0.3ms)ESC[0m ESC[1mSELECT COUNT(*) FROM `users` WHERE `users`.`type` IN ('User', 'AnonymousUser', 'DeletedUser', 'SystemUser') AND `users`.`auth
_source_id` = 4ESC[0m
D, [2017-01-24T09:33:51.021519 #22259] DEBUG -- : ESC[1mESC[35mUser Exists (0.3ms)ESC[0m SELECT 1 AS one FROM `users` WHERE `users`.`type` IN ('User', 'AnonymousUser', 'DeletedUser', 'SystemUser') AND `users`
.`auth_source_id` = 4 LIMIT 1
I, [2017-01-24T09:33:51.022936 #22259] INFO -- : Rendered auth_sources/index.html.erb within layouts/admin (8.2ms)
I, [2017-01-24T09:33:51.030424 #22259] INFO -- : Rendered admin/_menu.html.erb (6.7ms)
D, [2017-01-24T09:33:51.032167 #22259] DEBUG -- : ESC[1mESC[36mUserPreference Load (0.3ms)ESC[0m ESC[1mSELECT `user_preferences`.* FROM `user_preferences` WHERE `user_preferences`.`user_id` = 1 LIMIT 1ESC[0m
I, [2017-01-24T09:33:51.034929 #22259] INFO -- : Rendered common/_favicons.html.erb (0.9ms)
I, [2017-01-24T09:33:51.042005 #22259] INFO -- : Rendered search/_mini_form.html.erb (0.6ms)
I, [2017-01-24T09:33:51.045193 #22259] INFO -- : Rendered layouts/_action_menu.html.erb (0.1ms)
I, [2017-01-24T09:33:51.045887 #22259] INFO -- : Rendered layouts/base.html.erb (15.1ms)
I, [2017-01-24T09:33:51.046243 #22259] INFO -- : Completed 200 OK in 43ms (Views: 30.6ms | ActiveRecord: 2.9ms)
I, [2017-01-24T09:33:53.476131 #22259] INFO -- : Started GET "/admin/ldap_auth_sources/4/test_connection" for 10.0.0.2 at 2017-01-24 09:33:53 +0100
I, [2017-01-24T09:33:53.478085 #22259] INFO -- : Processing by LdapAuthSourcesController#test_connection as HTML
I, [2017-01-24T09:33:53.478172 #22259] INFO -- : Parameters: {"id"=>"4"}
<ins>**Steps to reproduce the bug**</ins>
```
docker run -it -p 8080:80 -e SECRET_KEY_BASE=secret openproject/community:6
```
\- Log in with "admin":"admin"
\- Change password (password change is forced by the software)
\- Administration -\> LDAP authentication -\> + Authentication mode -\> \<configure (see picture)\> -\> Create -\> Test -\> “Unable to connect (LDAP-Error: Could not authenticate at the LDAP-Server.)”
<ins>**Misc**</ins>
\- We also tried to use LDAPS on Port 636.
\- The journal and the passenger logs (Level 5 debug) are also not helping.
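
The report's error text says "Could not authenticate", while tcpdump shows that no packets leave the host, so the failing layer is unclear. The following added example (not part of the original report and not OpenProject code) probes the LDAP endpoint one layer at a time from the application host or container, using only Ruby's standard library. The function name `probe_ldap_endpoint` and its parameters are hypothetical.

```ruby
require "socket"
require "openssl"
require "timeout"

# Added example: report the first network layer that fails (DNS, TCP, TLS)
# so a generic "could not authenticate" error can be narrowed down.
# Host, port and timeout are supplied by the caller; nothing is taken from OpenProject.
def probe_ldap_endpoint(host, port, tls: false, timeout: 3)
  begin
    addr = Addrinfo.getaddrinfo(host, port, nil, :STREAM).first
  rescue SocketError => e
    return { stage: :dns, ok: false, detail: e.message }
  end

  begin
    sock = Socket.tcp(host, port, connect_timeout: timeout)
  rescue SystemCallError, SocketError, IOError => e
    # Refused, timed out or unreachable: no LDAP bind was ever sent.
    return { stage: :tcp, ok: false, detail: e.class.name }
  end

  begin
    return { stage: :tcp, ok: true, detail: addr.ip_address } unless tls

    # LDAPS (e.g. port 636): verify the chain and host name against the
    # system trust store, as a strict client would.
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER)
    ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    ssl.hostname = host
    Timeout.timeout(timeout) { ssl.connect }
    ssl.post_connection_check(host)
    { stage: :tls, ok: true, detail: ssl.ssl_version }
  rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError, Timeout::Error => e
    { stage: :tls, ok: false, detail: "#{e.class}: #{e.message}" }
  ensure
    sock.close unless sock.closed?
  end
end

# Stand-alone use: ruby probe.rb HOST PORT [tls]
if $PROGRAM_NAME == __FILE__ && ARGV.size >= 2
  p probe_ldap_endpoint(ARGV[0], Integer(ARGV[1]), tls: ARGV[2] == "tls")
end
```

A result of `stage: :tcp, ok: true` with a bind that still fails points at the application's LDAP settings rather than the network; `stage: :dns` or `stage: :tcp` with `ok: false` matches the "no traffic" observation.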