
Email in LDAP registration form is empty
Closed, Resolved, Public

Description

I'm configuring the LDAP auth provider. When someone attempts to register, the registration form pops up. That guy must fill in the email address, which is already provided by LDAP.

I can see that rPHU/src/auth/PhutilLDAPAuthAdapter.php:getAccountEmail() is in fact called, but it doesn't show on the dialog (therefore I'm thinking this is a bug).

Version Information:

phabricator 0426ce73f0e63f1900f1cc285cfa1465ea72317e (Fri, Jan 13) (branched from 7276af6a81f49bbdc14ace064aab50afbeb79cfc on origin) 
arcanist    9503b941cc02be637d967bb50cfb25f852e071e4 (Sat, Jan 7)  (branched from ade25facfdf22aed1c1e20fed3e58e60c0be3c2b on origin) 
phutil      10963f771f118baa338aacd3172aaede695cde62 (Fri, Jan 13) (branched from 9d85dfab0f532d50c2343719e92d574a4827341b on origin)

Steps to Reproduce:

  1. Configure LDAP auth provider (search attributes include mail)
  2. Logout
  3. Enter username and password of an LDAP account (not linked to any phabricator account)
  4. Expected prefilled email address, but actually the text entry is empty.

Event Timeline

kugel- created this task. Jan 16 2017, 2:45 PM

I can't reproduce this. Here's what I tried:

  • I launched a new EC2 instance using Ubuntu 16.04 (ami-d8bdebb8).
  • I opened port 389 inbound and assigned the host the DNS name ldap001.epriestley.com.
  • I installed slapd with:
$ sudo apt-get install slapd
$ sudo apt-get install ldap-utils
$ sudo service slapd start
  • This installed slapd with a default dc=nodomain, which is apparently extremely difficult to fix.

Modifying cn=config the proper way with ldapmodify is very painful, and you'll end up accumulating tons of carefully hand-crafted, single-purpose, disposable LDIF files. Compared to just editing slapd.conf it's a nightmare.
http://serverfault.com/questions/499856/is-there-any-bad-thing-happens-if-i-change-etc-ldap-slapd-d-cn-config-ldif-manu

It seems like the "right" way to do this is to manually edit your host file first, then install LDAP:

However, the suffix (or base DN) of this instance will be determined from the domain name of the localhost. If you want something different, edit /etc/hosts and replace the domain name with one that will give you the suffix you desire.
https://help.ubuntu.com/lts/serverguide/openldap-server.html

I uninstalled slapd and ldap-utils using purge:

$ sudo apt-get purge slapd ldap-utils

I used sudo hostname ldap001.epriestley.com to set the hostname and edited /etc/hosts to contain this line, according to the setup guide above:

127.0.1.1 ldap001.epriestley.com ldap001

(Why is this 127.0.1.1 instead of 127.0.0.1?)

I reinstalled slapd and ldap-utils:

$ sudo apt-get install slapd ldap-utils

I copy-pasted some kind of arcane ldapsearch command which apparently tells me if this is completely screwed up or not:

$ ldapsearch -x -LLL -H ldap:/// -b dc=epriestley,dc=com dn
dn: dc=epriestley,dc=com

dn: cn=admin,dc=epriestley,dc=com

That seems OK. I created an init.ldif file following the same document:

init.ldif
dn: ou=People,dc=epriestley,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=ldapuser,ou=People,dc=epriestley,dc=com
objectClass: inetOrgPerson
uid: john
sn: User
givenName: Ldap
cn: LDAP User
displayName: LDAP User
mail: ldapuser@epriestley.com

I added that record to LDAP:

$ ldapadd -x -D cn=admin,dc=epriestley,dc=com -W -f init.ldif
Enter LDAP Password: 
adding new entry "ou=People,dc=epriestley,dc=com"

adding new entry "uid=ldapuser,ou=People,dc=epriestley,dc=com"

I ran ldapsearch to find the record:

$ ldapsearch -x -LLL -b dc=epriestley,dc=com 'uid=ldapuser'
dn: uid=ldapuser,ou=People,dc=epriestley,dc=com
objectClass: inetOrgPerson
uid: john
uid: ldapuser
sn: User
givenName: Ldap
cn: LDAP User
displayName: LDAP User
mail: ldapuser@epriestley.com

I realized that I had neglected to edit uid: john from the example. I changed init.ldif and added the record again to overwrite it:

$ ldapadd -x -D cn=admin,dc=epriestley,dc=com -W -f init.ldif
Enter LDAP Password: 
adding new entry "ou=People,dc=epriestley,dc=com"
ldap_add: Already exists (68)

I used ldapmodify instead:

$ ldapmodify -x -D cn=admin,dc=epriestley,dc=com -W -f init.ldif
Enter LDAP Password: 
ldapmodify: modify operation type is missing at line 2, entry "ou=People,dc=epriestley,dc=com"

I googled a bunch of stuff and came up with this:

modify.ldif
dn: uid=ldapuser,ou=People,dc=epriestley,dc=com
changetype: modify
replace: uid
uid: ldapuser

I executed that with ldapmodify:

$ ldapmodify -x -D cn=admin,dc=epriestley,dc=com -W -f init.ldif
Enter LDAP Password: 
modifying entry "uid=ldapuser,ou=People,dc=epriestley,dc=com"

I re-ran the ldapsearch:

$ ldapsearch -x -LLL -b dc=epriestley,dc=com 'uid=ldapuser'
dn: uid=ldapuser,ou=People,dc=epriestley,dc=com
objectClass: inetOrgPerson
sn: User
givenName: Ldap
cn: LDAP User
displayName: LDAP User
mail: ldapuser@epriestley.com
uid: ldapuser

Okay, so far so good.

Locally, I configured LDAP.

Since I'd upgraded to PHP71 for T9640 I no longer had the ldap extension installed locally. I installed it:

$ brew install php71-ldap
<... snip ...>
Error: No available formula with the name "php71-ldap" 
==> Searching for similarly named formulae...
Error: No similarly named formulae found.
==> Searching taps...
Error: No formulae found in taps.

Oh, okay. I have zero confidence that I can build this from source given how shaky the rest of PHP 7 has been, so let's just put Phabricator on the same host.

  • I opened up port 80 inbound in the security policy.
  • I installed dependencies:
$ sudo apt-get install git mysql-server apache2

Since Ubuntu 16 is on PHP7, I navigated versions with some care:

$ sudo apt-cache search php | grep ldap
php-ldap - LDAP module for PHP [default]
...

Okay, let's try that:

$ sudo apt-get install php php-ldap php-cli 

I created a directory for Phabricator and cloned it:

ubuntu@ldap001:/var$ sudo mkdir phabricator
ubuntu@ldap001:/var$ sudo chown ubuntu:ubuntu phabricator
ubuntu@ldap001:/var$ cd phabricator/
ubuntu@ldap001:/var/phabricator$ ls
ubuntu@ldap001:/var/phabricator$ git clone https://github.com/phacility/libphutil.git
ubuntu@ldap001:/var/phabricator$ git clone https://github.com/phacility/arcanist.git
ubuntu@ldap001:/var/phabricator$ git clone https://github.com/phacility/phabricator.git

I edited the default Apache site and restarted apache2:

$ cat /etc/apache2/sites-enabled/000-default.conf 
<Directory "/var/phabricator/phabricator/webroot">
  Require all granted
</Directory>

<VirtualHost *>
  ServerName ldap001.epriestley.com
  DocumentRoot /var/phabricator/phabricator/webroot
  RewriteEngine on
  RewriteRule ^(.*)$          /index.php?__path__=$1  [B,L,QSA]
</VirtualHost>
$ sudo a2enmod rewrite
$ sudo service apache2 restart

Not quite:

$ sudo apt-get install libapache2-mod-php
$ sudo service apache2 restart

Okay, well:

I no-op'd that check and we're nearly in business:

$ nano src/applications/config/check/PhabricatorPHPPreflightSetupCheck.php
$ sudo apt-get install php-mbstring php-curl php-mysql
$ sudo service apache2 restart
$ sudo service mysql start

MySQL (on Ubuntu 16?) has some new weird setup stuff that I ultimately resolved like this:

$ sudo mysql -uroot # must sudo!
mysql> grant all on *.* to root@localhost identified with mysql_native_password by '';

Continuing:

$ phabricator/ $ ./bin/storage upgrade -f

I configured a new LDAP authentication provider with these values:

LDAP Hostname: ldap001.epriestley.com
LDAP Port: 389
Base Distinguished Name: ou=People,dc=epriestley,dc=com
Search Attributes:
  uid
  mail

I set a password for the ldapuser:

$ ldappasswd -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W -S "uid=bob,ou=people,dc=example,dc=com"

I logged in using this user's username (ldapuser) and password (set in the previous step):

This took me to registration:

Note that this form does not include "Email Address". This is because we've read the address from LDAP.

I filled in a real name and clicked "Register Phabricator Account".

In another window, I approved the user account, then went to their settings:

Their email address had correctly populated by default.

I can't reproduce this issue with the information provided. To move forward:

  • provide more detailed reproduction steps which allow us to reproduce the issue in a clean, isolated environment, starting from scratch; or
  • provide me root access to an environment I can destroy where this issue reproduces; or
  • we will close this issue in a few days if we don't receive the information we need to move forward.
kugel- added a comment. Edited Jan 17 2017, 7:35 AM

Thank you for your extremely intensive efforts to reproduce my issue.

Here's a screen shot that shows the registration page on my site. Please note that the email entry is shown (and is empty) while in your setup it's not even there.

Here's an ldapsearch run that shows the mail is included in the result (I obfuscated it and the ldap host):

ldapsearch -h xxx.xxx.de -b "ou=Networking,ou=Entwicklung,ou=USER,o=AVM" -x "uid=TMartitz"
# extended LDIF
#
# LDAPv3
# base <ou=Networking,ou=Entwicklung,ou=USER,o=AVM> with scope subtree
# filter: uid=TMartitz
# requesting: ALL
#

# TMartitz, Networking, Entwicklung, USER, AVM
dn: cn=TMartitz,ou=Networking,ou=Entwicklung,ou=USER,o=AVM
mail: xxx@xxx.de
uid: TMartitz
initials: TMA
givenName: Thomas
sn: Martitz
objectClass: inetOrgPerson
objectClass: avmPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
objectClass: DirXML-EntitlementRecipient
objectClass: DirXML-PasswordSyncStatusUser
objectClass: DirXML-ApplicationAttrs
cn: TMartitz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I tried again on a clean phabricator install (git master as of 10 minutes ago) on Ubuntu 16.04 and php7.1 from https://launchpad.net/~ondrej/+archive/ubuntu/php and still observe the same issue. So it looks like it's specific to our ldap server? Does the output I gave you above ring any bell?

Though, as mentioned before, when the registration popup is shown I can see that the email is queried from the ldap provider (I verified with an error_log() statement in php function PhutilLDAPAuthAdapter.php:getAccountEmail(), and the email address printed is correct), so I'm not sure what's wrong.

kugel- added a comment. Edited Jan 17 2017, 8:20 AM

Here is my ldap auth config

So I asked a coworker to register with *his* credentials, and it turns out he can't see the email field. I strongly suspect it has to do with the fact that I already registered with the same email address when setting up the admin account initially.

So, is it possible that the email field is shown when there is already an existing phabricator account with the same email address?

So, is it possible that the email field is shown when there is already an existing phabricator account with the same email address?

Yes. If we read an invalid address from LDAP (duplicate, or just garbage), we prompt the user to select a new one instead of preventing them from registering.

Alright, then this is it. I think a visual indication would be helpful. But apart from that, this can be closed.

epriestley closed this task as Resolved. Jan 17 2017, 6:54 PM
epriestley claimed this task.

See also T3472.
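
The resolution above (an LDAP address that is a duplicate or garbage makes the registration form ask for a new one) can be checked before a rollout by comparing ldapsearch output against addresses that are already registered. This is an added example, not part of the thread or of Phabricator's code; the function names, the sample LDIF, the simplified address regex, the treatment of a missing mail attribute and the case-insensitive comparison are assumptions.

```python
import base64
import re

# Simplified stand-in for an address validator (assumption, not Phabricator's own check).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:             # skips the "search:/result:" trailer
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64>" encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def accounts_prompted_for_email(ldif_text, existing_addresses):
    """Map DN -> reason for entries whose LDAP mail cannot be used as-is."""
    taken = {a.strip().lower() for a in existing_addresses}
    flagged = {}
    for entry in parse_ldif(ldif_text):
        mail = (entry.get("mail") or [""])[0]   # missing mail is treated as invalid
        if not EMAIL_RE.match(mail):
            flagged[entry["dn"][0]] = "invalid"
        elif mail.lower() in taken:             # case-insensitive match is an assumption
            flagged[entry["dn"][0]] = "duplicate"
    return flagged

# Constructed sample: folded value, garbage value, base64 value, extended-LDIF trailer.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com", "mail: alice@exam", " ple.com", "",
    "dn: uid=bob,ou=People,dc=example,dc=com", "mail: not-an-address", "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "mail:: " + base64.b64encode(b"Carol@Example.com").decode(), "",
    "# search result", "search: 2", "result: 0 Success",
])
EXISTING = ["admin@example.com", "carol@example.com"]  # constructed existing accounts

if __name__ == "__main__":
    for dn, reason in accounts_prompted_for_email(SAMPLE_LDIF, EXISTING).items():
        print(f"{reason:9} {dn}")
```

Entries it flags are the accounts that would see the extra email field at registration, which is the case the reporter hit with the admin account's address.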