LDAP authentication error


Adam Weremczuk

May 21, 2020, 6:52:52 AM
to Review Board Community
Hi all,

----------------------------------------------------------------------------------------------------------------

Review Board 3.0.17

----------------------------------------------------------------------------------------------------------------

My LDAP settings:

-> Authentication Method: LDAP
-> LDAP Server: ldap://192.168.x.x:389
-> Review Board LDAP Bind Account: au...@domain.co.uk
-> Review Board LDAP Bind Password: ********
-> LDAP Base DN: cn=Users,dc=domain,dc=co,dc=uk
-> Username Attribute: sAMAccountName
-> Given Name Attribute: givenName
-> Surname Attribute: sn
-> Full Name Attribute: displayName
-> E-Mail LDAP Attribute: mail
-> E-Mail Domain: (blank)
-> Custom LDAP User Search Filter: sAMAccountName=%s

----------------------------------------------------------------------------------------------------------------

My ldapsearch results:

ldapsearch -D 'du...@domain.co.uk' -b 'cn=Users,dc=domain,dc=co,dc=uk' -H ldap://192.168.x.x -W sAMAccountName=dummy
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=domain,dc=co,dc=uk> with scope subtree
# filter: sAMAccountName=dummy
# requesting: ALL
#

# dummy, Users, domain.co.uk
dn: CN=dummy,CN=Users,DC=domain,DC=co,DC=uk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sn: Account
givenName: Dummy
instanceType: 4
whenCreated: 20180313125318.0Z
displayName: Dummy Account
uSNCreated: 2511997
objectGUID:: Y5A3vaWhyuKF9j3q/Ek+9w==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
objectSid:: AQUAAAAAAAUVAAAAyHdPCeZosyKsV0w3FAUAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: dummy
sAMAccountType: 805306368
userPrincipalName: du...@domain.co.uk
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=co,DC
 =uk
userAccountControl: 66048
cn: dummy
name: dummy
memberOf: CN=Domain Users,CN=Users,DC=domain,DC=co,DC=uk
memberOf: CN=Remote Desktop Users,CN=Builtin,DC=domain,DC=co,DC=uk
memberOf: CN=RDP Domain Users,CN=Users,DC=domain,DC=co,DC=uk
primaryGroupID: 2354
msSFU30NisDomain: example_domain
uidNumber: 5652
loginShell: /bin/bash
unixHomeDirectory: /home/dummy
gidNumber: 4700
msSFU30Name: dummy
uid: dummy
pwdLastSet: 132177051640000000
whenChanged: 20191108164604.0Z
uSNChanged: 3800280
distinguishedName: CN=dummy,CN=Users,DC=domain,DC=co,DC=uk

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

----------------------------------------------------------------------------------------------------------------

On a login attempt, the Review Board error log produces:

2020-05-21 10:43:09,771 - INFO -  - root - Reloading logging settings
2020-05-21 10:43:09,772 - DEBUG -  - root - Logging to /var/log/reviewboard/reviewboard.log with a minimum level of DEBUG
2020-05-21 10:43:09,826 - WARNING -  - root - Error authenticating user "dummy" in LDAP: {'info': u'acl_read: Error retrieving instanceType for base. at ../source4/dsdb/samdb/ldb_modules/acl_read.c:356', 'desc': u'No such object'}
2020-05-21 10:43:09,827 - ERROR -  - root - Unexpected error authenticating user "dummy" in LDAP: 'NoneType' object has no attribute 'decode'
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/reviewboard/accounts/backends/ldap.py", line 146, in authenticate
    userdn.decode('utf-8'), username)
AttributeError: 'NoneType' object has no attribute 'decode'

----------------------------------------------------------------------------------------------------------------

Is it related to the DB backend being set up as MySQL 5.7 with utf8, or something else?

Paul Mansfield

May 21, 2020, 7:06:45 AM
to revie...@googlegroups.com
On Thu, 21 May 2020 at 11:52, Adam Weremczuk <verem...@gmail.com> wrote:
> My LDAP settings:

Do you have the python (2.x) ldap module installed?

$ pip2 list | egrep ldap
DEPRECATION: Python 2.7 reached the end of its life on January 1st,
2020. Please upgrade your Python as Python 2.7 is no longer
maintained. pip 21.0 will drop support for Python 2.7 in January 2021.
More details about Python 2 support in pip, can be found at
https://pip.pypa.io/en/latest/development/release-process/#python-2-support
python-ldap 2.4.15

Adam Weremczuk

May 21, 2020, 7:43:58 AM
to revie...@googlegroups.com
On Thu, 21 May 2020 at 12:06, Paul Mansfield <paul.ma...@agileanalog.com> wrote:
> do you have python (2.x) ldap module installed?

pip2 list | egrep ldap
DEPRECATION: The default format will switch to columns in the future. You can use --format=(legacy|columns) (or define a format=(legacy|columns) in your pip.conf under the [list] section) to disable this warning.
python-ldap (3.2.0)

Adam Weremczuk

May 21, 2020, 8:36:01 AM
to revie...@googlegroups.com
pip2 install python-ldap
Requirement already satisfied: python-ldap in /usr/local/lib/python2.7/dist-packages
Requirement already satisfied: pyasn1>=0.3.7 in /usr/local/lib/python2.7/dist-packages (from python-ldap)
Requirement already satisfied: pyasn1-modules>=0.1.5 in /usr/local/lib/python2.7/dist-packages (from python-ldap)

Is my version (3.2.0) known to be problematic and are you suggesting 2.4.15 ?

Paul Mansfield

May 21, 2020, 9:31:52 AM
to revie...@googlegroups.com
On Thu, 21 May 2020 at 13:35, Adam Weremczuk <verem...@gmail.com> wrote:
> Is my version (3.2.0) known to be problematic and are you suggesting 2.4.15 ?

No, I just wanted to be sure that reviewboard would be able to load
python ldap if it needed it.

if you run "sudo netstat -anp | grep -E '389|636' " and then "tcpdump
port 389 or port 686" can you verify that reviewboard is actually
making a connection to the ldap server?

Adam Weremczuk

May 21, 2020, 10:15:55 AM
to Review Board Community
The LDAP server listens on both 389 / 636 and I can telnet to either port from the Review Board client fine.

A login attempt generates traffic, with 13 packets being exchanged:

RB - Review Board client
LD - LDAP server
[ ] - flag

  1. RB -> LD   [S]
  2. LD -> RB   [S.]
  3. RB -> LD   [.]
  4. RB -> LD   [P.]
  5. LD -> RB   [.]
  6. LD -> RB   [P.]
  7. RB -> LD   [.]
  8. RB -> LD   [P.]
  9. LD -> RB   [P.]
  10. RB -> LD   [P.]
  11. RB -> LD   [F.]
  12. LD -> RB   [F.]
  13. RB -> LD   [.]

Adam Weremczuk

May 26, 2020, 8:42:40 AM
to Review Board Community
One problem was my LDAP connection settings.

This is almost working for me (thanks to Paul Mansfield):


-> Authentication Method: LDAP
-> LDAP Server: ldap://192.168.x.x:389
-> Review Board LDAP Bind Account: cn=auth,cn=Users,dc=domain,dc=co,dc=uk
-> Review Board LDAP Bind Password: ********
-> LDAP Base DN: cn=Users,dc=domain,dc=co,dc=uk
-> Username Attribute: uid
-> Given Name Attribute: givenName
-> Surname Attribute: sn
-> Full Name Attribute: cn
-> E-Mail LDAP Attribute: mail
-> E-Mail Domain: (blank)
-> Custom LDAP User Search Filter: (blank)

Now I have a weird problem, with about half of the users being able to log in:

2020-05-26 11:32:07,623 - DEBUG -  - root - Attempting to authenticate user DN "CN=dummy1,CN=Users,DC=domain,DC=co,DC=uk" (username dummy1) in LDAP

and half unable:

2020-05-26 11:40:57,671 - ERROR -  - root - Unexpected error authenticating user "dummy2" in LDAP: 'NoneType' object has no attribute 'decode'

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/reviewboard/accounts/backends/ldap.py", line 146, in authenticate
    userdn.decode('utf-8'), username)
AttributeError: 'NoneType' object has no attribute 'decode'

After ruling out the obvious such as AD groups membership and primary groups I compared ldapsearch dumps:

ldapsearch -D 'ad...@domain.co.uk' -b 'cn=Users,dc=domain,dc=co,dc=uk' -H ldap://192.168.x.x -W sAMAccountName=dummy

I've noticed that all of those who cannot log in are missing msSFU30Name and msDS-SupportedEncryptionTypes attributes.

I've added them to match settings for the successful users as below:

dummy2.ldif

dn: CN=dummy2,CN=Users,DC=domain,DC=co,DC=uk
changetype: modify
add: msSFU30Name
msSFU30Name: dummy2
-
add: msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: 0

ldbmodify -H /var/lib/samba/private/sam.ldb dummy2.ldif -U admin
Modified 1 records successfully

Unfortunately it didn't help and I really don't get why.
TBH I haven't been able to find any failed login attempts logged on the samba4 LDAP/DC server.

Any ideas?
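
Both failures in this thread have the same shape: the traceback shows `userdn` arriving as `None`, i.e. the lookup that should have produced the user's DN returned nothing, and the code then calls `.decode()` on it. The block below is an added, self-contained Python 3 example, not Review Board's own code (the thread only shows its traceback), that re-creates a search-then-bind user lookup offline over an LDIF dump like the ldapsearch output earlier in the thread. It parses the dump (including folded continuation lines and `::` base64 values), builds the search filter from the configured Username Attribute or from a custom `%s` filter, escapes the submitted username per RFC 4515 so a crafted login name cannot rewrite the filter the service account runs, returns a reason instead of crashing when no entry matches, and lists the entries that lack the configured username attribute. The sample LDIF is constructed (a trimmed copy of the `dummy` entry plus a hypothetical `dummy2` entry with no Unix attributes, hence no `uid`), and the assumption that the lookup sequence mirrors the log lines is mine.

```python
"""Offline re-creation of an LDAP search-then-bind user lookup over an LDIF dump.

Added example (Python 3), not Review Board's code.  The lookup sequence is an
assumption modelled on the thread's log lines: search under the Base DN for
the username, then bind as the DN that comes back.
"""
import base64
import re

# Constructed sample: trimmed 'dummy' entry from the thread plus a hypothetical
# 'dummy2' entry that has no Unix (RFC 2307 / SFU) attributes, i.e. no 'uid'.
SAMPLE_LDIF = """\
# extended LDIF
#
# base <cn=Users,dc=domain,dc=co,dc=uk> with scope subtree
#

# dummy, Users, domain.co.uk
dn: CN=dummy,CN=Users,DC=domain,DC=co,DC=uk
objectClass: user
sn: Account
givenName: Dummy
objectGUID:: Y5A3vaWhyuKF9j3q/Ek+9w==
sAMAccountName: dummy
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=co,DC
 =uk
msSFU30Name: dummy
uid: dummy

# dummy2, Users, domain.co.uk
dn: CN=dummy2,CN=Users,DC=domain,DC=co,DC=uk
objectClass: user
sn: Account
givenName: Dummy2
sAMAccountName: dummy2

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr_lowercase: [values]})]; skips comments,
    unfolds continuation lines (leading space) and decodes '::' base64."""
    unfolded = re.sub(r"\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded):   # blank line ends an entry
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
            if not m:
                continue
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:                           # header/footer blocks have no dn
            entries.append((dn, attrs))
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter; without
    it a login name such as '*)(uid=*' rewrites the filter (LDAP injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def _unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def find_user_dn(entries, username, uid_attr, custom_filter=None):
    """Search step: '(<Username Attribute>=<username>)' or the custom '%s'
    filter, evaluated over the dump.  Only a single equality filter is
    supported (all this thread's configs use one); names and values compare
    case-insensitively, as AD does for these attributes."""
    value = escape_filter_value(username)
    search_filter = (custom_filter % value) if custom_filter else "(%s=%s)" % (uid_attr, value)
    m = re.fullmatch(r"\(?([\w.;-]+)=(.*?)\)?", search_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % search_filter)
    attr, wanted = m.group(1).lower(), _unescape_filter_value(m.group(2)).lower()
    for dn, attrs in entries:
        if wanted in (v.lower() for v in attrs.get(attr, [])):
            return dn
    return None


def authenticate(entries, username, uid_attr, custom_filter=None):
    """The step that raised AttributeError in the thread, with None handled:
    returns (dn, reason) so the caller can log why the login was refused."""
    userdn = find_user_dn(entries, username, uid_attr, custom_filter)
    if userdn is None:
        return None, "no entry under the Base DN has %s=%s" % (uid_attr, username)
    # A real backend would now bind to the server as userdn with the password.
    return userdn, "bind as this DN with the submitted password"


def missing_attribute(entries, attr):
    """DNs lacking `attr`; configured as Username Attribute, these can never match."""
    return [dn for dn, attrs in entries if attr.lower() not in attrs]


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for name in ("dummy", "dummy2", "*)(uid=*"):
        print(name, "->", authenticate(users, name, "uid"))
    print("entries without uid:", missing_attribute(users, "uid"))
```

To use it on a real directory, save a full dump (`ldapsearch ... '(objectClass=user)' > users.ldif`) and feed it to `parse_ldif`. Under the assumption above, with `Username Attribute: uid` every entry that `missing_attribute(entries, 'uid')` reports fails exactly as `dummy2` does in the log, whatever its `msSFU30Name` or `msDS-SupportedEncryptionTypes` values, so the attribute to compare between working and failing accounts is the one named in the Username Attribute setting; confirm with `ldapsearch` against the server before modifying directory data.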

Adam Weremczuk

May 26, 2020, 8:53:52 AM
to Review Board Community
ldbmodify -H /var/lib/samba/private/sam.ldb dummy2.ldif -U admin

My bad, editing the post. I actually executed -U dummy2 and it got updated successfully and as intended.