Unable to get working alongside existing containers (nginx-proxy, nginx-proxy-letsencrypt, mattermost-docker, openldap)
nkoester opened this issue
Describe the bug
I am unable to get mattermost-ldap working together within an existing infrastructure making use of the following containers:
- nginx-proxy,
- nginx-proxy-letsencrypt,
- mattermost-docker,
- openldap.
Individually, the named containers work; however, trying to include mattermost-ldap fails. I am unsure where my configuration is bugged.
The setup looks as follows:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c966fe0bf469 mattermostldap "docker-php-entrypoi…" 26 minutes ago Exited (0) 17 minutes ago mattermost-ldap_mattermost-ldap_1
da4919f7de43 postgres:alpine "docker-entrypoint.s…" 26 minutes ago Exited (0) 17 minutes ago mattermost-ldap_db_1
c29e6058e56e osixia/phpldapadmin:0.9.0 "/container/tool/run" 2 hours ago Up 2 hours 80/tcp, 443/tcp phpldapadmin
55e0f895246f osixia/openldap:1.2.2 "/container/tool/run" 2 hours ago Up 2 hours 389/tcp, 636/tcp openldap
6234fe5807bc mattermost_db "/entrypoint.sh post…" 35 hours ago Up 35 hours (healthy) 5432/tcp mattermost_db_1
0ec0c2984ef8 mattermost_app "/entrypoint.sh matt…" 35 hours ago Up 35 hours (healthy) 8000/tcp mattermost_app_1
b4649a301f5c mattermost_web "/entrypoint.sh" 35 hours ago Up 35 hours (healthy) 80/tcp mattermost_web_1
c2a516f5ca59 jrcs/letsencrypt-nginx-proxy-companion "/bin/bash /app/entr…" 35 hours ago Up 35 hours nginx-proxy-letsencrypt
e8792438dc07 jwilder/nginx-proxy "/app/docker-entrypo…" 35 hours ago Up 35 hours 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp nginx-proxy
Other things:
- I can access https://oauth.example.com/oauth/index.php (I cannot auth here, the error says "Password has incorrect format ... Please try again"?)
- There are several networks in this setup. I'd love to have all mattermost and mattermost-ldap related things in their own net and have ldap related things in a separate network
- Trying to auth via the "Sign in with:" button gives me a 503, redirecting me to oauth.example.com/oauth/resource.php ?response_type=code&client_id=XXXX&redirect_uri=https%3A%2F%2Fchat.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=YYYY%3D%3D
To Reproduce
- Setup the named containers nginx-proxy, nginx-proxy-letsencrypt, mattermost-docker, openldap
- Include the mattermost-ldap container, using the following config:
.env content (xxx1-xxx5 are all different `openssl rand -hex 32` values):
# Docker compose parameters for Mattermost-LDAP
#
# Adapt these parameters to match with your configuration.
# More information available in section "Configuration" in README.md
#
# Oauth client configuration
#
# Client ID token. Must be a random hex value. Use `openssl rand -hex 32` to generate a token.
client_id = "xxx1"
# Client Secret token. Must be a random hex value. Use `openssl rand -hex 32` to generate a token.
client_secret = "xxx2"
# Redirect URI used by the Oauth server to redirect the user after the authentication process. Must be the same as the one Mattermost gives to the Oauth server.
redirect_uri = "https://chat.example.com/signup/gitlab/complete"
# Grant type method used by the Oauth server
grant_types = "authorization_code"
# Scope of the client in the Oauth server
scope = "api"
# Non important parameter. Could be used as a commentary field
user_id = ""
#
# Database configuration
#
# Username for the PostgreSQL administrator account
POSTGRES_USER = "postgres"
# Password for PostgreSQL administrator account
POSTGRES_PASSWORD = "xxx3"
# Method to use for connection to database
POSTGRES_HOST_AUTH_METHOD = "trust"
# Oauth user to connect the database
db_user = "oauth"
# Oauth password to connect the database
db_pass = "xxx4"
# Oauth database name
db_name = "oauth_db"
# PostgreSQL database host
db_host = "db"
# PostgreSQL database port
db_port = "5432"
# Database type. Docker compose implementation for Mattermost-LDAP uses PostgreSQL.
db_type = "pgsql"
#
# LDAP configuration
#
# LDAP host or IP
ldap_host = "ldap://openldap"
# LDAP port
ldap_port = "389"
# LDAP protocol version
ldap_version = "3"
# LDAP STARTTLS
ldap_start_tls = "1"
# Unique identifier for entry in LDAP
ldap_search_attribute = "uid"
# Base DN to search from in LDAP
ldap_base_dn = "ou=groups,cn=chat"
# Additional filter for LDAP search
ldap_filter = "(objectClass=*)"
# Service account to bind LDAP server
ldap_bind_dn = "admin"
# Password for service account to bind LDAP server
ldap_bind_pass = "xxx5"
docker-compose.yaml content:
version: '3'
volumes:
  db-data:
    driver: local
networks:
  mattermost-docker_mattermost:
    external: true
  ldap_ldapnet:
    external: true
  nginx-proxy_proxynet:
    external: true
services:
  mattermost-ldap:
    build: Docker/mattermostldap
    image: mattermostldap
    restart: always
    expose:
      - "80"
      - "443"
    environment:
      - ldap_host
      - ldap_port
      - ldap_version
      - ldap_start_tls
      - ldap_search_attribute
      - ldap_base_dn
      - ldap_filter
      - ldap_bind_dn
      - ldap_bind_pass
      - db_host
      - db_port
      - db_type
      - db_name
      - db_user
      - db_pass
      - VIRTUAL_HOST=oauth.example.com,www.oauth.example.com
      - LETSENCRYPT_HOST=oauth.example.com,www.oauth.example.com
    networks:
      - mattermost-docker_mattermost
      - ldap_ldapnet
      - nginx-proxy_proxynet
  db:
    image: postgres:alpine
    restart: always
    volumes:
      - ./db_init/init_postgres.sh:/docker-entrypoint-initdb.d/init_postgres.sh
      - ./db_init/config_init.sh.example:/docker-entrypoint-initdb.d/config_init.sh
      - db-data:/var/lib/postgresql/data/
    environment:
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      - POSTGRES_HOST_AUTH_METHOD
      - client_id
      - client_secret
      - redirect_uri
      - grant_types
      - scope
      - user_id
      - db_user
      - db_pass
      - db_name
      - db_host
      - db_port
    networks:
      - mattermost-docker_mattermost
log of mattermost-ldap (tried auth with github link and direct auth via https://oauth.example.com/oauth/index.php):
$ docker-compose up
Creating mattermost-ldap_db_1 ... done
Creating mattermost-ldap_mattermost-ldap_1 ... done
Attaching to mattermost-ldap_db_1, mattermost-ldap_mattermost-ldap_1
db_1 |
db_1 | PostgreSQL Database directory appears to contain a database; Skipping initialization
db_1 |
db_1 | 2020-11-29 23:42:51.435 UTC [1] LOG: starting PostgreSQL 13.1 on x86_64-pc-linux-musl, compiled by gcc (Alpine 9.3.0) 9.3.0, 64-bit
db_1 | 2020-11-29 23:42:51.435 UTC [1] LOG: listening on IPv4 address "0.0.0.0", port 5432
db_1 | 2020-11-29 23:42:51.435 UTC [1] LOG: listening on IPv6 address "::", port 5432
db_1 | 2020-11-29 23:42:51.437 UTC [1] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
db_1 | 2020-11-29 23:42:51.439 UTC [21] LOG: database system was shut down at 2020-11-29 23:41:42 UTC
db_1 | 2020-11-29 23:42:51.442 UTC [1] LOG: database system is ready to accept connections
mattermost-ldap_1 | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.176.5. Set the 'ServerName' directive globally to suppress this message
mattermost-ldap_1 | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.176.5. Set the 'ServerName' directive globally to suppress this message
mattermost-ldap_1 | [Sun Nov 29 23:42:51.632639 2020] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.38 (Debian) PHP/7.4.12 configured -- resuming normal operations
mattermost-ldap_1 | [Sun Nov 29 23:42:51.632696 2020] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:43:20 +0000] "GET /oauth/index.php HTTP/1.1" 200 991 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36"
mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:43:20 +0000] "GET /oauth/style.css HTTP/1.1" 200 1647 "https://oauth.example.com/oauth/index.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36"
mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:43:20 +0000] "GET /oauth/images/prompt_icon.png HTTP/1.1" 200 45514 "https://oauth.example.com/oauth/index.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36"
mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:43:20 +0000] "GET /favicon.ico HTTP/1.1" 404 471 "https://oauth.example.com/oauth/index.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36"
mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:43:27 +0000] "POST /oauth/index.php HTTP/1.1" 200 1003 "https://oauth.example.com/oauth/index.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36"
mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:44:16 +0000] "GET /oauth/resource.php%20?response_type=code&client_id=6559130c5bd567f569e636ec43ac26346bc133be36f06384df613ee124de8403&redirect_uri=https%3A%2F%2Fchat.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6IjFhZ3Ixbnd1YzlzNWl6ZW9zeGdmMW02eXdjamE3eWg4ZW1xdXg4bnc1ZHl5dzVwa3MxM2lkbmptMXhwaHdpNTMifQ%3D%3D HTTP/1.1" 403 474 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36"
mattermost-ldap_1 | [Sun Nov 29 23:44:16.196960 2020] [access_compat:error] [pid 16] [client 172.29.0.2:33584] AH01797: client denied by server configuration: /var/www/html/oauth/resource.php
mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:44:16 +0000] "GET /favicon.ico HTTP/1.1" 404 471 "https://oauth.example.com/oauth/resource.php%20?response_type=code&client_id=6559130c5bd567f569e636ec43ac26346bc133be36f06384df613ee124de8403&redirect_uri=https%3A%2F%2Fchat.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6IjFhZ3Ixbnd1YzlzNWl6ZW9zeGdmMW02eXdjamE3eWg4ZW1xdXg4bnc1ZHl5dzVwa3MxM2lkbmptMXhwaHdpNTMifQ%3D%3D" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36"
mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:44:20 +0000] "GET /oauth/resource.php HTTP/1.1" 401 236 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36"
mattermost-ldap_1 | [Sun Nov 29 23:48:55.284630 2020] [autoindex:error] [pid 19] [client 172.29.0.2:33666] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.php,index.html) found, and server-generated directory index forbidden by Options directive, referer: https://www.google.com/
mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:48:55 +0000] "GET / HTTP/1.1" 403 478 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"
mattermost-ldap_1 | [Sun Nov 29 23:49:50.286521 2020] [autoindex:error] [pid 20] [client 172.29.0.2:33710] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.php,index.html) found, and server-generated directory index forbidden by Options directive, referer: https://www.google.com/
mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:49:50 +0000] "GET / HTTP/1.1" 403 478 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36"
I'd love to allow access for all users of the chat group (groupOfUniqueNames):
cn=chat, Server: openldap, Distinguished Name: cn=chat,ou=groups,dc=example,dc=com
Expected behavior
Well ... for it to work ¯\_(ツ)_/¯
Screenshots
Will add if anything is unclear.
Project (please complete the following information):
- Project Version: master (122e713)
Desktop
- OS: System is a vserver with Debian
$ uname -a
Linux name 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
- Browser: tried firefox and chromium
- Version latest
Smartphone:
None used
Additional context
Any help is highly appreciated! I did leave out many config files involved as they would be way too much. Let me know if you need anything else or if anything is unclear.
Eventually, this type of configuration can be beneficial for users in similar surroundings. If I get it working I'd love to document my findings for other lost travelers.
Sidenote: Thanks for this great workaround :) It really fits the needs of the small NGO I am involved in. Managing all users among the platforms would be so much hassle!
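A small configuration linter for the .env shown above, added here as an example (it is not code from the Mattermost-LDAP project). It parses the `key = "value"` lines of the posted file and flags what a reviewer would notice in it: `client_id`/`client_secret` values that are not 64 hex characters as produced by `openssl rand -hex 32`, a base DN with no `dc=` component (`ou=groups,cn=chat`, whereas the group shown later in the thread is `cn=chat,ou=groups,dc=example,dc=com`), a bind DN that is a bare username rather than a DN, and an `ldaps://` host combined with STARTTLS or port 389. The sample text, the expected `/signup/gitlab/complete` callback path and the rule set are my assumptions, not project requirements.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the .env posted in the issue; secrets are placeholders.
SAMPLE_ENV = '''
# Client ID token. Must be a random hex value.
client_id = "xxx1"
client_secret = "xxx2"
redirect_uri = "https://chat.example.com/signup/gitlab/complete"
grant_types = "authorization_code"
scope = "api"
ldap_host = "ldap://openldap"
ldap_port = "389"
ldap_start_tls = "1"
ldap_search_attribute = "uid"
ldap_base_dn = "ou=groups,cn=chat"
ldap_filter = "(objectClass=*)"
ldap_bind_dn = "admin"
ldap_bind_pass = "xxx5"
'''

LINE_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?(.*?)"?\s*$')
# Simplified RFC 4514 RDN: attribute=value (escaped commas are not handled here).
RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=.+$')
HEX64_RE = re.compile(r'^[0-9a-f]{64}$')  # what `openssl rand -hex 32` prints


def parse_env(text: str) -> Dict[str, str]:
    """Parse `key = "value"` lines, skipping blank lines and # comments."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = LINE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def is_dn(value: str) -> bool:
    """True if every comma-separated component looks like attr=value."""
    return all(RDN_RE.match(p.strip()) for p in value.split(','))


def lint_env(env: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; empty means nothing suspicious (assumed rules)."""
    findings: List[str] = []
    for key in ('client_id', 'client_secret'):
        if not HEX64_RE.match(env.get(key, '')):
            findings.append(f'{key}: expected 64 lowercase hex chars (openssl rand -hex 32)')
    uri = env.get('redirect_uri', '')
    if not uri.startswith('https://'):
        findings.append('redirect_uri: should be an https:// URL')
    if not uri.endswith('/signup/gitlab/complete'):
        findings.append('redirect_uri: expected the Mattermost GitLab callback path /signup/gitlab/complete')
    base = env.get('ldap_base_dn', '')
    if not is_dn(base):
        findings.append('ldap_base_dn: not a valid DN')
    elif not any(rdn.strip().lower().startswith('dc=') for rdn in base.split(',')):
        findings.append('ldap_base_dn: no dc= component, the base DN is probably truncated or reversed')
    if not is_dn(env.get('ldap_bind_dn', '')):
        findings.append('ldap_bind_dn: should be a full DN such as cn=admin,dc=example,dc=com, not a bare username')
    host = env.get('ldap_host', '')
    if host.startswith('ldaps://') and env.get('ldap_start_tls') == '1':
        findings.append('ldap_host/ldap_start_tls: STARTTLS upgrades a plain ldap:// connection; do not combine it with ldaps://')
    if host.startswith('ldaps://') and env.get('ldap_port') == '389':
        findings.append('ldap_port: ldaps:// normally uses 636, not 389')
    return findings


if __name__ == '__main__':
    for finding in lint_env(parse_env(SAMPLE_ENV)):
        print(finding)
```

Run it against a real file with `lint_env(parse_env(open('.env').read()))`; on the sample it reports the two placeholder tokens, the base DN and the bind DN.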
Hi,
Thank you for your interest in the Mattermost-LDAP project and for your detailed description.
I read it diagonally and your setup seems complete and well designed but a bit complex. I'd like to dig into this issue with you; I think the demo in this repository could be extended with an openldap server. This will allow performing more generic validation tests and make users' PoCs easier.
However, I have no free time this week, I don't think I can work on this before the weekend.
Let me know if you advance on this subject,
Regards
I was finally able to follow up on this. Sorry for the long delay. I could manage to get some basics working, i.e.:
- The auth server now resides at https://oauth.example.com (using nginx-proxy-letsencrypt)
- I can auth on https://oauth.example.com/oauth/index.php against the openldap server ("Congratulation you are authenticated !")
However:
- I cannot filter groups. I am no ldap expert. I guess this can be done with correct filters? Currently these look like this: ldap_base_dn = "ou=people,dc=example,dc=com" and ldap_filter = "(objectClass=inetOrgPerson)", but in my openldap server there exists a cn=chat within a ou=groups. Not sure how to filter this.
- When using the Gitlab button on the mattermost instance to authenticate I get redirected to https://oauth.example.com/oauth/resource.php?response_type=code&client_id=XXXX&redirect_uri=https%3A%2F%2Fchat.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=YYYY%3D%3D and the browser shows a 401 error. The logs simply say:
mattermost-ldap_1 | 172.29.0.2 - - [14/Jan/2021:15:07:17 +0000] "GET /oauth/resource.php?response_type=code&client_id=XXXX&redirect_uri=https%3A%2F%2Fchat.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=YYYY%3D%3D HTTP/1.1" 401 236 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36"
- There is one error in the logs I cannot attribute to anything:
mattermost-ldap_1 | [Thu Jan 14 15:14:06.869010 2021] [autoindex:error] [pid 17] [client 172.29.0.2:36678] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.php,index.html) found, and server-generated directory index forbidden by Options directive, referer: http://oauth.example.com
Should I add some specific settings to my nginx?
Not sure what is going wrong here? Any pointers?
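The access-log lines quoted in this thread already contain the evidence for what went wrong, so here is a parser and classifier for them, added as an example that is not part of the issue or the project. It reads Apache combined-format lines with the `mattermost-ldap_1 |` compose prefix, decodes the request target, and labels each request: a percent-encoded space left in the path (`resource.php%20`, which Apache answered with 403), an OAuth authorization request (`response_type=code`) whose `redirect_uri` does not match the registered one, an authorization request that was sent to `resource.php` and answered 4xx (the endpoint mix-up the thread later resolves), and a plain `GET /` against a document root with no index, which is Apache's `AH01276` 403 and has nothing to do with the auth flow. The sample lines are constructed from the ones in the thread with the client_id and state shortened; the label names and the expected redirect URI are my assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines modelled on the container output quoted in this issue.
SAMPLE_LOG = [
    'mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:43:20 +0000] "GET /oauth/index.php HTTP/1.1" 200 991 "-" "Mozilla/5.0"',
    'mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:44:16 +0000] "GET /oauth/resource.php%20?response_type=code&client_id=XXXX&redirect_uri=https%3A%2F%2Fchat.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=YYYY%3D%3D HTTP/1.1" 403 474 "-" "Mozilla/5.0"',
    'mattermost-ldap_1 | 172.29.0.2 - - [14/Jan/2021:15:07:17 +0000] "GET /oauth/resource.php?response_type=code&client_id=XXXX&redirect_uri=https%3A%2F%2Fchat.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=YYYY%3D%3D HTTP/1.1" 401 236 "-" "Mozilla/5.0"',
    'mattermost-ldap_1 | 172.29.0.2 - - [29/Nov/2020:23:48:55 +0000] "GET / HTTP/1.1" 403 478 "https://www.google.com/" "Mozilla/5.0"',
]

# The redirect_uri registered in the posted .env; Mattermost must send exactly this value.
EXPECTED_REDIRECT = 'https://chat.example.com/signup/gitlab/complete'

# Apache combined log format, with an optional "<service> | " docker-compose prefix.
ACCESS_RE = re.compile(
    r'^(?:\S+ \| )?(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an access-log line, or None for error-log/startup lines."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str], expected_redirect: str = EXPECTED_REDIRECT) -> str:
    """Label one access entry (label names are this example's own, not Apache's)."""
    parts = urlsplit(entry['target'])
    path = unquote(parts.path)          # '%20' becomes a real space here
    query = parse_qs(parts.query)       # values are percent-decoded
    status = int(entry['status'])
    if path != path.strip():
        return 'stray-space-in-path'    # the client-side URL was configured with a trailing space
    if query.get('response_type') == ['code']:
        if query.get('redirect_uri', [None])[0] != expected_redirect:
            return 'redirect-uri-mismatch'
        if path.endswith('/resource.php') and status >= 400:
            return 'authorize-request-hit-resource-endpoint'
        return 'authorize-request'
    if path == '/' and status == 403:
        return 'root-request-no-index'  # AH01276: no DirectoryIndex in /var/www/html, unrelated to auth
    return 'ok' if status < 400 else f'http-{status}'


def classify_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Classify every access entry; non-access lines (Apache error log) are skipped."""
    results: List[Tuple[str, str]] = []
    for line in lines:
        entry = parse_access_line(line)
        if entry is None:
            continue
        results.append((entry['target'].split('?', 1)[0], classify(entry)))
    return results


if __name__ == '__main__':
    for path, label in classify_log(SAMPLE_LOG):
        print(f'{label:40s} {path}')
```

Feed it `docker-compose logs mattermost-ldap` output line by line; anything labelled `authorize-request-hit-resource-endpoint` or `stray-space-in-path` points at the URL configured on the Mattermost side rather than at nginx.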
Turns out I mixed up the endpoints 🙈 and after deleting the database everything works. Additionally, I found the proper way to use group filters via memberOf.
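The group restriction mentioned here is an LDAP search filter on the `memberOf` attribute, so as an added example (not code from the thread or the project) here is a builder for such a filter, with the assertion-value escaping that RFC 4515 requires (`*`, `(`, `)`, `\` and NUL become `\2a`, `\28`, `\29`, `\5c`, `\00`). The group DN and object class used in the sample are the ones the thread shows; the function names are my own. Note that `memberOf` is an operational attribute maintained by the memberof overlay in OpenLDAP, so the filter only matches if that overlay is loaded on the server.

```python
from typing import Optional

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the surrounding filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn: str, object_class: Optional[str] = 'inetOrgPerson') -> str:
    """Filter matching entries of `object_class` that are members of `group_dn`.

    Suitable as an `ldap_filter` value; pass object_class=None to match on group only.
    """
    group_clause = f'(memberOf={escape_filter_value(group_dn)})'
    if object_class is None:
        return group_clause
    return f'(&(objectClass={escape_filter_value(object_class)}){group_clause})'


def user_in_group_filter(search_attribute: str, login: str, group_dn: str) -> str:
    """Filter for one user's login restricted to a group (login value is escaped)."""
    return (f'(&({search_attribute}={escape_filter_value(login)})'
            f'(memberOf={escape_filter_value(group_dn)}))')


if __name__ == '__main__':
    # Group DN taken from the thread (cn=chat under ou=groups).
    print(member_of_filter('cn=chat,ou=groups,dc=example,dc=com'))
    print(user_in_group_filter('uid', 'jdoe', 'cn=chat,ou=groups,dc=example,dc=com'))
```

Commas and equals signs inside the DN need no escaping in a filter value, only the five characters above do; the escaping matters most for `user_in_group_filter`, where the login comes from the user.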
Hi,
Thank you for your update. I am happy that you finally came to a solution.
Your comment on Thursday gave me motivation to continue my work on integrating an OpenLDAP server in the Demo to create a standalone demonstration that allows easily testing and trying Mattermost-LDAP. This is working now, I just need to complete the documentation :)
I saw your pull request; I will review it this week to merge it as soon as possible. I really want to thank you for your contribution :)
I hope you will enjoy using Mattermost-LDAP
Regards