Issue with AD Authentication in recent conservancy version

Mads Kiilerich mads at kiilerich.com
Thu Mar 5 17:36:49 UTC 2020


I'm not familiar with supervisord. I would expect the print output to 
show up in your stdout_logfile ... but only after a restart of 
supervisord (or your Kallithea service).

Do you see other output in the log? What?
Perhaps instead try
log.error('Got ldap DN response %s: %r', user_dn, ldap_attrs)

Perhaps also try temporarily running gearbox in the foreground as the 
Kallithea user, just for testing.

(Others with a working AD/LDAP setup can perhaps also help out testing.)

/Mads



On 3/5/20 5:41 PM, Reuben Popp wrote:
> Okay, so I added that line, along with an additional line above it to 
> print my name as a placeholder, but I'm not seeing this in the stdout 
> file (I'm running kallithea using supervisord).  Is there something 
> else I need to do or add to my.ini?
>
> Thanks again
>
> On Thu, Mar 5, 2020 at 9:48 AM Mads Kiilerich <mads at kiilerich.com> wrote:
>
>     On 3/5/20 4:29 PM, Reuben Popp wrote:
>>     Good morning Mads (or afternoon as the case may be where you're at).
>>
>>     My apologies that the report was so sparse.  When I wrote it, I
>>     was neck deep in the middle of trying to get things set up for
>>     our architects to trial Kallithea.
>>
>>     Yes, this was the default branch downloaded from the bitbucket
>>     mirror on February 25th.
>>
>>     My original report and fix were incorrect.  With it in place,
>>     what I noticed was that while an Active Directory account could
>>     log in, it would prevent me from logging in using the (local)
>>     kallithea admin account.  My best guess here, being a relatively
>>     new python noob is that in the case of the kallithea admin
>>     account, the email was a string literal, which would then fail
>>     because there was no decode() method.  On the other hand, it
>>     would work for a byte string such as that coming from AD.
>>
>>     That said, the following works for both AD and the local
>>     kallithea account:
>>
>>     --- lib/helpers.py  2020-02-25 11:18:44.000000000 -0600
>>
>>     +++ lib/helpers.py.new 2020-03-05 09:11:30.394700849 -0600
>>
>>     @@ -951,6 +951,9 @@
>>
>>          if email_address == _def:
>>
>>              return default
>>
>>     +    if isinstance(email_address, bytes):
>>
>>     +        email_address = email_address.decode('utf-8')
>>
>>     +
>>
>>          parsed_url = urllib.parse.urlparse(url.current(qualified=True))
>>
>>          url = (c.visual.gravatar_url or User.DEFAULT_GRAVATAR_URL) \
>>
>>                     .replace('{email}', email_address) \
>>
>>
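Review bot: the `isinstance(email_address, bytes)` check added ahead of `parsed_url` patches only this one consumer of the value, while the same bytes still reach every other place the user's fields are used (the thread shows b'Reuben' b'Popp' in the user record). Decode once where the LDAP result is read, in auth_ldap, and keep this helper accepting str only. If a guard does stay here, note that `email_address.decode('utf-8')` uses strict error handling, so a value that is not valid UTF-8 raises UnicodeDecodeError inside this helper; catch it or return `default`.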
>>     One thing of note though, and I think this is a deeper issue, as
>>     you said, and that's when I look at any AD user account in
>>     kallithea, each field (eg, first, last, etc) is enclosed in the
>>     byte (?) field delimiter.  eg: b'Reuben' b'Popp'
>
>
>     Yes, the problem seems to be that values retrieved from LDAP are
>     byte encoded. They should be decoded in auth_ldap. But probably
>     only some of the values. I would thus still need
>
>
>>
>>         Can you try this and report back when it prints out when you
>>         log in
>>         using AD/LDAP?
>>
>>         --- kallithea/lib/auth_modules/auth_ldap.py
>>         +++ kallithea/lib/auth_modules/auth_ldap.py
>>         @@ -326,6 +326,7 @@ class KallitheaAuthPlugin(auth_modules.K
>>                       aldap = AuthLdap(**kwargs)
>>                       (user_dn, ldap_attrs) =
>>         aldap.authenticate_ldap(username,
>>         password)
>>                       log.debug('Got ldap DN response %s', user_dn)
>>         +            print(ldap_attrs)
>>
>>                       def get_ldap_attr(k):
>>                           return ldap_attrs.get(settings.get(k), [''])[0]
>>
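Review bot: `print(ldap_attrs)` directly after the `log.debug('Got ldap DN response %s', user_dn)` line bypasses the logger this function already uses, so whether the output is seen depends on how stdout is captured, and it writes every attribute returned for the authenticating user. For the test, log it through `log` with `%r` next to the existing debug call, and drop it again afterwards. The `get_ldap_attr` context line falls back to `['']`, a str default, while the thread reports that the LDAP values arrive as bytes, so that function is the natural place to decode.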
>
>     /Mads
>
>
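The decoding step discussed in the thread above (decode LDAP values in auth_ldap, but only some of them), as an added example that is not part of the original messages or of Kallithea's code. The names `decode_ldap_attrs`, `first_value` and `TEXT_ATTRS`, the attribute list and the sample data are assumptions made for illustration.

```python
# Added example. Attribute names are common AD ones; SAMPLE is constructed.
TEXT_ATTRS = frozenset({"givenName", "sn", "mail", "sAMAccountName"})

# Assumed result shape (python-ldap on Python 3): str keys, lists of bytes.
SAMPLE = {
    "givenName": [b"Reuben"],
    "sn": [b"Popp"],
    "mail": [b"reuben@example.com"],
    "objectGUID": [b"\x9f\x01\xfe\xff" * 4],  # binary, not valid UTF-8
}


def _to_text(name, value, encoding):
    """Decode one value strictly; name the attribute if it is not valid text."""
    if isinstance(value, str):  # local accounts already hold str
        return value
    try:
        return value.decode(encoding)
    except UnicodeDecodeError as exc:
        raise ValueError("LDAP attribute %r is not valid %s" % (name, encoding)) from exc


def decode_ldap_attrs(ldap_attrs, text_attrs=TEXT_ATTRS, encoding="utf-8"):
    """Return a copy with text attributes decoded to str, the rest left as bytes."""
    wanted = {name.lower() for name in text_attrs}  # LDAP names are case-insensitive
    decoded = {}
    for name, values in ldap_attrs.items():
        if name.lower() in wanted:
            decoded[name] = [_to_text(name, v, encoding) for v in values]
        else:
            decoded[name] = list(values)
    return decoded


def first_value(attrs, name, default=""):
    """First value of an attribute, or default when it is missing or empty."""
    values = attrs.get(name)
    return values[0] if values else default


if __name__ == "__main__":
    user = decode_ldap_attrs(SAMPLE)
    print(first_value(user, "givenName"), first_value(user, "sn"))
    print(type(first_value(user, "objectGUID")).__name__)
```

Decoding strictly and failing with the attribute name keeps a malformed directory value from being silently altered before it is stored on the user record.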
