LDAP debugging not possible within LXC container?

[rholighaus]

I'm running wekan as a snap app within an unprivileged LXC Ubuntu 19.04 disco container unter Proxmox PVE 5.3. It's running well but I can't manage to LDAP to work. Unfortunately, I cannot see what Wekan is actually sending / receiving to/from the Active Directory server, no matter what I put into my config.

Here is my config:

{
        "default-authentication-method": "ldap",
        "ldap-authentication": true,
        "ldap-authentication-password": "xxxxxx",
        "ldap-authentication-userdn": "CN=Administrator,CN=Users,DC=mydomain,DC=local",
        "ldap-background-sync": true,
	"ldap-basedn": "OU=SHK Benutzer,DC=mydomain,DC=local",
	"ldap-default-domain": "mydomain",
	"ldap-email-field": "mail",
	"ldap-enable": true,
	"ldap-fullname-field": "cn",
	"ldap-host": "192.168.1.6",
	"ldap-internal-log-level": "debug",
	"ldap-log-enable": true,
	"ldap-log-enabled": true,
	"ldap-port": 389,
	"ldap-reject-unauthorized": true,
	"ldap-search-field": "sAMAccountName",
	"ldap-sync-user-data-fieldmap": {
		"cn": "name",
		"mail": "email"
	},
	"ldap-user-authentication": true,
	"ldap-user-authentication-field": "userPrincipalName",
	"ldap-user-search-field": "sAMAccountName",
	"ldap-user-search-scope": "sub",
	"ldap-username-field": "sAMAccountName",
	"loglevel": 5,
	"port": 80,
	"root-url": "http://192.168.100.129"
}

In my syslog, all I can see is this when trying to login:

Sep 18 14:51:24 snaptest wekan.wekan[42496]: [INFO] Init LDAP login "[email protected]"
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [WARN] Lookup for unset variable: LDAP_USER_ATTRIBUTES
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [INFO] Init setup
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [INFO] Connecting "ldap://192.168.1.6:389"
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [DEBUG] connectionOptions{ url: 'ldap://192.168.1.6:389',
Sep 18 14:51:24 snaptest wekan.wekan[42496]:   timeout: 10000,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:   connectTimeout: 10000,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:   idleTimeout: 10000,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:   reconnect: true,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:   log:
Sep 18 14:51:24 snaptest wekan.wekan[42496]:    Logger {
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      domain: null,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      _events: {},
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      _eventsCount: 0,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      _maxListeners: undefined,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      _level: 30,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      streams: [ [Object] ],
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      serializers: null,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      src: false,
Sep 18 14:51:24 snaptest wekan.wekan[42496]:      fields:
Sep 18 14:51:24 snaptest wekan.wekan[42496]:       { name: 'ldapjs',
Sep 18 14:51:24 snaptest wekan.wekan[42496]:         component: 'client',
Sep 18 14:51:24 snaptest wekan.wekan[42496]:         hostname: 'snaptest',
Sep 18 14:51:24 snaptest wekan.wekan[42496]:         pid: 43930 } } }
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [INFO] LDAP connected
Sep 18 14:51:24 snaptest wekan.wekan[42496]: [ERROR] InvalidCredentialsError: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
Sep 18 14:51:24 snaptest wekan.wekan[42496]:  

I can take tcpdump logs and try to find out what Wekan sends to the directory server but that's kind of frustrating and there must be a better way. Any idea why I can't get decent log information?

[xet7]

Config should also have:

"debug": true,

Snap logs to syslog. So to debug inside LXC container, you should first go inside of LXC container:

lxc exec ContainerNameHere -- /bin/bash

And then check syslog.

[rholighaus]

Thanks Lauri. I am debugging within the container and wekan dees write to /var/log/syslog, which you can see above.

Alas, it does not write LDAP debugging information there.

I have set "debug": true but it makes no difference. This is what I'm running:

root@snaptest:~# snap list
Name   Version  Rev   Tracking  Publisher   Notes
core   16-2.41  7713  stable    canonical*  core
wekan  3.44     632   beta      xet7        -

Latest configuration:

root@snaptest:~# snap get -d wekan
{
	"debug": true,
	"default-authentication-method": "ldap",
	"ldap-authentication": true,
	"ldap-authentication-password": "xxxxx",
	"ldap-authentication-userdn": "CN=Administrator,CN=Users,DC=mydomain,DC=local",
	"ldap-background-sync": true,
	"ldap-basedn": "OU=SHK Benutzer,DC=mydomain,DC=local",
	"ldap-default-domain": "mydomain.com",
	"ldap-email-field": "mail",
	"ldap-enable": true,
	"ldap-fullname-field": "cn",
	"ldap-host": "192.168.1.6",
	"ldap-internal-log-level": "debug",
	"ldap-log-enable": true,
	"ldap-log-enabled": true,
	"ldap-port": 389,
	"ldap-reject-unauthorized": true,
	"ldap-search-field": "sAMAccountName",
	"ldap-sync-user-data-fieldmap": {
		"cn": "name",
		"mail": "email"
	},
	"ldap-user-authentication": true,
	"ldap-user-authentication-field": "userPrincipalName",
	"ldap-user-search-field": "sAMAccountName",
	"ldap-user-search-scope": "sub",
	"ldap-username-field": "sAMAccountName",
	"loglevel": 5,
	"port": 80,
	"root-url": "http://192.168.100.129"
}

Running out of ideas here.

Here's the syslog output (again):

Sep 18 16:05:43 snaptest mongod.27019[47713]: [conn5] received client metadata from 127.0.0.1:39932 conn5: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:43 snaptest mongod.27019[47713]: [conn6] received client metadata from 127.0.0.1:39934 conn6: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:48 snaptest mongod.27019[47713]: [conn5] received client metadata from 127.0.0.1:39932 conn5: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:48 snaptest mongod.27019[47713]: [conn6] received client metadata from 127.0.0.1:39934 conn6: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [INFO] Init LDAP login "username"
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [WARN] Lookup for unset variable: LDAP_USER_ATTRIBUTES
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [INFO] Init setup
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [INFO] Connecting "ldap://192.168.1.6:389"
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [DEBUG] connectionOptions{ url: 'ldap://192.168.1.6:389',
Sep 18 16:05:49 snaptest wekan.wekan[46289]:   timeout: 10000,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:   connectTimeout: 10000,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:   idleTimeout: 10000,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:   reconnect: true,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:   log:
Sep 18 16:05:49 snaptest wekan.wekan[46289]:    Logger {
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      domain: null,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      _events: {},
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      _eventsCount: 0,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      _maxListeners: undefined,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      _level: 30,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      streams: [ [Object] ],
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      serializers: null,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      src: false,
Sep 18 16:05:49 snaptest wekan.wekan[46289]:      fields:
Sep 18 16:05:49 snaptest wekan.wekan[46289]:       { name: 'ldapjs',
Sep 18 16:05:49 snaptest wekan.wekan[46289]:         component: 'client',
Sep 18 16:05:49 snaptest wekan.wekan[46289]:         hostname: 'snaptest',
Sep 18 16:05:49 snaptest wekan.wekan[46289]:         pid: 47728 } } }
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [INFO] LDAP connected
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [ERROR] InvalidCredentialsError: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
Sep 18 16:05:49 snaptest wekan.wekan[46289]:  
Sep 18 16:05:53 snaptest mongod.27019[47713]: [conn5] received client metadata from 127.0.0.1:39932 conn5: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:53 snaptest mongod.27019[47713]: [conn6] received client metadata from 127.0.0.1:39934 conn6: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:58 snaptest mongod.27019[47713]: [conn5] received client metadata from 127.0.0.1:39932 conn5: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:58 snaptest mongod.27019[47713]: [conn6] received client metadata from 127.0.0.1:39934 conn6: { driver: { name: "nodejs", version: "2.2.9" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.18-20-pve" }, platform: "Node.js v8.16.1, LE, mongodb-core: 2.0.11" }
Sep 18 16:05:59 snaptest wekan.wekan[46289]: [INFO] Idle
Sep 18 16:05:59 snaptest wekan.wekan[46289]: [INFO] Disconecting
Sep 18 16:05:59 snaptest wekan.wekan[46289]: [INFO] Closed

[xet7]

It could be related to some settings. Please check current values at:
https://github.com/wekan/wekan/blob/master/docker-compose.yml

Also Univention appliance includes LDAP server and Wekan works with it:
https://github.com/wekan/wekan/wiki/Platforms

Wekan at Univention has this Docker template. I think setting depend on LDAP server.

version: '2'

services:

  wekandb:
    image: mongo:3.2.22
    container_name: wekan-db
    restart: always
    command: mongod --smallfiles --oplogSize 128
    expose:
      - 27017
    volumes:
      - /var/lib/univention-appcenter/apps/wekan/data/db:/data/db
      - /var/lib/univention-appcenter/apps/wekan/data/dump:/dump

  wekan:
    image: quay.io/wekan/wekan:v3.42
    container_name: wekan-app
    restart: always
    ports:
      - 8080:8080
    environment:
      - MONGO_URL=mongodb://wekandb:27017/wekan
      - ROOT_URL=@%@wekan/ROOT_URL@%@
      - ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE=@%@wekan/ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE@%@
      - MAIL_URL='smtp://@%@hostname@%@.@%@domainname@%@:25'
      - MAIL_FROM='Wekan Notifications <noreply.wekan@@%@domainname@%@>'
      - WITH_API=true
      - BROWSER_POLICY_ENABLED=true
      - DEFAULT_AUTHENTICATION_METHOD=ldap
      - LDAP_ENABLE=true
      - LDAP_PORT=@%@ldap/server/port@%@
      - LDAP_HOST=@%@ldap/server/name@%@
      - LDAP_BASEDN=@%@ldap/base@%@
      - LDAP_LOGIN_FALLBACK=false
      - LDAP_RECONNECT=true
      - LDAP_TIMEOUT=10000
      - LDAP_IDLE_TIMEOUT=10000
      - LDAP_CONNECT_TIMEOUT=10000
      - LDAP_AUTHENTIFICATION=true
      - LDAP_AUTHENTIFICATION_USERDN=@%@appcenter/apps/wekan/hostdn@%@
      - LDAP_LOG_ENABLED=true
      - LDAP_BACKGROUND_SYNC=false
      - LDAP_BACKGROUND_SYNC_INTERVAL=100
      - LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=false
      - LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=false
      - LDAP_ENCRYPTION=tls
      - LDAP_CA_CERT=@!@
import os
ca_file = '/etc/univention/ssl/ucsCA/CAcert.pem'
if os.path.isfile(ca_file):
	with open(ca_file, 'r') as fd:
		ca = fd.read().replace('\n', '')
		print(ca)@!@
      - LDAP_REJECT_UNAUTHORIZED=false
      - LDAP_USER_SEARCH_FILTER=(wekanActivated=TRUE)
      - LDAP_USER_SEARCH_SCOPE=sub
      - LDAP_USER_SEARCH_FIELD=uid
      - LDAP_SEARCH_PAGE_SIZE=0
      - LDAP_SEARCH_SIZE_LIMIT=0
      - LDAP_GROUP_FILTER_ENABLE=true
      - LDAP_GROUP_FILTER_OBJECTCLASS=univentionGroup
      - LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=
      - LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE=uniqueMember
      - LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT=dn
      - LDAP_GROUP_FILTER_GROUP_NAME=
      - LDAP_UNIQUE_IDENTIFIER_FIELD=uidNumber
      - LDAP_UTF8_NAMES_SLUGIFY=true
      - LDAP_USERNAME_FIELD=uid
      - LDAP_FULLNAME_FIELD=displayName
      - LDAP_MERGE_EXISTING_USERS=false
      - LDAP_EMAIL_FIELD=mailPrimaryAddress
      - LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mailPrimaryAddress":"email"}
      - LDAP_DEFAULT_DOMAIN=@%@domainname@%@
      - LDAP_SYNC_ADMIN_STATUS=true
      - LDAP_SYNC_ADMIN_GROUPS=@!@
from univention.lib.misc import custom_groupname
print(custom_groupname('Domain Admins'))@!@
      - LDAP_AUTHENTIFICATION_PASSWORD=@!@
import os
pw_file = '/var/lib/univention-appcenter/apps/wekan/machine.secret'
if os.path.isfile(pw_file):
	with open(pw_file, 'r') as fd:
		pw = fd.read()
		print(pw)@!@
@!@
PREFIX = 'appcenter/env/wekan'
for key, value in configRegistry.items():
	if key.startswith(PREFIX) and key != PREFIX:
		print("      - %s=%s" % (key.split('/')[-1], value))
@!@

    depends_on:
      - wekandb

[xet7]

In general, same LDAP settings should work both with Snap and Docker.

[rholighaus]

Hi @xet7 I would prefer to get the logging to work instead of endless trial-and-error...
Any idea how to make it work?

[xet7]

@rholighaus

Do you mean this?

lxc exec ContainerNameHere -- /bin/bash

sudo snap logs wekan.caddy

sudo snap logs wekan.wekan

sudo snap logs wekan.mongodb

[rholighaus]

Hi @xSET7 I know how to read the logfiles. What I'm saying is that LDAP is not logging debugging info. See my logfile excerpts further up in the thread.

I cannot debug ldap. Full stop. I think this is a bug and I'm trying to help fix it.

[xet7]

Hmm? Well, LDAP code is here:
https://github.com/wekan/wekan/tree/master/packages/wekan-ldap

So I think, you just add there showing variables:

console.log variablename

Or alternatively, with checking that environment variable DEBUG=true is set.

Then you rebuild from source code:

git clone https://github.com/wekan/wekan
cd wekan
./rebuild-wekan.sh

Select 1 and Enter to install dependencies. Then:

./rebuild-wekan.sh

Select 2 to build Wekan. Then edit start-wekan.sh to have correct port.
If you use port 80, you need to add support for running at that port by running:

./releases/virtualbox/node-allow-port-80.sh

If you like to have meteor notice changed code files, and then rebuild, instead of start-wekan.sh you should use this kind of script:

cd wekan
WITH_API=true LDAPSETTING1=something ROOT_URL=something meteor --port 4000

To get lint / eslint to accept console.log, you may need to add some ignore rules, that you can find with find.sh script, that ignores those directories that are generated by build scripts and installed npm modules:

cd wekan
./find.sh eslint

[rholighaus]

Hi @xet7,

thank you for your recommendation but a) I'm running the snap version (hence https://github.com/wekan/wekan-snap/issues) and b) I just want the software to tell me what it does so I can see where my settings may be incorrect.

I do everything according to the documentation but the syslog just says

Sep 18 16:05:49 snaptest wekan.wekan[46289]: [INFO] LDAP connected
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [ERROR] InvalidCredentialsError: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
Sep 18 16:05:49 snaptest wekan.wekan[46289]:  

which is what I've posted above. According to some searching, other people seem to face the same issue. No debugging information.

[xet7]

Ooops sorry for my too technical answer. I did re-read this issue and it seems Wekan does not show enough details.

Do you know what are these settings?

Sep 18 16:05:49 snaptest wekan.wekan[46289]: [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL
Sep 18 16:05:49 snaptest wekan.wekan[46289]: [WARN] Lookup for unset variable: LDAP_USER_ATTRIBUTES

[rholighaus]

no worries :)- Unfortunately, snap doesn’t use environment variables - or I wouldn’t know how to set them.

…

-- Ralf U. Holighaus - on my iPhone Schopenhauerstr. 23 14129 Berlin, Germany Mobile: +49.172.7108171

Am 05.10.2019 um 01:10 schrieb Lauri Ojansivu ***@***.***>:  Ooops sorry for my too technical answer. I did re-read this issue and it seems Wekan does not show enough details. Do you know what are these settings? Sep 18 16:05:49 snaptest wekan.wekan[46289]: [WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL Sep 18 16:05:49 snaptest wekan.wekan[46289]: [WARN] Lookup for unset variable: LDAP_USER_ATTRIBUTES — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.