
can not create group #6104

Closed
IamTaoChen opened this issue May 19, 2024 · 26 comments
@IamTaoChen

Describe the bug

When I create a new group, nothing happens.

Screenshots
[screenshot omitted]

Server Software (please complete the following information):

  • OS: debian
  • Virtualization: docker
  • Network: reverse proxy
  • Version: 1.1.22
  • Node: [e.g. 18.4.0]
@IamTaoChen IamTaoChen added the bug label May 19, 2024
@si458
Collaborator

si458 commented May 19, 2024

You didn't follow the bug template.
What is your config.json?

@IamTaoChen
Author

I use OIDC and the /admins group is set as siteAdmin

{
    "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
    "settings": {
        "plugins": {
            "enabled": false
        },
        "mongoDb": "mongodb://XXXX:XXXX@mongo:27017/meshcentral",
        "mongoDbName": "",
        "cert": "rd.demo8.org",
        "_WANonly": true,
        "_LANonly": true,
        "sessionKey": "XXXXXX",
        "port": 4430,
        "aliasPort": 443,
        "redirPort": 80,
        "_redirAliasPort": 80,
        "AgentPong": 300,
        "TLSOffload": "127.0.0.1",
        "SelfUpdate": false,
        "AllowFraming": true,
        "AllowLoginToken": true,
        "WebRTC": false,
        "wsCompression": true
    },
    "domains": {
        "": {
            "title": "XXXXX",
            "title2": "RD",
            "minify": true,
            "ssh": true,
            "newAccountsUserGroups":["users"],
            "NewAccounts": true,
            "localSessionRecording": false,
            "userNameIsEmail": false,
            "certUrl": "https://example.org:",
            "showPasswordLogin": false,
            "auth": "ldap",
            "ldapOptions": {
                "url": "ldaps://XXXXXX:636/",
                "tlsOptions": {
                    "rejectUnauthorized": false
                },
                "bindDN": "XXXXX",
                "bindCredentials": "XXXX",
                "searchBase": "XXXXX",
                "searchFilter": "(sAMAccountName={{username}})",
                "reconnect": true
            },
            "LDAPUserKey": "sAMAccountName",
            "ldapUserName": "displayName",
            "LDAPUserGroups": "memberOf",
            "LDAPSyncWithUserGroups": true,
            "authStrategies": {
                "oidc": {
                    "_authorizationURL": "https://XXXXXX.com/protocol/openid-connect/auth",
                    "callbackURL": "https://rd.example.com/oidc-callback",
                    "clientid": "XXXXX",
                    "clientsecret": "XXXXXX",
                    "issuer": "https://XXXXXX.com",
                    "_tokenURL": "https://XXXXXX.com/protocol/openid-connect/token",
                    "_userInfoURL": "https://XXXXXX.com/protocol/openid-connect/userinfo",
                    "_logouturl": "https://XXXXXX.com/protocol/openid-connect/logout",
                    "newAccounts": true,
                    "logouturl" : "https:/XXXXXX.com/protocol/openid-connect/logout",
                    "scope": [
                        "openid",
                        "profile",
                        "email",
                        "groups"
                    ],
                    "groups": {
                        "required": [
                            "/admins",
                            "/members"
                        ],
                        "siteadmin": [
                            "/admins"
                        ],
                        "sync": {
                            "enabled": true
                        },
                        "claim": "groups"
                    }
                }
            }
        }
    },
    "_letsencrypt": {
        "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
        "_email": "myemail@mydomain.com",
        "_names": "myserver.mydomain.com",
        "production": false
    },
    "_smtp": {
        "host": "xxxxx",
        "port": 25,
        "from": "xxxx",
        "tls": false,
        "user": "xxxxx",
        "pass": "xxxxx"
    }
}

@si458
Collaborator

si458 commented May 19, 2024

You are mixing 2 authentication methods in your config.json.
You have auth: "ldap" set AND authStrategies set.
You should only have one or the other!
So comment one out to remove it: _auth or _authStrategies.
Then restart MeshCentral and try again.

@IamTaoChen
Author

> You are mixing 2 authentication methods in your config.json. You have auth: "ldap" set AND authStrategies set. You should only have one or the other! So comment one out to remove it: _auth or _authStrategies. Then restart MeshCentral and try again.

it still doesn't work

@si458
Collaborator

si458 commented May 19, 2024

@IamTaoChen well, which one did you comment out?
What does your config.json look like now?
You won't be able to create groups with LDAP because you have set LDAPSyncWithUserGroups.

@IamTaoChen
Author

> @IamTaoChen well, which one did you comment out? What does your config.json look like now? You won't be able to create groups with LDAP because you have set LDAPSyncWithUserGroups.

I only changed the auth:

"_auth": "ldap",

But I just tried to use 1.1.20 and it works.

@si458
Collaborator

si458 commented May 19, 2024

There were changes in 1.1.21 and 1.1.22 with the OIDC (a community member changed code for things),
so it might be something there that is broken, as there were a few other OIDC things that were broken and I've fixed recently.

So you use OIDC for the authentication and not LDAP?

Who's the OIDC provider? (I use authentik for my testing.)
Just want to clarify so I can try to replicate it tomorrow for you.

@si458
Collaborator

si458 commented May 19, 2024

@IamTaoChen after a quick look at the new docs written by the community member,
the sync: true feature will copy the OIDC groups over, which might be why you can't create any groups manually:
https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options

@IamTaoChen
Author

> @IamTaoChen after a quick look at the new docs written by the community member, the sync: true feature will copy the OIDC groups over, which might be why you can't create any groups manually: https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options

The reason I want to try to create a group manually is that the groups didn't sync from the OIDC groups, even though I can see the group information was extracted by MeshCentral.

@IamTaoChen
Author

IamTaoChen commented May 19, 2024

> There were changes in 1.1.21 and 1.1.22 with the OIDC (a community member changed code for things), so it might be something there that is broken, as there were a few other OIDC things that were broken and I've fixed recently.
>
> So you use OIDC for the authentication and not LDAP?
>
> Who's the OIDC provider? (I use authentik for my testing.) Just want to clarify so I can try to replicate it tomorrow for you.

Yes, I use OIDC for authentication.

I use Keycloak. MeshCentral can get the group information.

@si458
Collaborator

si458 commented May 19, 2024

> The reason I want to try to create a group manually is that the groups didn't sync from the OIDC groups, even though I can see the group information was extracted by MeshCentral.

Ah right, so it's not syncing the groups for starters, but then you can't create groups either! I will have a look when I get a chance for you.

@si458
Collaborator

si458 commented May 21, 2024

OK, I've just fixed a bug where, using the OIDC sync feature,
it wasn't syncing the groups correctly if you didn't specify any:
5c13f17
But I don't think that fixes your issue; I'm still looking into it for you 👍

@si458
Collaborator

si458 commented May 21, 2024

@IamTaoChen OK, I've looked at this. Because you have sync: true, basically you aren't allowed to create groups;
this is because they need to stay in sync with your OIDC provider,
and this happens every time a user logs in.
So the way to create a user group is to create a group in your backend OIDC provider,
then add the users you want into it, again using your backend provider.
Then, when a user of that group logs in,
it will download its groups, see the new group, then create the group in MeshCentral and add all the other users to it.

// Check if we are in a mode that does not allow manual user group creation
if (
  (typeof domain.authstrategies == 'object') &&
  (typeof domain.authstrategies['oidc'] == 'object') &&
  (typeof domain.authstrategies['oidc'].groups == 'object') &&
  ((domain.authstrategies['oidc'].groups.sync == true) || ((typeof domain.authstrategies['oidc'].groups.sync == 'object') && (domain.authstrategies['oidc'].groups.sync.enabled == true)))
) {
  err = "Not allowed in OIDC mode with user group sync.";
}

But there is a bug where you don't get notified in the web UI, so I'll fix that for you.

@IamTaoChen
Author

> @IamTaoChen OK, I've looked at this. Because you have sync: true, basically you aren't allowed to create groups; this is because they need to stay in sync with your OIDC provider, and this happens every time a user logs in. So the way to create a user group is to create a group in your backend OIDC provider, then add the users you want into it, again using your backend provider. Then, when a user of that group logs in, it will download its groups, see the new group, then create the group in MeshCentral and add all the other users to it.
>
> // Check if we are in a mode that does not allow manual user group creation
> if (
>   (typeof domain.authstrategies == 'object') &&
>   (typeof domain.authstrategies['oidc'] == 'object') &&
>   (typeof domain.authstrategies['oidc'].groups == 'object') &&
>   ((domain.authstrategies['oidc'].groups.sync == true) || ((typeof domain.authstrategies['oidc'].groups.sync == 'object') && (domain.authstrategies['oidc'].groups.sync.enabled == true)))
> ) {
>   err = "Not allowed in OIDC mode with user group sync.";
> }
>
> But there is a bug where you don't get notified in the web UI, so I'll fix that for you.

thanks, I'll test it

@si458
Collaborator

si458 commented May 21, 2024

@IamTaoChen you might need to use the newest master docker image again (built about 5mins ago)

@IamTaoChen
Author

The problem still exists.
[screenshots omitted]

The demo user is in two groups, /members and /staff. /members was synced by version 1.1.20 and /staff is a new group I created at the IdP.

And the demo user is in /members, but /staff was not created. (Also, I cannot create a group manually.)

@si458
Collaborator

si458 commented May 21, 2024

I've just tested it here with my authentik, and it seemed to work?
Created new group and new user, added new user to new group, logged into MC with new user, new group shows up?
Even then I logged new user out, added new user into my ADMIN group for authentik,
relogged user back in, ADMIN group now shows 2 users on MC.
(I had previously logged in the admin user to get this group created.)

Is your config.json the same as above still? #6104 (comment)
Try the latest master docker image from 2 mins ago:
https://github.com/Ylianst/MeshCentral/pkgs/container/meshcentral/219060780?tag=master

@IamTaoChen
Author

It still doesn't work.
This is my image:

   docker image ls | grep meshcentral                                     
ghcr.io/ylianst/meshcentral                                         master            2fe1c56bb34f   16 minutes ago      910MB
ghcr.io/ylianst/meshcentral                                         <none>            7df036099ce2   About an hour ago   910MB
ghcr.io/ylianst/meshcentral                                         <none>            cd77d6ba8458   2 days ago          910MB
ghcr.io/ylianst/meshcentral                                         latest            7dab3f2d7509   8 weeks ago         905MB
ghcr.io/ylianst/meshcentral                                         1.1.20            da14354298e0   3 months ago        896MB
 docker pull ghcr.io/ylianst/meshcentral:master
master: Pulling from ylianst/meshcentral
Digest: sha256:1e8e0d7a97c6f0a30e0b9223322bc6ecdd09def4de3d0bee48fd52344513106e
Status: Image is up to date for ghcr.io/ylianst/meshcentral:master
ghcr.io/ylianst/meshcentral:master

Yes, I didn't change the config.json, which works with 1.1.20. The user can be added into the existing group, but MeshCentral doesn't create the new group.

@IamTaoChen
Author

How could I log more information?

@si458
Collaborator

si458 commented May 21, 2024

node node_modules/meshcentral --debug web,authlog
and with docker you set

environment:
  - ARGS=--debug web,authlog

@IamTaoChen
Author

✔ Container meshcentral  Started                                                                                                                    10.9s 
meshcentral  | Missing Modules: passport, openid-client, connect-flash
meshcentral  | Installing modules [ 'passport', 'openid-client', 'connect-flash' ]
meshcentral  | NPM Command Line: /usr/bin/node /usr/bin/npm install --save-exact --no-audit --omit=optional --no-fund passport openid-client connect-flash
meshcentral  | MeshCentral HTTP redirection server running on port 80.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 80.
meshcentral  | MeshCentral v1.1.22, Hybrid (LAN + WAN) mode, Production mode.
meshcentral  | MeshCentral Intel(R) AMT server running on example.com:4433.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 4433.
meshcentral  | AUTHLOG: OIDC: Setting up strategy for domain: 
meshcentral  | AUTHLOG: OIDC: OLD CONFIG: Moving old config to new location. strategy.clientid => strategy.client.client_id
meshcentral  | AUTHLOG: OIDC: OLD CONFIG: Moving old config to new location. strategy.clientsecret => strategy.client.client_secret
meshcentral  | AUTHLOG: OIDC: OLD CONFIG: Moving old config to new location. strategy.callbackurl => strategy.client.redirect_uri
meshcentral  | AUTHLOG: OIDC: Discovering Issuer Endpoints: https://auth.demo8.org/realms/iobs
meshcentral  | Loaded web certificate from "https://example.com:", host: "example.com"
meshcentral  |   SHA384 cert hash: 960e0e2645760b375cfca551691d822c022b8d5c8a7679fa7b6fa709d5ebad250408a5aa8b0c1f73cfb6f6e94efa17a2
meshcentral  | AUTHLOG: OIDC: Setup Complete
meshcentral  | AUTHLOG: Setting up authentication strategies login and callback URLs for root domain.
meshcentral  | AUTHLOG: OIDC: Authorization URL: /auth-oidc
meshcentral  | AUTHLOG: OIDC: Callback URL: /oidc-callback
meshcentral  | MeshCentral HTTP server running on port 4430, alias port 443.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestLogin()
meshcentral  | WEB: 404 Error /loading=lazy
meshcentral  | AUTHLOG: User Authorized: {"strategy":"oidc","sid":"~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21","name":"示 演","email":"demo@ds.iobs","emailVerified":true,"groups":["/staff","/members"],"preset":null}
meshcentral  | AUTHLOG: OIDC: GROUPS: USER: "~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21" Found 2 memberships: ["/staff", "/members"]
meshcentral  | AUTHLOG: OIDC: GROUPS: USER: "~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21" Membership to required group found: "/members"
meshcentral  | AUTHLOG: OIDC: LOGIN SUCCESS: USER: "~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21"
meshcentral  | AUTHLOG: OIDC: User Authenticated: {"_id":"user//~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21","type":"user","name":"示 演","email":"demo@ds.iobs","creation":1716144528,"login":1716144528,"access":1716311879,"domain":"","emailVerified":true,"links":{"ugrp//VC70XOLJi$$RyDMIcO3czsYnChE2ZVixNeh2ySS4UHh4S0GACzBIr7ADq0TLwL0A":{"rights":1}},"subscriptions":["user//~oidc:0c1415dd-3480-4a91-b4ab-3c925af23c21","server-allusers","ugrp//VC70XOLJi$$RyDMIcO3czsYnChE2ZVixNeh2ySS4UHh4S0GACzBIr7ADq0TLwL0A"]}
meshcentral  | WEB: handleRootRequestEx: success.
meshcentral  | WEB: handleRootRequestEx: success.

@si458
Collaborator

si458 commented May 21, 2024

@IamTaoChen your config.json is incorrect! Doh! Just spotted it! The sync section should look like this:

"groups": {
  "sync": true
}

https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options

so in your case

"groups": {
  "required": [
    "/admins",
    "/members"
  ],
  "siteadmin": [
    "/admins"
  ],
  "sync": true,
  "claim": "groups"
}

@IamTaoChen
Author

IamTaoChen commented May 21, 2024

> @IamTaoChen your config.json is incorrect! Doh! Just spotted it! The sync section should look like this:
>
> "groups": {
>   "sync": true
> }
>
> https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#groups-options
>
> so in your case
>
> "groups": {
>   "required": [
>     "/admins",
>     "/members"
>   ],
>   "siteadmin": [
>     "/admins"
>   ],
>   "sync": true,
>   "claim": "groups"
> }

It works.

Sorry, I misunderstood this part. But it's weird that it worked in the previous version.

@si458
Collaborator

si458 commented May 21, 2024

@IamTaoChen yes, that's because the person who wrote the new OIDC code, the code was years behind,
so when it was merged by @Ylianst things goofed up.
Also, there is a migrate script to convert the old OIDC config to the new one, but I'm guessing the sync: { enabled: true } isn't included!
I will sort that out now!
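The two config shapes discussed in this thread, the refusal of manual group creation while sync is on, and the "create missing groups when a member logs in" behaviour the maintainer describes, as an added example in Node.js. This is not MeshCentral's own code and not the migration commit referenced in this thread: the function names, the lowercased key names (MeshCentral lowercases config keys when it loads config.json, so the server-side check reads `domain.authstrategies`) and the sample config are assumptions made for this example, and the sample values are constructed.

```javascript
// Added example, not MeshCentral's own code. Models the two shapes of the
// groups.sync setting seen in this thread (the documented boolean and the
// older { enabled: true } object), the server-side refusal of manual group
// creation when sync is on, and the create-on-login group behaviour.
// Function names, lowercased keys and the sample config are assumptions.

// Return a deep copy of the domain config with groups.sync rewritten from the
// old object form to the documented boolean. Other keys are left untouched.
function normalizeOidcGroupsConfig(domain) {
  const out = JSON.parse(JSON.stringify(domain)); // config is plain JSON data
  const oidc = out.authstrategies && out.authstrategies.oidc;
  if (!oidc || typeof oidc.groups !== 'object' || oidc.groups === null) return out;
  const sync = oidc.groups.sync;
  if (typeof sync === 'object' && sync !== null) {
    oidc.groups.sync = sync.enabled === true; // { enabled: true } -> true
  }
  return out;
}

// True when OIDC group sync is active in either config shape. Same decision as
// the check quoted earlier in the thread, which already accepts both forms.
function oidcGroupSyncEnabled(domain) {
  const oidc = domain.authstrategies && domain.authstrategies.oidc;
  if (typeof oidc !== 'object' || oidc === null) return false;
  if (typeof oidc.groups !== 'object' || oidc.groups === null) return false;
  const sync = oidc.groups.sync;
  return sync === true ||
    (typeof sync === 'object' && sync !== null && sync.enabled === true);
}

// Manual creation from the web UI is refused while sync is on, because the
// group set must mirror the identity provider.
function manualGroupCreationAllowed(domain) {
  return !oidcGroupSyncEnabled(domain);
}

// Given the groups claim from a login and the groups the server already has,
// decide which groups must be created and which the user should be a member
// of. Returns null when the user is in none of the required groups, since
// login is refused before any sync happens in that case.
function planGroupSync(idpGroups, existingGroups, requiredGroups) {
  const required = requiredGroups || [];
  if (required.length > 0 && !idpGroups.some((g) => required.includes(g))) {
    return null;
  }
  const existing = new Set(existingGroups);
  return {
    create: idpGroups.filter((g) => !existing.has(g)),
    join: idpGroups.slice(),
  };
}

// Constructed sample: same shape as the config in the issue, values redacted.
const oldStyleDomain = {
  authstrategies: {
    oidc: {
      issuer: 'https://idp.example.invalid', // placeholder issuer
      groups: {
        required: ['/admins', '/members'],
        siteadmin: ['/admins'],
        sync: { enabled: true }, // the old object form from the report
        claim: 'groups',
      },
    },
  },
};

// Walk through the reporter's scenario: the groups claim from the debug log,
// with only /members already present on the server.
function demo() {
  const migrated = normalizeOidcGroupsConfig(oldStyleDomain);
  const plan = planGroupSync(
    ['/staff', '/members'],
    ['/members'],
    migrated.authstrategies.oidc.groups.required
  );
  return {
    syncBefore: oldStyleDomain.authstrategies.oidc.groups.sync,
    syncAfter: migrated.authstrategies.oidc.groups.sync,
    manualCreation: manualGroupCreationAllowed(migrated),
    plan,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows `syncAfter: true`, `manualCreation: false` and a plan that creates `/staff` and joins the user to both groups; `manualGroupCreationAllowed` also returns false for the un-migrated object form, which is why the web UI's silent failure in the report was a notification bug rather than a permission one.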

si458 added a commit that referenced this issue May 21, 2024
Signed-off-by: si458 <simonsmith5521@gmail.com>
@si458
Collaborator

si458 commented May 21, 2024

OK, done: migrate groups.sync.enabled (spelt the commit message wrong, but hey ho) bc6451f

@si458
Collaborator

si458 commented May 21, 2024

Are you OK to close this issue now?
The original issue has been resolved:
you can't create groups when using OIDC and sync.
