Issue with AD Authentication in recent conservancy version
Mads Kiilerich
mads at kiilerich.com
Fri Mar 6 15:06:44 UTC 2020
(Please keep the list as recipient or CC.)
That error seems to imply that Mercurial isn't compatible with gearbox
--log-file . That can perhaps be fixed or worked around, but for now
just don't use that option.
The --debug and -v options to gearbox will just control output from
gearbox. They will do anything for the logging from the Kallithea app.
Kallithea logging is controlled inside the .ini .
Please just use a simple 'gearbox serve -c my.ini' as described on
https://kallithea.readthedocs.io/en/stable/setup.html . You can find the
relevant lines on the console, or redirect by adding ' 2> gb.log ' .
/Mads
On 3/5/20 7:22 PM, Reuben Popp wrote:
> Hi Mads,
>
> Still having trouble here. I stopped the existing instance from
> supervisord, activated the kallithea-venv and then ran:
> ./kalliteha-venv/bin/gearbox --debug -vvvv --log-file gb.log serve -c
> kallithea/my.ini
>
> The instance fails to start at all. gb.log has a sizable stack trace,
> with the main fault showing:
>
> File
> "/srv/kallithea-venv/lib64/python3.6/site-packages/mercurial/pycompat.py",
> line 148, in <module>
> stdout = sys.stdout.buffer
> AttributeError: 'LazyWriter' object has no attribute 'buffer'
>
> On Thu, Mar 5, 2020 at 11:36 AM Mads Kiilerich <mads at kiilerich.com> wrote:
>
> I'm not familiar with supervisord. I would expect the print output
> to show up in your stdout_logfile ... but only after a restart of
> supervisord (or your Kallithea service).
>
> Do you see other output in the log? What?
> Perhaps instead try
> log.error('Got ldap DN response %s: %r', user_dn, ldap_attrs)
>
> Perhaps also try temporarily running gearbox in the foreground as
> the Kallithea user, just for testing.
>
> (Others with a working AD/LDAP setup can perhaps also help out
> testing.)
>
> /Mads
>
>
>
> On 3/5/20 5:41 PM, Reuben Popp wrote:
>> Okay, so I added that line, along with an additional line above
>> it to print my name as a placeholder, but I'm not seeing this in
>> the stdout file (I'm running kallithea using supervisord). Is
>> there something else I need to do or add to my.ini?
>>
>> Thanks again
>>
>> On Thu, Mar 5, 2020 at 9:48 AM Mads Kiilerich <mads at kiilerich.com> wrote:
>>
>> On 3/5/20 4:29 PM, Reuben Popp wrote:
>>> Good morning Mads (or afternoon as the case may be where
>>> you're at).
>>>
>>> My apologies that the report was so sparse. When I wrote it,
>>> I was neck deep in the middle of trying to get things set up
>>> for our architects to trial Kallithea.
>>>
>>> Yes, this was the default branch downloaded from the
>>> bitbucket mirror on February 25th.
>>>
>>> My original report and fix were incorrect. With it in
>>> place, what I noticed was that while an Active Directory
>>> account could log in, it would prevent me from logging in
>>> using the (local) kallithea admin account. My best guess
>>> here, being a relatively new python noob is that in the case
>>> of the kallithea admin account, the email was a string
>>> literal, which would then fail because there was no decode()
>>> method. On the other hand, it would work for a byte string
>>> such as that coming from AD.
>>>
>>> That said, the following works for both AD and the local
>>> kallithea account:
>>>
>>> --- lib/helpers.py 2020-02-25 11:18:44.000000000 -0600
>>>
>>> +++ lib/helpers.py.new 2020-03-05 09:11:30.394700849 -0600
>>>
>>> @@ -951,6 +951,9 @@
>>>
>>> if email_address == _def:
>>>
>>> return default
>>>
>>> + if isinstance(email_address, bytes):
>>>
>>> + email_address = email_address.decode('utf-8')
>>>
>>> +
>>>
>>> parsed_url =
>>> urllib.parse.urlparse(url.current(qualified=True))
>>>
>>> url = (c.visual.gravatar_url or
>>> User.DEFAULT_GRAVATAR_URL) \
>>>
>>> .replace('{email}', email_address) \
>>>
>>>
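Review bot: The isinstance(email_address, bytes) branch added before parsed_url fixes the type only inside this helper, so any other code that receives the same value still gets bytes; decoding once at the point where the value enters the application would cover every caller. The strict .decode('utf-8') also raises UnicodeDecodeError on input that is not valid UTF-8, so either catch that here or pass an errors= policy such as errors='replace'.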
>>> One thing of note though, and I think this is a deeper
>>> issue, as you said, and that's when I look at any AD user
>>> account in kallithea, each field (eg, first, last, etc) is
>>> enclosed in the byte (?) field delimiter. eg: b'Reuben'
>>> b'Popp'
>>
>>
>> Yes, the problem seems to be that values retrieved from LDAP
>> are byte encoded. They should be decoded in auth_ldap. But
>> probably only some of the values. I would thus still need
>>
>>
>>>
>>> Can you try this and report back when it prints out when
>>> you log in
>>> using AD/LDAP?
>>>
>>> --- kallithea/lib/auth_modules/auth_ldap.py
>>> +++ kallithea/lib/auth_modules/auth_ldap.py
>>> @@ -326,6 +326,7 @@ class KallitheaAuthPlugin(auth_modules.K
>>> aldap = AuthLdap(**kwargs)
>>> (user_dn, ldap_attrs) =
>>> aldap.authenticate_ldap(username,
>>> password)
>>> log.debug('Got ldap DN response %s', user_dn)
>>> + print(ldap_attrs)
>>>
>>> def get_ldap_attr(k):
>>> return ldap_attrs.get(settings.get(k),
>>> [''])[0]
>>>
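Review bot: The added print(ldap_attrs) writes the complete attribute dictionary of the authenticating user to stdout, outside the logger that the log.debug call on the line above already uses, so it ignores the configured log level and destination. For a diagnostic that can stay in place, log it through log.debug with %r, and drop the line before anything is committed. The context line in get_ldap_attr also falls back to [''], a str, which will mix with bytes values if the attributes are not decoded first.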
>>
>> /Mads
>>
>>
>
> _______________________________________________
> kallithea-general mailing list
> kallithea-general at sfconservancy.org
> https://lists.sfconservancy.org/mailman/listinfo/kallithea-general
>
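An added example, not part of the thread and not Kallithea's code, of the point made above that values retrieved from LDAP are bytes and that probably only some of them should be decoded. The names decode_ldap_attrs, first_attr and TEXT_ATTRS, the attribute list and the sample entry are assumptions made for illustration.

```python
# Added example: decode text-valued LDAP attributes once, at the auth boundary.
# All names here are hypothetical; the sample entry is constructed.

# Assumed set of attributes that hold text (compared case-insensitively).
TEXT_ATTRS = {'givenname', 'sn', 'mail', 'samaccountname', 'displayname'}


def decode_ldap_attrs(ldap_attrs, text_attrs=TEXT_ATTRS, encoding='utf-8'):
    """Return a copy of ldap_attrs with text attributes decoded to str.

    ldap_attrs maps attribute name -> list of values, the values being bytes.
    Attributes not in text_attrs (GUIDs, photos, ...) stay bytes, because
    decoding binary data would corrupt it.
    """
    decoded = {}
    for name, values in ldap_attrs.items():
        if name.lower() in text_attrs:
            # errors='replace' keeps login working when a directory value
            # is not valid UTF-8, at the cost of U+FFFD in the result.
            decoded[name] = [
                v.decode(encoding, errors='replace') if isinstance(v, bytes) else v
                for v in values
            ]
        else:
            decoded[name] = list(values)
    return decoded


def first_attr(attrs, name, default=''):
    """First value of an attribute, or default when it is absent or empty."""
    values = attrs.get(name) or [default]
    return values[0]


# Constructed sample shaped like the attribute dict of one directory entry.
SAMPLE = {
    'givenName': [b'Reuben'],
    'sn': [b'Popp'],
    'mail': [b'r.popp@example.com'],
    'objectGUID': [b'\x9f\x01\xfe\xa3\x10\x00\x42\x7f'],
    'displayName': [],
}

if __name__ == '__main__':
    # Without decoding, str() of the value is what ends up in the user record.
    print('undecoded:', str(first_attr(SAMPLE, 'givenName')))
    clean = decode_ldap_attrs(SAMPLE)
    print('decoded:  ', first_attr(clean, 'givenName'), first_attr(clean, 'sn'))
```
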