request #10941 Cannot bind a ugroup to a LDAP directory group that is not at the first level of the tree
    Ruben (lmcrubs)
    2018-01-11 13:21
    2017-12-20 21:16
    While doing tests on Tuleap 9.15
    I am finding a problem with ‘Set directory group binding’.

    Whatever LDAP group I fill in the text box (see included picture), it results in ‘No results found’,
    while this functionality works fine in 9.14.

    Is there anything else that should be done in order to be able to bind the directory?

    It seems that an extra check is being done compared with the 9.14 version,
    and this check seems to be failing.

    Hence it is not possible to synchronize: the Synchronize button is never clickable.

    Authentication & LDAP
    CentOS 6
    Patricia Carrasco (pcar), Emilio Palmiero (empa), Stephan Bill (stephanbill)


    •
      gerrit #10295 integrated into Tuleap

      • Status changed from Under review to Closed
      • Connected artifacts
      • Close date set to 2018-01-11
    •
      A patch is under review: gerrit #10295.

      • Summary
        -Set directory group binding, not working in 9.15
        +Cannot bind a ugroup to a LDAP directory group that is not at the first level of the tree
      • Status changed from Acknowledged to Under review
    •
      Hello Thomas,

      The LDAP search for an LDAP group from the command line is like:
      ldapsearch -H ldaps://<ldap server> -x -s sub -D "CN=ALMEGADSVC,OU=CA,OU=SvcAccount,OU=P001,OU=ID,OU=Data,DC=ericsson,DC=se" -w psw -b "OU=P001,OU=GRP,OU=Data,DC=ericsson,DC=se" "cn=idm-openalmadmin"

      where the last parameter is the group.
    •

      Can you please share the ldapsearch command you have used to test the behavior on a command line interface?
    •
      Please let me know if there is more information you may need to continue on this.
    •
      Hello Thomas,

      Below is the result when accessing the 'URL' as required:

      results []
      more false
    •

      After more testing on our side, we are still not able to reproduce the issue.

      Can you please give us the result you got when you try to directly access the URL: https://<your_tuleap_instance>/plugins/ldap/autocomplete.php?ldap_group_name=idm-openalmadmin&page=1
    •
      The entry in the log doesn't really mean that the search was successful; it gives the same lines even for invalid groups.

      e.g. if I type 'hello' I get:
      2017-12-21T11:15:41-05:00 [4101] [debug] LDAP search success OU=GRP,OU=Data,DC=ericsson,DC=se (cn=*hello *) *** SCOPE: 2 *** ATTRIBUTES: cn
    •
      I am referring to the 'Ajax script' that is then invoking ~/plugins/ldap/autocomplete.php on every letter you type.
      See new attachment (No results found) and the Synchronize button disabled.

      The string in that snapshot is a valid LDAP group.

      Strangely enough, I have enabled the log at debug level as recommended and got the entry as follows:

      2017-12-21T11:11:45-05:00 [4096] [debug] LDAP search success OU=GRP,OU=Data,DC=ericsson,DC=se (cn=*idm-openalmadmin*) *** SCOPE: 2 *** ATTRIBUTES: cn

      But still the same window with the (No results found) and the Synchronize button disabled.

    •

      I'm not sure I understand which validation you are referring to.

      Did you check the logfile with sys_logger_level set to debug (this option is available in local.inc)? If not, can you please enable it on your staging instance and check the logs again?
    •
      Hello Thomas,

      It seems that there is more than one scenario:

      1) When the project has never been synchronized before: whatever you put in the box, valid LDAP or not, results in ‘No results found’ and the Synchronization button is never clickable.

      2) When the project was previously synchronized: the box is auto-populated with the previous entry and the Synchronization button is clickable. Trying to change the box to another string results in the same 'No results found' as above.

      No entries are found in the logfile (/var/log/tuleap/codendi_syslog).

      The same behavior is consistent on the Prod and Staging servers.
      Additionally, manual LDAP search from the command line works as expected; the LDAP conf hasn't changed from 9.14 to 9.15.

      I still suspect some strange validation in the code at:

      which was not there before. As a workaround I am thinking that it might be possible to disable that validation and enable the Synchronization button.
    •

      So I have tried to reproduce the issue but it seems to work as expected on my end. I also took a look at the impacted code path but besides some minor changes in the format of data returned to your browser, the way the LDAP directory is queried has not been modified and no extra check seems to have been added.

      Can you check in your logfile (/var/log/tuleap/codendi_syslog) what happens when you look for a group? On a working instance you have a trace looking like this:
      2017-12-21T08:35:02+01:00 [192] [debug] Bound to LDAP server: ldap://ldap
      2017-12-21T08:35:02+01:00 [192] [debug] LDAP search success ou=groups,dc=tuleap,dc=local (cn=*gro*) *** SCOPE: 2 *** ATTRIBUTES: cn
      2017-12-21T08:35:03+01:00 [131] [debug] Bound to LDAP server: ldap://ldap
      2017-12-21T08:35:03+01:00 [131] [debug] LDAP search success dc=tuleap,dc=local cn=group user1 *** SCOPE: 1 *** ATTRIBUTES:
      2017-12-21T08:35:03+01:00 [131] [debug] LDAP search success cn=group user1,ou=groups,dc=tuleap,dc=local objectClass=* *** SCOPE: 1 *** ATTRIBUTES: memberUid

      • Status changed from New to Acknowledged
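    Added diagnostic for the debug lines quoted in this thread (the reporter's autocomplete search and the working trace just above); this is example code written for this page, not Tuleap's own. It parses the "LDAP search success" lines and checks whether a search with that base DN and scope could have returned a group living at a given DN. Two things are assumptions: the thread never says where idm-openalmadmin sits in the directory, so its DN is constructed by placing it directly under the base of the reporter's ldapsearch command, and the numeric SCOPE code is read with Tuleap's LDAP class numbering (1=base, 2=onelevel, 3=subtree) rather than the 0/1/2 of RFC 4511; change SCOPE_NAMES if your version logs differently.

```python
import re
from typing import Optional

# Added diagnostic, not Tuleap code. Parses the "LDAP search success" lines that
# Tuleap writes to /var/log/tuleap/codendi_syslog at sys_logger_level=debug and
# checks whether a logged search (base DN + scope) could have returned a group
# that lives at a given DN. Line format copied from the lines quoted in this thread.
# Assumptions: the base DN contains no spaces (true of every quoted line), and the
# SCOPE code follows Tuleap's LDAP class (1=base, 2=onelevel, 3=subtree), not the
# 0/1/2 of RFC 4511. Adjust SCOPE_NAMES if your version logs differently.
SCOPE_NAMES = {1: "base", 2: "onelevel", 3: "subtree"}

SEARCH_LINE = re.compile(
    r"^(?P<ts>\S+) \[(?P<pid>\d+)\] \[debug\] LDAP search success "
    r"(?P<base>\S+) (?P<filter>.+?) \*\*\* SCOPE: (?P<scope>\d) "
    r"\*\*\* ATTRIBUTES: ?(?P<attrs>.*)$"
)


def parse_search_line(line: str) -> Optional[dict]:
    """Return base DN, filter, scope code and requested attributes, or None."""
    m = SEARCH_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["scope"] = int(rec["scope"])
    rec["attrs"] = [a for a in rec["attrs"].split(",") if a]
    return rec


def dn_components(dn: str) -> list:
    """Split a DN into RDNs, lower-cased so AD-style 'OU=' and 'ou=' compare equal."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def search_reaches(base: str, scope: int, target_dn: str) -> bool:
    """Can a search rooted at `base` with this scope code return `target_dn`?"""
    b, t = dn_components(base), dn_components(target_dn)
    if len(t) < len(b) or t[len(t) - len(b):] != b:
        return False                     # target is not under the base at all
    depth = len(t) - len(b)              # 0 = the base itself, 1 = direct child, ...
    name = SCOPE_NAMES.get(scope)
    if name == "base":
        return depth == 0
    if name == "onelevel":
        return depth == 1
    if name == "subtree":
        return True
    raise ValueError(f"unknown scope code {scope}")


def audit(log_lines, group_dn: str):
    """For every logged search, report whether it could have found group_dn."""
    report = []
    for line in log_lines:
        rec = parse_search_line(line)
        if rec is None:
            continue                     # bind lines and other noise
        report.append({
            "base": rec["base"],
            "scope": SCOPE_NAMES.get(rec["scope"], "?"),
            "filter": rec["filter"],
            "reaches_group": search_reaches(rec["base"], rec["scope"], group_dn),
        })
    return report


# Log lines quoted in this thread: the reporter's autocomplete search against AD,
# plus part of the working-instance trace posted by the Tuleap developer.
SAMPLE_LOG = [
    "2017-12-21T11:11:45-05:00 [4096] [debug] LDAP search success OU=GRP,OU=Data,DC=ericsson,DC=se (cn=*idm-openalmadmin*) *** SCOPE: 2 *** ATTRIBUTES: cn",
    "2017-12-21T08:35:02+01:00 [192] [debug] Bound to LDAP server: ldap://ldap",
    "2017-12-21T08:35:02+01:00 [192] [debug] LDAP search success ou=groups,dc=tuleap,dc=local (cn=*gro*) *** SCOPE: 2 *** ATTRIBUTES: cn",
]

# Where the reporter's group lives is not stated in the thread; the ldapsearch
# command they posted uses OU=P001,OU=GRP,OU=Data,DC=ericsson,DC=se as its base,
# so this DN is a constructed assumption placing the group directly under it.
ASSUMED_GROUP_DN = "CN=idm-openalmadmin,OU=P001,OU=GRP,OU=Data,DC=ericsson,DC=se"

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG, ASSUMED_GROUP_DN):
        print(row)
```

    Under that scope assumption, the reporter's logged search (SCOPE: 2 from OU=GRP,OU=Data,DC=ericsson,DC=se) is a one-level search and cannot return a group nested one OU deeper, which is consistent with the title this request ended up with. The check also makes the reporter's other observation concrete: "LDAP search success" only records that the query ran without an error, not that it matched any entry.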
    •
      • CC list set to Stephan Bill (stephanbill), Emilio Palmiero (empa), Patricia Carrasco (pcar)